[GXYCTF2019]BabyUpload；[BJDCTF2020]The mystery of ip

[GXYCTF2019]BabyUpload；[BJDCTF2020]The mystery of ip

[GXYCTF2019]BabyUpload;[BJDCTF2020]The mystery of ip

• [GXYCTF2019]BabyUpload
• [BJDCTF2020]The mystery of ip

[GXYCTF2019]BabyUpload

不管上传什么类型的文件，都回显上传类型也太露骨了吧！，只能看一下源码了

<?php
session_start();
echo "<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>Upload</title>
<form action="" method="post" enctype="multipart/form-data">
上传文件<input type="file" name="uploaded" />
<input type="submit" name="submit" value="上传" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {$target_path  = getcwd() . "/upload/" . md5($_SESSION['user']);$t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);$uploaded_size = $_FILES['uploaded']['size'];$uploaded_tmp  = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){die("后缀名不能有ph！");}else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){$content = file_get_contents($uploaded_tmp);if(preg_match("/<?/i", $content)){die("诶，别蒙我啊，这标志明显还是php啊");}else{mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);move_uploaded_file($uploaded_tmp, $t_path);echo "{$t_path} succesfully uploaded!";}}else{die("上传类型也太露骨了吧！");}}
}
?>

发现这里限制了文件大小<2048，
并且只检查了文件后缀不能有ph，
content-type的类型为image/pjpeg或image/jpeg，
内容不能有<?

这里可以上传.htaccess,再改content-type（上传过1.asp，但是连接失败，就换成了这种，它不是windows的服务器，不能解析asp）
有了.htaccess配置文件，它会将aa的后缀解析成php文件，因为这里过滤了<?，故可以使用js编写一句话木马绕过
蚁剑连接得到flag

[BJDCTF2020]The mystery of ip

得到自己的ip，

尝试添加X-Forwarded-For，猜测是否能更改，结果成功

之后尝试sql注入，xss都失败了，看了wp后知道还可能使模板注入
报错信息返回了模板的类型为Smarty
这里可以根据此模板的格式执行命令

或者使用{{}}