File upload and brute-force challenges, from XCTF
upload1
Open the page
![](https://www.cztcode.com/wp-content/uploads/2020/04/56.png)
Try uploading a file
![](https://www.cztcode.com/wp-content/uploads/2020/04/57.png)
Only images are allowed, so let's look at the page source
```html
<!Doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript">
Array.prototype.contains = function (obj) {
    var i = this.length;
    while (i--) {
        if (this[i] === obj) {
            return true;
        }
    }
    return false;
}
function check(){
    upfile = document.getElementById("upfile");
    submit = document.getElementById("submit");
    name = upfile.value;
    ext = name.replace(/^.+\./,'');
    if(['jpg','png'].contains(ext)){
        submit.disabled = false;
    }else{
        submit.disabled = true;
        alert('请选择一张图片文件上传!');
    }
}
</script>
</head>
<body>
<form enctype='multipart/form-data' id='aa' name='aaa' method='post' action='index.php'>
<input id="upfile" name='upfile' type='file' onchange="check();" />
<input type='submit' id ='submit' value='上传'>
</form>
</body>
</html>
```
Only jpg and png extensions are accepted, and the check runs entirely in the browser.
The extension can therefore be changed while the upload is in flight, for example by editing the request in Burp Suite.
First upload the one-line webshell with a jpg extension
![](https://www.cztcode.com/wp-content/uploads/2020/04/61.png)
Then change the extension to php in the request
![](https://www.cztcode.com/wp-content/uploads/2020/04/62.png)
The upload succeeds
![](https://www.cztcode.com/wp-content/uploads/2020/04/63.png)
Connect with AntSword (蚁剑) and find the flag
![](https://www.cztcode.com/wp-content/uploads/2020/04/60-1024x335.png)
There is another way: change it on the front end by removing the disabled attribute from the upload button.
![](https://www.cztcode.com/wp-content/uploads/2020/04/58.png)
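The root cause here is that the only check lives in the browser's `check()` function, which any client can skip or edit. Below is an added example of the server-side validation the upload handler itself would need, written in JavaScript to match the page's code; it is not the challenge's `index.php`, and the sample bodies are constructed.

```javascript
// Server-side upload validation (added example, not the challenge's own index.php).
// The page's check() runs only in the browser, so the server must re-check both
// the extension AND the file content: a client can send any name with any body.

// Whitelisted extensions mapped to the magic bytes a genuine file of that type starts with.
const ALLOWED_TYPES = {
  jpg: [0xff, 0xd8, 0xff],                                // JPEG SOI marker
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], // PNG signature
};

// Extension after the LAST dot of the base name, lower-cased; null if there is none.
function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  if (dot <= 0 || dot === base.length - 1) return null;
  return base.slice(dot + 1).toLowerCase();
}

function startsWithBytes(bytes, magic) {
  if (bytes.length < magic.length) return false;
  return magic.every((b, i) => bytes[i] === b);
}

// Returns { ok: true, ext } when both the name and the content are acceptable,
// otherwise { ok: false, reason }. The caller should store the file under a
// server-generated name with `ext`, never under the client-supplied name.
function validateUpload(filename, bytes) {
  const ext = extensionOf(filename);
  if (ext === null || !Object.prototype.hasOwnProperty.call(ALLOWED_TYPES, ext)) {
    return { ok: false, reason: 'extension not in whitelist' };
  }
  if (!startsWithBytes(bytes, ALLOWED_TYPES[ext])) {
    return { ok: false, reason: 'content does not match ' + ext + ' signature' };
  }
  return { ok: true, ext };
}

// Constructed sample bodies (not real uploads from the challenge).
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]);
const SAMPLE_SCRIPT = Buffer.from('<?php echo "hi"; ?>'); // a script body given a .jpg name

for (const [name, body] of [['photo.png', SAMPLE_PNG], ['photo.jpg', SAMPLE_JPEG],
                            ['photo.php', SAMPLE_JPEG], ['photo.jpg', SAMPLE_SCRIPT]]) {
  console.log(name, JSON.stringify(validateUpload(name, body)));
}
```

The last two cases are exactly the renamed-extension upload the writeup performs: the server rejects both a php name and a non-image body under a jpg name, regardless of what the browser-side `check()` did.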
ics-06
The cloud platform's report center collected data from the device management basic service, but the data has been deleted; only one place still retains traces of the intruder.
Open the page
![](https://www.cztcode.com/wp-content/uploads/2020/04/64-1-1024x453.png)
The challenge hints at the report center
![](https://www.cztcode.com/wp-content/uploads/2020/04/65-1.png)
There is a parameter in the URL; try brute-forcing it with Burp Suite
![](https://www.cztcode.com/wp-content/uploads/2020/04/66.png)
The parameter has been marked as the payload position
![](https://www.cztcode.com/wp-content/uploads/2020/04/67.png)
Payload type: Numbers, range 1-9999
![](https://www.cztcode.com/wp-content/uploads/2020/04/68.png)
500 threads
![](https://www.cztcode.com/wp-content/uploads/2020/04/69.png)
One value produces a response that differs from all the others
![](https://www.cztcode.com/wp-content/uploads/2020/04/70.png)
Visiting it gives the flag
![](https://www.cztcode.com/wp-content/uploads/2020/04/71.png)