V1.0

V1.0

Pass-01/helper.php

@@ -0,0 +1,16 @@
+<?php
+include "../Parsedown.php";
+$Parsedown = new Parsedown();
+$Parsedown->setBreaksEnabled(true);
+$Parsedown->setSafeMode(true);
+$Parsedown->setMarkupEscaped(true);
+
+if($_GET['action'] == 'get_prompt'){
+
+    $file=file('wp.markdown'); //返回数组的内容
+        foreach($file as $v){
+                echo $Parsedown->text($v);
+
+    }
+}
+?>

Pass-01/index.php

@@ -0,0 +1,83 @@
+<?php
+include '../config.php';
+include '../head.php';
+include '../card.php';
+
+$is_upload = false;
+$msg = null;
+if (isset($_POST['submit'])) {
+    if (file_exists(UPLOAD_PATH)) {
+        $temp_file = $_FILES['upload_file']['tmp_name'];
+        $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
+        if (move_uploaded_file($temp_file, $img_path)){
+            $is_upload = true;
+        } else {
+            $msg = '上传出错！';
+        }
+    } else {
+        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
+    }
+}
+?>
+
+
+    <ol>
+        <li>
+            <h3>任务</h3>
+            <p>上传一个<code>webshell</code>到服务器。</p>
+        </li>
+        <li>
+            <h3>上传区</h3>
+            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
+                <p>请选择要上传的图片：<p>
+                <input class="input_file" type="file" name="upload_file"  dir="rtl" style="float:left;margin-right:10px;width:170px;"/>
+                <input class="upload_btn" type="submit" name="submit" value="确定上传"/>
+            </form>
+            <div id="msg">
+                <?php 
+                    if($msg != null){
+                        echo "提示11：".$msg;
+                    }
+                ?>
+
+            </div>
+            <div id="img">
+                <?php
+                    if($is_upload){
+                        echo '<img src="'.$img_path.'" width="250px" />';
+                    }
+                ?>
+            </div>
+        </li>
+	    <?php 
+	        if($_GET['action'] == "show_code"){
+	            include 'show_code.php';
+	        }
+	    ?>
+	</ol>
+</div>
+
+<?php
+include '../footer.php'
+?>
+
+
+<script type="text/javascript">
+    function checkFile() {
+        var file = document.getElementsByName('upload_file')[0].value;
+        if (file == null || file == "") {
+            alert("请选择要上传的文件!");
+            return false;
+        }
+        //定义允许上传的文件类型
+        var allow_ext = ".jpg|.png|.gif";
+        //提取上传文件的类型
+        var ext_name = file.substring(file.lastIndexOf("."));
+        //判断上传文件类型是否允许上传
+        if (allow_ext.indexOf(ext_name) == -1) {
+            var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;
+            alert(errMsg);
+            return false;
+        }
+    }
+</script>

Pass-01/show_code.php

@@ -0,0 +1,23 @@
+<li id="show_code">
+    <h3>代码</h3>
+<pre>
+<code class="line-numbers language-javascript">function checkFile() {
+    var file = document.getElementsByName('upload_file')[0].value;
+    if (file == null || file == "") {
+        alert("请选择要上传的文件!");
+        return false;
+    }
+    //定义允许上传的文件类型
+    var allow_ext = ".jpg|.png|.gif";
+    //提取上传文件的类型
+    var ext_name = file.substring(file.lastIndexOf("."));
+    //判断上传文件类型是否允许上传
+    if (allow_ext.indexOf(ext_name + "|") == -1) {
+        var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;
+        alert(errMsg);
+        return false;
+    }
+}
+</code>
+</pre>
+</li>

Pass-01/wp.markdown

@@ -0,0 +1,53 @@
+## 解题wp   (By:独立团孙德胜Alan)
+
+本Pass是客户端过滤，可以通过禁用JS的方式绕过！
+
+#### 1.打开第一关
+
+![](.\img\1.png)
+
+#### 2.上传一个普通的shell.php文件
+
+```php
+<?php @eval($_POST('Alan'));?>
+```
+
+![](.\img\2.png)
+
+#### 提示不允许上传
+
+![](.\img\3.png)
+
+#### 3.分析代码
+
+![](.\img\4.jpg)
+
+#### 前端JS校验
+
+#### 4.对于前端js验证的绕过方法较为简单，我们可以将要上传的php文件改后缀名为jpg|png|gif,绕过js验证后，再用burp更改上传请求。或者浏览器禁用js后进行上传。
+
+![](.\img\4.png)
+
+![](.\img\5.png)
+
+#### 5.使用工具Burpsutie拦截，修改后缀名为.php
+
+#### 修改图片内容为一句话木马的内容：
+
+```
+<?php @eval($_POST('Alan'));?>
+```
+
+![](.\img\6.png)
+
+#### 使用重放包功能上传Alan.php：
+
+![](.\img\7.png)
+
+![](.\img\8.png)
+
+#### 6.上传成功！
+
+![](.\img\9.png)
+
+#### 7.使用webshell连接工具连接即可。

Pass-02/helper.php

@@ -0,0 +1,16 @@
+<?php
+include "../Parsedown.php";
+$Parsedown = new Parsedown();
+$Parsedown->setBreaksEnabled(true);
+$Parsedown->setSafeMode(true);
+$Parsedown->setMarkupEscaped(true);
+
+if($_GET['action'] == 'get_prompt'){
+
+    $file=file('wp.markdown'); //返回数组的内容
+        foreach($file as $v){
+                echo $Parsedown->text($v);
+
+    }
+}
+?>

Pass-02/index.php

@@ -0,0 +1,65 @@
+<?php
+include '../config.php';
+include '../head.php';
+include '../card.php';
+
+$is_upload = false; 
+$msg = "提示内容";
+if (isset($_POST['submit'])) {
+    if (file_exists(UPLOAD_PATH)) {
+        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
+            $temp_file = $_FILES['upload_file']['tmp_name'];
+            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];          
+            if (move_uploaded_file($temp_file, $img_path)) {
+                $is_upload = true;
+            } else {
+                $msg = '上传出错！';
+            }
+        } else {
+            $msg = '文件类型不正确，请重新上传！';
+        }
+    } else {
+        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建！';
+    }
+}
+?>
+
+
+    <ol>
+        <li>
+            <h3>任务</h3>
+            <p>test内容</p>
+        </li>
+        <li>
+            <h3>上传区</h3>
+            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
+                <p>请选择要上传的图片：<p>
+                <input class="input_file" type="file" name="upload_file"  dir="rtl" style="float:left;margin-right:10px;width:170px;"/>
+                <input class="upload_btn" type="submit" name="submit" value="确定上传"/>
+            </form>
+            <div id="msg">
+                <?php 
+                    if($msg != null){
+                        echo "提示：".$msg;
+                    }
+                ?>
+            </div>
+            <div id="img">
+                <?php
+                    if($is_upload){
+                        echo '<img src="'.$img_path.'" width="250px" />';
+                    }
+                ?>
+            </div>
+        </li>
+        <?php 
+            if($_GET['action'] == "show_code"){
+                include 'show_code.php';
+            }
+        ?>
+    </ol>
+</div>
+
+<?php
+include '../footer.php';
+?>

Pass-02/show_code.php

@@ -0,0 +1,8 @@
+<li id="show_code">
+    <h3>代码</h3>
+<pre>
+<code class="line-numbers language-php">$is_upload = false;
+//提示代码
+</code>
+</pre>
+</li>

Pass-02/wp.markdown

@@ -0,0 +1,26 @@
+## 解题wp(By:独立团孙德胜Alan)
+本pass在服务端对数据包的MIME进行检查！
+
+## 1.打开第二关
+
+![](./img/1.png)
+
+## 2.上传一个普通的shell.php文件
+
+```
+<?php @eval($_POST('Alan'));?>
+```
+
+![](./img/2.png)
+
+#### 提示不允许上传。
+
+### 3.分析代码
+
+![](./img/3.png)
+
+#### 发现原来是检测了Content-Type头，于是我们可以通过修改头的方式绕过。
+
+### 4.对于验证了MIME的问题，我们可以使用Burpsutie抓包，修改Content-Type，绕过验证。
+
+![](./img/4.png)

Pass-03/helper.php

@@ -0,0 +1,16 @@
+<?php
+include "../Parsedown.php";
+$Parsedown = new Parsedown();
+$Parsedown->setBreaksEnabled(true);
+$Parsedown->setSafeMode(true);
+$Parsedown->setMarkupEscaped(true);
+
+if($_GET['action'] == 'get_prompt'){
+
+    $file=file('wp.markdown'); //返回数组的内容
+        foreach($file as $v){
+                echo $Parsedown->text($v);
+
+    }
+}
+?>

Pass-03/index.php

@@ -0,0 +1,73 @@
+<?php
+include '../config.php';
+include '../common.php';
+include '../head.php';
+include '../card.php';
+
+$is_upload = false;
+$msg = null;
+if (isset($_POST['submit'])) {
+    if (file_exists(UPLOAD_PATH)) {
+        $deny_ext = array('.asp','.aspx','.php','.jsp');
+        $file_name = trim($_FILES['upload_file']['name']);
+        $file_name = deldot($file_name);//删除文件名末尾的点
+        $file_ext = strrchr($file_name, '.');
+        $file_ext = strtolower($file_ext); //转换为小写
+        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
+        $file_ext = trim($file_ext); //收尾去空
+
+        if(!in_array($file_ext, $deny_ext)) {
+            $temp_file = $_FILES['upload_file']['tmp_name'];
+            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
+            if (move_uploaded_file($temp_file,$img_path)) {
+                 $is_upload = true;
+            } else {
+                $msg = '上传出错！';
+            }
+        } else {
+            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';
+        }
+    } else {
+        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
+    }
+}
+?>
+
+    <ol>
+        <li>
+            <h3>任务</h3>
+            <p>上传一个<code>webshell</code>到服务器。</p>
+        </li>
+        <li>
+            <h3>上传区</h3>
+            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
+                <p>请选择要上传的图片：<p>
+                <input class="input_file" type="file" name="upload_file"/>
+                <input class="button" type="submit" name="submit" value="上传"/>
+            </form>
+            <div id="msg">
+                <?php 
+                    if($msg != null){
+                        echo "提示：".$msg;
+                    }
+                ?>
+            </div>
+            <div id="img">
+                <?php
+                    if($is_upload){
+                        echo '<img src="'.$img_path.'" width="250px" />';
+                    }
+                ?>
+            </div>
+        </li>
+        <?php 
+            if($_GET['action'] == "show_code"){
+                include 'show_code.php';
+            }
+        ?>
+    </ol>
+</div>
+
+<?php
+include '../footer.php';
+?>