前言
题解
上传限制png,还会检测尺寸,发包看不到反馈,挺烦的
原来题目还给了源码,
源码
upload.php
<?php
error_reporting(0);
require_once('config.php');
require_once('lib/util.php');
require_once('lib/session.php');
$session = new SecureClientSession(CLIENT_SESSION_ID, SECRET_KEY);
// check whether file is uploaded
if (!file_exists($_FILES['file']['tmp_name']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
error('No file was uploaded.');
}
// check file size
if ($_FILES['file']['size'] > 256000) {
error('Uploaded file is too large.');
}
// check file type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);
if (!in_array($type, ['image/png'])) {
error('Uploaded file is not PNG format.');
}
// check file width/height
$size = getimagesize($_FILES['file']['tmp_name']);
if ($size[0] > 256 || $size[1] > 256) {
error('Uploaded image is too large.');
}
if ($size[2] !== IMAGETYPE_PNG) {
// I hope this never happens...
error('What happened...? OK, the flag for part 1 is: <code>' . getenv('FLAG1') . '</code>');
}
// ok
$filename = bin2hex(random_bytes(4)) . '.png';
move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $filename);
$session->set('avatar', $filename);
flash('info', 'Your avatar has been successfully updated!');
redirect('/');解析
在这拿flag
重点是绕过这里
finfo_file()主要是识别PNG文件十六进制下的第一行信息,若保留文件头信息,破坏掉文件长宽等其余信息,也就可以绕过getimagesize()函数的检验
随便找个图片,删掉多余的东西
上传一下,结束。
测试了下,就第一行,一个字符都不能多,多了就会变成octet-stream
弄本地环境的时候,谷歌浏览器不知道抽什么风,明明设置好了hosts,一会可以,一会有跳转到莫名其妙的网站,隐声模式有没问题,火狐,phpstorm,edge也可以。换了个网址,得,开始隐私错误,越来越想放弃chrome了。
![刷题笔记:[RoarCTF 2019]Simple Upload](/medias/featureimages/57.jpg)
![刷题笔记:[ISITDTU 2019]EasyPHP](/medias/featureimages/74.jpg)