BUUCTF

[MRCTF2020]你传你呢

Knowledge point: file upload.
1. Apache server: upload a .htaccess file, capturing the request with Burp Suite.

```
AddType application/x-httpd-php .jpg
```
(makes Apache parse .jpg files as PHP)

2. MIME type check bypass: change the Content-Type to image/jpeg.
Upload it.
Then upload the jpg, connect with AntSword (蚁剑); the URL is:

http://b29acfc2-511c-4e8d-9809-f6d603e67757.node3.buuoj.cn/upload/170cb926048a559363653af71ffd6476/1.jpg

Get the flag.
upload.php (the challenge's source):

```php
<?php
session_start();
echo "
";
// one upload directory per session
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    $target_path  = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp  = $_FILES['uploaded']['tmp_name'];

    // extension blacklist: only rejects extensions containing "ph";
    // ".htaccess" yields the extension "htaccess" and passes
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
        die("鎴戞墝your problem?");
    }
    else{
        // MIME check uses the client-supplied Content-Type; size must be under 2048 bytes
        if ((($_FILES["uploaded"]["type"] == "
            ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uploaded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] < 2048)){
            $content = file_get_contents($uploaded_tmp);
            mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
            // file keeps the user-supplied name
            move_uploaded_file($uploaded_tmp, $t_path);
            echo "{$t_path} successfully uploaded!";
        }
        else{
            die("鎴戞墝your problem?");
        }
    }
}
?>
```
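A hardened version of the checks in upload.php above, added here as an example (this is not the challenge's code): it rejects dotfiles such as .htaccess, allowlists extensions, sniffs the stored bytes with finfo instead of trusting the client's Content-Type, and stores the file under a random name. The function names and constants are my own.

```php
<?php
// Added example, not the challenge's code: a hardened replacement for the
// checks in upload.php. It closes the weaknesses the writeup uses: trusting
// $_FILES[...]['type'], blocking only "ph" in the extension (so .htaccess
// passes), and keeping the user's file name.
declare(strict_types=1);

const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_SIZE     = 2048;

/** Returns null when $file (one $_FILES entry) is acceptable, else a reason. */
function validate_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_SIZE) {
        return 'bad size or upload error';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Reject dotfiles and odd characters outright: .htaccess has no real
    // extension and would slip through a suffix-only filter.
    $name = basename($file['name']);
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return 'invalid file name';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'extension not allowed';
    }
    // Never trust $_FILES[...]['type']: it is the client's Content-Type header.
    // Sniff the bytes that were actually written to disk instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return 'content is not an image';
    }
    return null;
}

/** Stores a validated upload under a random name; returns the new path. */
function store_upload(array $file, string $dir): string
{
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}
```

Pair this with `AllowOverride None` for the upload directory and a server configuration that does not execute PHP there, so a written .htaccess is ignored; magic-byte sniffing alone still accepts a valid image with PHP appended.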

[MRCTF2020]Ez_bypass

Knowledge points:
1. md5
[image: the challenge's md5 comparison source]
The former (===) requires the values and the types to be identical; the latter (==) only requires equal values, even when the types differ. This can be bypassed with arrays, GET gg[]=1&id[]=2, because md5() of an array returns NULL, so the two hashes compare equal while the raw parameters differ.
2. The is_numeric function
This function checks whether a variable is a number or a numeric string: it returns true if so and false otherwise. Bypass it by submitting passwd=1234567 followed by arbitrary characters via POST in HackBar.
Reference writeup

[MRCTF2020]PYWebsite

View the page source.
After reading others' writeups, the keyword is IP: add the header
X-Forwarded-For: 127.0.0.1
