Merge pull request #3 from hduisa/evilddog

merge evilddog

clean.sh

@@ -0,0 +1,9 @@
+#! /bin/bash 
+
+while true
+do
+	#echo "+-----------------------------------------------------------------+"
+	ls -al uploads/ > 33384bb51f3f987a7db3f0301a01a43f.log
+	mv uploads/*.png /root/test
+	sleep 2s
+done

uploads.php

@@ -0,0 +1,78 @@
+<?php
+
+	if (isset($_POST['upload'])){
+
+
+		$httpReferer = $_SERVER['HTTP_REFERER'];
+		$fileError = $_FILES["uploadfile"]["error"];
+		$fileName = $_FILES["uploadfile"]["name"];
+		$fileRename = md5( time() . $fileName ) . ".png";
+		$fileSize = $_FILES["uploadfile"]["size"];
+		$fileSudffix = substr(strrchr($fileRename, "."), 1);
+		$fileTempName = $_FILES["uploadfile"]["tmp_name"];
+		$fileType = $_FILES["uploadfile"]["type"];
+		$uploadDir = 'uploads/';
+		list($width, $height) = getimagesize($_FILES["uploadfile"]["tmp_name"]);
+
+		if($fileError > 0 ){
+			echo "Upload Error" . "<br/>";
+		}
+
+		if(strstr($fileName, "'")){
+			echo "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 23333";
+
+		}
+
+		if( $fileSudffix == "png" 
+			&& $fileType == "image/png" 
+			&& !($width == 64 && $height == 64)
+			&& $fileSize < 20*1024 ){
+
+
+			echo "Upload: " . $fileName . "<br/>";
+			echo "Type: " . $fileType . "<br/>";
+			echo "Size: " . ($fileSize / 1024) . "<br/>";
+			echo "Temp file: " . $fileTempName . "<br/>";
+
+
+			if (file_exists("uploads/" . $fileRename)){
+
+				echo $fileRename . " is exist." . "<br/>";
+
+			}else{
+
+
+				move_uploaded_file($fileTempName, "uploads/" . $fileRename);
+
+				echo "Stored in :" . "uploads/" . "renameBymd5.png" . "<br/>";
+
+				$newWidth = 64;
+				$newHeight = 64;
+
+				$newImage = imagecreatetruecolor($newWidth, $newHeight);
+
+				$imageIdentifier = imagecreatefrompng("uploads/" . $fileRename);
+
+				imagecopyresampled($newImage, $imageIdentifier, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height);
+
+				imagepng($newImage, "uploads/" . $fileRename);
+
+				@include("uploads/" . $fileRename);
+
+			}
+
+		}else{
+
+			echo "Oops?! What are you doing???" . "<!-- H3i3 i5 n0 f1ag-->";
+			#echo "Upload: " . $fileRename . "<br/>";
+			#echo "Type: " . $fileType . "<br/>";
+			#echo "Size: " . ($fileSize / 1024) . "<br/>";
+			#echo "Temp file: " . $fileTempName . "<br/>";
+
+		}
+
+	}else{
+
+		header("Location: index.html");
+
+	}

长江防线固若金汤/Readme.md

@@ -0,0 +1,31 @@
+web 275
+
+这道题其实非常简单，打开就一个上传点，源码中title提示upload image，注释提示要小于20KB，于是尝试png、jpg、bmp，发现png可以上传
+
+上传之后发现会输出png到页面，猜想上传包含webshell的图getshell
+
+提示文件上传后会被重命名为一段hash，其实是md5(time()+filename)这一点其实很好猜
+
+如果不猜一样很容易找到，因为一秒内上传多次会提示重命名后的文件已存在
+
+down下来文件会发现所有图片都会被缩放成64x64，如果上传64x64的图片可能会被原样输出
+
+这个方法出题人本地测试过，于是禁止了64x64图片上传，那么只有一种方法
+
+构造缩放后能够出现webshell的正常png图片，在上传之后会输出到upload.php
+
+之前还有两个坑，一个是重命名后的文件名，还有一个是filename如果包含`'`会强行echo报错(XD
+
+不过老赛棍都能一眼看出来是个坑
+
+在出题之后出题人才发现这篇文章freebuf已经有了翻译，所以把缩放大小改成了64
+
+并且删除了原题目中2s清空upload的sh脚本，保留了上传太快会暴露重命名后的图片名，分值降为275
+
+这道题目直到最后一天上午只有4支队伍开出来，导致很多队伍没有时间做题，所以最终没有队伍做出来
+
+
+
+Referer:[https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
+
+

长江防线固若金汤/clean.sh

@@ -0,0 +1,9 @@
+#! /bin/bash 
+
+while true
+do
+	#echo "+-----------------------------------------------------------------+"
+	ls -al uploads/ > 33384bb51f3f987a7db3f0301a01a43f.log
+	mv uploads/*.png /root/test
+	sleep 2s
+done

长江防线固若金汤/index.html

@@ -0,0 +1,6 @@
+<title>Please upload an image!</title>
+<form enctype="multipart/form-data" action="uploads.php" method="POST">
+  <!--<input type="hidden" value="20480" name="MAX_FILE_SIZE" />-->
+  <input type="submit" name="upload" value="Send file" />
+  <input type="file" name="uploadfile" />
+</form>

长江防线固若金汤/uploads.php

@@ -0,0 +1,78 @@
+<?php
+
+	if (isset($_POST['upload'])){
+
+
+		$httpReferer = $_SERVER['HTTP_REFERER'];
+		$fileError = $_FILES["uploadfile"]["error"];
+		$fileName = $_FILES["uploadfile"]["name"];
+		$fileRename = md5( time() . $fileName ) . ".png";
+		$fileSize = $_FILES["uploadfile"]["size"];
+		$fileSudffix = substr(strrchr($fileRename, "."), 1);
+		$fileTempName = $_FILES["uploadfile"]["tmp_name"];
+		$fileType = $_FILES["uploadfile"]["type"];
+		$uploadDir = 'uploads/';
+		list($width, $height) = getimagesize($_FILES["uploadfile"]["tmp_name"]);
+
+		if($fileError > 0 ){
+			echo "Upload Error" . "<br/>";
+		}
+
+		if(strstr($fileName, "'")){
+			echo "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 23333";
+
+		}
+
+		if( $fileSudffix == "png" 
+			&& $fileType == "image/png" 
+			&& !($width == 64 && $height == 64)
+			&& $fileSize < 20*1024 ){
+
+
+			echo "Upload: " . $fileName . "<br/>";
+			echo "Type: " . $fileType . "<br/>";
+			echo "Size: " . ($fileSize / 1024) . "<br/>";
+			echo "Temp file: " . $fileTempName . "<br/>";
+
+
+			if (file_exists("uploads/" . $fileRename)){
+
+				echo $fileRename . " is exist." . "<br/>";
+
+			}else{
+
+
+				move_uploaded_file($fileTempName, "uploads/" . $fileRename);
+
+				echo "Stored in :" . "uploads/" . "renameBymd5.png" . "<br/>";
+
+				$newWidth = 64;
+				$newHeight = 64;
+
+				$newImage = imagecreatetruecolor($newWidth, $newHeight);
+
+				$imageIdentifier = imagecreatefrompng("uploads/" . $fileRename);
+
+				imagecopyresampled($newImage, $imageIdentifier, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height);
+
+				imagepng($newImage, "uploads/" . $fileRename);
+
+				@include("uploads/" . $fileRename);
+
+			}
+
+		}else{
+
+			echo "Oops?! What are you doing???" . "<!-- H3i3 i5 n0 f1ag-->";
+			#echo "Upload: " . $fileRename . "<br/>";
+			#echo "Type: " . $fileType . "<br/>";
+			#echo "Size: " . ($fileSize / 1024) . "<br/>";
+			#echo "Temp file: " . $fileTempName . "<br/>";
+
+		}
+
+	}else{
+
+		header("Location: index.html");
+
+	}