diff --git a/clean.sh b/clean.sh
new file mode 100755
index 0000000..782bd59
--- /dev/null
+++ b/clean.sh
@@ -0,0 +1,9 @@
+#! /bin/bash
+
+while true
+do
+ #echo "+-----------------------------------------------------------------+"
+ ls -al uploads/ > 33384bb51f3f987a7db3f0301a01a43f.log
+ mv uploads/*.png /root/test
+ sleep 2s
+done
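Review bot: `ls -al uploads/ > 33384bb51f3f987a7db3f0301a01a43f.log` writes the listing into the script's current working directory, and the relative `uploads/` suggests that is the web root (the launch context is not in the diff), so the renamed upload names the challenge otherwise keeps secret would be served as a static file; write it to a path outside the document root (constructed example: `/var/log/clean-uploads.log`) or drop the line. `mv uploads/*.png /root/test` is unquoted and unguarded: with no `nullglob` an empty directory passes the literal pattern to `mv`, which errors every two seconds, and `/root/test` is never checked to exist, so replace it with `files=(uploads/*.png)` followed by `(( ${#files[@]} )) && mv -- "${files[@]}" /root/test/` after `shopt -s nullglob`. The script also has no `set -u`, no logging of failures and no way to stop other than killing it; a `trap` on EXIT/TERM and a short header comment stating what it cleans and why would help whoever operates the box. The identical hunk appears again for the copy of clean.sh in the per-challenge directory at the second `@@ -0,0 +1,9 @@`.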
diff --git a/uploads.php b/uploads.php
new file mode 100644
index 0000000..f9090e0
--- /dev/null
+++ b/uploads.php
@@ -0,0 +1,78 @@
+ 0 ){
+ echo "Upload Error" . "
";
+ }
+
+ if(strstr($fileName, "'")){
+ echo "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 23333";
+
+ }
+
+ if( $fileSudffix == "png"
+ && $fileType == "image/png"
+ && !($width == 64 && $height == 64)
+ && $fileSize < 20*1024 ){
+
+
+ echo "Upload: " . $fileName . "
";
+ echo "Type: " . $fileType . "
";
+ echo "Size: " . ($fileSize / 1024) . "
";
+ echo "Temp file: " . $fileTempName . "
";
+
+
+ if (file_exists("uploads/" . $fileRename)){
+
+ echo $fileRename . " is exist." . "
";
+
+ }else{
+
+
+ move_uploaded_file($fileTempName, "uploads/" . $fileRename);
+
+ echo "Stored in :" . "uploads/" . "renameBymd5.png" . "
";
+
+ $newWidth = 64;
+ $newHeight = 64;
+
+ $newImage = imagecreatetruecolor($newWidth, $newHeight);
+
+ $imageIdentifier = imagecreatefrompng("uploads/" . $fileRename);
+
+ imagecopyresampled($newImage, $imageIdentifier, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height);
+
+ imagepng($newImage, "uploads/" . $fileRename);
+
+ @include("uploads/" . $fileRename);
+
+ }
+
+ }else{
+
+ echo "Oops?! What are you doing???" . "";
+ #echo "Upload: " . $fileRename . "
";
+ #echo "Type: " . $fileType . "
";
+ #echo "Size: " . ($fileSize / 1024) . "
";
+ #echo "Temp file: " . $fileTempName . "
";
+
+ }
+
+ }else{
+
+ header("Location: index.html");
+
+ }
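Review bot: The results of `move_uploaded_file` and `imagecreatefrompng` are never checked, so when the stored file is not a decodable PNG the resize that is meant to normalise it is skipped and, depending on the PHP version, either a TypeError or a warning follows before `imagepng`/`@include` run against the raw upload; guard it with `if ($imageIdentifier === false) { unlink("uploads/" . $fileRename); exit("Upload Error"); }` and test `move_uploaded_file` the same way. `@include("uploads/" . $fileRename)` executes the upload as PHP and the `@` hides any parse or runtime diagnostics; the Readme presents this as the intended challenge surface, so a comment such as `// CTF: intentional — the resized upload is included as PHP` belongs on that line so it is not mistaken for production code. The "Stored in :" message hard-codes `renameBymd5.png` while the `file_exists` branch prints `$fileRename`, which looks inconsistent unless the mismatch is a deliberate hint. The hunk as rendered starts at `0 ){` and shows fewer than the 78 lines its header declares, so the opening condition and the assignments of `$fileName`, `$fileSudffix`, `$width`, `$height` and `$fileRename` are not visible; what is visible is that neither the "Upload Error" echo nor the fake SQL-syntax echo stops execution. The same hunk recurs for the copy of uploads.php in the per-challenge directory at the second `@@ -0,0 +1,78 @@`.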
diff --git a/uploads/20fb33a13d42b2f03bae134d5cf2049a.png b/uploads/20fb33a13d42b2f03bae134d5cf2049a.png
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and b/uploads/20fb33a13d42b2f03bae134d5cf2049a.png differ
diff --git a/uploads/4498b16ae04baecf3d033b4d84324f17.png b/uploads/4498b16ae04baecf3d033b4d84324f17.png
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and b/uploads/4498b16ae04baecf3d033b4d84324f17.png differ
diff --git a/uploads/4a7748d22c314b089ce291fafb4087c6.png b/uploads/4a7748d22c314b089ce291fafb4087c6.png
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and b/uploads/4a7748d22c314b089ce291fafb4087c6.png differ
diff --git a/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png b/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and b/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png differ
diff --git a/uploads/97626c89716856cf38a706dd7e13aa9e.png b/uploads/97626c89716856cf38a706dd7e13aa9e.png
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and b/uploads/97626c89716856cf38a706dd7e13aa9e.png differ
diff --git a/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png b/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and b/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png differ
diff --git a/uploads/a5aa1cc363106ba9f668650fba91a796.png b/uploads/a5aa1cc363106ba9f668650fba91a796.png
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and b/uploads/a5aa1cc363106ba9f668650fba91a796.png differ
diff --git a/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png b/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and b/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png differ
diff --git a/uploads/c2639124e42efe1ce6434983b5f996fe.png b/uploads/c2639124e42efe1ce6434983b5f996fe.png
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and b/uploads/c2639124e42efe1ce6434983b5f996fe.png differ
diff --git a/uploads/c30d18dd845484f73f450845716117b2.png b/uploads/c30d18dd845484f73f450845716117b2.png
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and b/uploads/c30d18dd845484f73f450845716117b2.png differ
diff --git a/uploads/dce4a3076f6695333e539e8dcafbdd52.png b/uploads/dce4a3076f6695333e539e8dcafbdd52.png
new file mode 100644
index 0000000..a16e949
Binary files /dev/null and b/uploads/dce4a3076f6695333e539e8dcafbdd52.png differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md"
new file mode 100644
index 0000000..04291b4
--- /dev/null
+++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md"
@@ -0,0 +1,31 @@
+web 275
+
+这道题其实非常简单,打开就一个上传点,源码中title提示upload image,注释提示要小于20KB,于是尝试png、jpg、bmp,发现png可以上传
+
+上传之后发现会输出png到页面,猜想上传包含webshell的图getshell
+
+提示文件上传后会被重命名为一段hash,其实是md5(time()+filename)这一点其实很好猜
+
+如果不猜一样很容易找到,因为一秒内上传多次会提示重命名后的文件已存在
+
+down下来文件会发现所有图片都会被缩放成64x64,如果上传64x64的图片可能会被原样输出
+
+这个方法出题人本地测试过,于是禁止了64x64图片上传,那么只有一种方法
+
+构造缩放后能够出现webshell的正常png图片,在上传之后会输出到upload.php
+
+之前还有两个坑,一个是重命名后的文件名,还有一个是filename如果包含`'`会强行echo报错(XD
+
+不过老赛棍都能一眼看出来是个坑
+
+在出题之后出题人才发现这篇文章freebuf已经有了翻译,所以把缩放大小改成了64
+
+并且删除了原题目中2s清空upload的sh脚本,保留了上传太快会暴露重命名后的图片名,分值降为275
+
+这道题目直到最后一天上午只有4支队伍开出来,导致很多队伍没有时间做题,所以最终没有队伍做出来
+
+
+
+Referer:[https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
+
+
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh"
new file mode 100755
index 0000000..782bd59
--- /dev/null
+++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh"
@@ -0,0 +1,9 @@
+#! /bin/bash
+
+while true
+do
+ #echo "+-----------------------------------------------------------------+"
+ ls -al uploads/ > 33384bb51f3f987a7db3f0301a01a43f.log
+ mv uploads/*.png /root/test
+ sleep 2s
+done
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html"
new file mode 100644
index 0000000..9574e7c
--- /dev/null
+++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html"
@@ -0,0 +1,6 @@
+
Please upload an image!
+
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php"
new file mode 100644
index 0000000..f9090e0
--- /dev/null
+++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php"
@@ -0,0 +1,78 @@
+ 0 ){
+ echo "Upload Error" . "
";
+ }
+
+ if(strstr($fileName, "'")){
+ echo "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 23333";
+
+ }
+
+ if( $fileSudffix == "png"
+ && $fileType == "image/png"
+ && !($width == 64 && $height == 64)
+ && $fileSize < 20*1024 ){
+
+
+ echo "Upload: " . $fileName . "
";
+ echo "Type: " . $fileType . "
";
+ echo "Size: " . ($fileSize / 1024) . "
";
+ echo "Temp file: " . $fileTempName . "
";
+
+
+ if (file_exists("uploads/" . $fileRename)){
+
+ echo $fileRename . " is exist." . "
";
+
+ }else{
+
+
+ move_uploaded_file($fileTempName, "uploads/" . $fileRename);
+
+ echo "Stored in :" . "uploads/" . "renameBymd5.png" . "
";
+
+ $newWidth = 64;
+ $newHeight = 64;
+
+ $newImage = imagecreatetruecolor($newWidth, $newHeight);
+
+ $imageIdentifier = imagecreatefrompng("uploads/" . $fileRename);
+
+ imagecopyresampled($newImage, $imageIdentifier, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height);
+
+ imagepng($newImage, "uploads/" . $fileRename);
+
+ @include("uploads/" . $fileRename);
+
+ }
+
+ }else{
+
+ echo "Oops?! What are you doing???" . "";
+ #echo "Upload: " . $fileRename . "
";
+ #echo "Type: " . $fileType . "
";
+ #echo "Size: " . ($fileSize / 1024) . "
";
+ #echo "Temp file: " . $fileTempName . "
";
+
+ }
+
+ }else{
+
+ header("Location: index.html");
+
+ }
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/20fb33a13d42b2f03bae134d5cf2049a.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/20fb33a13d42b2f03bae134d5cf2049a.png"
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/20fb33a13d42b2f03bae134d5cf2049a.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4498b16ae04baecf3d033b4d84324f17.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4498b16ae04baecf3d033b4d84324f17.png"
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4498b16ae04baecf3d033b4d84324f17.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4a7748d22c314b089ce291fafb4087c6.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4a7748d22c314b089ce291fafb4087c6.png"
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4a7748d22c314b089ce291fafb4087c6.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png"
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/97626c89716856cf38a706dd7e13aa9e.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/97626c89716856cf38a706dd7e13aa9e.png"
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/97626c89716856cf38a706dd7e13aa9e.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png"
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a5aa1cc363106ba9f668650fba91a796.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a5aa1cc363106ba9f668650fba91a796.png"
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a5aa1cc363106ba9f668650fba91a796.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png"
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c2639124e42efe1ce6434983b5f996fe.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c2639124e42efe1ce6434983b5f996fe.png"
new file mode 100644
index 0000000..21bf237
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c2639124e42efe1ce6434983b5f996fe.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c30d18dd845484f73f450845716117b2.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c30d18dd845484f73f450845716117b2.png"
new file mode 100644
index 0000000..816f8c4
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c30d18dd845484f73f450845716117b2.png" differ
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/dce4a3076f6695333e539e8dcafbdd52.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/dce4a3076f6695333e539e8dcafbdd52.png"
new file mode 100644
index 0000000..a16e949
Binary files /dev/null and "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/dce4a3076f6695333e539e8dcafbdd52.png" differ