WP-Insomni hacker's Teaser 2019 l33t-hoster

题目复现

https://github.com/Tiaonmmn/insomniteaser_2019_l33t_hoster

1
2
3
4
git clone https://github.com/Tiaonmmn/insomniteaser_2019_l33t_hoster.git
cd insomniteaser_2019_l33t_hoster/
docker-compose up -d
docker run -d -p 1000:80 insomniteaser_2019_l33t_hoster:latest

访问 http://[Your IP]:1000 即可

题目解析

查看源码获得提示,访问 /?source 得到源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
<?php
if (isset($_GET["source"]))
die(highlight_file(__FILE__));

session_start();

if (!isset($_SESSION["home"])) {
$_SESSION["home"] = bin2hex(random_bytes(20));
}
$userdir = "images/{$_SESSION["home"]}/";
if (!file_exists($userdir)) {
mkdir($userdir);
}

$disallowed_ext = array(
"php",
"php3",
"php4",
"php5",
"php7",
"pht",
"phtm",
"phtml",
"phar",
"phps",
);


if (isset($_POST["upload"])) {
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die("yuuuge fail");
}

$tmp_name = $_FILES["image"]["tmp_name"];
$name = $_FILES["image"]["name"];
$parts = explode(".", $name);
$ext = array_pop($parts);

if (empty($parts[0])) {
array_shift($parts);
}

if (count($parts) === 0) {
die("lol filename is empty");
}

if (in_array($ext, $disallowed_ext, TRUE)) {
die("lol nice try, but im not stupid dude...");
}

$image = file_get_contents($tmp_name);
if (mb_strpos($image, "<?") !== FALSE) {
die("why would you need php in a pic.....");
}

if (!exif_imagetype($tmp_name)) {
die("not an image.");
}

$image_size = getimagesize($tmp_name);
if ($image_size[0] !== 1337 || $image_size[1] !== 1337) {
die("lol noob, your pic is not l33t enough");
}

$name = implode(".", $parts);
move_uploaded_file($tmp_name, $userdir . $name . "." . $ext);
}

echo "<h3>Your <a href=$userdir>files</a>:</h3><ul>";
foreach(glob($userdir . "*") as $file) {
echo "<li><a href='$file'>$file</a></li>";
}
echo "</ul>";

?>
AbelChe wechat
扫码加微信
Donate here!!!
0%