Rock's blog

兴趣是最好的老师

0%

[HarekazeCTF2019]Avatar Uploader 1

Posted on

[HarekazeCTF2019]Avatar Uploader 1

梳理程序功能

  • 登录功能(无验证)
    • 登录后可上传头像
    • 保存在/uploads文件夹下
  • 更换主题
    • 访问的是theme.php

其他注意点

  • cookie是jwt格式

扫描一下目录并尝试文件上传

都试了一下,看来是不行

看一眼wp发现此题要看题目给出的源码

https://github.com/TeamHarekaze/HarekazeCTF2019-challenges/tree/master/avatar_uploader_1/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
// check file type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);

// check file width/height
$size = getimagesize($_FILES['file']['tmp_name']);
if ($size[0] > 256 || $size[1] > 256) {
  error('Uploaded image is too large.');
}
if ($size[2] !== IMAGETYPE_PNG) {
  // I hope this never happens...
  error('What happened...? OK, the flag for part 1 is: <code>' . getenv('FLAG1') . '</code>');
}

upload.php中的finfo_file()getimagesize()分别对传入的图像进行验证。

finfo_file()只会通过图像前几个字节判断文件类型,getimagesize()还会读取文件宽高属性

1
2
3
4
5
6
7
8
9
10
Array
(
    [0] => 961
    [1] => 640
    [2] => 2
    [3] => width="961" height="640"
    [bits] => 8
    [channels] => 3
    [mime] => image/jpeg
)

所以需要删去上传的png图像的宽高数据,只保留前几个字节即可

image-20220216203025802

image-20220216203047619