添加Pass-20
c0ny1 committed Jan 13, 2019
1 parent 90cb7de commit e7885e4
Showing 5 changed files with 141 additions and 2 deletions.
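--- a/Pass-20/helper.php
+++ b/Pass-20/helper.php
@@ -0,0 +1,5 @@
+<?php
+if($_GET['action'] == 'get_prompt'){
+echo 'Pass-20来源于CTF,请审计代码!';
+}
+?>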
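Review bot: `$_GET['action']` is read in the `if` without checking that the key exists, so a request without `action` raises an undefined-index notice, which discloses the script path when errors are displayed. Guarding the read avoids that: `if (isset($_GET['action']) && $_GET['action'] === 'get_prompt') {`. The same unguarded read appears before `include 'show_code.php'` in Pass-20/index.php.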
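--- a/Pass-20/index.php
+++ b/Pass-20/index.php
@@ -0,0 +1,94 @@
+<?php
+include '../config.php';
+include '../common.php';
+include '../head.php';
+include '../menu.php';
+
+
+if (isset($_POST['submit'])) {
+if (file_exists(UPLOAD_PATH)) {
+
+$is_upload = false;
+$msg = null;
+if(!empty($_FILES['upload_file'])){
+//mime check
+$allow_type = array('image/jpeg','image/png','image/gif');
+if(!in_array($_FILES['upload_file']['type'],$allow_type)){
+$msg = "禁止上传该类型文件!";
+}else{
+//check filename
+$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
+if (!is_array($file)) {
+$file = explode('.', strtolower($file));
+}
+
+$ext = end($file);
+$allow_suffix = array('jpg','png','gif');
+if (!in_array($ext, $allow_suffix)) {
+$msg = "禁止上传该后缀文件!";
+}else{
+$file_name = reset($file) . '.' . $file[count($file) - 1];
+$temp_file = $_FILES['upload_file']['tmp_name'];
+$img_path = UPLOAD_PATH . '/' .$file_name;
+if (move_uploaded_file($temp_file, $img_path)) {
+$msg = "文件上传成功!";
+$is_upload = true;
+} else {
+$msg = "文件上传失败!";
+}
+}
+}
+}else{
+$msg = "请选择要上传的文件!";
+}
+
+} else {
+$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
+}
+}
+
+
+
+?>
+
+<div id="upload_panel">
+<ol>
+<li>
+<h3>任务</h3>
+<p>上传一个<code>webshell</code>到服务器。</p>
+</li>
+<li>
+<h3>上传区</h3>
+<form enctype="multipart/form-data" method="post">
+<p>请选择要上传的图片:<p>
+<input class="input_file" type="file" name="upload_file"/>
+<p>保存名称:<p>
+<input class="input_text" type="text" name="save_name" value="upload-20.jpg" /><br/>
+<input class="button" type="submit" name="submit" value="上传"/>
+</form>
+<div id="msg">
+<?php
+if($msg != null){
+echo "提示:".$msg;
+}
+?>
+</div>
+<div id="img">
+<?php
+if($is_upload){
+echo '<img src="'.$img_path.'" width="250px" />';
+}
+?>
+</div>
+</li>
+<?php
+if($_GET['action'] == "show_code"){
+include 'show_code.php';
+}
+?>
+</ol>
+</div>
+
+<?php
+include '../footer.php';
+?>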
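Review bot: The extension check and the saved name are computed from different elements whenever `save_name` arrives as an array: `end($file)` returns the last element in insertion order, while `$file[count($file) - 1]` looks up a numeric key that need not be that element, and the `is_array` branch skips the `explode`/`strtolower` normalisation entirely. The allow-list therefore validates one value while `move_uploaded_file` writes a name built from another, and neither `reset($file)` nor the joined result is stripped of directory separators. The check on `$_FILES['upload_file']['type']` adds no assurance either, since that field is supplied by the client. A handler meant to hold should reject a non-string `save_name`, take `basename()` of it, and derive both the checked extension and the stored name from one `pathinfo()` result, as sketched below. If the mismatch is the exercise this pass is built around, a comment in index.php saying so keeps the block from being copied as a reference upload handler.

```php
// … unchanged: MIME allow-list check …
$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
if (!is_string($file)) {
    $msg = "禁止上传该后缀文件!";
} else {
    // Validate and store the same value: one basename, one pathinfo() result.
    $parts = pathinfo(basename(strtolower($file)));
    $ext = isset($parts['extension']) ? $parts['extension'] : '';
    $allow_suffix = array('jpg','png','gif');
    if ($parts['filename'] === '' || !in_array($ext, $allow_suffix, true)) {
        $msg = "禁止上传该后缀文件!";
    } else {
        $file_name = $parts['filename'] . '.' . $ext;
        // … unchanged: move_uploaded_file() and result messages …
    }
}
```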
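--- a/Pass-20/show_code.php
+++ b/Pass-20/show_code.php
@@ -0,0 +1,39 @@
+<li id="show_code">
+<h3>代码</h3>
+<pre>
+<code class="line-numbers language-php">$is_upload = false;
+$msg = null;
+if(!empty($_FILES['upload_file'])){
+//检查MIME
+$allow_type = array('image/jpeg','image/png','image/gif');
+if(!in_array($_FILES['upload_file']['type'],$allow_type)){
+$msg = "禁止上传该类型文件!";
+}else{
+//检查文件名
+$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
+if (!is_array($file)) {
+$file = explode('.', strtolower($file));
+}
+
+$ext = end($file);
+$allow_suffix = array('jpg','png','gif');
+if (!in_array($ext, $allow_suffix)) {
+$msg = "禁止上传该后缀文件!";
+}else{
+$file_name = reset($file) . '.' . $file[count($file) - 1];
+$temp_file = $_FILES['upload_file']['tmp_name'];
+$img_path = UPLOAD_PATH . '/' .$file_name;
+if (move_uploaded_file($temp_file, $img_path)) {
+$msg = "文件上传成功!";
+$is_upload = true;
+} else {
+$msg = "文件上传失败!";
+}
+}
+}
+}else{
+$msg = "请选择要上传的文件!";
+}
+</code>
+</pre>
+</li>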
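Review bot: The listing inside `<code>` is a hand-maintained copy of the handler added in Pass-20/index.php, and the two already differ: the comments here read `//检查MIME` and `//检查文件名` where index.php has `//mime check` and `//check filename`, and the `isset($_POST['submit'])` and `file_exists(UPLOAD_PATH)` guards are left out. Nothing ties the copy to the code that runs, so a later change to the handler can leave readers auditing logic the server no longer executes. A first-line comment such as `<?php /* mirrors the upload handler in index.php; update both together */ ?>` would flag the coupling. The text is also emitted unescaped, so any `<` or `&` introduced into the copied code later would need HTML escaping to render correctly.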
2 changes: 1 addition & 1 deletion config.php
@@ -8,5 +8,5 @@
//文件包含漏洞页面
define("INC_VUL_PATH",APP_URL_ROOT . "/include.php");
//设置上传目录
define("UPLOAD_PATH", "../upload/");
define("UPLOAD_PATH", "../upload");
?>
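Review bot: The two `define("UPLOAD_PATH", …)` lines differ only in the trailing slash, and nothing in the file tells callers which form to expect: a page that builds its destination as `UPLOAD_PATH . $name` and one that builds `UPLOAD_PATH . '/' . $name` resolve to different paths depending on the value. Pass-20/index.php in this commit adds the `'/'` itself; the other passes are not visible here, so whether they all do the same is worth checking before the constant changes. Stating the convention above the define, e.g. `// upload directory, no trailing slash: callers append '/'`, would make the contract explicit. The hunk starts at line 8 of config.php, so the earlier defines are outside the view.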
3 changes: 2 additions & 1 deletion menu.php
@@ -18,6 +18,7 @@
<li><a id="Pass-16" href="<?php echo APP_URL_ROOT;?>/Pass-16/index.php">Pass-16</a></li>
<li><a id="Pass-17" href="<?php echo APP_URL_ROOT;?>/Pass-17/index.php">Pass-17</a></li>
<li><a id="Pass-18" href="<?php echo APP_URL_ROOT;?>/Pass-18/index.php">Pass-18</a></li>
<li><a id="Pass-19" href="<?php echo APP_URL_ROOT;?>/Pass-19/index.php">Pass-19</a></li>
<li><a id="Pass-19" href="<?php echo APP_URL_ROOT;?>/Pass-19/index.php">Pass-19</a></li>
<li><a id="Pass-20" href="<?php echo APP_URL_ROOT;?>/Pass-20/index.php">Pass-20</a></li>
</ul>
</div>
