热门标签
热门文章
- 1菜刀或蚁剑连接sqlserver2008失败 500错误 解决方法_蚁剑 连接mssql
- 2网络安全中的机器学习5大误解,我知道三个
- 3Gin项目实战07-middleware(接口设置超时时间)及原理剖析_gin 实战
- 4探索 Android App Bundle_app bundle explorer 是什么
- 5经验分享:C++ error:‘syscall’ was not declared in this scope
- 6人工智能之战:Gemini的人工智能驱动的Google Bard vs ChatGPT vs Grok vs Copilot-他们能为你做什么
- 7(C语言课程设计)学生选修课程系统设计_学生选修课系统设计c语言课程设计
- 8计算机专业如何写毕业论文-八大技巧_论文数据库表需要全部放上去吗
- 9大型语言模型综述/总结 LLM A Survey of Large Language Models_大语言模型综述的综述
- 10Java 中 引用拷贝、浅拷贝、深拷贝
当前位置: article > 正文
★文件上传漏洞与Upload-labs靶场分析实战_上传漏洞靶场
作者:weixin_40725706 | 2024-05-27 08:58:44
赞
踩
上传漏洞靶场
网站常用后缀名
phpphp3php5phtmlaspasacdxceraspxashxshtml
小知识:防火墙常见函数
<?php$a=" Wo jin tian lai LE! ";$b=trim($a); //trim() 首尾去空函数echo $b; //Wo jin tian lai LE!?>
<?php$b=deldot($a); // 删除文件名末尾的点echo $b; //?>
<?php$a="wenjian.php"$b=strrchr($a,'.'); //寻找相应位置并且输出及其之后的内容echo $b; //.php?>
<?php$a="HAHA ni hao";$b=strtolower($a); //全部转为小写echo $b; //haha ni hao?>
<?php$a="abcdefg";$b=str_ireplace("b","x",$a); //在$a身上 用x替换becho $b; //axcdefg?>
Pass-01
前端验证 JS验证(用java script去验证)
特点:查看页面源代码 可以查看到相应的script下的function函数
function checkFile() {var file = document.getElementsByName('upload_file')[0].value;if (file == null || file == "") {alert("请选择要上传的文件!");return false;}//定义允许上传的文件类型var allow_ext = ".jpg|.png|.gif";//提取上传文件的类型var ext_name = file.substring(file.lastIndexOf("."));//判断上传文件类型是否允许上传if (allow_ext.indexOf(ext_name + "|") == -1) {var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;alert(errMsg);return false;}}
方法1:burp抓包绕过前端改木马的格式即可
方法2:前端html代码中找到checkfile() 函数 在var allow_ext=".jpg|.png|.gif|.php" 编辑添加php允许上传即可
方法3:删除前端中的on_click=checkfile() 函数 这样直接就可以把文件格式校验给删除掉了
方法4:火狐浏览器右上角直接关闭当前网页js的功能 禁用js就可以绕过验证了
Pass-02 MIME校验(拦截文件类型)
小知识
php默认的文件类型是:application/octet-stream
$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '文件类型不正确,请重新上传!';}} else {$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';}}
//可以把图片和一句话木马隐写合并 也可以传空图片格式 在burp中增加一句话木马的内容
方法1:burp抓包,修改Content-Type(文本类型) 为image/jpeg格式 之后就可以成功上传php了 不需要改后缀 这题没有校验这个
Pass-03 文件名解析绕过 (黑名单,其中的后缀都不允许上传)
小知识:
.php .php3 pht phtml php4都可以当作php执行如何在Apache服务器中调整解析:Apache-->httpd.conf--->搜索AddType--->添加 AddType application/x-httpd-php .php .pht .phtml
$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');$file_name = trim($_FILES['upload_file']['name']); //首尾去空$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; //随机数命名if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}}
方式1:可以上传时修改格式为php1--php9 或者phtml 有可能会成功解析
php1没有解析仅是文字显示 php5也没有解析 php9也没有解析
改格式为pht 之后上传完成功 也可以顺利被执行
phtml上传成功 同时也成功解析了 可以直接操作
Pass-04 .htaccess文件绕过
小知识(实战不推荐使用这种方法,会把文件夹下所有你指定的东西当作php执行)
.htaccess是一个纯文本文件,里面存放着Apache服务器配置相关的一些指令,类似于Apache站点配置文件,只支持本目录(/upload)可以访问控制,url规则等等。
#define width 1337#define height 1337<FilesMatch "123pinfo.jpg">SetHandler application/x-httpd-php</FilesMatch>这里的意思就是将123pinfo.jpg按照php来解析构造好文件后,将其改名为.htaccess(linux下改为htaccess 抓包改名加点) 先上传123pinfo.jpg 再上传.htaccess文件 再去访问123pinfo.jpg 即可得到phpinfo界面
.htaccess文件是php的解析文件 根据文件写的规则,会把相应的东西当作php执行//所有123pinfo.jpg都当作php来执行<FilesMatch "123pinfo.jpg">SetHandler application/x-httpd-php</FilesMatch>//所有文件名中含有haha字样的文件都当作php来执行<FilesMatch "haha">SetHandler application/x-httpd-php</FilesMatch>
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //收尾去空
-
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
方法1:先修改好.htaccess文件(如果规则是图片用php解析的话)并上传(可以直接文件名不加后缀 传相应的名字和jpg后缀也可以)
然后上传图片格式的文件木马 里面有php一句话木马 也可以burp中添加一句话木马语句
之后访问图片地址就可以对其进行php的方式解析了
方法2:.htaccess文件中 FileMatch直接写haha 直接上传的文件名可以是a.haha 这样haha也可以被当做php执行 同样可行
Pass-05 文件包含漏洞绕过/文件后缀名大小写绕过
小知识:windows系统不区分大小写 linux系统严格区分大小写
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
方法1:文件包含漏洞绕过(php的文件包含会将任何一个文件当做php来执行)
条件:httpd.conf中开启改为 allow_url_include=1
(1)将php木马的后缀改成jpg等图片格式然后上传成功 如haha.jpg
(2)开始进行文件包含即可
本地文件包含http://127.0.0.1/include.php?file=./upload/haha.jpg
//远程文件包含 http://127.0.0.1/include.php?file=http://127.0.0.1/upload/haha.jpg
方法2:大小写绕过
haha.phP文件名即可过滤掉
Pass-06 windows空格绕过
小知识:
相比之下少了一个首尾去空的函数windows空格绕过文件后缀名不允许存在空格 如果存在 windows会自动把空格去掉
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
- $file_name = $_FILES['upload_file']['name'];
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file,$img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件不允许上传';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
用burp抓包haha.php文件 上传后在php后面加个空格再上传就可以了 主要是绕过服务器上传的限制 并不影响windows那边的文件后缀
Pass-07 windows点绕过
windows系统的后缀不允许存在点 如果有会自动删除特殊文件名绕过:(点绕过/空格绕过)比如发送的http包里把文件名改成test.asp. 或者 test.asp_ (下划线为空格)这种命名方式在windows系统中是不被允许的,所以需要在burp中修改再上传,然后绕过验证之后,会被windows系统自动去掉后面的点和空格但要注意unix/linux系统没有这个特性
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
上传haha.php 之后burp抓包 把文件名改成 haha.php. 这样上传成功以后 windows服务器那里会自动改成haha.php 成功绕过服务器限制
Pass-08 windows ::$DATA绕过
::$DATA 是windows的NTFS文件系统中的默认属性::$DATA 绕过方式:针对的目标系统是windows 表示以流的形式进行绕过会把::$DATA本身及其之后的内容当作数据流 仅保留::$DATA之前的文件名内容
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
上传的时候将文件名改成 123.php::$DATA即可上传成功
上传成功后访问时直接把::$DATA忽视即可 直接访问相应的php结尾的文件
Pass-09 windows追加执行(点空格组合绕过,追加绕过)
程序是从上到下执行的 所以它拦截多少次 只要有次数,我们就多一次就行
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
方法1:点空格点绕过 burp抓包修改文件名为xxx.php. . 上传之后空格和点被过滤还剩下一个点 正好绕过服务器限制
方法2:用burp抓包放到Repeater模块中,抓包修改文件名为haha.php:.jpg 后上传成功
但是是空xxx.php的文件
再次修改文件名为:haha.>>> 然后上传 此时是在其中写入内容
也就是上传的是 xxx.php:.jpg 会生成xxx.php的文件 再次上传xxx.>>> 就会在文件中写入代码
Pass-10 双写绕过
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
-
-
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = str_ireplace($deny_ext,"", $file_name);
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }}
filename=haha.pphphp
Pass-11 GET路径绕过(%00截断) (GET请求和POST请求可以同时发生)(GET请求中遇到%00 其及其后面的内容都会被注释 忽略不计)
burp抓包分析发现 POST型提交头中有一个save_path=../upload/ 可以被用于GET提交参数不妨尝试修改这个GET的参数 save_path=../upload/haha.php 将其修改为一个php文件 但是文件没有子目录 所以没办法上传成功根据SQL注入的思想 可以把后续的部分给注释掉 这样就相当于存储文件了 在GET中可以通过%00 进行注释截断但是可以修改上传目录是/upload/123.php 之后上传的是图片文件两个文件的后缀就可以进行拼接 123.phpxbw.jpg所以如果修改上传目录是 /upload/123.php%00那么xbw.jpg就会被%00给注释掉 拼接完文件名就是123.php 也就实现了绕过%00是url编码 由ascii码转化而来的 其可以截断后缀 其本身解析完也是不可见的
$is_upload = false;$msg = null;if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);//strrpos用于定位点所在的位置(如果是针对的是最后一个点 也就是点最后一次出现的地方)//之后借助substr 也就是从点后面的第一个位置开始剪切出来到$file_ext中if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = '上传出错!';}} else{$msg = "只允许上传.jpg|.png|.gif类型文件!";}}
save_path=../upload/haha.php%00.jpg //%00后面的内容也不重要 能绕过服务器就行
filename=m.jpg //文件名不重要
修改完提交即可 相应文件的内容会直接传输到haha.php 可以直接访问
Pass-12 POST路径绕过 (%00截断 先url编码再上传)
小知识:
%xx的情况 POST不会像GET那样对其进行解码 尤其是%00
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $ext_arr = array('jpg','png','gif');
- $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
- if(in_array($file_ext,$ext_arr)){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
-
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = "上传失败";
- }
- } else {
- $msg = "只允许上传.jpg|.png|.gif类型文件!";
- }}
方法1:这关的save_path相比于第11关位置发生了变化而已(出现在了post请求正文中)
此时在post正文 url编码不能被解析 所以需要借助burp对其进行一次url解码 URL-Decode
再次上传也就成功了
../upload/haha.php%00.jpg 然后把%00圈起来右键 Convert selectiong->URL->URL decode
filename="m.jpg"
方法2:修改目录为 /upload/123.php 123
修改hex 把20修改成00也可以上传成功
Pass-13 图片木马文件头验证绕过
首先制作一个简单的图片木马:GIF89a<?php phpinfo() ?>
function getReailFileType($filename){$file = fopen($filename, "rb");$bin = fread($file, 2); //只读2字节fclose($file);$strInfo = @unpack("C2chars", $bin);$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);$fileType = '';switch($typeCode){case 255216:$fileType = 'jpg';break;case 13780:$fileType = 'png';break;case 7173:$fileType = 'gif';break;default:$fileType = 'unknown';}return $fileType;}$is_upload = false;$msg = null;if(isset($_POST['submit'])){$temp_file = $_FILES['upload_file']['tmp_name'];$file_type = getReailFileType($temp_file);if($file_type == 'unknown'){$msg = "文件未知,上传失败!";}else{$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传出错!";}}}
1.上传相应的图片木马绕过检测 gif89a
2.通过文件包含去执行相应的图片木马
http://127.0.0.1/include.php?file=./upload/xxx(图片马上传后的名字)xx.gif
Pass-14 图片木马文件头验证绕过
首先制作一个简单的图片木马:GIF89a<?php phpinfo() ?>
- function isImage($filename){
- $types = '.jpeg|.png|.gif';
- if(file_exists($filename)){
- $info = getimagesize($filename);
- $ext = image_type_to_extension($info[2]);
- if(stripos($types,$ext)>=0){
- return $ext;
- }else{
- return false;
- }
- }else{
- return false;
- }}
-
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $res = isImage($temp_file);
- if(!$res){
- $msg = "文件未知,上传失败!";
- }else{
- $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = "上传出错!";
- }
- }}
方法1:
1.上传相应的图片木马绕过检测 gif89a
2.通过文件包含去执行相应的图片木马
http://127.0.0.1/include.php?file=./upload/xxx(图片马上传后的名字)xx.gif
Pass-15 图片木马文件头验证绕过
首先制作一个简单的图片木马:GIF89a<?php phpinfo() ?>
- function isImage($filename){
- //需要开启php_exif模块
- $image_type = exif_imagetype($filename);
- switch ($image_type) {
- case IMAGETYPE_GIF:
- return "gif";
- break;
- case IMAGETYPE_JPEG:
- return "jpg";
- break;
- case IMAGETYPE_PNG:
- return "png";
- break;
- default:
- return false;
- break;
- }}
-
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $res = isImage($temp_file);
- if(!$res){
- $msg = "文件未知,上传失败!";
- }else{
- $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = "上传出错!";
- }
- }}
方法1:
1.上传相应的图片木马绕过检测 gif89a
2.通过文件包含去执行相应的图片木马
http://127.0.0.1/include.php?file=./upload/xxx(图片马上传后的名字)xx.gif
Pass-16 渲染图片马的绕过/穷举爆破上传
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])){
- // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
- $filename = $_FILES['upload_file']['name'];
- $filetype = $_FILES['upload_file']['type'];
- $tmpname = $_FILES['upload_file']['tmp_name'];
-
- $target_path=UPLOAD_PATH.'/'.basename($filename);
-
- // 获得上传文件的扩展名
- $fileext= substr(strrchr($filename,"."),1);
-
- //判断文件后缀与类型,合法才进行上传操作
- if(($fileext == "jpg") && ($filetype=="image/jpeg")){
- if(move_uploaded_file($tmpname,$target_path)){
- //使用上传的图片生成新的图片
- $im = imagecreatefromjpeg($target_path);
-
- if($im == false){
- $msg = "该文件不是jpg格式的图片!";
- @unlink($target_path); //删除
- }else{
- //给新图片指定文件名
- srand(time());
- $newfilename = strval(rand()).".jpg";
- //显示二次渲染后的图片(使用用户上传图片生成的新图片)
- $img_path = UPLOAD_PATH.'/'.$newfilename;
- imagejpeg($im,$img_path);
- @unlink($target_path);
- $is_upload = true;
- }
- } else {
- $msg = "上传出错!";
- }
-
- }else if(($fileext == "png") && ($filetype=="image/png")){
- if(move_uploaded_file($tmpname,$target_path)){
- //使用上传的图片生成新的图片
- $im = imagecreatefrompng($target_path);
-
- if($im == false){
- $msg = "该文件不是png格式的图片!";
- @unlink($target_path);
- }else{
- //给新图片指定文件名
- srand(time());
- $newfilename = strval(rand()).".png";
- //显示二次渲染后的图片(使用用户上传图片生成的新图片)
- $img_path = UPLOAD_PATH.'/'.$newfilename;
- imagepng($im,$img_path);
-
-
- @unlink($target_path);
- $is_upload = true;
- }
- } else {
- $msg = "上传出错!";
- }
-
- }else if(($fileext == "gif") && ($filetype=="image/gif")){
- if(move_uploaded_file($tmpname,$target_path)){
- //使用上传的图片生成新的图片
- $im = imagecreatefromgif($target_path);
- if($im == false){
- $msg = "该文件不是gif格式的图片!";
- @unlink($target_path);
- }else{
- //给新图片指定文件名
- srand(time());
- $newfilename = strval(rand()).".gif";
- //显示二次渲染后的图片(使用用户上传图片生成的新图片)
- $img_path = UPLOAD_PATH.'/'.$newfilename;
- imagegif($im,$img_path);
-
-
- @unlink($target_path);
- $is_upload = true;
- }
- } else {
- $msg = "上传出错!";
- }
- }else{
- $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
- }}
方法1:上传一个已经被渲染的图片木马,然后通过文件包含漏洞把文件包含进来就可以了
方法2:
BUG点:通过后缀和类型审核以后,会先把文件放到服务器上,再进行判断
可以通过burp抓包 进入爆破模块不停的对随便一个参数穷举 速度足够快的话文件就会约等于一直在服务器
只要传的足够快 服务器就删除不过来,当来不及删除的东西留下了了 我们就可以去访问相应的木马文件了
Pass-17 穷举爆破上传(条件竞争之竞争删除)
- $is_upload = false;$msg = null;
-
- if(isset($_POST['submit'])){
- $ext_arr = array('jpg','png','gif');
- $file_name = $_FILES['upload_file']['name'];
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $file_ext = substr($file_name,strrpos($file_name,".")+1);
- $upload_file = UPLOAD_PATH . '/' . $file_name;
-
- if(move_uploaded_file($te mp_file, $upload_file)){
- if(in_array($file_ext,$ext_arr)){
- $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
- rename($upload_file, $img_path);
- $is_upload = true;
- }else{
- $msg = "只允许上传.jpg|.png|.gif类型文件!";
- unlink($upload_file);
- }
- }else{
- $msg = '上传出错!';
- }}
代码逻辑:首先把文件移动到文件夹中,然后再进行判断
穷举逻辑和16题一样
漏洞点:文件是先成功上传以后再判断是否符合要求,不符合要求再去删除。而不是之前那种先判断后决定要不要上传,所以存在漏洞。
包放到爆破模块去,随便标记一个无关紧要的内容,然后开始攻击,有概率删除不成功。
Pass-18 条件竞争之竞争重命名
代码越多 做的事情就越多 频率很快 服务器就会来不及处理 就会出现条件竞争从而上传成功
原理:文件传上去 之后帮我们进行重命名如果看到代码中出现 .7z .zip .rar .gz 这种压缩类型的文件php有可能会自动解压 把里面的代码放出来
//index.php$is_upload = false;$msg = null;if (isset($_POST['submit'])){require_once("./myupload.php");$imgFileName =time(); //以当前的时间对文件进行命名$u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);$status_code = $u->upload(UPLOAD_PATH);switch ($status_code) {case 1:$is_upload = true;$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;break;case 2:$msg = '文件已经被上传,但没有重命名。';break;case -1:$msg = '这个文件不能上传到服务器的临时文件存储目录。';break;case -2:$msg = '上传失败,上传目录不可写。';break;case -3:$msg = '上传失败,无法上传该类型文件。';break;case -4:$msg = '上传失败,上传的文件过大。';break;case -5:$msg = '上传失败,服务器已经存在相同名称文件。';break;case -6:$msg = '文件无法上传,文件不能复制到目标目录。';break;default:$msg = '未知错误!';break;}}//myupload.phpclass MyUpload{..................var $cls_arr_ext_accepted = array(".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",".html", ".xml", ".tiff", ".jpeg", ".png" );................../** upload()**** Method to upload the file.** This is the only method to call outside the class.** @para String name of directory we upload to** @returns void**/function upload( $dir ){$ret = $this->isUploadedFile();if( $ret != 1 ){return $this->resultUpload( $ret );}$ret = $this->setDir( $dir );if( $ret != 1 ){return $this->resultUpload( $ret );}$ret = $this->checkExtension();if( $ret != 1 ){return $this->resultUpload( $ret );}$ret = $this->checkSize();if( $ret != 1 ){return $this->resultUpload( $ret );}// if flag to check if the file exists is set to 1if( $this->cls_file_exists == 1 ){$ret = $this->checkFileExists();if( $ret != 1 ){return $this->resultUpload( $ret );}}// if we are here, we are ready to move the file to destination$ret = $this->move();if( $ret != 1 ){return $this->resultUpload( $ret );}// check if we need to rename the fileif( $this->cls_rename_file == 1 ){$ret = $this->renameFile();if( $ret != 1 ){return $this->resultUpload( $ret );}}// if we are here, everything worked as planned :)return $this->resultUpload( "SUCCESS" );}..................};
方法1:在很多php服务中 .7z有时候也会被执行成.php的文件(1)burp抓包 send to reapeater(2)filename="m.php.7z"(3)不断burp抓包提交 速度够快 有可能服务器会出现来不及重命名的情况 这样就上传成功了(4)m.php.7z 上传成功(5)http://127.0.0.1/upload/m.php.7z 服务器如果把压缩包当php执行 此时也就可以运行成功了方法2:通过文件包含漏洞去包含相应上传的文件也可以执行
Pass-19
$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$file_name = $_POST['save_name'];$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);if(!in_array($file_ext,$deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' .$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;}else{$msg = '上传出错!';}}else{$msg = '禁止保存为该类型文件!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}}
Pass-20 burp抓包超级绕过 数组代码审计
move_upload_file函数会忽略/. 出现在linux中php reset()函数 //把数组内部指针重置到第一个元素
- <?php
- $people=array("Bill","Steve","Mark","David");
- echo current($people)."<br>"; //Bill
- echo next($people)."<br>"; //Steve
- echo reset($people); //Bill
- ?>
分析过程:输入相应的内容后经过几重绕过。首先是MIME检测,输入的内容在burp中已经修改过了MIME 所以绕过第一重检测第二重是提交内容的检验 由于burp包中已经是save_name[0] save_name[2]的数组形式 所以is_array($file)=1 所以if语句不会执行 绕过第二重之后end($file)是提交的save_name[2] 也就是jpg 成功绕过第三重限制第四重 由于没有传入save_name[1] 所以这个部分不存在 所以count($file)=2 $file[count($file)-1]=$file[2] 也就是不存在 空格那么此时的$file_name=upload-20.php. (php后面是点和空格)传入windows后 点和空格都不会被识别 所以最终的文件名字是upload-20.php三道坎:1.文件格式验证 2.文件名分割 3.文件名合并
$is_upload = false;$msg = null;if(!empty($_FILES['upload_file'])){//检查MIME$allow_type = array('image/jpeg','image/png','image/gif');if(!in_array($_FILES['upload_file']['type'],$allow_type)){$msg = "禁止上传该类型文件!";}else{//检查文件名//如果提交的不是数组 那么用点把其分割成数组 如果不是数组 那么跳过这步$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];if (!is_array($file)) {$file = explode('.', strtolower($file)); //文件名小写 然后用点进行分割//如果传的是haha.php.jpg 分割完file数组里面有三个 一个是haha 一个是php 一个是jpg}$ext = end($file); //拿到了数组的最后一个数组 也就是后缀名$allow_suffix = array('jpg','png','gif');if (!in_array($ext, $allow_suffix)) {$msg = "禁止上传该后缀文件!";}else{$file_name = reset($file) . '.' . $file[count($file) - 1]; //reset()函数 取数组的第一个东西$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' .$file_name;if (move_uploaded_file($temp_file, $img_path)) {$msg = "文件上传成功!";$is_upload = true;} else {$msg = "文件上传失败!";}}}}else{$msg = "请选择要上传的文件!";}
Content-Disposition: form-data; name="upload_file"; filename="haha.php"Content-Type: image/jpegGIF89a<?php phpinfo()?>-----------------------------200222961522119Content-Disposition: form-data; name="save_name[0]"upload-20.php-----------------------------200222961522119Content-Disposition: form-data; name="save_name[2]"jpg
- <?php
-
- //检查MIME
- $allow_type = array('image/jpeg','image/png','image/gif');
- if(!in_array($_FILES['upload_file']['type'],$allow_type)){
- $msg = "禁止上传该类型文件!";
- }else{
- //检查文件名
- $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
- //$file数组0--upload-20.php/ 1--null 2--jpg
-
- //如果不是数组,用.来把$file变成数组,如果本来就是数组,跳过此步骤
- if (!is_array($file)) {
- //文件名小写,然后用.进行分割
- $file = explode('.', strtolower($file));
- }
-
- //拿到了数组的最后一个数据
- $ext = end($file);//jpg
- $allow_suffix = array('jpg','png','gif');
- if (!in_array($ext, $allow_suffix)) {
- $msg = "禁止上传该后缀文件!";
- }else{
- //upload-20.php
- $file_name = reset($file) . '.' . $file[count($file) - 1];
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH . '/' .$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $msg = "文件上传成功!";
- $is_upload = true;
- } else {
- $msg = "文件上传失败!";
- }
- }
-
- ?>
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/weixin_40725706/article/detail/630816
推荐阅读
相关标签
