⽂件上传漏洞是指由于程序员未对上传的⽂件进⾏严格的验证和过滤,⽽导致的⽤户可以越
过其本身权限向服务器上传可执⾏的动态脚本⽂件。如常⻅的头像上传,图⽚上传,oa 办公⽂
件上传,媒体上传,允许 ⽤户上传⽂件,如果过滤不严格,恶意⽤户利⽤⽂件上传漏洞,上传有
害的可以执⾏脚本⽂件到服务器中, 可以获取服务器的权限,或进⼀步危害服务器。
本文通过几个具体的关卡来学习如何分析漏洞并根据漏洞上传脚本文件来获取服务器信息。
执行环境 phpstudy,burp suite
关卡一
该网页通过js来验证上传文件的后缀名,只有文件后缀名是jpg,png,gif才可上传。
上传恶意文件的思路是要绕过js检测,可以将恶意文件后缀改成允许的后缀,然后通过抓包工具burp suite抓取post数据包,再改动数据报内的文件即可。
将文件名直接改成rsec.php即可。
脚本成功执行。
关卡二
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
}
}
这部分代码检测文件类型是否是 image/jpeg 或者 image/png ,该文件类型是通过content-type传输,但它可以在客户端修改,因此依然可以使用burp suite修改成符合要求的。
修改类型为image/jpeg 或者 image/png,即可成功上传。
关卡三
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}该网页上传模块为黑名单限制,在上传文件时获取文件后缀名,与程序中黑名单一一比对,若在黑名单中,则禁止上传。
本题解决方法特殊,需要在apache上修改配置,
开启 application/x-httpd-php 中
AddType application/x-httpd-php .php .phtml .php3 后缀名为
phtml 、php3 均被解析成 php
有的 apache 版本默认就会开启;
找到这种配置,把注释#删掉,开启配置。
后缀命为phtml就会被解析为php,那么在抓取的post数据包中修改文件后缀就可以。
关卡四
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
上传的⽂件后缀名在列表内禁⽌上传。包括了所有的执⾏脚本。但是没有过滤.htaccess。
.htaccess 文件是一种配置文件,它允许服务器管理员对Apache HTTP服务器进行基于目录的配置,而无需修改服务器全局配置文件(如httpd.conf或apache2.conf)
要 htaccess 的规则⽣效 则需要在 apache 开启 rewrite 重写模块,因为 apache 是多数都开启
这个模块,所以规则⼀般都⽣效;
<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
该
.htaccess
将所有的jpg⽂件解析成php⽂件
先上传该文件,然后再上传jpg文件即可。
关卡五
有的上传模块,后缀名采⽤⿊名单判断,但是没有对后缀名的⼤⼩写进⾏严格判断,导致可以
更改后缀⼤⼩ 写可以被绕过。如 PHP、 Php、 phP、pHp ;
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
仔细阅读⿊名单,查看是否有被忽略的后缀名,当前可以使⽤ phP 绕过;
上传rsec5.jpg抓包后修改⽂件名为 rsec5.PHp
关卡六
可以在抓取的post数据包中直接在后缀名后加个空格。这样后缀名也不在黑名单中,所以也能成功上传。
关卡七
在windows系统中,文件后缀名末尾的 . 会被忽略,因此在上传文件时可在后缀名后加个 .
这样的后缀不在黑名单内,因此可以成功上传,而windows系统又会无视这个 . 因此可以正常运行这个恶意脚本。
关卡八
在Windows系统中,特别是当文件系统为NTFS时,存在一种特殊的文件流特性,它允许文件与额外的数据流(Alternate Data Streams, ADS)相关联。这些ADS可以被视为文件内的隐藏附加部分,通常用于存储元数据或附加信息,但也可以被用来隐藏恶意代码。如果服务器端代码没有正确地处理或检查文件名中的::$DATA字符串,攻击者可以利用这一NTFS特性来绕过文件类型检查。
可以直接在抓取的post数据包中文件名后添加::$DATA(如shell.php::$DATA)
关卡九
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
在上传模块,有的代码会把⿊名单的后缀名替换成空,例如 a.php 会把 php 替换成空,如上传代码中的str_ireplace函数,对于这种防御可以采用双写后缀名绕过,pphphp后缀即可。
由于初步开始相关学习,内容可能有错误之处,欢迎指正
扫一扫
914
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
