upload-labs通关(Pass-06~Pass-10)

最新推荐文章于 2024-05-13 09:12:38 发布
最新推荐文章于 2024-05-13 09:12:38 发布
阅读量1.6k 收藏 6
点赞数 4
分类专栏: upload-labs # 文件上传/下载/包含 文章标签: php windows 网络安全 文件上传漏洞 upload-labs
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/elephantxiang/article/details/120642013
版权

目录

Pass-06

Pass-07

Pass-08 

Pass-09

Pass-10

Pass-06

上传sh.php失败,burp中将抓到的包send to repeater

修改filename为sh.xxx发现可以上传成功,说明是黑名单过滤

将报文send to intruder,按照Pass-03的套路爆破后缀名(upload-labs通关(Pass-01~Pass-05)_箭雨镜屋-CSDN博客) 

爆破结果用../upload过滤,发现只有如下后缀的文件上传成功

仔细查看Response报文后发现,有如下两个文件可以作为webshell(服务器是windows系统),也就是说本关可以双写::$DATA绕过,也可以用大写绕过

 用蚁剑尝试一下连接这两个shell。先试双写::$DATA的,如下图所示,可以连接成功

再试试大写绕过的。特别注意,我在我的环境上,用apache 2.4.39的时候连接失败,Response报文状态码500,用nginx 1.15.11是可以成功的,并且用蚁剑连接的时候,蚁剑中url地址的文件名后缀大小写无所谓。

代码分析:

比起之前的关卡,本关在用上传文件的文件名后缀和黑名单比较之前没有把文件后缀转换成小写,所以大写绕过黑名单过滤可以成功。

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Pass-07

上传sh.php失败,burp中将抓到的包send to repeater

修改filename为sh.xxx发现可以上传成功,说明是黑名单过滤

将报文send to intruder,按照Pass-03的套路爆破后缀名,爆破结果用../upload过滤,发现只有如下后缀的文件上传成功

仔细观察Response报文后发现,本关可以双写::$DATA或者在文件名末尾加空格绕过(windows系统)

双写::$DATA的webshell之前演示过,就不演示了,演示一下以空格结尾的webshell,第22个payload是两个空格,第23个payload是一个空格,这里仅以22演示,其实也和之前关卡提到的文件名以0x88结尾差不多。

代码分析:

本关代码其实也没啥可分析的,本来黑名单就不安全,还分析个啥。。不过相比Pass-05,本关在用上传的文件的后缀和黑名单比较之前,没有把结尾的空格去掉,所以可以用空格绕过。

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Pass-08 

上传sh.php失败,burp中将抓到的包send to repeater

修改filename为sh.xxx发现可以上传成功,说明是黑名单过滤

将报文send to intruder,按照Pass-03的套路爆破后缀名,爆破结果用../upload过滤,发现只有如下后缀的文件上传成功 

仔细观察Response报文后发现,本关可以通过在文件名末尾加.绕过(第20,第21个payload,windows系统)

虽然爆破结果中显示上传成功的文件名有../upload/sh.php.和../upload/sh.php..,但实际上服务器上的文件名是sh.php,所以用蚁剑连接的时候文件名末尾不需要加点(不过加点也不碍事)

代码分析:

不看代码都能猜到这关是把去掉文件名末尾的点的步骤删掉了。。。

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 

Pass-09

上传sh.php失败,burp中将抓到的包send to repeater

修改filename为sh.xxx发现可以上传成功,说明是黑名单过滤

将报文send to intruder,按照Pass-03的套路爆破后缀名,爆破结果用../upload过滤,发现只有如下后缀的文件上传成功 

仔细观察Response报文后发现,本关可以通过在文件名末尾加::$DATA来绕过(windows系统)

 

蚁剑连接的时候,文件后缀直接写.php就行,不要加::$DATA

代码分析:

不看代码都能猜到这关是把去掉字符串::$DATA的步骤删掉了。。。

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Pass-10

上传sh.php失败,burp中将抓到的包send to repeater

修改filename为sh.xxx发现可以上传成功,说明是黑名单过滤

将报文send to intruder,按照Pass-03的套路爆破后缀名,爆破结果用../upload过滤,发现只有如下后缀的文件上传成功(说实话我的文件名后缀字典里面本来没有这关的解的,毕竟它稍微有点奇葩,后来对着代码缕了答案,把答案写到后缀字典里才有了下面的爆破结果……做upload-labs的一大收获可能就是后缀字典更充实了……所以其实emmm前面的好几关也可以用本关的方法) 

可以作为webshell的是sh.php. .(windows系统),上传成功后据说文件名是sh.php. ,但实际上服务器上文件名就是sh.php

 

代码分析:

首先trim()删除文件名末尾的多个空格,然后deldot()删除文件名末尾的多个点,strrchr()以第一个.为界取出后缀,strtolower()将后缀转化为小写,str_ireplace()去掉后缀中的一个::$DATA,最后trim()删除后缀末尾的多个空格。处理完的后缀与黑名单对比,如果后缀不在黑名单中,则上传后的文件名是去掉文件名末尾的空格,再去掉文件名末尾的点之后的文件名。

按照这个顺序倒推,就可以发现后缀.php. .(点空格点)是可以绕过黑名单检查的。

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 

仙女象
关注
  • 4
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
Upload-Labs-Pass-08
龙狼刺的博客
04-21 1123
一、相关知识 1、特殊符号绕过原理: Windows系统下,如果上传文件的文件名为test.php::$DATA,则会在服务器中生成一个为test.php文件,其中内容和所上传的文件内容相同,并被解析。 二、环境搭配 攻击机: kali IP: 192.168.0.112 靶机: Windows2008 IP: 192.168.0.130:9006 三、文件上传 1、创建webshell 格式:weevely generate 密码 ...
upload-labs通关(Pass06-Pass10)
m0_46467017的博客
08-15 476
首先trim()删除文件名末尾的多个空格,然后deldot()删除文件名末尾的多个点,strrchr()以第一个.为界取出后缀,strtolower()将后缀转化为小写,str_ireplace()去掉后缀中的一个::$DATA,最后trim()删除后缀末尾的多个空格。处理完的后缀与黑名单对比,如果后缀不在黑名单中,则上传后的文件名是去掉文件名末尾的空格,再去掉文件名末尾的点之后的文件名。按照这个顺序倒推,就可以发现后缀.php. .(点空格点)是可以绕过黑名单检查的。发现本关的代码与之前的代码少了。...
文件上传漏洞upload-labs1-19关详解
qq_51780583的博客
03-07 1877
upload-labs1-19关详解
[网络安全]upload-labs Pass-06 解题详析
最新发布
2401_84971713的博客
05-13 248
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
Upload LABS Pass-10
热门推荐
wangyuxiang946的博客
07-03 1万+
uploadlabs10,upload labs 第十关在后端使用了黑名单 , 将匹配到的后缀名替换为空,使文件不能使用 , 但其只过滤了一遍 , 我们可以使用双写后缀名的方式绕过黑名单
upload-labs-master 文件上传 1到10关(适合小白,解释详细!)
dd_c1d的博客
08-24 2088
0x00前言 首先如果进行全真模拟正常渗透,是很难看见源码的也就是说正常渗透过程中没法看提示和源码,文件上传漏洞又不同别的漏洞,我们只能挨个方法试试,这里为了方便大家了解和更好的学习,我会给大家看源码知晓原理。这个靶场需要大家有一定的php代码审计能力(其实能简单看懂代码就行)这个靶场最终任务简单来说是成功上传你想上传的含有功能的恶意代码(php的),所以最后正常情况下肯定要上传xx.php(特殊的下面会说到),如何知道上传是否成功(通关!),有两种方法,第一种是直接访问我们的后门,第二种...
Upload-labs通关手册.pdf
08-06
Upload-labs通关手册
安装upload-labs
10-22
同时,upload-labs还提供了详细的课程讲解和write up(通关指南),可以帮助您更好地理解和掌握文件上传漏洞的防御方法。 结语 安装upload-labs是一个非常重要的步骤,它可以帮助您快速掌握文件上传漏洞的基础知识...
upload-labs通关手册
12-03
详细记录了upload-labs靶场的通关步骤,并且附带有caidao和burpsuite工具资源,非常适合初学者!!!
upload-labs-master.zip
06-22
文件上传漏洞小游戏靶场upload-labs-master/upload-labs-master/upload-labs-master/upload-labs-master
UPLOAD-LABS详细解题步骤
05-17
UPLOAD-LABS详细解题步骤 UPLOAD-LABS是一个网络安全靶场,旨在帮助用户练习文件上传的安全知识。该靶场提供了多个关卡,每个关卡都有一定的安全挑战和限制,旨在考验用户的安全知识和技术。 在开始之前,需要先...
upload-labs_pass10_点空点绕过_pass11_双写文件扩展名
qq_51550750的博客
04-11 306
关于靶场说几点:单纯用phpstudy 可能无法复现所有的漏洞,而且phpstudy中的php可能是线程不安全的,所以建议大家在自己本机或者虚拟机的中亲自搭建一下apache和php的环境,便于复现upload-labs的所有靶场环境。配置有问题的可以参考我写的这篇文章: https://blog.csdn.net/qq_51550750/article/details/124062273 pass10-观察源码,思路生成 看源码: $file_name = deldot($file_name);//删除
upload-labs通关攻略(更新中)
weixin_68070435的博客
03-13 2504
1.靶场介绍upload-labs是一个使用php语言编写,专注于文件上传漏洞的靶场。该靶场可以让练习者了解文件上传漏洞的原理、利用方法。
upload-labs文件上传漏洞(Pass-01~Pass-21)
sGanYu
10-09 3166
目录 pass-1(js前端绕过) pass-2(MiMe绕过) pass-3(黑名单绕过) pass-04(.htaccess文件上传) pass-05 pass-06(大小写绕过) pass-07(空格绕过) pass-08(windows特性加点绕过) pass-09(::$DATA绕过) pass-10(点空点绕过) pass-11(双写绕过) pass-12(GET请求00截断) pass-13(POST请求00截断) pass-14(头文件绕过、图片码绕过、文件包含)
BUUCTF做题Upload-Labs记录pass-01~pass-10
Goodric的博客
07-26 918
前端验证后缀。 传1.png 抓包改1.php 即可。
文件上传漏洞靶场upload-labs学习(pass6-pass10)
AFCC_的博客(Web_Dog)
03-06 3072
0X00 Pass6 第6关从后缀绕过的角度考察,源码为: $is_upload = false; $msg = null; if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3"
Upload-labs文件上传漏洞(空格绕过)——Pass06
Zichel77的博客
07-27 986
0×00 题目描述 似乎可以使用Pass04文件改写?但是感觉应该不会那么简单 0×01 源码分析 $is_upload = false; $msg = null; if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".
upload-labs pass06-12
hclimg的博客
07-31 379
pass-06: 查看提示: 还是黑名单限制,通过查看源代码,知道删除了文件名后面的., 但是并没有删除空格,所以通过上传一个后缀名再添加一个空格的文件去绕过黑名单,windoes在创建文件时会自动删掉最后的空格。 上传成功,访问图片链接 成功!!! pass-07: 查看提示: 查看源代码可知,服务器端把文件名后面的空格给删除了 Windows有个特性,就是如果文件名后缀以.或者空格结尾...
upload-labs】————7、Pass-06
Fly_鹏程万里
08-15 339
闯关界面 判断是前端检测还是后端检测: 之后查看源代码: 所有的文件后缀、大小写处理后过滤,但是对于后缀名却没有进行去除空格处理,这里可以通过在后缀名中加入空格绕过: 添加空格: 浏览器中访问: ...
upload-labs靶场通关pass04
09-14
要通过upload-labs靶场的pass04,您需要进行以下步骤: 1. 首先,上传一个符合格式的PHP脚本文件,并将其扩展名改为图片格式。根据引用中的描述,您需要将.htaccess文件上传到服务器。.htaccess文件是Apache服务器...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值