目录
文件上传的思路有:
pass-01 前端js过滤
源码解析:
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name) == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
在这一关中,当用户点击上传文件时,会触发一个点击事件,调研js中的函数checkFile,先判断有没有选择文件,然后设置允许上传文件的格式,通过最后一个“ . ”获取上传文件的后缀,然后判断其是否在允许上传的范围。
利用:
方法一:因为这是在用js代码在前端进行校验,我们可以直接利用插件禁用script绕过上传
方法二:也可以将上传的文件后缀修改为合法后缀,然后抓包修改为原来的后缀
pass-02 修改MIME类型
源码解析:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
在进行文件上传时,浏览器会设置一个请求头Content-Type对上传文件的类型进行说明,而这一关在后台中采用$_FILES['upload_file']['type']对文件上传的类型(Content-Type)进行校验
利用:
上传一个shell.php文件,将Content-Type的application/octet-stream改为image/jpeg,即可上传成功
查看upload文件夹也可以发现shell.php文件,即上传成功
pass-03 换后缀别名过滤
源码解析:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.'); //去掉.加文件名称,只保留文件后缀
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//将file_ext中的字符串::$DATA替换成空
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
$deny_ext制定了黑名单,紧跟着六行将上传的文件后缀提取出来
$temp_file = $_FILES['upload_file']['tmp_name']获取文件被上传后在服务端储存的临时文件名
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; 待修改文件名
if (move_uploaded_file($temp_file,$img_path)) 移动即为修改
利用:
可直接将php改为php5|phtml|phps|pht等
前提是apache的httpd.conf中有如下配置代码:
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
另外,在upload文件夹上也可以看到上传成功的文件
pass-04 htaccess利用
源码解析:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
这一关源码跟上一个类似,只不过黑名单的范围更大的,无法通过修改同义后缀直接进行文件上传
但是没有过滤htaccess,而当htaccess文件中存在以下配置时:
SetHandler application/x-httpd-php
会将所有的文件都当初php文件执行(前提条件:1.mod_rewrite模块开启。2.AllowOverride All
)
利用:
1上传htaccess文件
2抓包修改htaccess,去掉前面的文件名
3利用成功
附:开启前提条件
Apache/conf/conf.httpd
pass-05 .user.ini利用
源码解析:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
跟上一关类似,但这里将htaccess也过滤了,但是没有对文件进行复制式重命名,另外.ini文件也没有过滤
利用
1 上传一个.user.ini文件(用户自定义配置文件),此文件内容为auto_propend_file=1.jpg,即所有的php文件都包含一个1.jpg文件
2 将webshell命名为1.jpg
3 利用readme.p