File upload vulnerabilities - upload-labs

I am used to calling this area "code-side vulnerabilities". (If that is wrong, please correct me.)
Why code-side vulnerabilities arise: the code does not strictly filter the information of the file we upload, so we can inject through the file upload part.

Prerequisites
Basics of PHP code auditing
JavaScript basics
Setting up the upload-labs vulnerable environment
Using Burp

Unfinished parts: secondary rendering; race condition (exploiting folder naming)

Classifying the code-side vulnerabilities
1. Front-end code vulnerabilities: JS filtering bypass
Level: labs-1
Bypass: 2 bypass methods (summary available)
2. Back-end code vulnerabilities:
(1) Blacklist part
1. Special parseable suffixes
2. .htaccess parsing
3. Case bypass
4. Trailing-dot bypass
5. Trailing-space bypass
6. ::$DATA bypass
7. Combined with parsing vulnerabilities
8. Double-suffix bypass

(2) Whitelist part
1. MIME bypass
2. %00 truncation
3. 0x00 truncation
4. 0x0a truncation

Other parts: file header checks, secondary rendering, race conditions, bypassing getimagesize, bypassing exif_imagetype.

1. MIME bypass: labs-2
Source code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // This is the whole filter: the MIME type is read from $_FILES, i.e. supplied by the client
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Some background on the $_FILES superglobal array
The contents of the $_FILES array are:
$_FILES['myFile']['name'] The original name of the file on the client.
$_FILES['myFile']['type'] The MIME type of the file, if the browser supplied this information, e.g. "image/gif".
$_FILES['myFile']['size'] The size of the uploaded file, in bytes.
$_FILES['myFile']['tmp_name'] The temporary filename under which the uploaded file is stored on the server, normally a system default. It can be set with upload_tmp_dir in php.ini, but setting it with putenv() has no effect.
$_FILES['myFile']['error'] The error code associated with this file upload. ['error'] was added in PHP 4.2.0. Its values are explained below: (they became constants after PHP 3.0)

We capture the request with Burp and change the MIME type, which bypasses the check directly.
Original:
Modified:

2. labs-03: bypass with special parseable suffixes

Source code
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        // The extension is filtered against the blacklist above
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // remove trailing dots from the filename (deldot() is the lab's own helper)
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // The stored file is renamed
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The suffix blacklist here is incomplete, so special suffixes such as php5, php3 and so on can be used instead.

Special suffixes:

Related article: https://blog.csdn.net/weixin_43571641/article/details/83755712
It explains why Apache does not parse php5.

The file uploads successfully here, but why it cannot be opened I will explain tomorrow.

3. labs-04: .htaccess upload

.htaccess is a configuration file of the Apache server. It is not in the blacklist for uploaded files, so a .htaccess file can be uploaded successfully.

Precondition: only works under Apache.
.htaccess explained: https://blog.csdn.net/whatiwhere/article/details/84453810 (the article explains .htaccess in detail)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // The blacklist is much longer now
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace
        // (the remainder of the handler is not shown on the page)

How to use .htaccess
AddType application/x-httpd-php .jpg (the suffix can be changed). Copy this line into a text file, save it under the name .htaccess, and upload it.
Then upload our PHP file. In Burp, change the suffix of the one-liner file attack.php to .png

Once the .htaccess file is on the server, the directive in it makes files with the .jpg suffix be parsed as PHP. So we change the suffix of yijuhua.php to .jpg and let .htaccess make the server parse the PHP code inside yijuhua.jpg, and the webshell upload succeeds.

5. labs-05: blacklist, again a .htaccess bypass
Code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace
        // (the remainder of the handler is not shown on the page)
Compared with labs-04 the code is the same, so the approach is the same.

6. labs-06: blacklist, case bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace
        // (the remainder of the handler is not shown on the page)

Compared with labs-04, the lowercase-conversion line is missing,
so we bypass directly by changing the case of the suffix.
In Burp, change the suffix of the one-liner file attack.php to .phP
After uploading there is a problem: visiting the image address returns a 500 (to be solved tomorrow).

7. labs-07: dot bypass
Level code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);                     // remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        // (the remainder of the handler is not shown on the page)
The trailing-whitespace trim line is missing here:
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace
After capturing the request with Burp,
add a space after php.

Principle: this exploits how the operating system judges filenames. Example: when we create a txt file we cannot put a space after the file type; even if a space is added, the system still treats the file as txt.

8. labs-08: similar to our .htaccess bypass (check whether there are other bypass methods)
Another thing to note: the line $file_name = deldot($file_name); (remove trailing dots from the filename) is missing
Code:
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Exploit the missing trailing-dot handling.

9. labs-09: ::$DATA bypass
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
The ::$DATA string removal is missing.

Article to help understand it: https://blog.csdn.net/weixin_44032232/article/details/109005766
Principle: bypass via the Windows file stream feature (::$DATA).
Usage:

10. labs-10

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);   // strip whitespace from both ends
        $file_name = deldot($file_name);                     // remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');                // find the last dot in the filename and return everything from it to the end
        $file_ext = strtolower($file_ext);                   // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Code analysis: $temp_file = $_FILES['upload_file']['tmp_name']; what is concatenated into the stored name is $file_name, not $file_ext.
$file_name = deldot($file_name);   // remove trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$img_path = UPLOAD_PATH.'/'.$file_name;   // after the checks, the stored path is built from $file_name, not $file_ext: the original filename is kept

Combining the characteristics of Windows and other operating systems, we bypass these filters one by one.

Bypass: xxx.php. . (with a space in the middle)
11. labs-11: double-write bypass
Code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
PHP code analysis:
trim() removes whitespace or other predefined characters from both ends of a string.
str_ireplace() replaces some characters in a string (case-insensitively).

$file_name = str_ireplace($deny_ext, "", $file_name); replaces the blacklisted strings with the empty string.

So the blacklisted strings are removed from the filename, but the replacement runs only once. (If it looped recursively until no php etc. remained, we would be stuck.)
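An allowlist-based check for the client filename, added here as an example that is not part of upload-labs or of this post (ALLOWED_EXT, acceptedExtension and storageName are my own names, and the sample names are constructed). It covers every trick the blacklist levels above (labs-03 to labs-11) rely on by rejecting rather than sanitizing:

```php
<?php
// Added example, not upload-labs code: an allowlist check for the client
// filename. Each blacklist level above (labs-03 to labs-11) omits one
// normalization step; an allowlist rejects whatever it does not recognise,
// so no single missing step turns into a bypass.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns the canonical extension if the name is acceptable, or null if the
// upload must be rejected. The client name itself is never reused.
function acceptedExtension(string $clientName): ?string
{
    if ($clientName === '' || strlen($clientName) > 255) {
        return null;
    }
    // Exactly "<base>.<ext>" built from a small character set. This rejects
    // in one go: NUL bytes (%00 truncation), "::$DATA", a trailing dot or
    // space (labs-07/08/10), a leading dot (.htaccess), path separators and
    // double extensions such as attack.php.jpg.
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,10})$/', $clientName, $m)) {
        return null;
    }
    // Lower-case once, then compare against the allowlist; labs-06's missing
    // strtolower cannot matter here because ".phP" is simply not in the list.
    $ext = strtolower($m[1]);
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// The storage name is generated by the server: random, with the allowlisted
// extension appended. Nothing from $_FILES['upload_file']['name'] survives,
// the opposite of labs-11's "strip the bad strings and keep the name".
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names mirroring the tricks discussed above.
$samples = [
    'photo.jpg', 'photo.JPG', 'attack.php', 'attack.php5', 'attack.phP',
    'attack.php.', 'attack.php ', 'attack.php::$DATA', 'attack.php. .',
    '.htaccess', 'attack.pphphp', "attack.php\0.jpg", 'attack.php.jpg',
];
foreach ($samples as $name) {
    $ext = acceptedExtension($name);
    printf("%-24s -> %s\n", json_encode($name),
        $ext === null ? 'reject' : 'accept, stored as ' . storageName($ext));
}
```

Only photo.jpg and photo.JPG are accepted; every other sample is rejected by the single regex plus the allowlist, without any per-trick normalization step that could be forgotten.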

Whitelist
12. Whitelist: %00 bypass

Conditions for the %00 bypass: (1) the PHP version must be lower than 5.3.4
(2) in the PHP configuration file php.ini, magic_quotes_gpc must be set to Off
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Reference: https://www.cnblogs.com/tac2664/p/14293043.html

Code analysis: $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
Reading: the save_path taken from the GET parameter + a random number and timestamp + the file extension

So the bypass can be done directly in save_path.

The address becomes: save_path=…/upload/attack.php%00 (truncation)

After uploading I got an upload error, meaning the upload itself succeeded but something went wrong at some step.
I turned off PHP's magic quotes.

13. POST submission + %00 bypass

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
Here the submission method has changed; the previous level used GET.

The difference between GET and POST:
In GET, %00 is already URL-decoded.
In POST, %00 is not decoded, so we have to add the byte ourselves.

The file upload succeeds.

14. Image webshells

15. Bypassing getimagesize
What getimagesize does: in PHP, getimagesize is defined as retrieving image information.

16.

17.

pass-18: code analysis. Secondary rendering: the file is first uploaded to the server, and the server then decides whether to keep or delete it.
This is purely a code problem: the file is not filtered before it is moved.

Race condition: it exploits resource occupancy on the system, combined with the logic flaw.

The logic of this level is flawed: the file is moved onto the server before it is filtered.
The rename function

The resource-occupancy problem behind the race condition

So how do we solve it:

Secondary rendering by itself may not produce a vulnerability; the vulnerability comes from how the code is written.

pass-18: code analysis.
Use Burp Intruder to send requests continuously, with the payload type set to number
Set up a packet whose content keeps changing: x-for....
payloads
Then keep requesting the webshell's address from the browser
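A hardened handler, added here as an example that is not upload-labs code (UPLOAD_DIR, ALLOWED_MIME, detectImageType and storeUpload are my own names). It addresses both the user-controlled save_path of labs-12/13 and the move-before-check ordering of pass-18:

```php
<?php
// Added example, not upload-labs code. Two fixes for the problems discussed
// above: the destination directory is a server-side constant (labs-12/13
// take it from $_GET/$_POST['save_path']), and every check runs on the
// temporary file BEFORE move_uploaded_file(), so nothing ever sits under
// the web root waiting to be deleted (the pass-18 race window).
const UPLOAD_DIR = __DIR__ . '/upload';            // fixed by the server
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Inspect the bytes themselves: $_FILES[...]['type'] is client-supplied
// (labs-2) and the extension says nothing about the content.
function detectImageType(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);               // parses the real image header
    if ($info === false || !isset($info['mime'])) {
        return null;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    // Both detectors must agree and the type must be one we expect.
    if ($sniffed !== $info['mime'] || !isset(ALLOWED_MIME[$info['mime']])) {
        return null;
    }
    return ALLOWED_MIME[$info['mime']];
}

// Returns the stored path, or null if the upload is rejected.
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {    // only files from this request
        return null;
    }
    $ext = detectImageType($file['tmp_name']);     // decided before any move
    if ($ext === null) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);                             // never executable
    return $dest;
}

if (isset($_POST['submit'], $_FILES['upload_file'])) {
    $stored = storeUpload($_FILES['upload_file']);
    echo $stored === null ? "rejected\n" : "stored as " . basename($stored) . "\n";
}
```

A valid image can still carry PHP in its metadata (the image webshell of labs-14), so the upload directory must also be served in a way that never hands its files to the PHP interpreter.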

pass-19: code analysis.
1. Bypass via the filename (this level is a blacklist bypass), using %00 truncation
2. Bypass via the folder name: upload our file in folder form
upload/upload-18.php/.

pass-20: code analysis
Bypass using the folder trick combined with the array problem
