Login site & file upload vulnerability: setup & patching
First, set up the environment:
Without further ado, straight to the source code:
First, the login page:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>登录</title>
</head>
<body>
<div class="window">
<div class="content">
<div class="login">
<h3>登录</h3>
<!-- Posts to logincheck.php, which reads the login_username and login_pwd fields -->
<form action="logincheck.php" method="post">
<div class="username">
<span>用户名</span>
<input type="text" placeholder="您的账户名和登录名" name="login_username"/>
</div>
<div class='password'>
<span>密码</span>
<input type="password" placeholder="请输入密码" name="login_pwd"/>
</div>
<input type="submit" value="登录" id="btn" name="submit">
</form>
</div>
</div>
</div>
</body>
</html>
Copy the source and name it: login.html
Registration page:
Source:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>注册</title>
</head>
<body>
<div class="window">
<div class="content">
<div class="register">
<h3>注册</h3>
<form action="regcheck.php" method="post">
<div class="username">
<span>用户名</span>
<input type="text" placeholder="您的账户名和登录名" name="username"/>
</div>
<div class='password'>
<span>设置密码</span>
<input type="password" placeholder="建议至少使用两种字符组合" name="password"/>
</div>
<input type="submit" value="立即注册" id="btn" name="submit">
</form>
</div>
</div>
</div>
</body>
</html>
Copy the source and name it: register.html
Backend handling:
Connecting to the database:
<?php
// Shared database connection; the fourth argument already selects the "register" database
$sql=mysqli_connect("localhost","root","root","register");
if (!$sql){
die("连接失败:".mysqli_connect_error());
}
mysqli_query($sql,"set names gbk");
?>
Name it: conn.php
Login verification backend:
<?php
include("conn.php"); // provides $sql, the mysqli connection
if (!isset($_POST["submit"])){
exit("非法访问");
}
$username=$_POST["login_username"];
$password=md5($_POST["login_pwd"]);
// Deliberately vulnerable: $username is concatenated straight into the query (SQL injection)
$che=mysqli_query($sql,"select id from register where username='$username' and password='$password' limit 1");
$result=mysqli_fetch_array($che);
if ($result) {
echo '登录成功';
echo "<a href='upload.php'>点击去往上传图片</a>";
exit();
}else{
echo '登录失败';
echo "<a href='login.html'>点击重新登陆</a>";
exit();
}
?>
Copy the source file and name it: logincheck.php
Registration verification:
<?php
include("conn.php"); // provides $sql, the mysqli connection
if (!isset($_POST['submit'])) {
exit("非法访问");
}
$username=$_POST['username'];
$password=md5($_POST['password']);
$name = null; // stays null when no row matches
// Same string-built query pattern as logincheck.php (also injectable)
$result = mysqli_query($sql,"select * from register where username='$username' limit 1");
while($row = mysqli_fetch_array($result))
{
$name =$row["username"];
}
if($username == $name){
die("<a href='register.html'>用户名已经使用过了,点击重新注册</a>");
}
$sql1="INSERT INTO register(username,password) VALUES('$username','$password')";
if (mysqli_query($sql,$sql1)){
exit('恭喜你、注册成功!点击跳转<a href="login.html">登录</a>');
}else{
echo '对不起、注册失败!';
echo '点击返回:<a href="javascript:history.back(-1);">重试</a>';
}
?>
Copy the source and name it: regcheck.php
File upload part:
Source:
<?php
header("Content-type:text/html;charset=utf-8"); // headers must be sent before any HTML output
?>
<h1>丑陋的上传页面</h1>
<form method="post" action="" enctype="multipart/form-data">
<!-- enctype="multipart/form-data" tells the server that we are sending a file,
so it knows the uploaded file arrives together with the regular form fields. -->
<!-- Forms submit data as application/x-www-form-urlencoded by default. -->
<input type="file" name="file"/>
<input type="submit" value="上传"/>
<!-- The first key of $_FILES[][] on the server side must match the name="file" of the file input -->
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (!is_dir("uploadFiles/")) {
mkdir("uploadFiles/");
}
if (!isset($_FILES['file']) || $_FILES['file']['name'] == '') {
die('请上传文件');
}
// Deliberately unrestricted: any file type is saved under its original name (unrestricted file upload)
if (file_exists("uploadFiles/" . $_FILES["file"]["name"])) {
echo "文件已存在";
} else {
move_uploaded_file($_FILES["file"]["tmp_name"], "uploadFiles/" . $_FILES["file"]["name"]);
echo "文件已上传<br/>";
echo "文件路径:uploadFiles/".$_FILES["file"]["name"];
}
}
?>
Copy the source and name it: upload.php
First, verify that it works:
Login page:
Click through to the registration page:
Register a user:
admin's password
Click to log in:
Login successful; click to go to the image upload:
Upload successful:
Testing the vulnerabilities
First, the login page:
SQL injection exploitation:
User: admin' or 1=1#
Password: 1234 (anything will do)
We see the login succeed:
File upload vulnerability:
Upload a PHP one-line webshell directly
Connect with AntSword:
Patching the vulnerabilities:
SQL injection: filter dangerous characters:
Here we simply filter out dangerous characters
// Simple blocklist filter. Each replacement feeds into the next; assigning from the untouched
// $value every time would leave only the last replacement in effect.
foreach($_REQUEST as $key=>$value){
$value = str_ireplace("'",'‘',$value);
$value = str_ireplace('"','“',$value);
$value = str_ireplace("select",'no_word',$value);
$value = str_ireplace(".",'。',$value);
$value = str_ireplace("(",'(',$value);
$value = str_ireplace("or",'no_word',$value);
$value = str_ireplace("and",'no_word',$value);
$value = str_ireplace("|",'no_word',$value);
$value = str_ireplace("&",'no_word',$value);
$value = str_ireplace("#",'no_word',$value);
$value = str_ireplace("-",'no_word',$value);
$value = str_ireplace("+",'no_word',$value);
$_REQUEST[$key] = $value;
// logincheck.php and regcheck.php read $_POST, so the filtered value must be written back there too
if (isset($_POST[$key])) {
$_POST[$key] = $value;
}
}
We can see the login now fails:
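The blocklist above also mangles legitimate input (any username containing "or" or "and" becomes no_word) and has to be maintained forever. The standard fix is to send user input as bound parameters; the following is an added example, not the post's own code, of logincheck.php rewritten that way. It assumes conn.php provides $sql and that the form posts login_username, login_pwd and submit as in the post; the same pattern replaces both string-built queries in regcheck.php.

```php
<?php
// Added example (not the original post's code): logincheck.php rewritten with a
// prepared statement. Assumes conn.php provides $sql and the login form posts
// login_username / login_pwd / submit as in the post.
include("conn.php");

// Returns the stored password hash for $username, or null if no such user.
// The username travels to MySQL as a bound parameter, so quotes, '#' and
// "or 1=1" are just characters in the value and can no longer alter the query.
function lookup_password_hash(mysqli $db, string $username): ?string {
    $stmt = $db->prepare("SELECT password FROM register WHERE username = ? LIMIT 1");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

if ($_SERVER["REQUEST_METHOD"] !== "POST" || !isset($_POST["submit"])) {
    exit("非法访问");
}
$username = (string)($_POST["login_username"] ?? "");
$password = (string)($_POST["login_pwd"] ?? "");

$hash = lookup_password_hash($sql, $username);
// The lab stores md5(password); hash_equals gives a constant-time comparison.
// (password_hash()/password_verify() would be the right choice outside a lab.)
if ($hash !== null && hash_equals($hash, md5($password))) {
    echo "登录成功";
    echo "<a href='upload.php'>点击去往上传图片</a>";
} else {
    echo "登录失败";
    echo "<a href='login.html'>点击重新登陆</a>";
}
?>
```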
Fixing the file upload vulnerability:
Use a whitelist: only allow jpg, gif, jpeg and png uploads.
$allowExts = array("gif", "jpeg", "jpg", "png"); // whitelist of permitted extensions
$temp = explode(".", $_FILES["file"]["name"]);
$ext = strtolower(end($temp)); // compare case-insensitively so ".JPG" is treated like ".jpg"
echo "后缀名:" . $ext . "<br>";
// Note: $_FILES["file"]["type"] is the Content-Type sent by the browser, not derived from the file's bytes
if (($_FILES["file"]["type"] == "image/gif" || $_FILES["file"]["type"] == "image/jpeg" || $_FILES["file"]["type"] == "image/jpg"|| $_FILES["file"]["type"] == "image/png") && in_array($ext, $allowExts) && $_FILES["file"]["size"] < (1024 * 1024)) {
if ($_FILES["file"]["error"]) {
echo "报错:" . $_FILES["file"]["error"];
} else {
if (!is_dir("uploadFiles/")) {
mkdir("uploadFiles/");
}
if (file_exists("uploadFiles/" . $_FILES["file"]["name"])) {
echo "文件已存在";
} else {
move_uploaded_file($_FILES["file"]["tmp_name"], "uploadFiles/" . $_FILES["file"]["name"]);
echo "文件已上传";
}
}
} else {
echo "不允许的文件类型或文件过大";
}
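The whitelist above still trusts two client-controlled values: $_FILES["file"]["type"] is whatever Content-Type the browser chose to send, and the original file name is reused on disk. The following is an added example, not the post's code, of an upload handler that checks only the last extension, sniffs the real content type from the file bytes with finfo, and stores the file under a random server-generated name; it assumes the form field is still name="file" and the target directory is uploadFiles/ next to the script.

```php
<?php
// Added example (not the original post's code): hardened upload handling for
// upload.php. Assumes the form field is name="file" and files go to uploadFiles/.
header("Content-type:text/html;charset=utf-8");

// Permitted extension => MIME type the file CONTENT must actually have.
// $_FILES[...]["type"] is sent by the client, so it is not consulted at all.
const ALLOWED_TYPES = ["jpg" => "image/jpeg", "jpeg" => "image/jpeg",
                       "gif" => "image/gif", "png" => "image/png"];
const MAX_UPLOAD_BYTES = 1024 * 1024;

// Returns [true, stored file name] or [false, error message].
function store_upload(array $file, string $dir): array {
    if ($file["error"] !== UPLOAD_ERR_OK) {
        return [false, "上传出错:" . $file["error"]];
    }
    if ($file["size"] > MAX_UPLOAD_BYTES) {
        return [false, "文件过大"];
    }
    // Only the LAST extension counts, lower-cased: "x.php.jpg" is "jpg" here and
    // then still has to pass the content check below.
    $ext = strtolower(pathinfo($file["name"], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [false, "不允许的文件类型"];
    }
    // Sniff the real type from the bytes of the temp file, not the client header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file["tmp_name"]);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "文件内容与扩展名不符"];
    }
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return [false, "无法创建目录"];
    }
    // Server-generated name: the user-supplied file name never reaches the disk.
    // Also configure the web server so nothing under $dir is ever executed as PHP.
    $name = bin2hex(random_bytes(16)) . "." . $ext;
    if (!move_uploaded_file($file["tmp_name"], $dir . "/" . $name)) {
        return [false, "保存失败"];
    }
    return [true, $name];
}

if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_FILES["file"])) {
    [$ok, $msg] = store_upload($_FILES["file"], __DIR__ . "/uploadFiles");
    echo $ok ? "文件已上传:uploadFiles/" . $msg : $msg;
}
?>
```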