平时我们在做渗透测试的时候,除了挖掘一些常见的漏洞的时候,文件上传点一定是我们要着重注意的。很多站都会提供头像上传,附件上传的功能点,这些点都是我们可以利用的。通过这些点我们可以上传我们的webshell文件,进一步的获取服务器的权限,为我们更进一步打入内网做下基础。所以,文件上传的各种绕过姿势,大家一定要熟练掌握。
upload-labs 1-10
pass-1 前端js校验
本关知识点:前端JS代码校验后缀名,白名单。
代码:
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
绕过方法:
1.一切在前端的校验都是纸老虎,一戳就破。所以我们可以在浏览器中禁用掉JS,让浏览器对JS不支持,导致JS失效。这样的话前端的JS校验代码也就没用了。
- 禁用火狐浏览器的JS,其他浏览器就不做演示了,每个浏览器都不太相同,可以自行去百度搜索。
- 第二种方法就是删掉文件上传点所在的form标签中的 onsubmit属性,同样可以使前端校验失效。但是注意每次刷新一下后,属性会复原,需要重新删除。
2.绕过前端的校验后,我们就可以任意上传脚本了,我们上传一个一句话木马。上传完后,我们可以从源代码中找到木马上传后的路径。然后用菜刀或者蚁剑来连接。
3.前端检测必须是图片的后缀,那么我们可以先把木马后缀改为jpg,然后BP拦截后,修改文件名的后缀,也可以绕过前端检测。
pass-2 后端检测MIME
本关知识点:后端检测MIME类型,头部字段为content-type
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
绕过方法:
我们从上边的后端检测代码中可以看出后端是检测上传文件的MIME类型,只允许图片类型的文件上传。
既然后端是检测mime类型的,我们可以使用BP在中间代理拦截之后,修改报文中的MIME类型,一次来骗过后端,绕过检测。
-
将箭头中的值改为 iamge/jpg
-
最后我们用菜刀连接一句话木马。
pass-3 黑名单 .php5后缀绕过
本关知识点:后端黑名单,不允许上传 .asp .aspx .jsp .php的后缀。可以上传 .php5 .phps .pht后缀,但是要想使这几个后缀被PHP执行需要在Apache的http.conf文件中添加下边的配置:
AddType application/x-httpd-php .php .phtml .php5 .pht .phps
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
- 刚开始在这关的时候,想到Windows下后缀名不能以 . 和空格为最后的后缀,如果以这两个为最后的后缀,Windows系统会自动把最后的删除掉,也可以绕过黑名单。然后就看了一下源码,发现源码里边去空格,转小写,去最后的点,然后就放弃了这个思路。同时我们可以看到上传上去的文件,会被重命名,这个也是文件上传漏洞的一种防御方式,进行一定复杂程度的重命名。
绕过思路:
1.利用 .php5 .phps .pht等后缀去绕过后缀,因为本机的Apache的配置文件里边没有配置 AddType application/x-httpd-php .php .phtml .php5 .pht .phps 这句话,所以我自己就在配置文件中把这句话加上了。
pass-4 黑名单 .htaccess文件
本关知识点:第四关我们通过查看源码发现后端使用的是黑名单,黑名单基本包括了常见的脚本后缀,封堵非常的严格。BUT 没有过滤 .htacces后缀。
-
.htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置。通过htaccess文件,可以实现:网页301重定向、自定义404错误页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能IIS平台上不存在该文件,该文件默认开启,启用和关闭在httpd.conf文件中配置。
-
注: .htaccess文件生效前提条件为1.mod_rewrite模块开启。2.AllowOverride All
我们可以在文件中写入下边两句话中的一种,第一句的意思是指让当前文件夹下的jpg后缀的文件交给PHP来执行,可以利用图片马。第二句的意思其实和第一句差不多,只是更加精确的匹配到我们的图片木马。
AddType application/x-httpd-php .jpg
<FilesMatch "17kkk.jpg">SetHandler application/x-httpd-php`</FilesMatch>`
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:先上传一个图片木马,然后我们再上传一个.htaccess文件让我们的图片木马能让PHP解释器去执行。
- 上传到后台的文件
- 成功解析jpg文件
pass-5 黑名单 大小写绕过
本关知识点:本关是在第四关黑名单基础上,同时也过滤了.htaccess。但是通过观察源码,发现后端在取到后缀后,没有转小写,所以本关就是大小写后缀绕过。
源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:大小写后缀 .PhP绕过
pass-6 黑名单 空格绕过
本关知识点:Windows下xx.php[空格]和xx.php.以这种格式的后缀是不允许存在的,如果存在了,Windows也会自动帮你把后边的空格和点给删除。我们观察源码,同样是黑名单,但是没有把后缀中最后的空格给过滤掉,所以可以利用BP拦截后,在文件后缀加一个空格,可以绕过后端检测。
源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:文件名后边加空格,该利用方法仅在Windows下有效。
- 上传成功
pass-7 黑名单 点绕过
本关知识点:上一关是空格绕过,所以这关轮到“.”绕过了
源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:后缀名加“.”绕过检测
- Windows系统已经自动将“.”给删了
pass-8 ::$DATA
本关知识点:这关自己涉及到一个知识点,就是在php+windows的情况下:如果文件名+":: D A T A " 会 把 : : DATA"会把:: DATA"会把::DATA之后的数据当成文件流处理,不会检测后缀名.且保持"::$DATA"之前的文件名。
源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:info.php::$DATA
- 上传成功
pass-9 空格点空格配合绕过一次检测
本关知识点: .【空格】.绕过 ,本关过滤了所以可用的后缀,去空格,去点,去除::DATA。但使我们通过观察下边的代码对于空格和点的过滤只有一次,所以我们可以利用这个构造文件名为 xx.php.[空格]. 绕过检测。
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:点【空格】点绕过
- 上传成功
- 上传的文件,加的点和空格都被过滤和被Windows系统给删掉了。
pass-10 后缀双写绕过
本关知识点:双写绕过,通过代码我们可以看到没有过滤空格和点,Windows环境下,这关其实可以通过加点绕过,但是这个应该是针对Linux环境下的。所以这关的思路还是要放在
f
i
l
e
n
a
m
e
=
s
t
r
i
r
e
p
l
a
c
e
(
file_name = str_ireplace(
filename=strireplace(deny_ext,"", $file_name);这句代码上, str_ireplace()函数是不区分大小写的,但是他会把非法的后缀给换成空格。所以我们可以构造 .pphphp这样的后缀绕过。
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
绕过思路:.pphphp双写绕过
- 上传成功
- 后台上传的文件
文件上传的知识点,这次是用upload-labs这个靶场的,大家可以去GitHub搜,自己在本地搭建环境练习。这篇文章是前十关的解析。后十关更新后会加上链接。
2353
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
