DAY14: Upload-labs walkthrough
Pass-01: Client-side JS check
Trying to upload a php file triggers a JavaScript alert in the browser, so go straight to Burp, tick Remove all JavaScript, refresh the page and upload again.
Upload succeeds. Connect with AntSword (蚁剑) to get a shell.
Pass-02: MIME type check
Common MIME types:
HTML document .html: text/html
Plain text .txt: text/plain
PDF document .pdf: application/pdf
PNG image .png: image/png
GIF image .gif: image/gif
MPEG file .mpg, .mpeg: video/mpeg
Binary stream: application/octet-stream
$_FILES['upload_file']['type'] # MIME type of the uploaded file, as reported by the client
Here we can capture the request in Burp and change the Content-Type to bypass the check; which value to use depends on what the server allows.
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
    // the client-reported type is accepted and the upload proceeds
}
So jpeg, png and gif types are allowed. Upload the php file directly and
change application/octet-stream to image/gif.
Send the request; upload succeeds. Connect with AntSword to get a shell.
Pass-03: Extension rename bypass
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lower case
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
From the code, this level blacklists the extensions in the first line and also defends against the space, ::$DATA stream, case and trailing-dot bypasses. But php has many alternative extensions:
php, php2, php3, php5, phtml
Rename the file to any of them and upload.
Connect with AntSword to get a shell.
Pass-04: Apache .htaccess handler bypass
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lower case
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
A .htaccess file can direct the php handler at any file whose name contains the string "as.png": whatever the filename looks like, if it contains "as.png" it is parsed as php. A custom .htaccess file can therefore bypass many upload validation mechanisms in all sorts of ways.
Create a file named .htaccess with the following content:
SetHandler application/x-httpd-php
This makes every file in the directory be handled as php.
So first upload the .htaccess file, then upload the image shell.
How to make an image shell:
Prepare a clean image and the one-line webshell file, open a terminal in that directory and run:
copy name1.jpg/b + name2.php name3.jpg
The file is parsed as php; connect with AntSword to get a shell.
Pass-05: Case bypass
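The defensive counterpart of this level, as an added example that is not part of the lab: the Apache directory block an administrator would put around the upload directory so that an uploaded .htaccess is never honoured and nothing stored there is executed. The path /var/www/html/upload is an assumption; php_admin_flag applies to mod_php, and with PHP-FPM the equivalent is simply not routing this directory to the FPM handler.

```apache
# Added example (not from the lab): settings for the directory that receives uploads.
# AllowOverride None makes Apache ignore any .htaccess placed there, so an uploaded
# "SetHandler application/x-httpd-php" has no effect; the remaining lines stop
# anything in the directory from being executed even if a script file lands there.
<Directory "/var/www/html/upload">
    AllowOverride None
    # mod_php: switch the PHP engine off for this directory
    php_admin_flag engine off
    # refuse to serve script-like extensions at all (defence in depth)
    <FilesMatch "\.(php[2-7]?|phtml|pht|phar|htaccess)$">
        Require all denied
    </FilesMatch>
    Options -ExecCGI -Includes
</Directory>
```

With AllowOverride None in place the bypass used in this level, and the .htaccess-based variants of it, stop working regardless of what the upload filter lets through.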
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
This level blocks the trailing-dot, space and ::$DATA stream bypasses, so consider a case bypass.
Windows filenames are case-insensitive; Linux filenames are case-sensitive.
Uploading a file named 111.PhP succeeds, and so does 111.PHP.
Connect with AntSword to get a shell.
Pass-06: Trailing space bypass
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lower case
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
Reviewing the code, it is easy to see that a trailing-space bypass works.
On Windows a trailing space in a filename is discarded, but the check code does not strip it, so the blacklist is bypassed. Intercept the HTTP request in Burp and append a space to the filename:
1.php + space
Upload succeeds; connect with AntSword to get a shell.
Pass-07: Trailing dot bypass
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lower case
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
From the code, a trailing-dot bypass works:
1.php + .
The file is parsed; connect with AntSword to get a shell.
Pass-08: ::$DATA stream bypass
On Windows, uploading a file named text.php::$DATA creates text.php on the server with the same contents as the uploaded file, and it gets parsed.
1.php + ::$DATA
Upload succeeds; connect with AntSword to get a shell.
Pass-09: Path concatenation (dot-space-dot) bypass
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lower case
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
This level blocks the trailing-dot, case, ::$DATA and space bypasses.
Consider a path concatenation bypass instead:
1.php + . + space + .
Upload succeeds; connect with AntSword to get a shell.
Pass-10: Double-extension bypass
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
1.p + php + hp
After filtering, the filename becomes 1.php.
Connect with AntSword to get a shell.
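Pass-03 to Pass-10 all fail the same way: the filter normalizes the name differently from the file system that finally stores it. The added example below (my code, not the lab's) re-creates the lab's extension extraction in Python, with one keyword flag per normalization step so that each level's omission can be reproduced, runs the page's own filenames through it, and sets an allowlist check beside it that normalizes the way NTFS will. The deny lists are abridged, and the Pass-10 list is assumed to contain bare names such as php, which is the only way the page's double-write payload can work.

```python
"""Blacklist normalization (Pass-03..Pass-10) versus an allowlist.
Added example, not the lab's code; deny lists abridged from the page."""
import os
import re

# Abridged version of the page's dotted deny list (Pass-04 to Pass-09).
DENY_DOTTED = {".php", ".php5", ".php4", ".php3", ".php2", ".phtml", ".pht",
               ".htaccess", ".asp", ".aspx", ".jsp"}
# Pass-03 only denies these four.
DENY_PASS03 = {".asp", ".aspx", ".php", ".jsp"}
# Assumed Pass-10 list: bare names, which str_ireplace deletes as substrings.
DENY_BARE = ["php", "phtml", "pht", "asp", "jsp"]
# What a hardened handler accepts instead.
ALLOW_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def deldot(name):
    """The lab's deldot(): removes dots at the end of the name."""
    return name.rstrip(".")


def lab_extension(name, *, trim=True, dots=True, lower=True, ads=True):
    """Re-creates the lab's extension extraction. Each flag switches off one
    normalization step, mirroring the level whose code omits it:
    trim  - trim($file_name) / trim($file_ext)      (missing in Pass-06)
    dots  - deldot($file_name)                       (missing in Pass-07)
    lower - strtolower($file_ext)                    (missing in Pass-05)
    ads   - str_ireplace('::$DATA', '', $file_ext)   (missing in Pass-08)"""
    if trim:
        name = name.strip()
    if dots:
        name = deldot(name)
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""       # strrchr($file_name, '.')
    if lower:
        ext = ext.lower()
    if ads:
        ext = re.sub(r"::\$DATA", "", ext, flags=re.IGNORECASE)
    return ext.strip() if trim else ext


def blacklist_accepts(name, deny=DENY_DOTTED, **steps):
    """True when the lab's blacklist check would let the file through."""
    return lab_extension(name, **steps) not in deny


def double_write_filter(name, deny=DENY_BARE):
    """Pass-10: str_ireplace($deny_ext, '', $file_name) makes one non-recursive
    pass per needle, so a denied word can re-form from the pieces around a deleted one."""
    for needle in deny:
        name = re.sub(re.escape(needle), "", name, flags=re.IGNORECASE)
    return name


def ntfs_stored_name(name):
    """What the Windows file system actually creates (the behaviour Pass-06 to
    Pass-09 rely on): a trailing '::$DATA' only names the file's default data
    stream, and trailing spaces and dots are dropped."""
    if name.upper().endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(" .")


def allowlist_extension(name):
    """Hardened check: normalize the way the file system will, then require the
    extension to be on a short allowlist. Returns the extension or None."""
    stored = ntfs_stored_name(name.strip())
    ext = os.path.splitext(stored)[1].lower()
    return ext if ext in ALLOW_EXT and "\x00" not in stored else None


def server_side_name(name, token):
    """Store under a server-generated name: only the allowlisted extension is
    kept, so inner extensions such as 'x.php.jpg' never reach the file system."""
    ext = allowlist_extension(name)
    return None if ext is None else token + ext


if __name__ == "__main__":
    cases = [  # (level, filename from the page, step that level omits)
        ("Pass-03", "1.phtml", {"deny": DENY_PASS03}),
        ("Pass-05", "111.PhP", {"lower": False}),
        ("Pass-06", "1.php ", {"trim": False}),
        ("Pass-07", "1.php.", {"dots": False}),
        ("Pass-08", "1.php::$DATA", {"ads": False}),
        ("Pass-09", "1.php. .", {}),
    ]
    for level, name, steps in cases:
        print(f"{level}: {name!r:16} blacklist accepts={blacklist_accepts(name, **steps)}"
              f"  stored as={ntfs_stored_name(name.strip())!r}"
              f"  allowlist={allowlist_extension(name)}")
    print(f"Pass-10: '1.pphphp' -> {double_write_filter('1.pphphp')!r},"
          f" allowlist={allowlist_extension('1.pphphp')}")
```

Every blacklist case above is accepted by the level's own check and stored by Windows as 1.php, while the allowlist rejects all of them without needing to know a single bypass; combined with a server-generated filename it also removes inner extensions, which matters for Apache multi-extension handling.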
Pass-11: %00 path truncation (GET)
The check is an allowlist, but $img_path is built by direct concatenation, so %00 truncation can bypass it.
Truncation requires a PHP version below 5.3.4 and magic_quotes_gpc set to Off.
%00 is URL encoding. Once the URL reaches the server it is decoded before the validation function runs, so the validation function receives not the literal characters %00 but the decoded byte 0x00. For example:
https://localhost/upfile/?file=test.txt
This outputs test.txt. With %00 added:
https://localhost/upfile/?file=test.php%00.txt
This outputs test.php, bypassing the extension restriction, so a webshell can be uploaded.
Upload succeeds; in the resulting path there is an unprintable character after 1.php. Remove it and the shell is reachable; connect with AntSword.
Pass-12: %00 path truncation (POST)
Because POST data is not automatically URL-decoded the way GET parameters are, the change has to be made in the raw bytes.
Append a space to the path, switch to the Hex view and change that byte to 00, then send; upload succeeds.
Delete the special character after 1.php in the path; the file is reachable, connect with AntSword to get a shell.
Pass-13: File header (magic bytes) bypass
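Pass-11 and Pass-12 differ only in how the 0x00 byte reaches the server; the concatenation that makes it matter is the same. The added example below (my code, not the lab's) models that concatenation from the page's description, emulates the C-string behaviour of the old file functions the page's version condition refers to, and sets beside it the construction a hardened handler uses, where the client never supplies a directory at all. The upload directory, the stamp argument standing in for the lab's rand-plus-date filename, and the exact shape of the vulnerable line are assumptions.

```python
"""Null-byte truncation of a concatenated path (Pass-11 GET, Pass-12 POST)
and the path construction that is immune to it. Added example, not lab code."""
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/html/upload"   # assumed server-side constant
ALLOWED = {"jpg", "png", "gif"}       # the allowlist the page says these levels use


def c_string(s):
    """A C-string consumer (PHP file functions before 5.3.4, per the page's
    condition) stops at the first NUL byte; everything after it is lost."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def get_param(raw):
    """GET parameters are URL-decoded before PHP code sees them: %00 -> 0x00."""
    return unquote(raw)


def post_param(raw_bytes):
    """A POST field arrives as sent: '%00' stays literal, only a real 0x00 byte
    (set in the Hex view in Pass-12) truncates."""
    return raw_bytes.decode("latin-1")


def vulnerable_img_path(save_path, ext, stamp):
    """Modelled on the page's description of Pass-11: the extension passes an
    allowlist, but the target path concatenates the client-controlled save_path.
    'stamp' stands in for the lab's random number plus date (assumption)."""
    if ext not in ALLOWED:
        return None
    return c_string(save_path + "/" + stamp + "." + ext)


def hardened_img_path(ext, stamp):
    """The client chooses neither directory nor name; a NUL anywhere in what the
    server generates is treated as an error rather than silently truncated."""
    if ext not in ALLOWED or "\x00" in stamp:
        return None
    return f"{UPLOAD_DIR}/{stamp}.{ext}"


if __name__ == "__main__":
    # the page's own GET illustration
    print(c_string(get_param("test.txt")), "|", c_string(get_param("test.php%00.txt")))
    # save_path from the request versus a server-chosen directory
    print(vulnerable_img_path(get_param("../upload/1.php%00"), "jpg", "33"))
    print(vulnerable_img_path(post_param(b"../upload/1.php%00"), "jpg", "33"))
    print(vulnerable_img_path(post_param(b"../upload/1.php\x00"), "jpg", "33"))
    print(hardened_img_path("jpg", "33"))
```

The second POST line is the reason Pass-12 needs the Hex edit: the literal characters %00 survive into the path untouched, and only a genuine 0x00 byte truncates it. Current PHP rejects paths containing NUL outright, which is the same behaviour hardened_img_path enforces explicitly.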
Image shell: how to make one was shown above.
The source reads the first 2 bytes to decide the upload's type; once that passes, the file is given a new extension.
Construct include.php?file=upload/shell.jpg; include reads the contents of shell.jpg as text, so the one-line webshell inside shell.jpg is executed.
Only the file header is checked, so a file that starts with GIF89a is treated as a gif. Upload the image shell, find the path of include.php and use the file inclusion to reach it; connect with AntSword to get a shell.
Pass-14: File content check
image_type_to_extension returns the extension for a given image type.
Same method as above, using include; the check here inspects the image type from the file body.
Connect with AntSword to get a shell.
Pass-15: File content check
Same method as above.
Pass-16: Image re-rendering, content check
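The three content checks of Pass-13 to Pass-15 look at progressively more of the file, and the page's GIF89a observation is why none of them can prove a file is only an image. The added example below (my code, not the lab's) puts the page's two-byte header check beside a structural GIF walker that parses every block up to the trailer: the walker rejects a file that is a GIF signature followed by text, and a real GIF with bytes appended after its trailer, which is exactly what the copy /b construction of Pass-04 produces. The two-byte comparison is modelled on the page's description, and the sample bytes are constructed here; the walker covers only GIF, the format the page uses.

```python
"""Header check (Pass-13) beside a structural GIF check (Pass-14/15 style).
Added example, not the lab's code; sample bytes are constructed."""

# Pass-13 style: the first two bytes, written as decimal values, decide the type.
TWO_BYTE_TYPES = {"255216": "jpg", "13780": "png", "7173": "gif"}


def header_two_bytes(data):
    """The type the two-byte header check assigns, or None."""
    if len(data) < 2:
        return None
    return TWO_BYTE_TYPES.get(f"{data[0]}{data[1]}")


def _skip_sub_blocks(data, pos):
    """Skip a chain of GIF data sub-blocks; return position after the 0 terminator."""
    while True:
        if pos >= len(data):
            return None
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_is_well_formed(data):
    """True only if the bytes parse as one complete GIF: header, optional global
    colour table, a sequence of extension/image blocks, and a trailer as the
    very last byte. Anything appended after the trailer fails the check."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return False
    packed = data[10]
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 7))
    while pos < len(data):
        marker = data[pos]
        if marker == 0x3B:                  # trailer
            return pos == len(data) - 1
        if marker == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif marker == 0x2C:                # image descriptor
            if pos + 10 > len(data):
                return False
            local_packed = data[pos + 9]
            pos += 10
            if local_packed & 0x80:         # local colour table present
                pos += 3 * (2 << (local_packed & 7))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
        else:
            return False
        if pos is None:
            return False
    return False                            # ran out of bytes before the trailer


def validate_image_upload(claimed_ext, data):
    """Defensive combination: the stored extension must match the sniffed type,
    and a gif must parse completely. Returns the extension to store under or None.
    Even a file that passes must never be included or executed; store it under a
    generated name outside the web root (re-encoding, as in Pass-16, goes further)."""
    kind = header_two_bytes(data)
    if kind is None or kind != claimed_ext.lower().lstrip("."):
        return None
    if kind == "gif" and not gif_is_well_formed(data):
        return None
    return kind


# Constructed samples: a complete 1x1 GIF, and a GIF signature followed by text.
MINIMAL_GIF = (
    b"GIF89a"                                       # signature + version
    + b"\x01\x00\x01\x00"                           # logical screen 1x1
    + b"\x80\x00\x00"                               # global colour table (2 entries), bg, aspect
    + b"\x00\x00\x00\xff\xff\xff"                   # colour table: black, white
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor 1x1, no local table
    + b"\x02"                                       # LZW minimum code size
    + b"\x02\x44\x01\x00"                           # one 2-byte data sub-block + terminator
    + b"\x3b"                                       # trailer
)
HEADER_ONLY = b"GIF89a" + b"this is not an image body"   # passes Pass-13, not the walker
APPENDED = MINIMAL_GIF + b"appended text"                 # what copy /b produces

if __name__ == "__main__":
    for label, blob in (("minimal", MINIMAL_GIF), ("header-only", HEADER_ONLY), ("appended", APPENDED)):
        print(f"{label:12} two-byte={header_two_bytes(blob)} well-formed={gif_is_well_formed(blob)}"
              f" validate={validate_image_upload('gif', blob)}")
```

The walker shows what a stricter content check buys and what it does not: it catches the header-only and appended cases, but a comment extension or colour table inside a well-formed GIF can still carry arbitrary bytes, which is why the page's include-based levels are only closed by never executing uploads, and why Pass-16 re-encodes the image instead of inspecting it.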
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    // basic information about the uploaded file: name, type, size, temporary path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];
    $target_path = UPLOAD_PATH.'/'.basename($filename);
    // extension of the uploaded file
    $fileext = substr(strrchr($filename, "."), 1);
    // check extension and type; only upload when both are valid
    if (($fileext == "jpg") && ($filetype == "image/jpeg")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // generate a new image from the uploaded one
            $im = imagecreatefromjpeg($target_path);
            if ($im == false) {
                $msg = "该文件不是jpg格式的图片!";
                @unlink($target_path);
            } else {
                // give the new image a filename
                srand(time());
                $newfilename = strval(rand()).".jpg";
                // show the re-rendered image (a new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im, $img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    } else if (($fileext == "png") && ($filetype == "image/png")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // generate a new image from the uploaded one
            $im = imagecreatefrompng($target_path);
            if ($im == false) {
                $msg = "该文件不是png格式的图片!";
                @unlink($target_path);
            } else {
                // give the new image a filename
                srand(time());
                $newfilename = strval(rand()).".png";
                // show the re-rendered image (a new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagepng($im, $img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    } else if (($fileext == "gif") && ($filetype == "image/gif")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // generate a new image from the uploaded one
            $im = imagecreatefromgif($target_path);
            if ($im == false) {
                $msg = "该文件不是gif格式的图片!";
                @unlink($target_path);
            } else {
                // give the new image a filename
                srand(time());
                $newfilename = strval(rand()).".gif";
                // show the re-rendered image (a new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagegif($im, $img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    } else {
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}
Same as before, but the image has to survive the re-rendering; ready-made images whose embedded code is still intact after two rounds of rendering can be found online.
Pass-17: File content check
Same as above, use include.php.