upload-labs 1-11关 详解

最新推荐文章于 2024-04-06 16:19:48 发布
最新推荐文章于 2024-04-06 16:19:48 发布
阅读量262 收藏
点赞数 1
分类专栏: 网络安全 文章标签: php 服务器 安全 Powered by 金山文档
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_53409748/article/details/129231580
版权

实验环境:win10下phpstudy 搭建

【Pass-01】

可以看到需要上传一张图片

这里尝试上传一个1.php发现被拦截

查看源代码,发现只允许上传图片格式

打开bp抓包,修改后缀为php:

上传成功

【Pass-02】

查看源代码

可以看到,后端PHP代码只对content-type进行了检查

使用bp抓包,修改上传的PHP的content-type为image/png

上传成功

【Pass-03】

结合源码我们可以看出这关设置了文件后缀名黑名单,禁止上传后缀名为php的文件

我们尝试通过扩展名绕过,可以尝试phtml,php3,php4, php5, pht后缀名都可以绕过,但是前提是要在配置文件里面有这样的一句话

AddType application/x-httpd-php .php .phtml .php3 .php4

该句代码的意思是将.php、.php3、.php4当作php文件

上传后缀为php3的文件

上传成功

【Pass-04】

源码中可以看到限制了几乎全部的webshell文件的后缀

但是没有限制.htaccess文件

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

.htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置.通过htaccess文件,可以实现:网页301重定向、自定义404页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能

双引号里面是要上传的文件

先上传.htaccess文件,再上传jpg文件:

【Pass-05】

在源码中可以看到,过滤了绝大多数后缀的文件,包括.htaccess

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

因为该环境上传目录存在php文件(readme.php)

先上传.user.ini

作用域是当前文件夹和当前文件夹中的子文件;包含指定的文件,显示在页面上

.user.ini内容

auto_prepend_file=1.jpg

再上传1.jpg

最后查看readme.php文件

【Pass-06】

分析源码,可以看到少了大小写的判定

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

修改上传文件后缀名1.Php

上传成功

【Pass-07】

分析源码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

本关相比较前两关少了一步首尾去空的步骤,这样的话我们可以采取空格绕过

抓包上传.php 文件(.php+空格)

上传成功

【Pass-08】

分析源码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

相比较前几关,本关少了删除文件末尾的.

抓包上传.php. 文件

上传成功

【Pass-09】

分析源码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

发现本关少了去除字符串::$DATA的一步

在php+windows的情况下:如果文件名+"::$DATA"会把::$DATA之后的数据当成文件流处理,不会检测后缀名.且保持"::$DATA"之前的文件名。

抓包上传,修改后缀为.php::$DATA:

上传成功

【Pass-10】

分析源码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

先将首尾去空,又去除了::$DATA又转换为小写,再删去末尾的点。

构造一个执行完函数后缀为.php的文件

可以使用1.php. . (点+空格+点+空格)进行绕过

deldot()函数从后向前检测,当检测到末尾的第一个点时会继续它的检测,但是遇到空格会停下来

抓包上传:

上传成功:

【Pass-11】

分析源码:

发现设置了黑名单

尝试上传一个文件查看结果:

可以看到上传的php文件后缀被修改为空:

双写绕过:伪造后缀为1.pphphp 这样解析完成后就会把中间的php修改为空

抓包上传:

上传成功

²⁰⁰²₀₂.₀₁T̶B̶
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
upload-labs-master.zip
06-22
文件上传漏洞小游戏靶场upload-labs-master/upload-labs-master/upload-labs-master/upload-labs-master
Upload-labs通手册.pdf
08-06
Upload-labs通手册
安装upload-labs
10-22
安装upload-labs
UPLOAD-LABS详细解题步骤
05-17
UPLOAD-LABS详细解题步骤
upload-labs19-20以及总结1
08-08
第一步:直接上传php文件,保存名称填成PHP第二步:抓包分析可以看到filename是文件本来的名称,而save_name是传递的参数,此处改为PHP可以绕过
upload-labs11(双写后缀名绕过)通思路
zyh1588的博客
11-17 495
小白回顾文件上传靶场第十一
upload-labs(11~12)通笔记
Sheng_GuoFu的博客
12-12 524
在url中%00表示ascii码中的0,而0作为特殊字符保留,表示字符结束,也就是说,在保存文件的时候,如果路径参数(例:$img_path)中出现了%00,就会认为路径到这里就已经结束了,从而忽略后面一系列的参数,比如,此时,路径参数的后半部分就会被%00给截断,从而变成使用%00截断有两个要求:1、php的版本 < 5.3.42、php.ini中的magic_quotes_gpc的状态为Off。
upload-labs靶场-Pass-11-思路以及过程
weixin_44257023的博客
01-16 2551
开始前的小准备 upload-labs靶场 是PHP环境运行的,所以我准备了一个PHP脚本和一张图片 图片好准备,PHP脚本如果不想写的话可以用我的这个获取当前时间的PHP脚本 <?php header("content-type:text/html;charset=utf-8"); date_default_timezone_set("PRC");//设置时区 echo "当前时间为:"; $today = date("Y-m-d D h:i:s A "); echo $today; ?
文件上传漏洞-uploadlabs靶场11~20解析
黄乔国PHP
03-19 1133
在现代互联网的web应用程序中,上传文件是一种常见的功能,因为它有助于提高业务效率,比如社交网站中,允许用户上传图片、视频、头像和许多其他类型的文件。然而向用户提供的功能越多,web应用受到攻击的风险就越大,如果web应用存在文件上传漏洞,那么恶意用户就可以利用文件上传漏洞将可执行脚本程序上传到服务器中,获取网站的权限,或者进一步危害服务器
upload-labs11-16
qq_46527080的博客
12-25 411
第十一(双写) 源码分析 他这个是直接将上边数组存在的后缀名替换为空了,所以我们可以双写上传 抓包防包 发现上传成功了 第十二(get型%00截断) 源码分析 白名单机制,但是$img_path直接拼接,因此可以利用%00截断绕过。 可以使用00截断,php后空格十六进制的20改为00 条件:php版本小于5.3.4 2、php.ini的magic_quotes_gpc为OFF状态 知识点:这里利用的是00截断。move_uploaded_file函数的底层实现类似于C语言,遇到0x00会截断。 抓包分
WEB渗透学习-upload-labs靶场
04-20
upload-labs为WEB渗透中文件上传漏洞专项练习靶场,内涵各种文件上传漏洞类型,采用卡制,一共21,由易到难,适合刚接触该漏洞的新手巩固练习
upload-Labs靶场“11-15”教程
钟言的博客
03-04 6620
本篇为文件上传漏洞靶场的第11到15教程,详细内容包含了一、第十一 %00截断GET上传 1、源码分析 2、%00截断GET上传 第十二 %00截断POST上传 1、源码分析 2、%00截断POST上传-。第十三 文件头检测绕过 1、源码分析 2、文件头检测绕过 四、第+四 图片检测绕过上传 1、源码分析 2、图片马绕过上传五、第十五 图片检测绕过上传 1、源码分析 2、图片马绕过上传等等内容
Upload LABS Pass-11
热门推荐
wangyuxiang946的博客
07-05 1万+
第十一在服务端使用了白名单 , 但文件保存路径外漏 , 可以使用00截断 准备一个 11.php 文件 , 内容为一句话木马 <?php eval($_POST[-7]);?> 上传 11.php 文件 , 并使用代理( 此处使用 Burp Suite)拦截请求 修改路径,添加%00 , %00会被转译成00 , Windows解析到00会当成结束符而停止解析 比如 1.php%00.jpg 会被解析成 1.php ,%00后的内容不会解析 文件后缀修改...
upload-labs文件上传靶场实验通教程攻略
Thunderclap的博客
10-07 6422
实验环境 系统环境:windows2003 软件:phpstudy2016 apache+php版本:php 5.2.17 apache 2.4.3 magic_quotes_gpc = Off php.ini中开启extension=php_exif.dll 其他配置均为默认 靶场链接:https://github.com/c0ny1/upload-labs 第一 前端JS...
文件上传漏洞——upload-labs文件包链接及通详解过程、代码注释
小羊的博客
09-07 961
Pass-01 前端验证绕过 页面另存为本地文件,更改前端限制 闭浏览器js代码禁用 使用代理拦截上传 方法1:页面另存为本地文件,用记事本打开,找到文件上传类型,添加所要上传的文件类型,保存并打开修改过的页面,再上传就成功啦。 方法2:浏览器中闭JavaScript代码解析则可。 方法3:使用Burp Suit代理,拦截,将所有JS限制删除,再上传phpinfo.php文件。(三种方法原理一样) Pass-02 MIME-...
全网最全upload_labs通过教程,有详细解题思路
最新发布
m0_63615772的博客
04-06 738
没有经过过滤,先判断合不合法加. 加.空格 都可以绕过前面的各种方法总结。
文件上传绕过upload-labs-master通11-15
per_se_veran_ce的博客
09-11 725
第十一 尝试上传1.php文件,发现如下提示,为白名单 查看源码 路径拼接 只允许.jpg .png .gif类型的文件 0x00截断:基于一个组合逻辑漏洞造成的,通常存在于构造上传文件路径的时候   test.php(0x00).jpg   test.php%00.jpg   路径/upload/1.php(0x00),文件名1.jpg,结合/upload/1.php(0x...
upload-labs搭建及前11教程
墨子辰的博客
01-29 1279
使用phpstudy搭建Uploads-labs 链接:https://pan.baidu.com/s/1lMRBVdQyFuKOgNlWPUoSSQ 提取码:8mmv 下载后,解压修改名字:upload-labs,然后移动到phpstudy网站目录:phpstudy\www(根据自己的网站目录决定),若网站根目录下存在多个目录,记得打开允许目录列表,打开方法:其他选项菜单—phpStudy设置—允许目录列表。在upload-labs目录下创建一个upload文件夹 启动phpstudy在浏览器输入
upload-labs-master 文件上传 第十一和十二
dd_c1d的博客
08-25 1826
继续! 第十一(pass-11) 上源码! 大家可以看到这里有个str_ireplace()函数,详情可以自行百度,简单来说就是把黑名单里的内容给置换为""。注意这里不是空格!就是空!!就是什么都没有。我们先上传测试一下,方便大家理解。 我们直接复制图片地址,当然也可以看一下上传目录来判断。 发现后缀没了,那是因为原本的.php被str_ireplace()函数变为空了。 这里我们发现他的防护规则写的的确生效了,但是有个致命的问题,和前面的卡一样,没有写循环!...
upload-labs第十九
08-23
upload-labs的第十九是通过上传图片马来实现攻击。在这个卡中,与第17相比,增加了对后缀名的检测,禁止直接上传php文件。所以你需要上传一个图片马并使用文件包含来访问它。具体的步骤与第17类似,你可以上传一个名为22.gif的文件,然后进行抓包并进行攻击。这样就可以成功通第十九。 <span class="em">1</span><span class="em">2</span><span class="em">3</span> #### 引用[.reference_title] - *1* *2* *3* [upload-labs详解1-19全解(最全最详细一看就会)](https://blog.csdn.net/qq_53003652/article/details/129969951)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v93^chatsearchT3_2"}}] [.reference_item style="max-width: 100%"] [ .reference_list ]

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值