uploads_labs前9题

最新推荐文章于 2024-05-22 09:15:15 发布
最新推荐文章于 2024-05-22 09:15:15 发布
阅读量183 收藏
点赞数
分类专栏: CTF 文章标签: php 前端 服务器
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_53568983/article/details/127767079
版权

upload-labs详解

1.代码使用的函数详解

2.uploads_labs

1.Pass-01

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));//截取文件后缀
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

如上为Pass-01核心代码,代码解释如上所示,前端只允许我们上传".jpg|.png|.gif"为后缀的文件,我们可以把一句话木马文件先改成".jpg|.png|.gif"为后缀的文件,抓包后再改回来

2.Pass-02

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) { //判断是否提交了
    if (file_exists($UPLOAD_ADDR)) { //判断文件路径是否存在
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) { //设置了白名单,只有 'image/jpeg'等文件后缀才可以上传,其他文件类型不可以上传
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}

如上为Pass-02核心代码,代码解释如上所示,后端只允许我们上传"image/jpeg "等类型的文件,我们可以上传一句话木马文件,并且抓包后把文件类型改成image/jpeg

  • 上传1.php:
    在这里插入图片描述
  • 更改类型:
    在这里插入图片描述

3.Pass-03

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');  //黑名单,就是不允许上传的文件的后缀
        $file_name = trim($_FILES['upload_file']['name']); //去除$_FILES['upload_file']['name']左右的空格
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');  //如果$file_name是1.php,取php
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                 $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                 $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

如上为Pass-03核心代码,代码解释如上所示,没有过滤php5,phtml等后缀,如果平台又可以解析php5,phtml(apacher 开启了AddType application/x-httpd-php .php .phtml),就可以上传后缀为php5,phtml的文件,和php一模一样的(解析的前提是修改httpd.conf,) 现在我的是php的环境,那我们能够用php4、php5,或者说是phtml的方式进行绕过,那当然,如果说我们是asp的环境,那我们可以用asa、cer、cdx,这样的后缀名,进行绕过,那如果说是我们aspx的,这种网站,我们能够用ashx、asmx、ascx、esms,那当我们遇到jsp的时候,我们可以用jspx、jspf,这种后缀名进行绕过

  • 上传phtml文件后缀的文件:
    在这里插入图片描述

4.Pass-04

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");  //几乎限制了所有脚本文件的上传,没有绕过.htaccess文件,可以先上传.htaccess构造.htaccess解析漏洞
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

如上操作请查看.htaccess漏洞图片马的使用

5.Pass-05

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess"); //绕过了部分脚本文件,并且下面在进行比对的时候没有进行全部大写,全部小写的代码,及缺少strtolower()
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

所以如上代码,我们可以上传木马文件,文件后缀为Php就可以绕过,由于windows和LInux一样,你大小写后都会自动变成小写,所以我们要在抓包的时候更改文件后缀
在这里插入图片描述

6.Pass-06

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

前两个也没什么不同,但是将所有的后缀都给过滤了,仔细看了看,发现这个题目没有对后缀名末尾做去空处理。也就是说这道题目的考点是空格绕过,所以文件抓包后在php后缀下加上空格再发送就可以了(注意目标服务器需要是apache服务器,nginx服务器则不能够这样)

7.Pass-07

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

这一题比前面三题来说,将所有改过滤的都过滤了,这下要想想其他的绕过方法了没有对后缀名末尾的点进行处理,利用windows特性,会自动去掉后缀名中最后的”.”,可在后缀名中加”.”绕过,这题的考点是.绕过。

8.Pass-08

 $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

看下这个题目,又将文件名末尾的点给删除了,在看看和上一个代码的差别,但是我们可以看到这个代码没有了::$DATA$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA也就是没了这一句,那我们把这个加到后面不就可以过滤了吗

图片

9.Pass-09

 $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

这次可狠了,前面所有可以利用的都给过滤了,分析下代码,先将首尾去空,又去除了::$DATA又转换为小写,再删去末尾的点。这样一来我们构造文件名,使其经过过滤后得到的还是php的文件名不就行了,所以就1.php. . 就可以绕过,也就是点+空格+点+空格绕过
在这里插入图片描述

安全天天学
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
2021-09-29 uploads_labs 18及部分关于网络的知识点
m0_51170293的博客
10-08 195
av:antivirus 杀毒 搭建靶场环境winhex 打开第18 上传此文件 <?php echo md5(1); fputs(fopen('ma.php','w'),'<?php @eval($_POST[cmd]); ?>'); ?> 用burp批量发 找到了自己需要的uploaddama.php.7z 说明 直接连ma.php 即可 直连线,即同一根网线的两端使用同样的线序 ,要么都是568A标准,要么都是568B标准。交叉线,即同一根网线的两段使用
upload-labs搭建及11关过关教程
墨子辰的博客
01-29 1275
使用phpstudy搭建Uploads-labs 链接:https://pan.baidu.com/s/1lMRBVdQyFuKOgNlWPUoSSQ 提取码:8mmv 下载后,解压修改名字:upload-labs,然后移动到phpstudy网站目录:phpstudy\www(根据自己的网站目录决定),若网站根目录下存在多个目录,记得打开允许目录列表,打开方法:其他选项菜单—phpStudy设置—允许目录列表。在upload-labs目录下创建一个upload文件夹 启动phpstudy在浏览器输入
uploads-labs深入学习
JasonCian的博客
07-07 1001
uploads-labs深入学习
文件上传漏洞靶场搭建(upload-labs)
Bluetuan的博客
12-29 799
在初步了解文件上传漏洞靶场搭建时发现经常使用uploads-labs作为现成靶场文件,这样一来就会大大降低搭建难度,同时搭建平台比较多,可以利用Linux、Window Sever 2008 R2、Docker等进行搭建,我在这里选择了使用自己电脑的Win11直接进行搭建,并未使用虚拟机。1.下载靶场代码,这是一个为了免去大家环境搭建的烦恼、基于phpstudy这个php集成环境搭建的、直接安装就能使用的靶场代码。4.点击启动即可启动靶场,此时界面可能会提示端口冲突,关闭该端口对应的服务即可。
upload_labs_pass17_二次渲染
qq_51550750的博客
04-12 912
pass17-源码分析 打开pass17,貌似和面的几关差不多(pass14,15,16都是图片马)。 看源码和提示: 提示: 即利用上传的图片生成了一张新的图片。 源码: $is_upload = false; $msg = null; if (isset($_POST['submit'])){ // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径 $filename = $_FILES['upload_file']['name']; $filetype = $_F
uploads-labs靶场(附源码分析)
东隅的博客
06-30 748
uploads-labs靶场(附源码分析)
upload-labs
weixin_44576725的博客
04-14 1508
upload-labs通关记录 upload-labs是收集ctf和渗透测试中文件上传遇到的各种漏洞的靶场,旨在通过关卡的形式来帮助大家对文件上传有个全面的了解。 项目地址:https://github.com/c0ny1/upload-labs Pass-01 选择本地1.php文件上传,打开burp抓包,还没抓到包页面就显示只能上传.jpg.png等类型文件,说明是前端JS判断。 这里有两种绕过方法: 打开浏览器的审查元素,找到文件上传的js代码,发现checkFile()函数,推测是这个函数进行
uploads-labs文件上传漏洞通关记录
Sea_Sand息禅
07-11 1030
Pass-01 js检测 1)抓包改名直接绕过。 2)控制台找到检测代码进行修改 Pass-02 后台对MIME进行检测,上传php文件,然后把content-type改为image/jpeg,然后发包马就传上去了。 ...
upload-labs安装及攻略
热门推荐
K_ShenH的博客
01-14 2万+
upload-labs靶场的安装搭建(windows) (1)首先当然是需要phpstudy的环境,所以要先下载安装phpstudy。 (2)然后到github的网址中下载源码的压缩包。 github网址:https://github.com/Tj1ngwe1/upload-labs (3)下载后解压缩到phpstudy目录下的WWW子文件夹中,这里要注意吧压缩包的名字改成upload-labs,不然靶场的页面会显示得不对。 (4)然后在输入url HTTPS:...
uploads_analysis_domain_script_
10-03
collect domain data
phoenix_live_view_uploads_bug_example
04-13
演示版 要启动Phoenix服务器: 使用mix deps.get安装依赖mix deps.get 使用npm install在assets目录中安装Node.js依赖项 使用mix phx.server启动Phoenix端点 现在,您可以从浏览器访问 。 准备好投入生产了吗?...
uploads_2021_TT2XRtool_Setup-V154.exe
10-03
uploads_2021_TT2XRtool_Setup-V154.exe
uploads_2021_TH11S-B Tool_V107 (1).exe
09-27
uploads_2021_TH11S-B Tool_V107 (1).exe
R_TBC_Uploads
04-01
R_TBC_Uploads
如何构建基因单倍型网络
hgz2020的博客
05-18 610
单倍型分析
PHP反射API与接口的动态分析
最新发布
APItesterCris的博客
05-22 238
PHP的反射(Reflection)API 提供了一种在运行时获取类和对象信息的能力,包括类的方法、属性、接口等。这对于动态分析、构建IDE的自动完成功能、或者进行复杂的元编程非常有用。以下是如何使用PHP反射API进行动态分析的示例代码。
【Web】CISCN 2024初赛 解(全)
uuzeray的博客
05-21 1047
这里注意细节,靶机发了两次请求,第一次我们就返回一个正常的图片,第二次请求就发一个302,php代码块要用html标签包裹。注意下面这段报错,因为加不了引号,开头是数字的话,就会将类型识别为数字,若后续出现了字符串就会报错。再打sqlite,指定tableName,加载写入的恶意so文件,反弹shell。最后注意要将获取的变量元组转字符串,再用逗号分隔,依次输出,从而绕过seed。考的python栈帧沙箱逃逸,获取到外部的栈帧,就可以用。因为ban了引号,考虑hex2bin,将数字转为字符串。
jenkins插件之xunit
made4971的博客
05-17 347
填写一下命令,这个命令是docker中执行phpunit单元测试,请根据你的实际情况调整php执行文件路径。一章中phpunit.xml中配置的junit生成结果的地址需要保持一致。在测试报告列填写reports/junit.xml , 注意此处地址和。您的项目 - 配置 - Build Steps, 新增。您的项目 - 配置 - 构建后操作, 新增。Build Step选择 执行SHELL。超时时间根据实际情况配置。搜索xunit并安装。
uploads-labs靶场搭建
08-22
1. 下载uploads-labs源代码:你可以从GitHub上找到uploads-labs的源代码,并将它下载到你的服务器或本地机器上。 2. 安装必要的依赖:uploads-labs使用了一些依赖库,你需要安装它们。通常来说,你需要安装Python和...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

安全天天学

你的鼓励是对我最大的鼓励

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值