文件上传(是个功能):把自己电脑上面的文件传到服务器上面
任意文件上传才是漏洞
文件上传核心:
1、能传的上去(服务器上面)
2、能被解析(你的木马会被执行)
3、你要能访问的到你传上去的文件(只有在网站根目录下你才能访问的到)
文件上传传上去的木马文件需要在网站根目录下,如果你能访问到你传上去的图片,例如头像,基本上就是在根目录下,因为在一般情况下,不在网站根目录里的东西,你是访问不到的
解析:你传上去的文件被当做后端脚本执行
我们进入靶场:
第一关:前端验证
我们直接上传一个1.php,发现网站做了防护,不允许上传php文件,由于前端是在我们自己的浏览器上面运行的,所以相当于没有校验
我们打开Burp,将刚才的1.php后缀改为1.jpg,点击上传文件,然后抓包,将后缀再改为1.php,然后放包,复制刚才上传的图片路径,访问,可以看到成功上传webshell
第二关:后端校验--Content-Type
我们上传一个图片,Burp抓包,可以看到这个Content-Type类型为image/jpeg
我们上传一个php,Burp抓包,可以看到Content-Type这个类型为application/octet-stream
我也可以按照第一关的方法来直接修改这个类型,上传1.php,Content-Type类型修改为image/jpeg,可以直接上传成功
第三关:黑名单
查看源码可以知道,他屏蔽了.asp、.aspx、.jsp、.php这些文件后缀
但是默认情况下 .phtml .php3 .php4 .php5这些都有可能会被当作.php执行
jspx ispf都有可能会被当作.jsp执行
asa cer aspx 都有可能会被当作.asp执行
我们直接将文件后缀改为响应格式就好了
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第四关:.htaccess文件绕过
我们查看源码可以看到,他屏蔽了所有有可能被当做php,jsp代码执行的文件后缀 ,所以这时候我们可以先上传一个.htaccess文件,然后在上传一个图片马
".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
.htaccess(Apache特有):针对某个文件夹有单独的策略,下图是文件内容,这个意思是把.JPG后缀的文件当做php来执行
.htaccess功能:
文件夹密码保护、用户自定义重定向、自定义404页面、扩展名伪静态化、禁止特定IP地址的用户、只允许特定IP地址的用户、禁止目录列表
我们发现无法将文件名命名为.htaccess ,那么该怎么办?
可以使用cmd的重命名 ren 17.txt .htaccess
第五关:后缀大小写绕过
查看源码发现把.htaccess文件也屏蔽了,我们上传文件,改文件后缀
.php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess
第六关:文件后缀空绕过
windows末位自动去空,利用burp抓包,将文件后缀改为.php空格,即可成功上传
第七关:文件后缀点绕过
windows末位自动去点,利用burp抓包,将文件后缀改为.php.,即可成功上传
第八关:::$DATA(Windows文件流绕过)
windows文件流绕过,利用burp抓包,将文件后缀改为.php::$DATA
第九关:构造文件后缀绕过
无源码较难 ,我们查看源码,可以看到他过滤的顺序和方式,strrchr()查找指定字符在字符串中最后一次出现的位置,从右面开始,所以我们可以根据这个过滤的顺序和方式来构造文件后缀,1.php.空格.,我们上传文件,将后缀改为这样
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第十关:双写文件后缀绕过
str_ireplace() 替换字符串中的一些字符(不区分大小写)
str_ireplace($deny_ext," ",$file_name) 上传的文件里面出现黑名单里的东西,就替换为空
那如果我们写一个pphphp呢,是不是就被替换为了php,我们可以直接把文件后缀改为pphphp,即可上传成功
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}