漏洞条件:文件可上传——知道文件上传路径——上传文件可以被访问——上传文件可以被执行
文件上传可控点:
Content-Length,即上传内容大小
MAX_FILE-SIZE,即上传内容的最大长度
filename,即上传文件名
Content-Type,即上传文件类型
请求包中的乱码字段,即是所上传文件的内容,有可能存在请求包中的可控点还有上传路径
一、漏洞代码
(1)后缀
upload.html
<html>
<head>
<title>文件列表绕过</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
<?php
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
$info=pathinfo($_FILES["file"]["name"]);
$ext=$info['extension'];//得到文件扩展名
if (strtolower($ext) == "php") {
exit("no allow php");
}
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
}
}
?>
直接上传php文件:
成功上传:
,
在浏览器访问上传的页面,按说这里apache会解析成php,我这里报了500错误。
查阅资料知道:apache与php的结合方式修改为fastcgi方式,测试会爆500错误,不存在这样的解析漏洞。
http://192.168.189.129:8086/houzhui/upload/1.php.xxxx(实际情况自己判断吧)
(2)js检测上传
<html>
<head>
<title>JS检查文件后缀</title>
</head>
<body>
<script type="text/javascript">
function selectFile(fnUpload) {
var filename = fnUpload.value;
var mime = filename.toLowerCase().substr(filename.lastIndexOf("."));
if(mime!=".jpg")
{
alert("请选择jpg格式的照片上传");
fnUpload.outerHTML=fnUpload.outerHTML;
}
}
</script>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" onchange="selectFile(this)" />
<br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
<?php
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
}
}
?>
3、截断(< php5.3.4,且gpc关闭)
<html>
<head>
<title>0x00绕过</title>
</head>
<body>
<form action="upload7.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /><br />
<label for="file">name:</label>
<input type="text" name="jieduan">
<br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
<?php
error_reporting(0);
$ext_arr = array('flv','swf','mp3','mp4','3gp','zip','rar','gif','jpg','png','bmp');
$file_ext = substr($_FILES['file']['name'],strrpos($_FILES['file']['name'],".")+1);
//exit($_FILES['file']['name']);
if(in_array($file_ext,$ext_arr))
{
$tempFile = $_FILES['file']['tmp_name'];
// 这句话的$_REQUEST['jieduan']造成可以利用截断上传
$targetPath = "upload/".$_REQUEST['jieduan'].rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($tempFile,$targetPath))
{
echo '上传成功'.'<br>';
echo '路径:'.$targetPath;
}
else
{
echo("上传失败");
}
}
else
{
echo("不允许的后缀");
}
?>
4、文件类型:
<html>
<head>
<title>Mime Type绕过</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
<?php
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
if (($_FILES["file"]["type"] != "image/gif") && ($_FILES["file"]["type"] != "image/jpeg")
&& ($_FILES["file"]["type"] != "image/pjpeg")){
exit($_FILES["file"]["type"]);
exit("不允许的格式");
}
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
}
}
?>
5、竞争条件
<html>
<head>
<title>竞争条件</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /><br />
<br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
<?php
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
//为了说明,这里直接让程序sleep 10s。
//sleep("10");
//unlink("upload/" . $_FILES["file"]["name"]);
}
}
?>