python基础
1.Python中是如何对变量赋值的?
# Binding a value to a name is done with "=": an int here, a str below.
a = 123
b = 'test'
# print() writes each value on its own line.
print(a)
print(b)
2.Python中的字符串变量是如何拼接的
a = 123
b = 'test'
# print(a)
# print(b)
c = 'flag'
# "+" between two str values joins them into a new str.
d = b + c
print(d)
3.Python中数字和字符串怎样拼接?
a = 123
b = 'test'
# print(a)
# print(b)
c = 'flag'
# An int cannot be added to a str directly; convert it with str() first
# (an f-string, f"{a}{c}", is the other common way to write this).
d = str(a) + c
print(d)
4.Python中如何打印出来我们的变量?
# print() shows the current value of a name; d was assigned in the snippet above.
print(d)
5.Python中的条件判断语句是怎么写的?
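a = 123
b = 'test'
# print(a)
# print(b)
# c = 'flag'
# d = str(a) + c
# print(d)
# The body of an "if" must be indented below it (the listing had lost the
# indentation, which is an IndentationError); the parentheses around the
# condition are not needed in Python.
if a == 123:
    print("ok")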
6.Python中的for循环是怎么用的?
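# range(10) yields 0..9; the loop body must be indented below the "for"
# line (the listing had lost the indentation, which is an IndentationError).
for i in range(10):
    print(i)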
7.python如何发起网络请求?
环境搭建
# Upgrade pip itself, then install the requests package used for HTTP calls.
python -m pip install --upgrade pip
python -m pip install requests
文件上传漏洞
前端验证
一般来说,本地生成一个php文件,改名为.jpg
上传,抓包修改名称再放包
检测content-type
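<?php
// Upload handler whose only file check is the request's Content-Type.
// $_FILES[...]['type'] is copied verbatim from the client's multipart body,
// so this comparison cannot establish what the file really is, and the
// file name / extension is never inspected: the destination name is the
// client-supplied name unchanged.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) { // the listing's "sset" is a transcription typo (undefined function)
    if (file_exists(UPLOAD_PATH)) {
        // Accepts exactly these three Content-Type strings (note: 'image/jpeg', not 'image/jpg').
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']; // ';' restored (missing in the listing)
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '⽂件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'⽂件夹不存在,请⼿⼯创建!';
    }
}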
1.上传php文件,修改content-type为 image/jpg
2.上传jpg后缀,修改文件名
文件后缀黑名单绕过
<?php
// Upload handler with a four-entry extension deny-list.
// The extension is normalised (trailing dots removed, lower-cased,
// "::$DATA" stripped, whitespace trimmed) before the lookup; the stored
// name is a timestamp plus a random number followed by that extension.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (!file_exists(UPLOAD_PATH)) {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    } else {
        // Deny-list: only these four extensions are rejected, everything else is stored.
        $deny_ext = array('.asp', '.aspx', '.php', '.jsp');
        // deldot() (defined elsewhere in the lab) strips trailing dots, e.g. "123.php." -> "123.php".
        $file_name = deldot(trim($_FILES['upload_file']['name']));
        // Same pipeline as the original, innermost first: strrchr -> strtolower -> str_ireplace -> trim.
        $file_ext = trim(str_ireplace('::$DATA', '', strtolower(strrchr($file_name, '.'))));
        if (in_array($file_ext, $deny_ext)) {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀⽂件!';
        } else {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . date("YmdHis") . rand(1000, 9999) . $file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        }
    }
}
除了php3,还有php5,php7,phtml,phps 详情看4
apache分布式配置文件
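<?php
// Upload handler with a long extension deny-list. Opened with "<?php": the
// listing's "<?" short tag only works when short_open_tag is enabled.
// The extension is lower-cased, "::$DATA" is stripped and whitespace is
// trimmed before the lookup; the file is stored under the client-supplied
// name (after deldot()).
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Deny-list exactly as given in the listing (line wraps re-joined).
        // Observations for review: the mixed-case entries can never match
        // because the extension is lower-cased first; "php1" and "pHp1"
        // lack the leading dot that strrchr() always returns, so they never
        // match either; and ".htaccess" is not listed at all.
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2", "php1", ".html", ".htm", ".phtml", ".pht",
            ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", "pHp1", ".Html", ".Htm", ".pHtml",
            ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
            ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
            ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
            ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf", ".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strips trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name; // stored under the client's own file name
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }
            else {
                $msg = '上传出错!';
            }
        }
        else {
            $msg = '此⽂件不允许上传!';
        }
    }
    else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}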
apache分布式配置文件
.htaccess
# Routes every file served from this directory through the PHP handler;
# the note below says this only affects the current directory by default.
# Defensive side: serving upload directories with "AllowOverride None"
# prevents a user-supplied .htaccess from taking effect there.
SetHandler application/x-httpd-php
默认只影响当前目录
大小写绕过
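<?php
// Upload handler with an extension deny-list but NO case normalisation.
// Opened with "<?php" (the listing's "< ?" is a transcription artefact).
// in_array() compares strings case-sensitively and strtolower() is not
// applied here, so only the exact spellings in $deny_ext are rejected.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Deny-list exactly as given in the listing (line wraps re-joined).
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
            ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
            ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
            ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
            ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strips trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) { // case-sensitive comparison
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }
            else {
                $msg = '上传出错!';
            }
        }
        else {
            $msg = '此⽂件类型不允许上传!';
        }
    }
    else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}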
后缀名加空格
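<?php
// Upload handler with an extension deny-list but NO whitespace trimming.
// Opened with "<?php" (the listing's "< ? php" is a transcription
// artefact; a stray gutter number "7" on the $file_name line is dropped).
// Neither the file name nor the extracted extension is passed through
// trim(), so an extension carrying trailing whitespace is compared as-is.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Deny-list exactly as given in the listing (line wraps re-joined).
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
            ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
            ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
            ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
            ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = $_FILES['upload_file']['name']; // not trimmed
        $file_name = deldot($file_name); // strips trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // drop an NTFS "::$DATA" stream suffix
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }
            else {
                $msg = '上传出错!';
            }
        }
        else {
            $msg = '此⽂件不允许上传';
        }
    }
    else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}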
后缀加点
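<?php
// Upload handler with an extension deny-list but NO deldot() step.
// Opened with "<?php" (the listing's "< ?" is a transcription artefact);
// the four statement terminators the listing dropped are restored.
// Trailing dots in the name are not removed, and the file is stored under
// the client-supplied name rather than a generated one.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Deny-list exactly as given in the listing (line wraps re-joined).
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
            ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
            ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
            ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
            ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case the extension
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name; // stored under the client's own file name
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }
            else {
                $msg = '上传出错!';
            }
        }
        else {
            $msg = '此⽂件类型不允许上传!';
        }
    }
    else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}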
利用windows特性,末尾的.删除
::$DATA
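<?php
// Upload handler with an extension deny-list but NO "::$DATA" stripping.
// Opened with "<?php" (the listing's "< ?" is a transcription artefact);
// the missing "{" after the isset() check and three dropped ";" are
// restored. Unlike the sibling listings, str_ireplace('::$DATA', ...) is
// not applied, so an NTFS stream suffix stays part of the extension.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Deny-list exactly as given in the listing (line wraps re-joined).
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
            ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
            ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
            ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
            ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strips trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lower-case the extension
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }
            else {
                $msg = '上传出错!';
            }
        }
        else {
            $msg = '此⽂件类型不允许上传!';
        }
    }
    else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}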
替换为空
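<?php
// Upload handler that sanitises by deleting deny-listed words from the
// file name. Opened with "<?php" (the listing's "< ?" is a transcription
// artefact); the ") {" the listing dropped after isset() is restored.
// str_ireplace() makes a single pass and is not re-applied to its own
// output, and no extension check follows: whatever remains of the name
// is used as the stored file name.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Words removed (case-insensitively) from the name, without their dots.
        $deny_ext = array("php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext, "", $file_name); // one pass only
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name; // stored under the (edited) client name
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        }
        else {
            $msg = '上传出错!';
        }
    }
    else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}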
双写绕过
00截断
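<?php
// Upload handler with an extension allow-list (jpg/png/gif) whose
// destination directory is taken from the query string. Opened with
// "<?php" (the listing's "< ?" is a transcription artefact).
// The allow-list is sound on its own, but $_GET['save_path'] is
// client-controlled and is used unvalidated as the directory; the note
// below says the lab relies on PHP < 5.3.4 behaviour for that path.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg', 'png', 'gif'); // allow-list of accepted extensions
    // Extension = everything after the last "." of the raw client name.
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // Directory comes straight from the request; only the base name is generated.
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        }
        else {
            $msg = '上传出错!';
        }
    }
    else {
        $msg = "只允许上传.jpg|.png|.gif类型⽂件!";
    }
}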
1.php版本小于5.3.4的时候就存在00截断
123.php%00.jpg
xss漏洞
0x00
直接
0x01
里面任何东西都会当作文本不解析
闭合原来的标签
0x02
11">
闭合标签和属性
0x03
反引号当括号
0x04
<svg/οnlοad=alert(1)>
on系列事件支持html实体编码
0x05
在html里面,正常当注释
//
html的容错性