Upload-labs

最新推荐文章于 2024-05-13 09:16:48 发布
最新推荐文章于 2024-05-13 09:16:48 发布
阅读量182 收藏
点赞数 1
分类专栏: 漏洞靶场 文章标签: 文件上传 web 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43872099/article/details/102771924
版权

Pass-01

源码分析
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

使用js在前端对上传的文件后缀名进行验证

Bypass

增加.php后缀即可

在这里插入图片描述

Pass-02

源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}

在服务端对文件的MIME类型进行验证

Bypass

抓包修改为image/jpeg即可

在这里插入图片描述

Pass-03

源码分析
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空

在这里插入图片描述

黑名单机制,禁止上传’.asp’、’.aspx’、’.php’、’.jsp’后缀名的文件

Bypass

将文件后缀名修改为’.php3’、’.php4’、’.php5’、’.phtml’等即可

Pass-04

源码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

黑名单几乎过滤了所有有问题的文件后缀,除了.htaccess,可以重写文件解析规则绕过

Bypass

新建文本文档,写入SetHandler application/x-httpd-php再另存为.htaccess文件

之后就可以上传图片马,并且可以被服务器解析,成功bypass

在这里插入图片描述

Pass-05

源码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

同样是黑名单机制,加上了.htaccess,但是没有大小写限制

Bypass

修改文件后缀名为.PHP即可成功bypass

在这里插入图片描述

Pass-06

源码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DAT

代码中增加了$file_ext = strtolower($file_ext);将大写转换为小写

但是却没有了$file_ext = trim($file_ext); //首尾去空导致可以空格绕过

Bypass

抓包,在文件名后增加一个空格再放行,成功bypass

在这里插入图片描述

Pass-07

源码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

代码中移除了$file_name = deldot($file_name);//删除文件名末尾的.

可以利用Windows特性,自动删除文件名末尾的’.’

Bypass

抓包,在文件名后增加一个 . 再放行,成功bypass

在这里插入图片描述

Pass-08

源码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空

对比上一题,去除了 $file_ext = str_ireplace('::$DATA', '', $file_ext);

Bypass

抓包,在文件名后增加’::$DATA’再放行即可

在这里插入图片描述

Pass-09

源码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

黑名单定义的很完全,但是过滤却只有一次,并没有递归下去

Bypass

根据过滤规则依次构造payload,抓包将文件后缀修改为’.php. .’,最后的结果为’.php.’

在这里插入图片描述

Pass-10

源码分析
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);

将deny_ext中定义的问题后缀名替换为空格,同样只有一次过滤

Bypass

双写绕过,抓包后将文件后缀名改为’.pphphp’,过滤后得到’.php’

在这里插入图片描述

Pass-11

源码分析
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr))
{
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
    if(move_uploaded_file($temp_file,$img_path))
    {
        $is_upload = true;
    }
    else
    {
        $msg = '上传失败!';
    }
}

白名单只允许jpg、png、gif上传,但是文件存储时img_path为“文件名.白名单后缀名”拼接

Bypass

抓包,%00截断拼接的后缀名再放行即可。但是需要满足两个条件:

  • php版本小于5.3.4
  • php的magic_quotes_gpc为OFF状态

在这里插入图片描述

Pass-12

源码分析
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr))
{
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
    if(move_uploaded_file($temp_file,$img_path))
    {
        $is_upload = true;
    }
    else
    {
       $msg = "上传失败";
    }
}

上一关$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

而现在是$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

由GET请求改为POST请求,而POST请求不会像GET对%00进行自动解码。

Bypass

抓包发送到repeater,在十六进制数中将空格对应的20修改为00

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-LeVkh9sU-1572182625089)(asserts/pass12.png)]

= G E T [ ′ s a v e p a t h ′ ] . " / " . r a n d ( 10 , 99 ) . d a t e ( " Y m d H i s " ) . " . " . _GET['save_path']."/".rand(10, 99).date("YmdHis").".". GET[savepath]."/".rand(10,99).date("YmdHis").".".file_ext;```

而现在是$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

由GET请求改为POST请求,而POST请求不会像GET对%00进行自动解码。

Bypass

抓包发送到repeater,在十六进制数中将空格对应的20修改为00

在这里插入图片描述

Upload-Lab第18关:巧用条件竞争,轻松绕过上传限制!
didiplus
08-24 931
进入第18关后,通过提示发现这一关与之前的挑战有所不同。线索似乎隐藏在源码中。接下来,让我们一起审计和分析代码,寻找突破口。}else{$msg = "只允许上传.jpg|.png|.gif类型文件!}else{$msg = '上传出错!从源码来看,服务器首先将上传的文件保存下来,然后将文件的后缀名与白名单进行对比。如果文件扩展名是jpgpng或gif中的一种,就会对文件进行重命名。如果不符合这些扩展名,unlink()函数会删除该文件。
upload-labs 18
LuckySec
11-09 1407
题目 查看代码 分析,本关对文件后缀名做了白名单判断, 然后一步一步检查文件大小、文件是否存在等等, 将文件上传后,对文件重新命名 同样存在条件竞争的漏洞。 不断利用burp发送上传图片马的数据包,由于条件竞争, 程序会出现来不及rename的问题,从而上传成功 ...
upload-labs18关
qq_46527080的博客
12-25 2456
漏洞介绍 条件竞争漏洞是一种服务器端的漏洞,是由于开发者设计应用程序并发处理时操作逻辑不合理而造成。当应用面临高并发的请求时未能同步好所有请求,导致请求与请求之间产生等待时出现逻辑缺陷。该漏洞一般出现在与数据库系统频繁交互的位置,例如金额同步、支付等较敏感操作处。另外条件竞争漏洞也会出现在其他位置,例如文件的操作处理等。 首先将文件上传到服务器,然后检测文件后缀名,如果不符合条件,就删掉,典型的“引狼入室”。 第十八关(条件竞争) 源码分析 首先准备一个创建shell的php <?php fputs
upload-labs】————18、Pass-17
Fly_鹏程万里
08-15 724
查看源代码: 竞争条件:这里先将文件上传到服务器,然后通过rename修改名称,再通过unlink删除文件,因此可以通过条件竞争的方式在unlink之前,访问webshell。 首先在burp中不断发送上传webshell的数据包 之后不断在浏览器中刷新,刷新,在刷新。。。。。,你会看到下面的结果: ...
upload_labs_pass18_条件竞争
qq_51550750的博客
04-12 3902
pass18 第18关和前面14-17关(要求上传图片马)不同,直接要求上传一个webshell 提示: 源码: $is_upload = false; $msg = null; if(isset($_POST['submit'])){ $ext_arr = array('jpg','png','gif'); $file_name = $_FILES['upload_file']['name']; $temp_file = $_FILES['upload_file']['tmp
安装upload-labs
10-22
安装upload-labs 安装upload-labs是网安入门教程系列的一部分,旨在帮助初学者学习文件上传漏洞的基础知识和实践经验。在这篇文章中,我们将一步步指导您如何安装upload-labs靶场,以便更好地学习文件上传漏洞。 ...
upload-labs靶场
最新发布
09-09
upload-labs靶场
WEB渗透学习-upload-labs靶场
04-20
**WEB渗透学习-upload-labs靶场详解** 在网络安全领域,特别是Web渗透测试中,了解和掌握文件上传漏洞是至关重要的技能。"upload-labs"靶场是一个专为学习和实践文件上传漏洞设计的平台,它提供了21个关卡,从基础...
靶场合集,集合了upload-labs、sqli-labs、dvwa、小蜜蜂、皮卡丘5个靶场.zip
01-14
靶场,是指为信息安全人员提供实战演练、渗透测试和攻防对抗等训练环境的虚拟或实体场地。在不同的领域中,靶场扮演着重要的角色,尤其是在网络安全领域,靶场成为培养和提高安全专业人员技能的重要平台。...
upload-labs
weixin_30497527的博客
11-18 136
upload-labs是一个和sqli-labs类似的靶场平台,只不过是一个专门学习文件上传的。整理的很好,虽然并不能将服务器解析漏洞考虑进去,但毕竟一个靶场不可能多个web容器吧,关键是思路很重要,github地址:https://github.com/c0ny1/upload-labs 感觉这个思路图做的很好,测试的时候大体流程可以按照这个来,同时将服务器特性以及中间件的解析漏洞考虑进...
文件上传upload-labs 第18关 条件竞争
YYYYU_ZHIZZZ的博客
11-08 688
文件上传靶场练习条件竞争
upload-labs靶场通关指南(18-19关)
永远是少年
09-16 1101
今天继续给大家介绍渗透测试相关知识,本文主要内容是upload-labs靶场通关指南(18-19关)。 一、第18关 二、第19关
upload-labs 18-21关 详解 (完结)
qq_53409748的博客
03-02 1114
upload-labs 18-21关 详解 (完结)
[网络安全]upload-labs Pass-18 解题详析_upload-labs18关条件竞争
2401_84972676的博客
05-13 455
创建一个允许上传的文件扩展名数组$ext_arr,包括了允许上传的图片类型(jpg、png、gif)。根据定义的上传路径UPLOAD_PATH和文件名生成待存储的文件路径$upload_file。在移动成功的情况下,使用in_array函数检查文件扩展名是否在允许上传的类型数组中。如果文件扩展名不在允许上传的类型数组中,记录错误信息$msg,并删除已上传的文件。如果有,则开始处理文件上传。如果文件扩展名在允许上传的类型数组中,生成一个随机的文件名。msg为空,来初始化文件上传的状态和错误信息。
upload-labs通关手册
怪味巧克力的博客
04-20 997
最近在练习文件上传,同事记录一下自己练习的过程,既能帮助自己以后复习,同事也能帮到初学者。 主要用到的工具是Burpsuite。首先我们应该明白上传文件的目的是什么,通过上传文件讲web后门上传并成功解析。 Pass-01 首先查看源码 通过源码可以看到,第一关是在本地前段进行验证,使用的是前端JS脚本,所以呢,你让它不起作用不就完了,前端我们是可以修改的,在前端JS函数中加上.php文件,然后...
文件上传绕过upload-labs-master通关16-20
per_se_veran_ce的博客
09-12 998
第十六关 这一关对后缀名和文件类型啥的都进行了很严格的控制,而且在后面还对图片进行了二次编译。 原理:将一个正常显示的图片,上传到服务器。寻找图片被渲染后与原始图片部分对比仍然相同的数据块部分,将Webshell代码插在该部分,然后上传。具体实现需要自己编写Python程序,人工尝试基本是不可能构造出能绕过渲染函数的图片webshell的。 那么,怎么找到相同的部分呢?需要一个HxD的软件,下...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值