Upload-labs

最新推荐文章于 2024-04-16 21:25:53 发布
最新推荐文章于 2024-04-16 21:25:53 发布
阅读量837 收藏 14
点赞数 22
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_65144653/article/details/136014078
版权

Upload-labs

Upload-labs_Pass-01-->绕过前端校验

法一:关闭浏览器js的功能

法二:通过先上传合法的文件后缀,在通过抓包进行文件后缀修改

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

Upload-labs_Pass-02-->MIME验证

将Content-Type的内容改为:image/jpeg或者image/png或者image/gif,在proxy模块点击forward

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-03-->黑名单绕过

法一:利用apache的错误解析,httpd.conf,AddType application/x-httpd-php .php .phps .phtml .php3

法二:使用php3, php4, php5, phtml, phps 等后缀绕过

需要老版本:的PHP_study2016

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

老版本的bug:在httpd.conf文件当中将403行信息给取消注释

image-20240130000940212

之后再上传才有效果(有些浏览器可以解析出,有些直接爆源码)

image-20240130001100934

需要注意的是源码当中有将文件名给改变了,但可以通过抓包中的第二个包可以看见文件路径:

image-20240130001110779

Upload-labs_Pass-04-->黑名单绕过--.htaccess

上传.htaccess文件,.htaccess文件是一个分布式配置文件,提供了针对目录改变配置的方法,即在一个特定的文档目录中放置一个包含一个或多个指令的文件,以作用于此目录及其所有子目录。

httpd.conf是apache的系统配置文件,是全局配置文件,对整个web服务起作用

.htaccess是apache的系统配置文件,是局部配置文件,只对该文件所处目录及其目录下的文件起作用

.htaccess内容为:
<FilesMatch "04.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

先上传.htaccess文件(作用是将.jpg文件当成.php文件进行解析,只要我上传的图片名称在.htaccess文件当中即可)

image-20240130001522271

再上传04.jpg(一张含php脚本的.jpg文件)

image-20240130001537764

Upload-labs_Pass-05-->利用PHP和Windows环境的叠加特性

环境要求:PHP版本需要使用cgi模式,上传目录中需要有php文件

php.ini是php的系统配置文件,是全局配置文件,对整个web服务起作用

.user.ini是php的系统配置文件,是局部配置文件,只对该文件所处目录及其目录下的文件起作用

auto_prepend_file=shell.png 将文件包含在所有php文件的头部

auto_append_file=shell.png 将文件包含在所有php文件的结尾

利用PHP和Windows环境的叠加特性,以下符号在正则匹配时的相等性:
.......................................
双引号"  =  点号.
大于符号>  =  问号?
小于符号<  =  星号*
.......................................
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

流程:

先上传一个名为05.php:.jpg的文件,上传成功后会生成05.php的空文件,大小为0KB,然后将文件名改为05.<或05.<<<或05.>>>或05.>><后再次上传,重写05.php文件内容,Webshell代码就会写入原来的05.php空文件中。

1、先上传抓包,改名字(文件包含php脚本,也可以是空文件)

image-20240130001914793

改为为05.php:.jpg

image-20240130001937632

但我们发现是一个空文件,且名字变了(Windows环境特性)

image-20240130001950783

2、我们再上传文件(文件包含php脚本)(发现05.php内有内容了)

image-20240130002002228

在抓包中将名字修改为05.>>>

image-20240130002011745

3、浏览器查看05.php即可

Upload-labs_Pass-06-->大小写绕过

windows系统对大小写不敏感,in_array函数对大小写敏感。使用后缀名大小写绕过

直接上传06.Php即可

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-07-->空格绕过

利用windows系统不会保存末尾空格的特性。后缀名加空格绕过

利用Windows系统的文件名特性,文件名最后增加点或空格,写成”07.php “,上传后保存在Windows系统上的文件名最后的空格会被去掉。抓包结尾加个空格,绕过匹配规则

image-20240130002137931

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-08-->.绕过

利用Windows系统的文件名特性。

文件名最后增加点或空格,写成”08.php.“,上传后保存在Windows系统上的文件名最后的.会被去掉。

文件名后加点,改成07.php.

image-20240130002215397

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-09-->Windows文件流特性绕过

利用windows系统不会保存末尾::$DATA的特性

后缀名加::$DATA

Windows文件流特性绕过,上传09.php,在将文件名改成”09.php::$DATA“

image-20240130002317299

在打开(修改)后缀为.php的即可

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-10-->Windows文件流特性绕过

上传文件名后加上点+空格+点,改为”10.php. .“

image-20240130002353130

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-11-->双写文件名绕过

函数使用str_replace(),使用双写绕过。后缀名双写绕过,pphphp

文件名改成“11.pphphp”

image-20240130002724865

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Upload-labs_Pass-12-->%00截断绕过

要求php版本较低

00截断,在php中,在保存文件时遇到%00,会自动截断后续的字符串。修改保存路径,并用%00截断后面的字符串

上传路径名%00截断绕过。上传的文件名写成12jpg,save_path改成../upload/1.php%00,最后保存下来的文件就是1.php%00只能用于php版本低于5.3的。

拼接上传路径: $img path=../upload/1.php/203821094121.png (1.php后面的%00不见了,因为他变成了hex值为00的结束字符,所以看不见)将上传的文件移动到新位置:move_uploaded_file函数在进行文件移动的时候,在读取$img path的值的时候,读到1.php的后面时,遇到了hex值为00的结束字符,他会认为$img_path的值读取完毕,这个时候$img_path=.../upload/1.php,最后上传的文件名为1.php,实现了00截断。

image-20240130002957115

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Upload-labs_Pass-13-->%00截断绕过

要求php版本较低---->00截断

通过bp的hex修改post方式提交的参数

上传路径0x00绕过。利用Burpsuite的Hex功能将save_path改成../upload/1.php【二进制00】形式。输入%00,右键decode。 %00只能用于php版本低于5.3的。

image-20240130003050414

%00解码成二进制:

image-20240130003108387

Upload-labs_Pass-14-16-->图片马配合文件包含漏洞

copy normal.jpg /b + shell.php /a webshell.jpg

Upload-labs_Pass-17-->二次渲染

对图片进行了二次渲染,将原图片的编码进行了改造

将上传后和上传前的图片进行对比,在编码没有发生改变的位置插入一句话木马

copy normal.jpg /b + shell.php /a webshell.jpg

Upload-labs_Pass-18(条件竞争)

代码审计:(没有白名单,直接上传php文件)

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错!';
    }
}

操作流程:

1、我们先准备一份写入的文件

image-20240130003351320

2、抓包

image-20240130003400108

放入爆破模块

image-20240130003407359

3、抓第二个包

我们知道了该服务器文件上传的位置在upload目录下,我们在该目录下访问fopen.php这个文件(这个文件就是我们刚刚上传的文件中写出的文件)

image-20240130003423459

放入爆破模块

image-20240130003434834

4、将这两个包进行无参爆破

第一个包

image-20240130003451089

第二个包

image-20240130003504061

5、我们看看upload这个目录下的文件(是没有fopen.php和temp.php这个文件)

image-20240130003518501

6、这个数据包同时进行爆破

image-20240130003533092

image-20240130003538745

image-20240130003545477

7、将包放掉,访问temp.php

image-20240130003556899

沫风港
关注
  • 22
    点赞
  • 14
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
安装upload-labs
10-22
安装upload-labs
upload-labs
m0_74606212的博客
03-06 131
upload-labs
upload-labs安装及攻略
热门推荐
K_ShenH的博客
01-14 2万+
upload-labs靶场的安装搭建(windows) (1)首先当然是需要phpstudy的环境,所以要先下载安装phpstudy。 (2)然后到github的网址中下载源码的压缩包。 github网址:https://github.com/Tj1ngwe1/upload-labs (3)下载后解压缩到phpstudy目录下的WWW子文件夹中,这里要注意吧压缩包的名字改成upload-labs,不然靶场的页面会显示得不对。 (4)然后在输入url HTTPS:...
upload-labs靶场
m0_62100902的博客
06-07 553
1 还是老样子,审查源码,寄,直接对文件头进行校验,那么之前的所有操作,不管是你改文件名也好,改路径也好,你的内容是不可能变的,所以之前的所以操作在这。2 观察之后的源码,取后缀名的流程为:去点,首尾去空,删除末尾的点,以末尾的点截取后缀名,后缀名大小写转换,去除末尾的字符串::$DATA,首尾去空。1 审查源码,ok,这里终于换成了白名单了,那么之前那些所有的操作在这里都挂掉了,因为之前的操作都是去对文件后缀名进行的操作,这里是白名单,无论如何。ps:每次上传成功的意思是上传并且6=phpinfo();
upload-labs2-13关
cike_y
08-22 1334
判断的是文件类型,那么上传思路是通过修改数据包的文件类型,然后上传成功
上传漏洞 Upload-Labs实战
浪子燕青的博客
02-25 5462
上传漏洞 Upload-Labs-1 Upload-labs是国内一个老哥c0ny1开源的上传漏洞靶子,下载地址 https://github.com/c0ny1/upload-labs 与sqli-labs有些类似,主要专注于上传漏洞这一块。 为了方便下载,已经保存到当前服务器下 下载地址 环境搭建 默认下载PHP+Mysql即可,如果之前有搭建过sqli-labs的话,直接把项目放在www目录下即可。 然后打开,这个时候网页会提示undefined index。。。。,这其实不是异常,而是PHP的提示
最新upload-labs文件上传漏洞靶场搭建安装,upload-labs Pass01-Pass20 二十关详解,靶场源码详解,upload-labs第一关到第二十关详解,一句话木马详细介绍
2302_80946742的博客
04-16 874
在开始打靶场之前,我们先来介绍一下一句话木马。一句话木马(One-liner Trojan 或 Webshell)是一种常见的网络安全攻击工具,通常用于Web服务器的非法控制。它称为“一句话”,因为攻击者只需在目标服务器上的一个可访问的Web页面中植入一小段代码,就可以实现对服务器的远程控制。这种木马通常以PHP、ASP、JSP等服务端脚本语言的形式出现,因为这些语言能够在服务器上执行。一句话木马的代码很简短,但功能却非常强大,能够接收远程命令并在服务器上执行这些命令。?
upload-labs题解
syy
04-24 2060
该文件不允许上传--前端认证(在前端已经被拦截了,没有上传到后端,所以无法第一时间进行抓包) 查看源码 发现前端对文件类型进行了过滤 解决方法: 在本地客户端禁用js.(用户点击上传按钮(submit)后,会触发js事件--onsubmit='return checkfile()";) 通过浏览器审查元素对网页代码的查看,删除onsubmit事件 作者采用了第二种方法,删除后,复制图像信息进行访问。 上传成功: 二、pass-02(C.
upload-labs-3
Lu__xiao的博客
02-24 4135
登陆第三关 查看源代码,发现是黑名单验证 黑名单验证是规定不允许上传的文件,但是如果黑名单定义不完整,我们也是可以实现绕过,这里我们可以使用.phtml .php5 .pht进行绕过.这里我们使用.php5进行绕过 成功绕过,放行 ...
使用docker进行upload-labs靶场的安装搭建
失心少年
07-03 2213
由于我是在kali上搭建,默认没有docker服务,这里就从按照docker开始讲解。
upload-labs19-20以及总结1
08-08
第一步:直接上传php文件,保存名称填成PHP第二步:抓包分析可以看到filename是文件本来的名称,而save_name是传递的参数,此处改为PHP可以绕过
upload-labs-master.zip
06-22
文件上传漏洞小游戏靶场upload-labs-master/upload-labs-master/upload-labs-master/upload-labs-master
upload-labs通关手册
12-03
详细记录了upload-labs靶场的通关步骤,并且附带有caidao和burpsuite工具资源,非常适合初学者!!!
upload-labs.zip
04-07
web渗透测试,upload-labs,上传文件漏洞利用和查找,网络安全
野狗优化算法DOA MATLAB源码, 应用案例为函数极值求解以及优化svm进行分类,代码注释详细,可结合自身需求进行应用
05-20
野狗优化算法DOA MATLAB源码, 应用案例为函数极值求解以及优化svm进行分类,代码注释详细,可结合自身需求进行应用
2107381120 王孟丽 实验2 (1).docx
05-20
2107381120 王孟丽 实验2 (1).docx
JavaScript_其他Meta JS项目使用的工具库集合.zip
05-20
JavaScript
asm-4.2.jar
最新发布
05-20
asm.jar的作用: 提到asm.jar的作用,那么最显著的莫过于计算机显示Android手机屏幕了;其次可以调整计算机上显示Android手机屏幕的大小。ASM 是一个Java字节码操纵框架。它可以直接以二进制形式动态地生成 stub 类或其他代理类,或者在装载时动态地修改类。ASM 提供类似于 BCEL 和 SERP 之类的工具包

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值