Upload-labs pass-01至10关

最新推荐文章于 2024-03-29 11:16:44 发布
最新推荐文章于 2024-03-29 11:16:44 发布
阅读量169 收藏
点赞数
文章标签: java 前端 javascript
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/yyw260187453/article/details/130044189
版权

Upload-labs pass-01至10关

文章目录

一、Pass-01

先看源码提示上说的是js前端校检先看看js
在这里插入图片描述
提示上说的是js前端校检先看看js
在这里插入图片描述
这里把checkfile()换成ture //意思就是跳过文件判断这个步骤
使用蚁剑链接
在这里插入图片描述

成功

二、Pass-02

看一下源码
在这里插入图片描述
提示:
本pass在服务端对数据包的MIME进行检查!
说明进行了后端过滤
在这里插入图片描述
说明需要将Content-Type:后面的数据换成image/png或者image/jpeg
修改成功后上传使用蚁剑连接
在这里插入图片描述

三、Pass-03

看看源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

分析源码黑名单验证但是不全可以使用其他版本的进行绕过
再看提示

在这里插入图片描述
不能传入。aspl.aspxl.phpl.jsp后缀的文件
我们可以先传入一个.htacess文件将传入的图片转换为php格式
.htacess文件内容为:SetHandler application/x-httpd-php
图片里面一句话记得加GIF89a
然后使用蚁剑连接就行了

四、Pass-04

在这里插入图片描述
上传一个.htaccess文件

原理:.htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置
SetHandler application/x-httpd-php,该语句会把所有文件当作php文件解析
AddType application/x-httpd-php .xxx该语句将.htaccess文件所在目录及其子目录中的后缀为.xxx的文件被Apache当做php文件解析

将一句话木马的文件头改为jpg上传
然后用蚁剑连一下

五、Pass-05

提示
在这里插入图片描述
看看源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我们先上传一个.user.ini文件,内容为auto_prepend_file=shell.jpg
表示该目录及其子目录下所有的php文件在执行时,自动在头部包含一个webshell.jpg文件。
然后上传一个包含一句话木马的shell.jpg文件即可使用蚁剑连接

六、Pass-06

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

.ini也被过滤掉了但源码中的转变小写没有了可以使用大写绕过
直接上传成功

七、Pass-07

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

发现内个去空格的过滤没了
可以使用空格绕过
bp抓包在末尾加个空格就行
在这里插入图片描述

八、Pass-08

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

没有了去点的操作使用点绕过
bp抓包加点就行
在这里插入图片描述

九、Pass-09

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

没有了去除字符串
在php+windows的情况下:如果文件名+:: D A T A 会把 : : DATA会把:: DATA会把::DATA之后的数据当成文件流处理,不会检测后缀名且保持:: D A T A 之前的文件名。利用 w i n d o w s 特性,可在后缀名中加 : : DATA之前的文件名。利用windows特性,可在后缀名中加:: DATA之前的文件名。利用windows特性,可在后缀名中加::DATA绕过

十、Pass-10

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

使用空格绕过bp抓包在后面加一个.空格.就可以上传了

Delancey.
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 2
    评论
Upload-labs Pass-01
a_running_snail_的博客
02-13 469
 源代码: function checkFile() { var file = document.getElementsByName('upload_file')[0].value; if (file == null || file == "") { alert("请选择要上传的文件!"); return false; } //定...
安装upload-labs
10-22
安装upload-labs 安装upload-labs是网安入门教程系列的一部分,旨在帮助初学者学习文件上传漏洞的基础知识和实践经验。在这篇文章中,我们将一步步指导您如何安装upload-labs靶场,以便更好地学习文件上传漏洞。 ...
upload-labs靶场-Pass-03-思路以及过程
weixin_44257023的博客
01-14 2348
开始前的小准备 upload-labs靶场 是PHP环境运行的,所以我准备了一个PHP脚本和一张图片 图片好准备,PHP脚本如果不想写的话可以用我的这个获取当前时间的PHP脚本 <?php header("content-type:text/html;charset=utf-8"); date_default_timezone_set("PRC");//设置时区 echo "当前时间为:"; $today = date("Y-m-d D h:i:s A "); echo $today; ?
Upload-labs 1-20靶场通攻略(全网最全最完整)
dragon的博客
03-15 4159
在github上找upload-labs-0.1环境,部署在小皮面板上也可以直接下载他的集成的环境。 Sethandler将该目录及子目录的所有文件均映射为php文件类型。 Addhandler使用 php5-script 处理器来解析所匹配到的文件。 AddType将特定扩展名文件映射为php文件类型。 简单来说就是,可以将我们所的文件都解析成php或者是特定的文件解析为php 当 PHP 在处理文件名或路径时,如果遇到 URL 编码的 %00,它会被解释为一个空字节(ASCII 值为 0)
文件上传漏洞upload-labs1-19详解
qq_51780583的博客
03-07 1979
upload-labs1-19详解
upload-labs通教程-pass01-12
最新发布
byll1024的博客
03-29 638
文件上传靶场练习通-upload-labs前12
upload-labs Pass-01(详解)
菜菜的博客
09-26 455
思路:发现了只能上传图片类型,我们可以使用burp来修改前端,来上传php一句话木马,或者在burp里上传的图片的文件后添加一句话木马。打开蚁剑,输入url地址http://192.168.7.56:1111/upload/7.php 输入一句话密码cmd,点击测试连接,点击添加。发现前端限制了我们只能上传.jpg .png .gif类型的文件。burp就会显示,下面很长而且看不懂的就是图片文件的内容。打开burp,打开抓包,浏览器先上传一张图片。就上传成功了,右键图片点击新建标签打开图像。
WEB渗透学习-upload-labs靶场
04-20
在网络安全领域,特别是Web渗透测试中,了解和掌握文件上传漏洞是至重要的技能。"upload-labs"靶场是一个专为学习和实践文件上传漏洞设计的平台,它提供了21个卡,从基础到高级,帮助新手逐步提升对这类漏洞的...
upload-labs-master.zip
06-22
【描述】描述中的 "文件上传漏洞小游戏靶场upload-labs-master/upload-labs-master/upload-labs-master/upload-labs-master" 显示这是一个针对文件上传漏洞的系列练习,通过多次嵌套的目录结构,可能旨在模拟不同...
upload-labs19-20以及总结1
08-08
Pass19中,开发者试图通过限制上传文件的扩展名来防止这种攻击,但是他们只检查了保存文件名(`save_name`)是否包含黑名单中的扩展名,而未检查实际上传文件的类型。 以下是该卡的主要知识点: 1. **文件名...
UPLOAD-LABS详细解题步骤
05-17
UPLOAD-LABS详细解题步骤 UPLOAD-LABS是一个网络安全靶场,旨在帮助用户练习文件上传的安全知识。该靶场提供了多个卡,每个卡都有一定的安全挑战和限制,旨在考验用户的安全知识和技术。 在开始之前,需要先...
uploads-labs靶场(1-10
m0_72676086的博客
03-16 1302
jpg文件要和.hataccess文件在同一个目录下。.hataccess文件。.hataccess绕过。
upload-labs通(Pass01-Pass05)
m0_46467017的博客
08-15 1713
我们在数据包中把后缀名改为.php. .,首先他发现有一个点,这时会把他去掉,又发现有一个空格,也会把它去掉,我们这时还有一个点,也就是.php. 由于他只是验证一次,所以不会在去掉我们的点。我们在数据包中把后缀名改为.php. .,首先他发现有一个点,这时会把他去掉,又发现有一个空格,也会把它去掉,我们这时还有一个点,也就是.php. 由于他只是验证一次,所以不会在去掉我们的点。本也有两种绕过方法:第一种是上传php文件,改Content-Type,第二种是上次合法后缀文件,改文件改后缀。...
upload-labs/Pass-01
m0_64593235的博客
04-21 98
upload-labs/Pass-01
upload-labs通Pass-01~Pass-05)
箭雨镜屋
10-07 2355
开始之前,准备好burpsuite,浏览器配置好代理。 Pass-01要求上传一个webshell,我选择了一个叫sh.php的文件并点击上传之后,跳出了一个弹框,提示当前文件类型不是允许上传的文件类型。 在burpsuite上proxy模块的http history中看了一下,并没有上传文件相的报文,说明弹框时文件格式没有经过后端校验。 查看网页源代码,发现文件类型和弹框是由前端JS代码校验的。 这至少有两种方法:浏览器disable JS,或者上传合法格式的文件,burp抓包
文件上传漏洞—upload-labs(Pass-01Pass-21)通大合集
qq_46874275的博客
03-22 1844
~目录~开始Pass-01 JS绕过Pass-02 Content-Type绕过Pass-03 部分黑名单绕过Pass-04 .htaccess绕过Post-05 .user.ini绕过 / .空格.绕过Post-06 大小写绕过Post-07 空格绕过Post-08 点绕过Post-09 ::$DATA绕过Post-10 .空格.绕过Post-11 双写绕过Post-12 GET型00截断绕过Post-13 POST型00截断绕过Post-14 图片马绕过Post-15 getimagesize()-图片
upload-labs文件上传漏洞(Pass-01~Pass-21)
sGanYu
10-09 3236
目录 pass-1(js前端绕过) pass-2(MiMe绕过) pass-3(黑名单绕过) pass-04(.htaccess文件上传) pass-05 pass-06(大小写绕过) pass-07(空格绕过) pass-08(windows特性加点绕过) pass-09(::$DATA绕过) pass-10(点空点绕过) pass-11(双写绕过) pass-12(GET请求00截断) pass-13(POST请求00截断) pass-14(头文件绕过、图片码绕过、文件包含)
Upload-labs Pass-03 黑名单限制 解析漏洞
baynk的博客
11-03 1977
Pass-03 黑名单限制 0x01 过程 直接上传php文件。 有黑名单提示了,这里反应了一段时间,同时还是去检查了下JS,确实是后端的黑名单限制。我这里传了一个jpg上去。 发现可以上传成功的,查看下图片的链接src="../upload/201911031519209854.jpg",发现进行了重命名,只以最后的后缀名为真正的后缀名,这里就只能去尝试看有没有任意后缀名上传,php,php...
Upload-labs文件上传漏洞——Pass01(详解)
Zichel77的博客
07-27 1244
0×00 题目描述 题目要求上传一个文件,格式为图片,而我们想要上传一个webshell就需要想办法绕过对后缀的限制。 0×01 法一:去除checkFile函数 F12打开开发者界面,发现在提交处存在验证函数checkFile() 删除前上传不成功报错 删除后,即可成功上传,无报错信息 右键复制图像地址,在浏览器中打开 上传成功 0×02 法二:抓包修改文件后缀名 ...
upload-labs pass6
07-28
- *1* [upload-labs靶场-Pass-06-思路以及过程](https://blog.csdn.net/weixin_44257023/article/details/122506927)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":...
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值