upload - labs (上)
Pass - 01:
1.嘗試上傳一個php檔案:aaa.php,發現只允許上傳某些圖片型別,用bp抓包,發現http請求都沒通過burp就彈出了不允許上傳的提示框,這表明驗證點在前端,而不在服務端
2.按F12產看具體JS程式碼,發現checkFile()函式判斷上傳檔案型別,並在判斷函式中新增php或者刪掉該函式,或者瀏覽器禁用js後進行上傳
3.上傳成功,
關鍵原始碼:
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("請選擇要上傳的檔案!");
return false;
}
//定義允許上傳的檔案型別
var allow_ext = ".jpg|.png|.gif";
//提取上傳檔案的型別
var ext_name = file.substring(file.lastIndexOf("."));
//判斷上傳檔案型別是否允許上傳
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "該檔案不允許上傳,請上傳 " + allow_ext + "型別的檔案,當前檔案型別為:" + ext_name;
alert(errMsg);
return false;
}
}
Pass - 02:
1.上傳一個php檔案,顯示檔案型別不正確,要求重新上傳,
2.檢視原始碼,發現只對Content-Type進行了過濾判斷,利用Burp Suite修改Content-Type型別為 image/jpeg進行修改繞過,
3.上傳成功,
關鍵原始碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '檔案型別不正確,請重新上傳!';
}
} else {
$msg = UPLOAD_PATH.'資料夾不存在,請手工建立!';
}
}
Pass - 03:
1.上傳一個php檔案,上傳失敗並出現回顯,
2.上傳aaa.php檔案並進行抓包,修改php字尾名,如php5,放行
3.上傳成功,
關鍵原始碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '不允許上傳.asp,.aspx,.php,.jsp字尾檔案!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
補充:
不允許上傳.asp,.aspx,.php,.jsp字尾檔案,但是可以上傳其他任意字尾。比如說:.phtml .phps .php5 .pht
,但如果上傳的是.php5這種型別檔案的話,如果想要被當成php執行的話,需要有個前提條件,即Apache的httpd.conf有如下配置程式碼
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
AddType 指令:
AddType 指令
作用:在給定的副檔名與特定的內容型別之間建立對映
語法:AddType MIME-type extension [extension] ...
AddType指令在給定的副檔名與特定的內容型別之間建立對映關係。MIME-type指明瞭包含extension副檔名的檔案的媒體型別。
AddType 是與型別表相關的,描述的是副檔名與檔案型別之間的關係。
此處黑名單沒有過濾.htaccess字尾,故此處也可上傳.htaccess檔案進行繞過。注: .htaccess檔案生效前提條件為1.mod_rewrite模組開啟。2.AllowOverride All
.htaccess檔案是Apache伺服器中的一個配置檔案,它負責相關目錄下的網頁配置。構造.htaccess檔案,內容如下:
通過htaccess檔案,可以實現:網頁301重定向、自定義404錯誤頁面、改變副檔名、允許/阻止特定的使用者或者目錄的訪問、禁止目錄列表、配置預設文件等功能IIS平臺上不存在該檔案,該檔案預設開啟,啟用和關閉在httpd.conf檔案中配置。
AddType application/x-httpd-php .jpg
這裡程式碼的意思可以讓 .jpg字尾名檔案格式的檔名以php格式解析,因此達到了可執行的效果。所以我們可以把要上傳的php檔案的字尾名改為.jpg格式從而繞過
Pass - 04:
1.上傳php檔案,發現不允許,檢視提示,過濾了大部分的檔案字尾,
2.利用.htacess繞過,建立以此為字尾的檔案並寫入以下內容,
SetHandler application/x-httpd-php
3.然後所有檔案都會解析為php檔案,上傳圖片馬,上傳成功,
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
Pass - 05:
1.上傳php檔案,上傳失敗,
2.觀察原始碼發現多了.htacess過濾,但此處程式碼沒有將檔名統一轉成小寫,故可以通過大小寫繞過
3.上傳成功
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案型別不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
Pass - 06:
1.上傳php檔案,不允許上傳,
2.產看原始碼,將檔案字尾名統一進行了小寫轉換,但是沒有去除檔名首尾的空格。所以此處可以利用windows系統的命名規則進行繞過
Win下xx.jpg[空格] 或xx.jpg.這兩類檔案都是不允許存在的,若這樣命名,windows會預設除去空格或點
此處會刪除末尾的點,但是沒有去掉末尾的空格,因此上傳一個.php[空格]檔案即可
3.上傳成功
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案型別不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
Pass - 07:
1.檢視原始碼,發現相比於Pass-06程式碼,加上了首尾去空,但是卻少了尾部去點。故和上面Pass-06一樣,利用windows檔案命名規則繞過。
2.上傳成功
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案不允許上傳';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
Pass - 08:
1.檢視原始碼,是黑名單過濾,但是沒有對字尾名進行去”::$DATA”處理,利用windows特性,可在後綴名中加” ::$DATA”繞過:
2.上傳成功
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案型別不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
補充:
在php+windows的情況下:如果檔名+"::$DATA"會把::$DATA之後的資料當成檔案流處理,不會檢測字尾名.且保持"::$DATA"之前的檔名。
Pass - 09:
1.檢視原始碼,這裡的程式碼邏輯是先刪除檔名末尾的點,再進行首尾去空。都只進行一次。故可以構造點空格點進行繞過,也就是字尾名改為aaa.php. .
,也是利用了Windows的特性。
(從第三關到第九關,如果目標伺服器是windows系統的話,均可用點空格點繞過。)
2.上傳成功,
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案型別不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}
Pass - 10:
同Pass - 09。
關鍵程式碼:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除檔名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯!';
}
} else {
$msg = '此檔案型別不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '資料夾不存在,請手工建立!';
}
}