前言

在这里插入图片描述
文件上传漏洞靶场Upload-labs,在github上下载后部署在win10本地,php版本为5.2.17,测试环境使用Kali虚拟机

1
https://github.com/c0ny1/upload-labs

Pass-01

在这里插入图片描述

首先尝试上传一句话木马up.php文件发现上传失败,并提示只允许.jpg|.png|.gif类型,但是我们的burp并没有抓到这个包,于是判断此处的限制为前端验证,我们直接查看源代码
在这里插入图片描述
将此处判断文件类型的语句修改,即可正常绕过前端验证
在这里插入图片描述
成功上传后界面出现了刚刚上传的图片,由于上传的是php文件,所以无法正常解析成图片
在这里插入图片描述

右键点击复制图像地址即可得到文件上传的路径,在蚁剑中直接连接
在这里插入图片描述

Pass-02

在这里插入图片描述
先尝试能否直接上传up.php,提示文件类型不正确
在这里插入图片描述
我们在抓到的包中尝试修改Content-Type为image/jpeg,继续上传
在这里插入图片描述
成功上传,复制路径后蚁剑连接

Pass-03

在这里插入图片描述
上传up.php后提示不允许以上后缀,我们尝试后缀改写绕过,将php改写为php5,成功上传,依旧可以被解析为php

(此处与不同环境的apache配置文件有关,配置文件中需要有下面这句话才可以成功)

1
AddType application/x-httpd-php .php .phtml .phps .php5 .pht

Pass-04

在这里插入图片描述

本题使用以上几种方法均无法上传up.php,黑名单过滤的十分严密,基本只允许上传图片格式,但值得注意的是,黑名单中并没有.htaccess,于是我们可以选择上传.htaccess文件,既然只允许上传jpg文件,我们就上传jpg格式的一句话,再利用我们上传的.htaccess将jpg解析为php,构造如下文件

在这里插入图片描述
在这里插入图片描述
再直接上传jpg格式的一句话,并用蚁剑连接

Pass-05

本题相当刁钻,黑名单包括转换,大小写,空格,还有点号,几乎所有php文件都上传不了,并且拒绝上传 .htaccess 文件,源代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",
".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",
".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",
".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

黑名单中没有的后缀名有 .php7 以及 .ini,此处应该使用 .user.ini解析漏洞,思路和.htaccess有些相似
使用 .user.ini 解析漏洞需要三个前提条件:
①服务器后端语言为php
②文件上传目录中有可利用的php文件
③服务器使用CGI/FastCGI模式

这个漏洞非常少见,限制条件也很多,感觉实战中并不好用

本关的提示为上传目录存在readme.php,可以利用这个php文件
在这里插入图片描述
我们先上传一个图片格式的一句话木马
在这里插入图片描述
再构造.user.ini如下,使目录下所有php文件都包含up.jpg,从而将恶意代码注入上传目录中已经存在的可利用php文件中
在这里插入图片描述
在这里插入图片描述
根据提示可知,目录下有readme.php,我们输入该文件的地址即可连接
在这里插入图片描述

Pass-06

在这里插入图片描述
直接大小写绕过

Pass-07

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

源代码没有去掉空格,直接在文件名末尾加空格绕过黑名单
(Linux不可以,只有在windows下能成功)
在这里插入图片描述

Pass-08

和上一题类似,本题没有去掉文件名末尾的点,故抓包后文件末尾加点绕过

Pass-09

在这里插入图片描述
源代码中没有去掉::$DATA,抓包在文件末尾加上后可绕过检测,但解析时会忽略::$DATA
在这里插入图片描述

Pass-10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

本题源码中能过滤的都过滤了,但可以知道deldot只会删除末尾的一个点,
故可以构造文件后缀php. .
在这里插入图片描述

Pass-11

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

本题源代码中str_ireplace会将黑名单中的函数替换为空,故双写绕过
在这里插入图片描述