前言
文件上传漏洞靶场Upload-labs,在github上下载后部署在win10本地,php版本为5.2.17,测试环境使用Kali虚拟机
1
| https://github.com/c0ny1/upload-labs
|
Pass-01
首先尝试上传一句话木马up.php文件发现上传失败,并提示只允许.jpg|.png|.gif类型,但是我们的burp并没有抓到这个包,于是判断此处的限制为前端验证,我们直接查看源代码
将此处判断文件类型的语句修改,即可正常绕过前端验证
成功上传后界面出现了刚刚上传的图片,由于上传的是php文件,所以无法正常解析成图片
右键点击复制图像地址即可得到文件上传的路径,在蚁剑中直接连接
Pass-02
先尝试能否直接上传up.php,提示文件类型不正确
我们在抓到的包中尝试修改Content-Type为image/jpeg,继续上传
成功上传,复制路径后蚁剑连接
Pass-03
上传up.php后提示不允许以上后缀,我们尝试后缀改写绕过,将php改写为php5,成功上传,依旧可以被解析为php
(此处与不同环境的apache配置文件有关,配置文件中需要有下面这句话才可以成功)
1
| AddType application/x-httpd-php .php .phtml .phps .php5 .pht
|
Pass-04
本题使用以上几种方法均无法上传up.php,黑名单过滤的十分严密,基本只允许上传图片格式,但值得注意的是,黑名单中并没有.htaccess,于是我们可以选择上传.htaccess文件,既然只允许上传jpg文件,我们就上传jpg格式的一句话,再利用我们上传的.htaccess将jpg解析为php,构造如下文件
再直接上传jpg格式的一句话,并用蚁剑连接
Pass-05
本题相当刁钻,黑名单包括转换,大小写,空格,还有点号,几乎所有php文件都上传不了,并且拒绝上传 .htaccess 文件,源代码如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",
".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",
".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",
".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);
$file_ext = str_ireplace('::$DATA', '', $file_ext);
$file_ext = trim($file_ext);
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
|
黑名单中没有的后缀名有 .php7 以及 .ini,此处应该使用 .user.ini解析漏洞,思路和.htaccess有些相似
使用 .user.ini 解析漏洞需要三个前提条件:
①服务器后端语言为php
②文件上传目录中有可利用的php文件
③服务器使用CGI/FastCGI模式
这个漏洞非常少见,限制条件也很多,感觉实战中并不好用
本关的提示为上传目录存在readme.php,可以利用这个php文件
我们先上传一个图片格式的一句话木马
再构造.user.ini如下,使目录下所有php文件都包含up.jpg,从而将恶意代码注入上传目录中已经存在的可利用php文件中
根据提示可知,目录下有readme.php,我们输入该文件的地址即可连接
Pass-06
直接大小写绕过
Pass-07
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);
$file_ext = str_ireplace('::$DATA', '', $file_ext);
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
|
源代码没有去掉空格,直接在文件名末尾加空格绕过黑名单
(Linux不可以,只有在windows下能成功)
Pass-08
和上一题类似,本题没有去掉文件名末尾的点,故抓包后文件末尾加点绕过
Pass-09
源代码中没有去掉::$DATA,抓包在文件末尾加上后可绕过检测,但解析时会忽略::$DATA
Pass-10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);
$file_ext = str_ireplace('::$DATA', '', $file_ext);
$file_ext = trim($file_ext);
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
|
本题源码中能过滤的都过滤了,但可以知道deldot只会删除末尾的一个点,
故可以构造文件后缀php. .
Pass-11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
|
本题源代码中str_ireplace会将黑名单中的函数替换为空,故双写绕过
