当前位置:网站首页>DAY14:Upload-labs 通关教程

DAY14:Upload-labs 通关教程

2022-07-29 05:18:00 EdmunDJK

DAY14:Upload-labs 通关教程

Pass-01、客户端 JS 检测

请添加图片描述

试着传了一个 php 发现浏览器弹窗 JS 提示,那么直接上 bp,勾选 Remove all JavaScript,对页面进行刷新,在进行上传。

请添加图片描述

请添加图片描述

上传成功。蚁剑连接getshell

Pass-02、MIME 文件类型检测

超文本标记语言.html文件:     text/html
普通文本.txt文件:			 text/plain
PDF文档.pdf: 				application/pdfPNG
图像.png: 				image/png
GIF图像.gif: 				image/gif
MPEG文件.mpg、.mpeg: 		video/mpeg
二进制流:				  application/octet-stream

$_FILE['upload_file']['type']        #获取上传文件的MIME-Type类型

这里我们可以通过 bp 抓包修改 Content-type 文件类型来进行绕过上传,具体可以修改为什么根据其允许类型修改

f (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {

这里我们看到允许jpeg、png、gif 类型上传。直接上传 php 文件。

请添加图片描述

将 application/octet-stream 改为 image/gif

发包,上传成功,蚁剑连接getshell

Pass-03、后缀名修改绕过

$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空

根据代码发现,本关不允许上传第一行代码后缀,空格绕过,文件流格式绕过,大小写绕过,点后缀绕过,但是,我们有很多种不同后缀名的 php :

php、php2、php3、php5、phtml

随意修改名字上传即可。

请添加图片描述

蚁剑连接 getshell

Pass-04、apache配置 .htaccess 解析文件方式绕过

$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

​ 通过一个.htaccess文件调用php的解析器去解析一个文件名中只要包含"as.png"这个字符 串的任意文件,所以无论文件名是什么样子,只要包含"as.png"这个字符串,都可以被以php的 方式来解析,一个自定的.htaccess文件就可以以各种各样的方式去绕过很多上传验证机制。

新建一个 .htaccess 文件名,内容为

SetHandler application/x-httpd-php

意思是将上传的所有文件以 php 方式解析,即 php 格式。

那么首先上传 .htaccess 文件 。接下来上传图片马。

图片马制作方式:

准备一张纯净图片和写好的一句话代码,在此目录下打开终端输入下面的代码:

copy name1.jpg/b + name2.php  name3.jpg

请添加图片描述
请添加图片描述
请添加图片描述

可以看到解析成功,蚁剑连接geishell

Pass-05、大小写绕过

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

本关禁止使用点后缀绕过、空格绕过、文件流传输绕过,考虑使用大小写绕过,

windows系统下,对于文件名中的大小写不敏感,Linux系统下,对于文件名中的大小写敏感。

可以上传文件名为 111. PhP 文件名上传成功,上传111.PHP 成功
请添加图片描述

蚁剑连接getshell

Pass-06、空格绕过

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

审代码,容易发现是空格绕过

​ windows系统中,对于文件名中空格会被作为空处理,程序中的监测代码却不能自动删除空格,从而绕过黑名单,针对这样的情况需要用到bp截断httpp请求后,修改对应文件名+添加空格

1.php + 空格

请添加图片描述

上传成功,蚁剑连接 getshell

Pass-07、. 号绕过

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

根据代码分析得出可以进行点后缀绕过

1.php + .

请添加图片描述
请添加图片描述

解析成功,蚁剑连接 getshell

Pass-08、路径拼接绕过

​ windows系统下,如果上传的文件名中text.php::$DATA会在服务器上生成一个text.php文件,其中内容和所上传文件内容相同,并被解析

1.php  +  ::$DATA

请添加图片描述

上传成功,蚁剑连接 getshell

Pass-09、路径拼接绕过

 $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

本关禁止点后缀,大小写,::$DATA,空格,等绕过

可以进行考虑路径拼接绕过

1.php .+ 空格 +.

请添加图片描述

上传成功,蚁剑连接getshell

Pass-10、后缀名双写绕过

$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);

1.p+ php +hp

经过过滤得到文件名 1.php
请添加图片描述

蚁剑连接 getshell

Pass-11、路径00截断(POST型)

白名单判断,但$img_path是直接拼接,因此可以利用%00截断绕过

截断条件:php版本小于5.3.4,php的magic_quotes_gpc为OFF状态

%00是一个url编码,url发送到服务器后就被服务器解码,这时还没有传到验证函数,也 就是说验证函数里接收到的不是%00字符,而是%O0解码后的内容,即解码成了Ox00,比如

 https://localhost/upfile/?file=test.txt

此时输出的是test.txt 加上%00

 https://localhost/upfile/?file=test.php%00.txt

此时输出的是test.php,绕过了后 缀限制,可以上传webshell

请添加图片描述

上传成功,进入路径发现1.php 后有个一无法编码的字符,去掉,即可 getshell,蚁剑连接。

请添加图片描述
请添加图片描述

Pass-12、路径名00截断(post)

因为POST不会像GET对%00进行自动解码,所以需要在二进制中进行修改

请添加图片描述请添加图片描述

路径上添加空格在 hex中将 相应行数后改为 00 特殊编码然后 run,上传成功

请添加图片描述

对路径中 1.php 后特殊符号删除,访问成功,蚁剑连接 getshell

Pass-13、文件头解析绕过

图片马:上文已经教了如何制作

源码读取前2个字节判断上传文件的类型,判断通过后,便重新给文件赋予新的后缀名

构造:include.php?file=upload/shell.jpg , include 会以本文的形式读取 shell.jpg 的内容,这样存在于 shell.jpg 里的一句话木马就

可以执行

只检查文件头的类型,写上 GIF89a 可解析为 gif 文件,上传后,根据include 函数的特性,上传图片马,找到 include.php 的路径,使用文件包含漏洞即可访问,蚁剑连接 getshell

请添加图片描述

Pass-14、文件内容检测

image_type_to_extension 根据指定的图像类型返回对应的后缀名

方法同上,使用 include 函数,检查文件体的类型

请添加图片描述

蚁剑连接 getshell

Pass-15、文件内容检测

方法同上

请添加图片描述

Pass-16、图片二次渲染,内容检测

is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    
    // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // 获得上传文件的扩展名
    $fileext= substr(strrchr($filename,"."),1);

    //判断文件后缀与类型,合法才进行上传操作
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
    
        if(move_uploaded_file($tmpname,$target_path)){
    
            //使用上传的图片生成新的图片
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
    
                $msg = "该文件不是jpg格式的图片!";
                @unlink($target_path);
            }else{
    
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".jpg";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im,$img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
    
            $msg = "上传出错!";
        }

    }else if(($fileext == "png") && ($filetype=="image/png")){
    
        if(move_uploaded_file($tmpname,$target_path)){
    
            //使用上传的图片生成新的图片
            $im = imagecreatefrompng($target_path);

            if($im == false){
    
                $msg = "该文件不是png格式的图片!";
                @unlink($target_path);
            }else{
    
                 //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".png";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagepng($im,$img_path);

                @unlink($target_path);
                $is_upload = true;               
            }
        } else {
    
            $msg = "上传出错!";
        }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
    
        if(move_uploaded_file($tmpname,$target_path)){
    
            //使用上传的图片生成新的图片
            $im = imagecreatefromgif($target_path);
            if($im == false){
    
                $msg = "该文件不是gif格式的图片!";
                @unlink($target_path);
            }else{
    
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".gif";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagegif($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
    
            $msg = "上传出错!";
        }
    }else{
    
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}

同上,需要处理好的图片这里网上搜搜就好啦(能抵挡两次图片渲染代码依旧健在)

请添加图片描述

Pass-17、文件内容检测

同上,使用 include.php
请添加图片描述

原网站

版权声明
本文为[EdmunDJK]所创,转载请带上原文链接,感谢
https://blog.csdn.net/qq_49433473/article/details/126002913

边栏推荐

猜你喜欢

随机推荐