2022-08-01 21:32:00 【weixin_53150482】
1. Description
A file upload vulnerability arises when the programmer does not strictly validate and filter uploaded files, so a user can upload a dynamic, executable script file to the server beyond what their own access should allow. In essence, the uploaded file is one that we can invoke.
2. Cause
At bottom, a file upload is still a client POST request whose message body carries the upload data. For the file to be uploaded normally, the front-end upload page must set enctype to multipart/form-data (or Multipart/form-data).
3. File upload attack surface
Common points of focus: avatar upload, profile-edit upload, file-editor middleware upload, image upload, media upload; intercept the upload request and test it with malicious files.
4. File upload approach
1. Front-end JS validation
- Delete the page's JS code
- Use Burp to disable all JS code
5. MIME type validation
The code validates by the file type that is sent back with the upload.
Intercept the request and modify its Content-Type to bypass the check. MIME types:
- HTML text: .html text/html
- XML document: .xml text/xml
- XHTML document: .xhtml application/xhtml+xml
- Plain text: .txt text/plain
- RTF text: .rtf application/rtf
- PDF document: .pdf application/pdf
- Microsoft Word file: .word application/msword
- PNG image: .png image/png
- GIF image: .gif image/gif
- JPEG image: .jpeg, .jpg image/jpeg
Using $_FILES in PHP:
- $_FILES['myFile']['name']: the file's name
- $_FILES['myFile']['type']: the file's MIME type
- $_FILES['myFile']['size']: size of the uploaded file (in bytes)
- $_FILES['myFile']['tmp_name']: the temporary file name under which it is stored, normally the system default
- $_FILES['myFile']['error']: the error code for this upload, added in PHP 4.2
6. Blacklist
1. Specific parsable suffixes
The upload restricts the suffix, but we can change the suffix to inject, using other extensions that the script engine still parses:
- PHP: php, phtm
- ASP: asa, asp{80-90}
- JSP: jspx
2. .htaccess parsing
Idea: use certain special files of the middleware to have other files parsed as a particular type, e.g. parse 1.png as 1.php.
The .htaccess file is an Apache server configuration file mainly responsible for the page configuration of the directory it sits in, i.e. a file placed in a specific directory that contains one or more directives configuring the web server. Note that a .htaccess file applies to its own directory and all subdirectories, but if a subdirectory also has a .htaccess file, that one overrides the effect of the parent directory's .htaccess.
The uploaded .htaccess file:
<FilesMatch "1.png">
SetHandler application/x-httpd-php
</FilesMatch>
Purpose: have 1.png parsed and executed as a PHP file
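The server-side counterpart, as an added example that is not from the original post: an Apache directory block for the folder that receives uploads. The path /var/www/uploads is an assumption. AllowOverride None makes any uploaded .htaccess inert, and resetting the handler stops every file in that tree from being handed to a script engine, whatever its name or claimed type.

```apache
# Added example (not from the post): hardening for the upload directory.
# /var/www/uploads is an assumed path; adjust to your own tree.
<Directory "/var/www/uploads">
    # Ignore any .htaccess in this directory or below: an uploaded one
    # cannot register SetHandler / AddHandler for itself.
    AllowOverride None
    # Reset the handler so no file here is passed to a script engine,
    # whatever extension or MIME type it claims.
    SetHandler None
    # No CGI execution and no directory listing.
    Options -ExecCGI -Indexes
    # For mod_php builds (the module name differs across PHP versions).
    <IfModule mod_php.c>
        php_flag engine off
    </IfModule>
    # Deliver uploads as opaque attachments so a browser never sniffs a
    # script out of a file that passed a weak type check.
    <IfModule mod_headers.c>
        Header set Content-Disposition attachment
        Header set X-Content-Type-Options nosniff
    </IfModule>
</Directory>
```

After deploying, verify rather than assume: place a file named probe.php containing `<?php echo 1;` in the directory yourself and request it; the response must be the literal source as a download, not "1". If PHP runs through php-fpm with a global FilesMatch SetHandler, repeat that FilesMatch inside this Directory block with SetHandler None and re-run the probe.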
3. Case conversion
Use mixed case in the suffix of the uploaded file
4. Space bypass
After the server receives the file name it does not trim whitespace from the ends of the name, so the suffix match fails; we therefore upload a file named "1.php "
(with a space after php)
5. Dot bypass
The principle of this vulnerability is that the server obtains the uploaded file's suffix simply by the "."
// $UPLOAD_ADDR: the upload directory, defined elsewhere in the lab code
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');               // take the characters after the last "." in the file name
        $file_ext = strtolower($file_ext);                  // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext);                        // strip leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
For $file_ext = strrchr($file_name, '.'); in the code:
- If the uploaded file is named 1.php, file_ext is php
- If the uploaded file is named 1.php., file_ext is null
6. ::$DATA bypass
About ::$DATA: when PHP runs on Windows, if the file name is followed by "::$DATA", the data after "::$DATA" is treated as a file stream and the suffix is not checked, while the file name before "::$DATA" is kept.
7. Combining with a parsing flaw
The idea is similar to the dot bypass; the main reason is that the "." at the end of the file suffix is filtered only once
// $UPLOAD_ADDR: the upload directory; deldot(): the lab's helper that removes the trailing dot, defined elsewhere
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                    // remove the dot at the end of the file name; done only once
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);                  // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext);                        // strip leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
We can change the uploaded file name's suffix to "1.php. ." (there is a space between the two dots)
8. Double suffix bypass
The suffix of the uploaded file name is filtered only once, so we can write the suffix twice to bypass it
e.g.: 1.phpphp
9. %00 truncation
- The 0x00 and %00 truncations share the same principle: %00 URL-decodes to the null character, and 0x00 is hexadecimal 00. After parsing, both are treated as chr(0).
- chr() returns the character represented by the argument in parentheses.
- chr(0) returns the character with ASCII code 0, i.e. NULL.
- When a string contains a null character, the characters after it are discarded when the string is parsed. When the parameter is passed by GET, %00 is used, because the URL is encoded automatically and converted to the null character; POST data is not encoded automatically, so 0x00 must be used for truncation.
PHP < 5.3 with magic_quotes_gpc=Off; otherwise the null character in %00 is escaped as \0
- GET type
- POST type
10. Second rendering
- Files uploaded to the server are renamed after the upload completes, so keep accessing the file before it is renamed, so that the image is being accessed the whole time, enabling the rename to
- Recommended article: detailed analysis of upload-labs Pass 16
11. move_uploaded_file
This function ignores a trailing /. during the upload; in other words the file suffix can be changed with it to get around the blacklist.
12. Magic-byte check bypass
Some sites check the file type by its content; this check can be bypassed by prepending the corresponding bytes to the shell. The leading bytes of several common file types are as follows:
Type | Binary value (hex) |
JPG | FF D8 FF E0 00 10 4A 46 49 46 |
GIF | 47 49 46 38 39 61 |
PNG | 89 50 4E 47 |
TIF | 49 49 2A 00 |
BMP | 42 4D |
13. System naming bypass
On Windows, an uploaded index.php. is renamed with the trailing dot removed, which bypasses the suffix check. You can also try index.php%20, index.php:1.jpg and so on. On Linux, try uploading names such as index.php/. or ./aa/../index.php/.
- Sometimes the replacements given earlier can be used to substitute file names that are uncommon but produce the same parsing result
- Adding some "junk data" can lower the WAF's detection rate
- For example, early versions of Safedog could be bypassed by adding several extra filename fields
- (Some say certain WAFs check whether the request is a POST and only inspect the packet body if it is; change POST to GET here)
- Delete the Content-Type field
- Delete the spaces in the Content-Disposition field
- Change the case of the Content-Disposition field value
- (Line break at the file name)
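The defender's answer to sections 3 to 13 above is one validation routine rather than a longer blacklist. The following is an added example, not code from the original post or from upload-labs: it normalises the client-supplied name exactly along the lines the bypasses exploit (mixed case, trailing space or dot, ::$DATA, "1.php. .", double suffixes, "/." and ":1.jpg"), checks the content with finfo and a real image decode instead of trusting the Content-Type, and stores a re-encoded copy under a server-chosen name. Assumptions: PHP 7.4 or later with the fileinfo and GD extensions, the form field name upload_file from the lab code, and an upload directory outside the document root.

```php
<?php
// Added example (not from the post or upload-labs). Assumes PHP >= 7.4 with the
// fileinfo and GD extensions, and an upload directory that is not web-served directly.
declare(strict_types=1);

// Allowlist: the only extensions accepted, and the one MIME type each may carry.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Reduce the client-supplied name to a permitted extension, or null.
function safe_extension(string $client_name): ?string
{
    // Keep only the last path segment; the client may send "../x" or "aa/../x/.".
    $name = basename(str_replace('\\', '/', $client_name));
    // Windows alternate data stream suffix: "1.php::$DATA".
    $name = preg_replace('/::\$DATA$/i', '', $name);
    // Trailing dots and spaces that Windows drops: "1.php.", "1.php ", "1.php. .".
    $name = rtrim($name, ". ");
    // Null bytes (%00), other control characters and ':' are never legitimate.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f:]/', $name)) {
        return null;
    }
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;                      // no extension at all
    }
    array_shift($parts);                  // discard the base name
    // Every dotted component must be on the allowlist, compared case-insensitively,
    // because Apache's AddHandler matches any component ("1.php.jpg", "1.pHp").
    foreach ($parts as $ext) {
        if (!isset(ALLOWED_TYPES[strtolower($ext)])) {
            return null;
        }
    }
    return strtolower(end($parts));
}

// Validate one entry of $_FILES and, on success, store a re-encoded copy under a
// server-chosen random name. Returns ['ok' => bool, 'reason' => ...] or ['ok' => true, 'stored' => ...].
function validate_upload(array $file, string $upload_dir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'transfer error'];
    }
    $ext = safe_extension((string) $file['name']);
    if ($ext === null) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }
    // $_FILES[...]['type'] is just the Content-Type the client sent; ignore it and
    // sniff the actual bytes of the temporary file instead.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content sniffed as $detected"];
    }
    // A correct magic-byte prefix is not enough: the whole file must decode as an
    // image. "GIF89a" followed by script text fails here. Re-encoding the decoded
    // pixels also discards comments and trailing data, where text is usually hidden.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }
    // The client's name never reaches the filesystem; the server picks the name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($upload_dir, '/') . '/' . $stored;
    $writer = ['png' => 'imagepng', 'gif' => 'imagegif', 'jpg' => 'imagejpeg', 'jpeg' => 'imagejpeg'][$ext];
    $ok = $writer($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        return ['ok' => false, 'reason' => 'could not write file'];
    }
    return ['ok' => true, 'stored' => $stored];
}

// Usage in the upload handler (directory path is an assumption):
// $result = validate_upload($_FILES['upload_file'], '/var/data/uploads');
```

The order of the checks matters: the name is normalised before any comparison, so the lowercase allowlist sees "php" whether the client sent "pHp", "php ", "php." or "php::$DATA", and the content check runs on the temporary file before anything is moved. Re-encoding is defence in depth, not a guarantee that no crafted image survives it; the directory hardening from the .htaccess section is what stops a surviving file from ever being executed.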
Some approaches and a summary for file upload
1. Introduction
- Definition: file inclusion means that while the server executes one file, it loads another file through the file-inclusion code and executes it;
in essence, it is invoked by the server
2. Cause
The included file is user-controllable and is not strictly checked, or the check can be bypassed, allowing sensitive files to be operated on and causing file leakage or code injection
$filename = $_GET['filename'];
In this example filename is entirely controlled by the user and its value is passed straight into the include function, so operations can be performed by modifying the value of filename
3. Related functions
4. Exploitation
1. Local file inclusion
$file = $_GET['file'];
include($file); # passed straight into the include function
Since there is no restriction, other content on the system can be obtained through a directory traversal vulnerability
Create a file 1.php locally and at the same time create a file whose contents are <?php phpinfo();?>; then visit http://localhost/1.php?file=1.txt in the browser
What is shown is the phpinfo output. Common file read paths:
/etc/apache2/* # Apache config files; reveals the web directory, service port, etc.
/etc/nginx/* # Nginx config files; reveals the web directory, service port, etc.
/etc/crontab # scheduled tasks
/etc/environment # one of the environment-variable config files; environment variables may leak a lot of directory information and even secret keys
/etc/hostname # host name
/etc/hosts # static host-name lookup table with pairs of domain names and resolved IPs; reveals NIC and network IP/domain information
/etc/issue # system version information
/etc/mysql/* # MySQL config files
/etc/php/* # PHP config files
/proc directory # /proc usually holds the dynamic runtime information of processes and is essentially a virtual directory; to view another process the pid can be brute-forced, and to view the current process use /proc/self instead of /proc/[pid]
/proc/[pid]/cmdline # cmdline can reveal fairly sensitive information
/var/log/auth.log # ssh log; attack method: ssh `<?php phpinfo(); ?>`@
/var/log/apache2/[access.log|error.log] # apache logs
Restricting the included file's suffix
$file = $_GET['file'];
include($file . ".html"); # the file suffix is .html
- 00 truncation
Prerequisite: PHP < 5.3.4, magic_quotes_gpc=OFF
- Length truncation
Prerequisite: PHP version <= 5.2.?
Idea: PHP has a length limit on directory strings; the maximum directory length on Windows is 256 bytes and on Linux 4096 bytes, and anything beyond that is discarded, so the junk-data idea can be used: ……………………………………………………………………………
zip/phar protocol
$file = $_GET['file'];
include($file . ".php"); # the included file's suffix is php
- zip://path/zipfile#file name inside the archive (remember to URL-encode the # when using it)
- phar://path/pharfile/file name inside the phar
- The phar:// protocol is similar to zip:// and can likewise access the contents of zip-format archives
Session file inclusion
Prerequisites: PHP version > 5.4.0; config item session.upload_progress.enabled set to On
Reference article: File inclusion trick: using session.upload_progress for file inclusion
Explanation of some background:
Default options in php.ini:
session.upload_progress.enabled = on # upload_progress is enabled: when the browser uploads a file to the server, PHP stores details of the upload (upload time, progress, etc.) in the session
session.upload_progress.cleanup = on # when the upload finishes, PHP immediately clears the content of the corresponding session file
session.upload_progress.prefix = "upload_progress_"
session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" # the key name in the session
session.use_strict_mode = off # the session id in the Cookie is controllable
Explanation of the last two options:
// PHPSESSION = Sn0w
<form action="upload.php" method="POST" enctype="multipart/form-data">
 <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
 <input type="file" name="file1" />
 <input type="file" name="file2" />
 <input type="submit" />
</form>
With session.upload_progress.name='PHP_SESSION_UPLOAD_PROGRESS', uploading a file stores information about the upload in session['upload_progress_123'], saved in /tmp/sess_Sn0w:
Given the default options introduced above, can session.upload_progress be used to write a malicious statement and then include that file? The premise is that the session storage location must be known.
Session storage mechanism in PHP:
Session content in PHP is stored as files; the storage method is determined by the config item session.save_handler, and the default is files. The storage file is named sess_sessionid, and the file's content is the serialized session value. The storage path is decided by the config item session.save_path; in general the session storage path is:
Linux: /tmp or /var/lib/php/session
Windows: C:\WINDOWS\Temp
- How to create a session file:
If the config item session.auto_start=On is enabled, PHP starts the session automatically when it receives a request, with no function call needed, but it is off by default. There is another default session option, session.use_strict_mode, whose default value is 0: the user may define their own SessionID. Set PHPSESSID=Sn0w in the Cookie and PHP will create a file on the server at (default path) /tmp/sess_Sn0w
Even if the user has not initialised the session at this point, PHP initialises it automatically and produces a key made up of ini.get("session.upload_progress.prefix") + the session.upload_progress.name value we construct, which is finally written into the sess_ file
- One problem remains: even in the default configuration, session.upload_progress.cleanup = On causes the session file's content to be cleared immediately after the upload, so multiple threads reading and writing are needed here, a race condition, to include the session file before it is removed.
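The preconditions listed above are all configuration, so they can be removed in configuration. The following php.ini fragment is an added example, not from the post or the referenced article; the session.save_path value is an assumption.

```ini
; Added example (not from the post): php.ini settings that remove the
; preconditions of the session.upload_progress inclusion described above.

; Reject session ids the server did not issue, so a Cookie of PHPSESSID=Sn0w
; no longer makes PHP create /tmp/sess_Sn0w.
session.use_strict_mode = 1

; Do not record upload progress in the session unless the application really
; uses it; then nothing from the PHP_SESSION_UPLOAD_PROGRESS field is written
; to a session file at all. If it is needed, keep cleanup on.
session.upload_progress.enabled = 0
session.upload_progress.cleanup = 1

; Never start a session implicitly for an arbitrary request.
session.auto_start = 0

; Keep session files away from the document root and from world-readable /tmp
; (assumed path).
session.save_path = "/var/lib/php/sessions"

; include() must never fetch a URL (covers the remote inclusion section below).
allow_url_fopen = 0
allow_url_include = 0
```

Check the live values with phpinfo() or `php -i | grep -E 'use_strict_mode|upload_progress|allow_url'` after the change, because a per-directory or per-pool override can silently put them back.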
2. Remote file inclusion
- allow_url_fopen = On: whether remote files may be opened
- allow_url_include = On: whether include/require may use remote files
When the code has no restriction at all, simply host a malicious WEBSHELL on the public internet and trigger the malicious payload by including it
Restricting the included file's suffix:
e.g.: <?php include($_GET['filename'] . ".no"); ?>
? bypass
# bypass
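Every inclusion variant above starts from include($_GET[...]) with the client choosing the path. The added example below, which is not code from the original post, shows the shape the include should have instead: the client picks only a short page name, the server supplies directory and extension, and realpath() independently confirms the result is inside the page directory. The pages directory and the ?page= parameter name are assumptions.

```php
<?php
// Added example (not from the post). Assumes includable pages live in
// __DIR__ . '/pages' and the client passes ?page=about (parameter name is hypothetical).
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Map a client-chosen page name to an absolute file path, or null if it is not
// an includable page. Both checks are independent; either one alone rejects
// every payload class from the sections above.
function resolve_page(string $requested): ?string
{
    // 1. Allowlist by shape: a short bare word. No dot, slash, colon, NUL, '?' or '#',
    //    so "../", "%00", "zip://", "phar://", "php://", "http://", "/tmp/sess_x",
    //    "about?" and "about#" never reach the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    // 2. The server supplies directory and extension; the client only picks the stem,
    //    so there is no suffix to truncate away.
    $candidate = PAGE_DIR . '/' . $requested . '.php';
    // 3. Canonicalise and confirm the result still lies inside PAGE_DIR
    //    (realpath() also returns false for a file that does not exist).
    $real = realpath($candidate);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Classify request values: returns value => accepted. Handy for a unit test that
// feeds the probe strings from the sections above and expects false for each.
function classify(array $requests): array
{
    $out = [];
    foreach ($requests as $r) {
        $out[$r] = resolve_page($r) !== null;
    }
    return $out;
}

// Handler:
// $page = resolve_page((string) ($_GET['page'] ?? ''));
// if ($page === null) {
//     http_response_code(404);
//     exit;
// }
// include $page;
```

A table of page names would do the same job as the regular expression, and is preferable when the set of pages is small and fixed; the regular expression version is shown because it is what most upgrades of an existing include($_GET['file']) end up as. Note that a value such as "About" is rejected as well: the allowlist is exact, so the check cannot be weakened by case variants the way the upload blacklist was.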
File read and download
Judging from the source code, it is a file read vulnerability
Hints of file download indicate a file download vulnerability
1. File download
The link contains filename and Download, which indicates a file download vulnerability; visiting the link returns:
This shows it is a Java program, so think from the JavaWeb angle: modify the submitted value to read the WEB config file WEB-INF/web.xml, then download the corresponding file; the downloaded file contains:
Combining what we have learned, infer that the Flag file is at WEB-INF/classes/com/wm/ctf/FlagController.class; after visiting it you will find the Flag
2. File read: sensitive files
C:\boot.ini // system version
C:\Windows\System32\inetsrv\MetaBase.xml // IIS config file
C:\Windows\repair\sam // stores the password from the initial system installation
C:\Program Files\mysql\my.ini // MySQL config
C:\Program Files\mysql\data\mysql\user.MYD // MySQL root
C:\Windows\php.ini // PHP config
C:\Windows\my.ini // MySQL config
...
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa.keystore
/root/.ssh/known_hosts
/etc/passwd
/etc/shadow
/etc/my.cnf
/etc/httpd/conf/httpd.conf
/root/.bash_history
/root/.mysql_history
/proc/self/fd/fd[0-9]* (file descriptors)
/proc/mounts
/proc/config.gz
.bash_history .zsh_history .profile .bashrc .gitconfig .viminfo passwd
/etc/apache2/apache2.conf /etc/nginx/nginx.conf
/var/log/apache2/access.log /var/log/nginx/access.log
.svn/entries .git/HEAD WEB-INF/web.xml .htaccess
.swp .swo .bak index.php~ ...
Combining file inclusion with file upload
What such challenges usually have in common: a shell cannot be uploaded directly, only images, and a file inclusion exists
file_put_contents with the "death exit" / mixed code
- Special backup files
.swp .swo .bak index.php~ ...
