Upload labs for file upload - white box audit
2022-07-01 09:34:00 【Crayon wood has a small new】
Catalog
- Pass-02 - Content-Type check
- Pass-06 - Uppercase PHP suffix bypass
- Pass-10 - Dot and space bypass
- Pass-11 - Double-writing bypass
- Pass-12 - GET type 00 truncation
- Pass-13 - POST type 00 truncation
Prerequisite knowledge: $_FILES
$_FILES is PHP's global array for files uploaded to the server; through it the script receives the uploaded file. Global means the variable can be accessed from anywhere in the script.
1. Build a form.html page to demonstrate uploading a file; the code is as follows (the form must sit inside the body element):
```html
<html>
<head></head>
<body>
<form enctype="multipart/form-data" action="upload_file.php" method="POST">
<input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
</body>
</html>
```
2. Create the PHP file upload_file.php that receives the file information; the code is as follows:
```php
<?php
header("content-type:text/html;charset=utf-8");
echo "<pre>"; // printing "<pre>" before the array makes the print_r output readable
print_r($_FILES);
echo "<br>";
echo "Uploaded file name: " . $_FILES['userfile']['name']; // userfile is the name attribute of the file input in the form
?>
```
When a picture is uploaded, the output is as follows:

That is, when we upload a picture we receive the $_FILES array under the key userfile; the keys of that array are fixed file attributes and the values are the attribute values of the uploaded file.
The contents of the $_FILES array are as follows:
- $_FILES['userfile']['name']: the original name of the file on the client.
- $_FILES['userfile']['type']: the MIME type of the file, e.g. "image/gif". This information is supplied by the browser.
- $_FILES['userfile']['size']: the size of the uploaded file, in bytes.
- $_FILES['userfile']['tmp_name']: the temporary file name under which the file is stored on the server after upload. This is normally the system default, and the temporary file is deleted once the script finishes, so the file has to be moved.
- $_FILES['userfile']['error']: the error code associated with the upload. ['error'] was added in PHP 4.2.0. The codes are described below (they became constants after PHP 3.0):
  - UPLOAD_ERR_OK, value 0: no error occurred, the file was uploaded successfully.
  - UPLOAD_ERR_INI_SIZE, value 1: the uploaded file exceeds the upload_max_filesize limit in php.ini.
  - UPLOAD_ERR_FORM_SIZE, value 2: the uploaded file exceeds the MAX_FILE_SIZE value specified in the HTML form.
  - UPLOAD_ERR_PARTIAL, value 3: only part of the file was uploaded.
  - UPLOAD_ERR_NO_FILE, value 4: no file was uploaded.
  - value 5: the size of the uploaded file is 0.
Pass-01 - JS restriction
The upload source code is as follows. Its only function is to move the file to a new location, so it imposes no restrictions at all:
```php
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $temp_file = $_FILES['upload_file']['tmp_name']; # temporary name and path of the uploaded file
        # UPLOAD_PATH is a constant defined in another file: define("UPLOAD_PATH", "../upload");
        # $_FILES['upload_file']['name'] is the original file name sent by the client
        $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']; # new path and file name
        if (move_uploaded_file($temp_file, $img_path)) { # move the temporary file to its new place
            $is_upload = true;
        } else {
            $msg = 'Upload error!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it by hand!';
    }
}
```
The upload restriction is a JavaScript function. All JavaScript restrictions run only in the browser and are useless as a security control; the vulnerability is that the only limit is a JS limit.

Method 1
1. Upload a file named 1.php whose content is the single line
<?php phpinfo(); ?>
With Burp Suite capturing, click upload: a dialog pops up, but no traffic passes through the proxy, so we guess the limit is enforced by the front end. Looking at the page source, there is a JavaScript upload-restriction function.

Find the function in the element inspector and delete it directly.

Then click upload; the upload succeeds. The address of the uploaded file can be seen in the page elements; visit it.
Method 2
Alternatively, first upload a png file, then change its suffix to php in the captured request to bypass the check.

Method 3
Configure Burp Suite to strip front-end JavaScript automatically; with the JS removed by Burp, the upload goes through directly.
Pass-02 - Content-Type check
The restricting function is shown below. It decides whether the upload is legal by reading the file's type, i.e. the Content-Type value of the request, so it is enough to modify Content-Type to a value that meets the requirement and the upload goes through.

Principle: the content-type (MIME type) is generated by the client according to the file you upload, so the server cannot rely on it.
As shown below, after modifying the Content-Type value the file is uploaded successfully.

Blacklist detection
Pass-03
The source code is as follows. The first part defines a blacklist (.asp, .aspx, ...), then removes the trailing dot from the file name and extracts the suffix. The suffix is matched against the blacklist and the upload fails if it matches, so we can upload files whose suffix is not on the blacklist, such as php3.

Upload a file with a suffix that is not on the blacklist, such as php3, php5 or phtml.

Pass-04 - .htaccess
The blacklist has been expanded; anything not on it is uploaded. However, .htaccess is not on the blacklist, so an .htaccess file can be uploaded (see: About .htaccess attack, Beiyu, CSDN blog).

Method 1: .htaccess
The restriction is a blacklist, and reading the code shows that .htaccess files are not filtered.
1. Make png files execute as php files (this is what the uploaded .htaccess configures).

2. Upload another png file whose content is php code.

3. Visit the picture.

Method 2: Apache file name parsing vulnerability
Use the Apache file name parsing vulnerability (5.2.x and below; the info.php.x bypass) to get around the check; see: Apache file name parsing vulnerability.
Pass-05 - .user.ini
This level adds a filter for .htaccess, but does not filter .php7 or .ini files.
So files with the php7 suffix and a .user.ini file can be uploaded; this level tests using a .user.ini file to build a php backdoor (see: Using .user.ini to construct a php backdoor).
Pass-06 - Uppercase PHP suffix bypass
This level also uses blacklist filtering. Uppercase suffixes are not in the blacklist and the uploaded suffix is not converted to lowercase, so uploading shell.PHP bypasses it.

Pass-07 - Space bypass
Viewing the source, it is still blacklist detection, and the file name is not trimmed of leading and trailing spaces, so adding a space after the suffix bypasses the check. When the file is saved on the server the trailing space is removed automatically.

Intercept the request after uploading the file and add a space after the suffix.

Pass-08 - Dot bypass
Also blacklist detection. The source strips spaces from the file suffix but not dots, so adding a dot (or a space and a dot) after the suffix bypasses the check.

Pass-09 - ::$DATA
Also blacklist detection; ::$DATA is not filtered.

On Windows, if "::$DATA" is appended to a file name, the data after ::$DATA is treated as a file stream, the suffix is not checked, and the file name before ::$DATA is kept. The purpose of the trick is precisely that the suffix is not examined.
For example, for "phpinfo.php::$DATA" Windows automatically removes the trailing ::$DATA and the file becomes "phpinfo.php".

Pass-10 - Dot and space bypass
Also blacklist detection. The source strips dots and spaces from the file suffix, but only once each, so appending a space and a dot to the suffix can still bypass it.

Pass-11 - Double-writing bypass
The file suffix is matched against the words in the blacklist, and a match is replaced with an empty string. Because the replacement is done only once, writing the suffix doubled, so that the remaining letters re-form it after the replacement, bypasses the check.


Whitelist detection
Pass-12 - GET type 00 truncation
From this level onward the checks use a whitelist.
- Principle: in C, %00 (the null byte) is the string terminator, and PHP is written in C and inherits this characteristic, so once the byte is treated as the terminator nothing after it is processed.
Conditions for use
- PHP < 5.3.29, with GPC (magic_quotes_gpc) off
- The upload path can be customized
Exploit
1. Switch PHP to 5.2.17
2. Turn GPC off (about GPC, see get_magic_quotes_gpc())
Open the corresponding php.ini file, turn GPC off, then restart the server.

3. Source code analysis
Looking at the whitelist check, we can control the upload path.

However $img_path is built by direct concatenation, so %00 can be used to truncate it and bypass the check. First modify the path value. Why can only path be modified? Because the program checks the file suffix, and only if the suffix is correct does it concatenate the path and file name; so the attacker modifies path, and the concatenated result is ../uploads/1.php%00/1.png. When the file is moved it is saved as ../uploads/1.php, which achieves a getshell.

For details see: Analysis of 00 truncation in uploads
Pass-13 - POST type 00 truncation
The difference from the previous level is that the 00 truncation is applied in POST.

POST does not automatically decode %00 the way GET does.
1. Modify the POST path to ../upload/14.php, then switch to the Hex view.

2. Use Burp Suite to decode the %00.

3. Click Forward.

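As an added example (not upload-labs code), here is one server-side filename policy that closes every blacklist bypass from Pass-03 to Pass-11 and the 00-truncation of Pass-12/13 at once; UPLOAD_PATH is assumed to be defined as the labs define it, and the function names are mine.

```php
<?php
// Added example, not upload-labs code: a whitelist filename policy that
// closes the blacklist bypasses of Pass-03..11 and the 00-truncation
// of Pass-12/13. UPLOAD_PATH is assumed to be defined as in the labs.
define('UPLOAD_PATH', '../upload');

// Whitelist only. A blacklist misses php3/phtml (Pass-03), .htaccess (Pass-04)
// and .user.ini (Pass-05), so the allowed set is enumerated instead.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns a server-chosen file name, or null when the upload must be refused.
function safeUploadName(string $clientName): ?string
{
    // Null byte (Pass-12/13): never let it reach a filesystem call.
    if (strpos($clientName, "\0") !== false) {
        return null;
    }
    // Keep only the base name; any directory part the client sent is ignored.
    $base = basename(str_replace('\\', '/', $clientName));
    // NTFS stream suffix "::$DATA" (Pass-09): cut at the first "::".
    $base = explode('::', $base, 2)[0];
    // Trailing dots/spaces (Pass-07, -08, -10): Windows drops them on save,
    // so drop them here, before the extension is examined.
    $base = rtrim($base, ". \t");
    // Lower-case the extension (Pass-06) and compare against the whitelist.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Random name: double-writing (Pass-11) and multi-extension names such as
    // x.php.jpg cannot matter when the original name is never reused.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Returns [success, message-or-path]. The save path comes only from the
// server-side constant; there is no client "save_path" as in Pass-12/13.
function handleUpload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error code ' . $file['error']];
    }
    $name = safeUploadName($file['name']);
    if ($name === null) {
        return [false, 'file type not allowed'];
    }
    $dest = UPLOAD_PATH . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file'];
    }
    return [true, $dest];
}
```

Pair this with a web-server configuration that disables script execution in the upload directory and ignores per-directory overrides, so that .htaccess and .user.ini (Pass-04/05) have no effect even if one were ever written there.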
Pass-14 - Picture horse
This level requires uploading a picture horse (an image file carrying php code). A picture horse is used together with a file inclusion vulnerability, which parses the included file regardless of its file name; see: File inclusion.
Looking at the source, the image is first opened in binary mode, the first two bytes are read, and the image type is judged from those two bytes.

1. Upload a jpg picture horse
First find a normal picture, since a normal picture will certainly match its image type, then make the picture horse from it (see: How the picture horse is generated).

2. Combine with file inclusion

Include the uploaded picture horse.

Pass-15 - Picture horse
The source is as follows. Here the getimagesize() function is used to obtain the image information, and the method is the same as in the previous level.

getimagesize() obtains the image size and related information; on success it returns an array, on failure it returns FALSE and raises an E_WARNING level error.
Pass-16 - Picture horse
This level uses the exif_imagetype function to determine the image type.

1. The php_exif module needs to be enabled
Open the php.ini file and remove the comment marker from the line below to turn it on:
extension=php_exif.dll
2. Upload the picture horse as in the previous level.
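As an added example (not upload-labs code), the following shows from the defender's side why the header checks of Pass-14 to Pass-16 accept a picture horse, and re-encoding through GD as the stronger alternative; it assumes PHP 8 with the GD extension, and the function names and the sample file are mine.

```php
<?php
// Added example, not upload-labs code: the two-byte check of Pass-14 seen
// from the defender's side, and re-encoding as the stronger alternative.
// Assumes PHP 8 (match) with the GD extension loaded.

// Lab-style check: classify by the first two bytes only. Anything placed
// after a valid header (the "picture horse") is never looked at.
function headerType(string $data): ?string
{
    if (strlen($data) < 2) {
        return null;
    }
    return match (unpack('n', $data)[1]) {
        0xFFD8 => 'jpg',   // JPEG SOI marker FF D8
        0x8950 => 'png',   // "\x89P" of the PNG signature
        0x4749 => 'gif',   // "GI" of "GIF8"
        default => null,
    };
}

// Stronger: decode with GD and write a new file. Only the decoded pixels
// are written, so bytes that are not image data do not reach the disk.
function reencodeImage(string $srcPath, string $dstPath, string $ext): bool
{
    $img = @imagecreatefromstring((string) file_get_contents($srcPath));
    if ($img === false) {
        return false;   // not a decodable image at all
    }
    $ok = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($img, $dstPath, 90),
        'png'         => imagepng($img, $dstPath),
        'gif'         => imagegif($img, $dstPath),
        default       => false,
    };
    imagedestroy($img);
    return $ok;
}

// Constructed sample: a valid 1x1 GIF with text appended after the trailer,
// the same shape as a picture horse. headerType() still reports "gif",
// while the re-encoded copy no longer contains the appended text.
$sample = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')
        . 'APPENDED-TEXT-MARKER';
$src = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($src, $sample);
var_dump(headerType($sample));
var_dump(reencodeImage($src, $src . '.clean.gif', 'gif'));
var_dump(str_contains(file_get_contents($src . '.clean.gif'), 'MARKER'));
```

Re-encoding removes embedded payloads but does not replace the other controls: the stored copy should still get a server-chosen name and live where the server never executes scripts, because the include vulnerability of Pass-14 does not care about the file's type at all.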
Pass-17 - Picture horse
(unfinished)