Upload-labs-04-06

This article is intended only for technical exchange, study and research. Using the techniques described here for illegal purposes or to cause damage is strictly prohibited; the author bears no responsibility for any resulting consequences.

The target is an environment the author set up on a self-purchased VPS, reachable only through an access whitelist.

Pass-04

  • According to the hint, this level blacklists every script extension its author could think of.
  • But there is one gap: .htaccess is not on the blacklist. Upload a .htaccess file to the target containing SetHandler application/x-httpd-php, and Apache will hand every file in that directory to the PHP handler. Note that this only works when the site runs Apache with mod_php and AllowOverride permits FileInfo directives in the upload directory; nginx ignores .htaccess entirely.
  • Once that upload succeeds, upload the webshell with any suffix that is not on the blacklist, for example ant.bmfx (any made-up suffix will do).
  • Demonstration (the screenshots are in the original post).
  • For more on .htaccess see: https://www.zhaosimeng.cn/zqzb/55.html
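As an added illustration (this is not a file from the original post), here is the .htaccess a tester would upload for Pass-04. The post uses a bare SetHandler line; scoping it with a FilesMatch block to the single payload name ant.bmfx is an addition here, so that the rest of the directory keeps being served normally.

```apacheconf
# .htaccess uploaded into the upload directory for Pass-04 (added example).
# A bare "SetHandler application/x-httpd-php", as in the post, applies to every
# file in the directory; the FilesMatch block limits it to the one payload file.
<FilesMatch "^ant\.bmfx$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

The application/x-httpd-php handler belongs to mod_php, so the directive has no effect on a php-fpm or proxy setup, and Apache only reads it when the directory's AllowOverride includes FileInfo (or All).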

Pass-05

  • No matter what I tried I could not get through this level: the case-variant extensions suggested in writeups online (phP, phP3, PHP and so on) were all rejected, so I set it aside for the moment.
  • The source a blogger posted for the level they solved (reference: https://www.zhaosimeng.cn/writeup/62.html) shows why: their version had the following line removed:
     $file_ext = strtolower($file_ext); //convert to lowercase
  • So the case-variant bypass only works against a source without that line. In the version deployed here the lowercase normalization is present and .htaccess is also on the deny list, so neither the Pass-04 trick nor a case variant gets through, and the level is not meant to be solved by removing code. What the deny list below does not cover is .ini; a per-directory .user.ini (read by PHP only when it runs under CGI/FastCGI) is the gap this version of the level is built around.
  • The source of the level as I met it is as follows:
// Pass-05 as deployed on the test VPS (upload-labs). UPLOAD_PATH and deldot()
// come from the project's common include and are not shown here.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Blacklist: note that .htaccess is on it but .ini is not.
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase: defeats phP3-style variants
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//strip the ::$DATA stream suffix
        $file_ext = trim($file_ext); //strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name; // the client-supplied file name is kept as-is
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}

Pass-06

  • Speechless: looking at the source of this level, it is exactly the Pass-05 that bloggers on the internet solved. It drops the lowercase-conversion line, so a suffix like bmfxshit.phP3 can be uploaded directly.
  • Steps (the screenshots are in the original post).

The upload above succeeded and a shell was obtained.
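The following is an added example, not code from upload-labs or the original post: a Python re-implementation of the extension pipeline in the Pass-05 source above (trim, deldot, strrchr, strtolower, str_ireplace of ::$DATA, trim), so the effect of the strtolower() line that separates Pass-05 from Pass-06 can be checked offline against the deny list. The Pass-05 deny list is copied from the page; the Pass-04 list is assumed to be the same list without .htaccess, as the post describes; the image whitelist and the hardened functions at the end are assumptions for the example.

```python
import re
import secrets
from typing import Iterable, Optional

# Deny list copied from the Pass-05 source on this page.
DENY_EXT_PASS05 = frozenset([
    ".php", ".php5", ".php4", ".php3", ".php2", ".html", ".htm", ".phtml",
    ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm",
    ".pHtml", ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
    ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml", ".asp",
    ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer", ".aSp",
    ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr", ".sWf",
    ".swf", ".htaccess",
])
# Assumption: Pass-04 uses the same list without ".htaccess", as the post describes.
DENY_EXT_PASS04 = DENY_EXT_PASS05 - {".htaccess"}

# Assumed whitelist for an image upload endpoint (not from the page).
ALLOW_EXT = frozenset([".jpg", ".jpeg", ".png", ".gif"])

PHP_TRIM_CHARS = " \t\n\r\0\x0b"  # default character set of PHP's trim()


def normalize_ext(file_name: str, lowercase: bool = True) -> str:
    """Return the extension the PHP check ends up comparing.

    lowercase=True mirrors the Pass-05 source (strtolower present);
    lowercase=False mirrors Pass-06, where that line is gone.
    """
    name = file_name.strip(PHP_TRIM_CHARS)      # trim($_FILES[...]['name'])
    name = name.rstrip(".")                     # deldot(): drop trailing dots
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""       # strrchr($name, '.') (false -> '')
    if lowercase:
        ext = ext.lower()                       # strtolower($file_ext)
    ext = re.sub(re.escape("::$DATA"), "", ext, flags=re.IGNORECASE)  # str_ireplace
    return ext.strip(PHP_TRIM_CHARS)            # trim($file_ext)


def blacklist_allows(file_name: str, deny_ext: Iterable[str], lowercase: bool = True) -> bool:
    """The lab's check: accept unless the normalized extension is on the deny list."""
    return normalize_ext(file_name, lowercase) not in set(deny_ext)


def whitelist_allows(file_name: str) -> bool:
    """Hardened check: accept only a known-good extension, compared case-insensitively."""
    return normalize_ext(file_name, lowercase=True) in ALLOW_EXT


def safe_store_name(file_name: str) -> Optional[str]:
    """Whitelist the extension, then discard the client-chosen base name entirely,
    so the stored file can never be .htaccess or carry a crafted name."""
    ext = normalize_ext(file_name, lowercase=True)
    if ext not in ALLOW_EXT:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample file names covering the Pass-04, Pass-05 and Pass-06 cases.
    samples = [".htaccess", "ant.bmfx", "shell.php", "shell.phP3",
               "shell.php::$DATA", "photo.JPG"]
    for s in samples:
        print(f"{s:18} pass04={blacklist_allows(s, DENY_EXT_PASS04)!s:5} "
              f"pass05={blacklist_allows(s, DENY_EXT_PASS05)!s:5} "
              f"pass06={blacklist_allows(s, DENY_EXT_PASS05, lowercase=False)!s:5} "
              f"whitelist={whitelist_allows(s)}")
```

Running it shows .htaccess slipping past the Pass-04 list but not Pass-05, shell.phP3 rejected under Pass-05 and accepted under Pass-06, and both rejected by the whitelist; the random stored name closes the remaining hole of keeping the client's file name on disk.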

A confused life needs constant effort before the blurry goal in the distance comes into view!
Original article: https://www.cnblogs.com/autopwn/p/13743371.html