本篇文章仅用于技术交流学习和研究的目的,严禁使用文章中的技术用于非法目的和破坏,否则造成一切后果与发表本文章的作者无关
测试的靶机是作者自己购买的vps搭建的环境,使用了白名单形式访问!
Pass-07
- 此关卡根据提示,还是黑名单的形式过滤的各种扩展后缀,但是发现此关卡去除了收尾去空的代码
$file_ext = trim($file_ext); //首尾去空
- 所以我们上传shell通过添加空格即可绕过,这里使用burpsuite抓包操作方便
- 具体如下操作:
将shit.php后面添加一个空格即可,我这里测试不成功,因为我是docker环境下,不能处理,Windows环境下没有问题
PS:在windows系统中会将文件扩展名后的空格做空处理,并不会被当成另一种不可识别的文件类型。因此可以利用这个特性来绕过这一关的黑名单。
Pass-08
- 此关卡显示的源代码如下:
$is_upload = false; $msg = null; if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini"); $file_name = trim($_FILES['upload_file']['name']); $file_ext = strrchr($file_name, '.'); $file_ext = strtolower($file_ext); //转换为小写 $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA $file_ext = trim($file_ext); //首尾去空 if (!in_array($file_ext, $deny_ext)) { $temp_file = $_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH.'/'.$file_name; if (move_uploaded_file($temp_file, $img_path)) { $is_upload = true; } else { $msg = '上传出错!'; } } else { $msg = '此文件类型不允许上传!'; } } else { $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!'; } }
- 对比上一关卡的代码,发现少了去除末尾点的代码,具体如下
$file_name = deldot($file_name);//删除文件名末尾的点
- 所以本关卡可以通过burpsuite抓包在上传的php后缀添加点"." 即可绕过,可以是多个点
- 由于我这里是docker的Linux环境搭建,无法复现最终的效果,但是我上传是成功的
- 正常情况下如果是Windows环境,通过在后面添加多个点上传成功之后,落地到磁盘以文件的形式存放,Windows会去掉这些点"." 可以正常拿shell 了,比如我这里上传的是shit.php... Linux环境下不会改变,但访问带点的shell文件,同样可以拿shell
- 具体看如下:
