前言:
在日常渗透中,上传文件是getshell的一个常用方案,在其中,我们常常直接修改后缀进行绕过,如果不行,往往会放弃,从而错失机会。这里是我通过github的一个上传绕过源码来记录下需要注意的点。
upload-labs
通关攻略
上传绕过原理:
1> 后缀名采用上传文件名的文件后缀,也就是后缀名我们可以控制,接下来,就是看后台对后缀名是否违法(黑名单),或者是否(白名单)是如何限制了。
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
2>一种就是直接采用内部命名,这种考虑解析漏洞或者别的思路。
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'random(time).jpg; //这种已经确定死了,截断解析或者文件包含漏洞打组合拳吧
js绕过:
这种很简单,是通过js前段验证,我们抓包修改成.php即可。
window绕过技巧:
window的特性绕过,在window下,很多命名方式会导致window自动去了违法字符。
所以,前提是我们能保证服务器是window的情况下,可以根据返回值进行判断,来进行绕过。
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
基本上有一下几点:
shell.php (后面加空格)
shell.php.
shell.php::$DATA
根据规则绕过:
源码中,对后缀判断的规则或者写入的规则进行判断。
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$file_name = str_ireplace($deny_ext,"", $file_name);
这里是过滤了后缀中存在的关键字。
我们可以通过双写进行绕过: shell.pphphp
或者有的就是先上传temp文件,然后进行判断文件名是否合法,
不合法再进行删除。然后我们可以不断的写入文件,来执行我们的webshell等。
解析漏洞:
00截断解析漏洞的条件限制很苛刻
1. php版本小于5.3.4
2. php的magic\_quotes\_gpc为OFF状态
需要注意的点:
get请求中 可以直接 %00
post 必须在16进制下进行修改,因为post在请求中不会进行自行编码
总结:
基本没什么可以说的,还是需要走一遍流程,然后自己尝试一波即可。