4.文件上传


点击跳转到MIDDLE级别

点击跳转到HIGN级别

1. LOW级别:

木马内容:

```
上传文件后利用用户可控的apple参数进行操控。
###### 图:直接菜刀连
![image.png](http://upload-images.jianshu.io/upload_images/4559317-1ae5e4f1ab49d7e0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

--------------------------------------------------------------------------------------------------------------------

## 2.MIDDLE级别:

if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {

    // Can we move the file to the upload folder? 
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 
        // No 
        echo '
Your image was not uploaded.
'; } else { // Yes! echo "
{$target_path} succesfully uploaded!
"; } } else { // Invalid file echo '
Your image was not uploaded. We can only accept JPEG or PNG images.
'; }

}
?>

##### Medium级别的代码对上传文件的类型、大小做了限制,要求文件类型必须是jpeg或者png,大小不能超过100000B(约为97.6KB)。

用burpsuite拦截改Content-type绕过前端检查
![image.png](http://upload-images.jianshu.io/upload_images/4559317-c8aa7a53a31f7527.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

--------------------------------------------------------------------------------------------------------------

## 3.Hign级别:

if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {

    // Can we move the file to the upload folder? 
    if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 
        // No 
        echo '
Your image was not uploaded.
'; } else { // Yes! echo "
{$target_path} succesfully uploaded!
"; } } else { // Invalid file echo '
Your image was not uploaded. We can only accept JPEG or PNG images.
'; }

}
?>

##### High级别的代码读取文件名中最后一个”.”后的字符串,期望通过文件名来限制文件类型,因此要求上传文件名形式必须是”*.jpg”、”*.jpeg” 、”*.png”之一。同时,getimagesize函数更是限制了上传文件的文件头必须为图像类型。

将图片马拼接到jpg文件后面即可:
![image.png](http://upload-images.jianshu.io/upload_images/4559317-561dca687ad1bae2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

不过在本地用菜刀连不上去......必须借用本地文件包含
![image.png](http://upload-images.jianshu.io/upload_images/4559317-886c69094a05899e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

---
上菜刀
![image.png](http://upload-images.jianshu.io/upload_images/4559317-ada46a85b0334f2c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

---
##### 解决方案:
1.限制文件后缀的同时不允许文件名中出现php/asp以免绕过。
2.对文件开头的内容进行二进制审查。
3.最好能取消掉上传文件夹的php/asp文件的执行权限,这样就算上传成功也无法执行。

你可能感兴趣的:(4.文件上传)