文件上传总结

0x00 漏洞原理与危害

网站web应用程序都有一些文件上传功能,比如文档、图片、头像、视频上传,当上传功能的实现代码没有严格校验上传文件的后缀和文件类型时,就可以上传任意文件甚至是执行文件后门。

恶意文件传递给解释器去执行,之后就可以再服务器上执行恶意代码,进行数据库执行、服务器文件管理,服务器命令执行等恶意操作。根据网站使用及可解析的程序脚本不同,可以上传的恶意脚本可以是PHP、ASP、JSP、ASPX文件等。

0x01 常见上传点及绕过

头像
相册
附件
添加文章图片
前台留言资料上传
编辑器文件上传
...

后缀绕过

PHP:
/ph(p[2-7]?|t(ml)?)/的后缀,如php2、php3、php5、php7、phtml、pht、shtml、phtm(是否解析需要根据配置文件中设置类型类决定)
ASP:
asa、cer、cdx、asp{80-90}
ASPX:
ascx、asax、ashx、asac、asmx
JSP:
jsp、jspx、jspf、jspa、jsw、jsv、jtml

绕过类型

Content-Type绕过
前端绕过
文件解析规则绕过
Windows环境特性绕过
文件名大小写绕过
双写绕过
点空格绕过
文件头绕过
条件竞争绕过
......

0x02 中间件解析漏洞

1、 Apache解析漏洞

1.1) 未知后缀

特性:Apache对于文件名的解析是从后面往前解析的,直到遇见一个Apache认识的文件类型未知。

phpshell.php.rar.abc.xxx

Apache不认识xxx、abc、rar依次从右往左解析,直到遍历到.php。

文件类型定义在Apache的mime.types文件中。

文件上传总结_第1张图片
image-20200103114647808

防御方法:在配置文件httpd.conf或httpd-vhosts.conf中加入

 
Require all denied 

1.2) CVE-2017-15715(LINUX环境下)

Apache 2.4.0-2.4.29使用了如下的配置


    SetHandler application/x-httpd-php

原理:可以注意到$这个解析漏洞的根本原因就是这个$。如果我们此时有个文件后缀名为:.php\n,Apache是会将其作为php文件进行解析。

利用Burp的HEX功能在1.php后面添加一个\x0A,然后访问/1.php%0A。

2、IIS 5.x/6.0解析漏洞

2.1) 目录解析

在网站下建立文件夹的名称中带有.asp、.asa等可执行脚本文件后缀为后缀的文件夹,其目录内的任何扩展名的文件都被IIS当作可执行文件来解析并执行。这是由于处理文件夹扩展名出错,导致将/*.asp/目录下的所有文件都作为asp文件进行解析。

原因: ii6.0的服务器开启Active Server Pages服务拓展

http://www.xxx.com/xx.asp/xx.jpg

2.2) 文件解析

在IIS和Windows环境下曾经出现过以分号";"为截断字符的漏洞。

原因: ii6.0的服务器开启Active Server Pages服务拓展

http://www.xxx.com/xx.asp;xx.jpg

2.3) IIS PUT

PUT是在WebDav中定义的一个方法。WebDav大大扩展了HTTP协议中的GET、POST、HEAD等功能,它所包含的PUT方法,允许用户上传文件到直定的路劲下。

开启WebDav之后,IIS就支持PROPFIND、PROPPATCH、MKCOL、DELETE、PUT、COPY、MOVE、LOCK、UNLOCK等方法了。我们的攻击手段采用:

1:通过options探测服务器信息(IIS PUT SCANER进行探测,还可以利用iiswrite工具进行漏洞利用)

2:上传文本文件

3:通过MOVE改名(MOVE能否执行成功,取决于IIS服务器是否勾选了“脚本资源访问”的复选框)(IIS6.0 默认的可执行文件除了asp还包含这三种 *.asa *.cer *.cdx)

3、IIS 7.0/7.5解析漏洞

3.1) 畸形解析漏洞

原理:默认fast-cgi开启状况下,在一个文件路劲后面加上/xx.php会将原来的文件解析为php文件。

条件:1)php.ini里cgi.fix_pathinfo=1(默认为1);2)在"Handler Mapping"中取消勾选"Invoke handler only if request is mapped to"

上传test.jpg

http://www.xxx.com/test.jpg/xx.php

4、Nginx解析漏洞

4.1) 畸形解析漏洞

这和IIS 7.5的一样,php.ini里cgi.fix_pathinfo=1(默认为1)。

http://www.xxx.com/test.jpg/xx.php

原因:这个漏洞形成的原因是在fastcgi方式下,PHP获取环境变量的方式有关。

配合写入马上传

原理:1)网站允许上传任意文件,然后检查上传文件是否包括webshell,如果包含则删除该文件;2)网站允许上传任意文件,但是如果不是指定类型,那么使用unlink删除文件。

也就是说在删除之前就执行了上传文件中的php代码。

');?>

然后访问test.jpg/.php就会在当前目录下生成一句话木马shell.php,密码为cmd。

4.2) Nginx<8.03 空字节代码执行漏洞

Fast-CGI关闭的情况下,仍存在解析漏洞。

影响范围:Nginx 0.5.,0.6.,0.7<=0.7.65,0.8<=0.8.37

http://www.xxx.com/xxx.jpg%00.php

4.3) CVE-2013-4547

影响范围:0.8.41,1.5<=1.5.7

http://127.0.0.1/test.jpg \0.php

发送请求

http://www.xxx.com/test2.jpgAAAphp

使用burpsuite抓包。分别将AAA采用hex功能改为 \x20 , \x00 , \x2e

5、Tomcat 解析漏洞

限制在windows操作系统下,其实利用的就是windows特性

xxx.jsp.
xxx.jsp/
xxx.jsp%20
xxx.jsp::$DATA

0x03 upload-labs 闯关日记

我们以 upload-labs 作为学习的靶机

Pass-01 前端检测

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

这是一段JS代码,在前端进行验证。我们可以采用提交.jpg文件然后抓包将文件名后缀改成.php上传。或者noscript插件禁用JS。

image-20200102170356062

Pass-02 MIME检测

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}
 if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))

这段PHP的代码在上传文件的类型上做了检测,MIME检测,抓包修改其Content-Type

image-20200105102235248

Pass-03 过滤不严绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
$deny_ext = array('.asp','.aspx','.php','.jsp');
if(!in_array($file_ext, $deny_ext)) 

这里是黑名单检测,我们可以尝试php3、php5等来尝试绕过

image-20200105104637501

Pass-04 .htaccess绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这也是黑名单检测,但过滤的很严格。不过并没有过滤.htaccess。.htaccess是伪静态环境配置文件

.htaccess文件,其内容为


SetHandler application/x-httpd-php

其将pino解析为php文件

文件上传总结_第2张图片
image-20200105115438798

这里是将所有文件解析为.php文件

再上传一个允许的后缀名文件,就可以解析

文件上传总结_第3张图片
image-20200105125011647

最开始我在linux环境下,始终解析不了。

百度以后,支持.htaccess解析(只支持apache),apache 需要配置httpd.conf,然后重启

Options FollowSymLinks
AllowOverride None

改为:

Options FollowSymLinks
AllowOverride All

Pass-05 .user.ini绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这里把.htaccess的后缀也过滤了。我们这里可以尝试下user.ini上传

利用条件:

1、服务器脚本语言为PHP

2、服务器使用CGI/FastCGI

3、上传目录下要有可执行的php文件

.user.ini实际上就是一个可以由用户自定义的php.ini,我们能够自定义的设置是模式为"PHP_INI_PERDIR、PHP_INI_USER"的设置。

根据hint,我们得知上传目录下存在readme.php

我们上传.user.ini文件,其内容为

GIF89a
auto_prepend_file=a.jpg

大致意思就是:我们指定一个文件(如a.jpg),那么该文件就会被包含在要执行的php文件中(如index.php),类似于在index.php中插入一句:require(./a.jpg);

这两个设置的区别只是在于auto_prepend_file是在文件前插入;auto_append_file在文件最后插入(当文件调用的有exit()时该设置无效) ,其实质相当于是文件包含

文件上传总结_第4张图片
image-20200105173316533

在上传a.jpg

文件上传总结_第5张图片
image-20200105174834042

Pass-06 大小写绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这段代码未采用 strtolower 过滤,我们可以采用大小写绕过的方式

image-20200105175524342

Pass-07 空格绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

还是黑名单检测,这里未采用trim()函数,可以采用空绕过也就php后面加一个空格

image-20200105180138257

Pass-08 中间件解析漏洞/特殊文件名绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我这里采用的是上传1.php.aaa利用apache的解析漏洞

文件上传总结_第6张图片
image-20200105183014671

看了其他人的wp,这里未用deldot函数 删除文件名末尾的点

采用上传1.php. 然后利用windows特性自动去掉后缀名中最后的.,Unix/Linux系统没有这个特性。

文件上传总结_第7张图片
image-20200105183401029

Pass-09 Windows流特性绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

php再windows的时候如果文件名+ ::$DATA 会把 $DATA 之后的数据当成文件流处理,不会检测后缀名。且保持 ::$DATA 之前的文件名。

文件上传总结_第8张图片
image-20200105190219777

Pass-10 综合绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这里先经过trim去除前后空格,再经过deldot删除末尾的点后进行检测弱过检测过了直接拼接到上传路径上。

获取文件的扩展名,转为小写,去除::$DATA字符串再去除首尾空格。

我们考虑构造一个 1.php. . 上传

后面的两个.中间有个空格

image-20200105201721217

Pass-11 双写绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
$file_name = str_ireplace($deny_ext,"", $file_name);

这个函数的意思是如果上传的文件名里如果存在deny_ext数组里的字符串就将他替换为空

我们可以想到双写绕过,例如phphpp这里将php过滤后剩下php

image-20200105210559017

Pass-12 %00截断绕过

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

这里是白名单检测

$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

注意看这段,有一个GET的参数save_path这里表明了,我们的上传路径是可控的。

文件上传总结_第9张图片
image-20200106083741867

我们这里采用%00截断,因为GET会自动解码,在文件名绕过后,由于代码是由路劲+xxx拼接成的,由于服务器不认识这个符号便自动截断了。为什么这里是%00而有时候是0x00呢?

00截断原理分析

%00:在url中%00表示ascII码中的0,而ascii中0作为特殊字符保留,表示字符串结束,所以当url中出现%00时会认为读取已结束。

例如

https://mp.csdn.net/upfiles/?filename=test.txt              此时输出test.txt
https://mp.csdn.net/upfiles/?filename=test.php%00.text      此时输出test.php

0x00:0x00是16进制的00,也就是%00解码成16进制。在burp接收到POST数据包的时候,会将POST数据包中的内容,直接进行URL编码了。

我们的常规操作,将 `1.php .jpg` 的空格用burp的hex功能,把0x20改为0x00

或者 `1.php%00.jpg` 中将%00进行URL-decode

首先解释为什么要进行url-decode,其原因在于上传的表单中有一个enctype的属性,并且需要enctype="multipart/form-data" (不对表单数据进行编码),path大多数都是存放在表单中的,因此需要在数据包中进行urldecode操作使得%00变成字符串结束字符。

理解:在URL中的%00会被web服务器当作16进制处理,然后自动翻译成ascii码实现截断;而在burp中16进制编辑器将空格20改成了00。本质来说,都是利用0x00是字符串的结束标识符,进行截断。

Pass-13 0x00截断绕过

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

和上题一样都是00截断,这里就需要url-decode了

image-20200106092450725

php 00截断条件

1、版本小于5.3.4

2、magic_quotes_gpc为OFF

Pass-14 文件头检测

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //只读2字节
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);    
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    
    $fileType = '';    
    switch($typeCode){      
        case 255216:            
            $fileType = 'jpg';
            break;
        case 13780:            
            $fileType = 'png';
            break;        
        case 7173:            
            $fileType = 'gif';
            break;
        default:            
            $fileType = 'unknown';
        }    
        return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

检测文件内容的前两个字节,然后使用文件包含绕过

我们这里制作图片马,网上说也可以采用在文件内容前加GIF89a

copy x.jpg/b+1.txt/a 1.jpg
文件上传总结_第10张图片
image-20200106103720655

本地环境不知道为什么,图片马包含一直报错,但是放在Linux服务器上包含能解析出来

后来我换了一张图片,就能包含成功了

Pass-15 getimagesize绕过

function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)>=0){
            return $ext;
        }else{
            return false;
        }
    }else{
        return false;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

这里采用的 getimagesize

这个函数是通过获取图片数据流中头部几个字节来判断图片类型的,这样就为webshell注入提供了机会,木马程序只需要在头部插入相关图片类型几个字节,就可以绕过getimagesize的检测。

我们这里也可以采用图片马绕过。

Pass-16 exif_imagetype 绕过

function isImage($filename){
    //需要开启php_exif模块
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;    
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

方法和上面一致的

文件头值:

jpg:FFD8FFE000104A464946
png:89504E470D0A1A0A
gif:474946383961

Pass-17 二次渲染绕过

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // 获得上传文件的扩展名
    $fileext= substr(strrchr($filename,"."),1);

    //判断文件后缀与类型,合法才进行上传操作
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "该文件不是jpg格式的图片!";
                @unlink($target_path);
            }else{
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".jpg";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im,$img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "png") && ($filetype=="image/png")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefrompng($target_path);

            if($im == false){
                $msg = "该文件不是png格式的图片!";
                @unlink($target_path);
            }else{
                 //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".png";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagepng($im,$img_path);

                @unlink($target_path);
                $is_upload = true;               
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefromgif($target_path);
            if($im == false){
                $msg = "该文件不是gif格式的图片!";
                @unlink($target_path);
            }else{
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".gif";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagegif($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    }else{
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}

这里判断了后缀名,content-type,然后利用 imagecreatefromgif 判断内容,最后做了二次渲染,二次渲染的意思是利用你上传的图片生成一个新的图片。

判断图片有没有被二次渲染可以上传图片马,然后下载服务器上的图片,用16进制编辑器打开对比下。

GIF:二次渲染的绕过需要找到渲染前后没有变化的位置,然后将PHP代码写进去就可以了。
PNG和JPG的渲染绕过有点没看懂。。。
详情:https://xz.aliyun.com/t/2657

Pass-18 条件竞争上传

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错!';
    }
}

可以看到这里是先上传再做检测,如果检测不再白名单里,则删除,我们可以利用这个时间差来做条件竞争上传

');?>

然后不停的用Intruder发上传包

文件上传总结_第11张图片
image-20200106135601100

同时不停的发请求包,利用时间差访问这个上传的php

文件上传总结_第12张图片
image-20200106135645234
文件上传总结_第13张图片
image-20200106135838289

这个shell.php便是临时存在的php代码,而x.php则是我们burp请求到shell.php生成的。具体观察会发现,shell.php生成了一会就会被删除,如果访问到了,就会生成x.php,这个x.php不会被删除。

Pass-19 条件竞争配合解析漏洞上传

//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload(UPLOAD_PATH);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已经被上传,但没有重命名。';
            break; 
        case -1:
            $msg = '这个文件不能上传到服务器的临时文件存储目录。';
            break; 
        case -2:
            $msg = '上传失败,上传目录不可写。';
            break; 
        case -3:
            $msg = '上传失败,无法上传该类型文件。';
            break; 
        case -4:
            $msg = '上传失败,上传的文件过大。';
            break; 
        case -5:
            $msg = '上传失败,服务器已经存在相同名称文件。';
            break; 
        case -6:
            $msg = '文件无法上传,文件不能复制到目标目录。';
            break;      
        default:
            $msg = '未知错误!';
            break;
    }
}

//myupload.php
class MyUpload{
......
......
...... 
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......  
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @para String name of directory we upload to
   ** @returns void
  **/
  function upload( $dir ){
    
    $ret = $this->isUploadedFile();
    
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    
    // if flag to check if the file exists is set to 1
    
    if( $this->cls_file_exists == 1 ){
      
      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    
    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );
  
  }
......
......
...... 
};

我们看看MyUpload类的源代码

MyUpload构造函数:

​ 初始化4个值,文件名,临时文件名,文件大小,重命名

isUploadedFile 函数:

​ is_uploaded_file函数检测是否为http post上传文件

setDir 函数

​ 初始化上传路劲

checkExtension 函数:

​ 检测后缀(白名单检测)

checkSize 函数:

​ 检测文件大小

move 函数:

​ 上传临时文件

checkFileExists 函数:

​ 检测文件是否存在

renameFile 函数:

​ 将上传的文件改名

再看 upload 函数经过检测后

    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
$this->cls_upload_dir . $this->cls_filename
$this->cls_upload_dir为$status_code = $u->upload(UPLOAD_PATH);主函数设置的全局变量
define("UPLOAD_PATH", "../upload");  config.php文件里的定义
这里展示的是上传文件名为../upload拼接文件名

这里是先上传再改名,意思是如果能绕过上面的检测,就能通过条件竞争来上传了。

官网上说的是必须利用LINUX环境。我们可以尝试利用apache解析漏洞配合。

文件上传总结_第14张图片
image-20200106200223855
文件上传总结_第15张图片
image-20200106200136020

操作和上面的一个一样,我们这里传的一个x.php.tiff,然后不停的发包请求,利用的apache解析漏洞

image-20200106200702544

就能成功利用了

Pass-20 CVE-2015-2348

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

这里使用了 pathinfo 返回字符串再检测,然后利用 move_uploaded_file 上传

这个函数存在任意文件上传的漏洞CVE-2015-2348

文件上传总结_第16张图片
image-20200106202705924

我们这里 $file_name 可控,就导致 $img_path ,就导致 move_uploaded_file 函数里的 $destination 可控。

这里采用00截断

image-20200106203326421

网上另外的解法是 1.php/. ,因为 move_uploaded_file 上传时会忽略 /.

Pass-21 数组绕过

$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    //检查MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        //检查文件名
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功!";
                $is_upload = true;
            } else {
                $msg = "文件上传失败!";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件!";
}

我们这里分析下源码

$allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type))

首先,这里进行了文件类型检测,MIME

if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

这里如果$file不是数组,则按照 . 分割成数组并小写(如果传入数组则绕过这步)

$ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix))

取数组的最后一个来进行白名单验证(如果我们直接传入的数组最后一个是在白名单里,则绕过这步)

$file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) 

$file_name为数组里第一个拼接一个 . 再拼接数组第长度减一个再上传

我们这里可以构造一个数组[0] [2],[0]来构成reset($file),[2]来绕过白名单

最后在拼接的时候,由于[1]为空所以会多出一个 . 这里可以采用Winodws特性,或者move_uploaded_file 上传时会忽略 /.

文件上传总结_第17张图片
image-20200106210948311

0x04 编辑器上传漏洞

FCKeditor

查看FCKeditor版本

http://127.0.0.1/fckeditor/editor/dialog/fck_about.html
http://127.0.0.1/FCKeditor/_whatsnew.html

测试文件

FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html

FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
FCKeditor/_samples/default.html
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php

突破上传

改扩展名、%00截断、添加文件头等

二次上传绕过FCK在上传了诸如shell.asp;.jpg的文件后,会自动将文件名改为shell_asp;.jpg。可以继续上传同名文件,文件名会变为shell.asp;(1).jpg

提交shell.php+空格绕过(windows特性)

IIS6.0突破文件夹限制

Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

文件解析限制

通过FCKeditor编辑器在文件上传页面中,创建1.asp文件夹,然后再到该文件夹下上传图片,配合iis6.0解析漏洞

http://www.xxx.com/images/upload/201806/image/1.asp/1.jpg

Ewebeditor

进入后台

弱口令
下载默认数据库 ewebeditor/db/ewebeditor.mdb
burp爆破
利用注入点

然后添加样式,添加按钮,使用IE浏览器(不可以上传的话打开兼容性视图设置)上传

CKFinder

其1.4.3 asp.net版本存在任意文件上传漏洞

Kindeditor

<= 4.10 存在文件上传漏洞

只能上传 html, htm 钓鱼

南方数据编辑器southidceditor

登陆后台,利用编辑器上传,访问admin/southidceditor/admin_style.asp,修改编辑器央视,增加asa,然后后台上传

UEditor

利用iis6.0解析漏洞

DotNetTextBox

关键字:system_dntb/
确定有system_dntb/uploadimg.aspx并能打开,这时候是不能上传的,由于他是验证cookie来得出上传后的路径,这样我们可以用cookie欺骗工具
cookie:UserType=0;IsEdition=0;Info=1;
uploadFolder=../system_dntb/Upload/;
路径可以修改,只要权限够,上传后改名为1.asp;.jpg利用iis解析漏洞

PHPWEB网站管理系统后台Keditor

1、IIS6.0文件名解析漏洞

2、%00截断

Cute Editor在线编辑器本地包含漏洞

影响版本:

Cute Editor For Net 6.4

http://www.xx.com/Cute_Client?CuteEditor/Load.ashx?type=image&file=../../../web.config

总结:编辑器漏洞说到底还是采用各种上传姿势来进行利用的

你可能感兴趣的:(文件上传总结)