File Upload: the upload-labs-master lab


The lab environment was set up with 小p.

Level 1

First, try uploading a php file.

[Image 1]

The answer, of course, is no.

Key source code

Code:

    function checkFile() {
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("请选择要上传的文件!");
            return false;
        }
        // define the file types allowed for upload
        var allow_ext = ".jpg|.png|.gif";
        // extract the uploaded file's extension
        var ext_name = file.substring(file.lastIndexOf("."));
        // check whether this extension is allowed
        if (allow_ext.indexOf(ext_name + "|") == -1) {
            var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
            alert(errMsg);
            return false;
        }
    }

All it does is cut out the extension after the last "." of your upload's file name and compare it against the list.

Since the filtering happens in JS, we can simply turn JS off in the browser.

[Image 2]

Try again: success.

[Image 3]

It can also be bypassed by intercepting the request.

[Image 4]

Then change the extension to php.

[Image 5]

Done!!!

Takeaway: this shows that filtering has to be done on both the front end and the back end.

Level 2

Test first.

[Image 6]

One look and it's clearly back-end filtering.

Let's look at the source.

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '文件类型不正确,请重新上传!';
            }
        } else {
            $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
        }
    }

Obviously it wants us to intercept the request and change the type.

Just change the type and you're done.

[Image 7]

Level 3

Straight to the source.

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array('.asp','.aspx','.php','.jsp');
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);// strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); // convert to lower case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
            $file_ext = trim($file_ext); // trim leading and trailing whitespace
    
            if(!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
                if (move_uploaded_file($temp_file,$img_path)) {
                     $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

Here trim strips characters from both ends of the string.

strrchr extracts the extension.

Since the httpd config is set to parse php3 and phtml as well,

we can do this:

[Image 8]

Level 4

.htaccess configuration file vulnerability, no filtering.

Pseudo-static URLs are mainly there to confuse attackers during testing: for example, when you visit a site it shows index.html, but .htaccess actually hands you over to index.php.

So this level is done with a picture trojan.

Making a picture trojan

    C:\Users\CaoYanChao\Desktop\offer>copy aaa.jpg/b+web.php/a ccc.jpg
    aaa.jpg
    web.php
    已复制         1 个文件。
    
    C:\Users\CaoYanChao\Desktop\offer>

Result

[Image 9]

Upload it again and it's done.

Friendly reminder: file uploads must always use a whitelist.

Level 5

Bypass using Linux and Windows characteristics.

Put that way, it must be letter case.

Windows is case-insensitive, but Linux is case-sensitive.

I won't demonstrate this one. Hehe.

Level 6

Let's look at the source.

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);// strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
            $file_ext = trim($file_ext); // trim leading and trailing whitespace
    
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '此文件类型不允许上传!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

Clearly a trim call is missing.

So we can intercept the request and add a 'space' to the uploaded file name, and that's it.

First, once you add the space, the extension is no longer php.

Second, on Windows a trailing space is removed automatically.

[Image 10]

Level 7

Source

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = $_FILES['upload_file']['name'];
            $file_name = deldot($file_name);// strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); // convert to lower case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
            
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
                if (move_uploaded_file($temp_file,$img_path)) {
                    $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '此文件不允许上传';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

Is the strrchr function missing here? Of course, so we bypass the extension check by appending a ".", which Windows deletes automatically.

Level 8

Source

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); // convert to lower case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
            $file_ext = trim($file_ext); // trim leading and trailing whitespace
            
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '此文件类型不允许上传!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

Notice the ::$DATA: the real name of our file's data stream actually carries the suffix ::$DATA.

This level is thus spelled out pretty clearly:

intercept the request and append ::$DATA to the end of filename.

[Image 11]

Level 9

This one is caused by filtering only once instead of repeatedly.

Code

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);// strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); // convert to lower case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
            $file_ext = trim($file_ext); // trim leading and trailing whitespace
            
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = '上传出错!';
                }
            } else {
                $msg = '此文件类型不允许上传!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

It first strips spaces, then dots, then ::$DATA, then spaces again.

Then I had an idea . .

Level 10

Source

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
    
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = str_ireplace($deny_ext,"", $file_name);
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }

Seeing str_ireplace replace the extension with an empty string, I had an idea.

Answer: the extension is replaced with an empty string, so double-write it to bypass.

[Image 12]

Level 11

00 truncation

Source

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
    
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
        }
    }

Idea: intercept the request, then use 00 truncation (PHP is written in C, and \0 is the C string terminator).

Then, in $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

the ."/".rand(10, 99).date("YmdHis").".".$file_ext; part is simply truncated away.

Demo

[Image 13]

The levels in between can mostly be bypassed with a picture trojan (insert a PHP one-line webshell into a fixed region of an image).

Let's take a look.
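The levels so far all fail in the same place: the server trusts a client-supplied type, denylists extensions, normalises the name too little or too late, or takes the save path from the request. The handler below is an added example written for this write-up, not code from upload-labs; it is one allowlist handler that covers Level 2 through Level 11 and the picture-trojan remark above. It assumes UPLOAD_PATH is defined by the including script and points at a directory the web server will not execute scripts from, and that the GD extension is loaded.

```php
<?php
// Added example for this write-up, not code from upload-labs: one allowlist
// upload handler that closes the holes walked through in Levels 2 to 11.
// Assumptions: UPLOAD_PATH is defined by the including script and points to a
// directory the web server is configured not to execute scripts from; GD is loaded.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function safe_upload(array $file): array
{
    // Level 2: the client-supplied $file['type'] is never consulted.
    // Level 11: the destination directory is never read from $_GET or $_POST.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    $name = (string) $file['name'];
    // Level 11: a \0 (or any control byte / path separator) is rejected outright
    // rather than "cleaned", so nothing downstream can be truncated or redirected.
    if ($name === '' || preg_match('#[\x00-\x1f/\\\\]#', $name)) {
        return [false, 'invalid file name'];
    }
    // Levels 5 to 10: normalise (case, ::$DATA, trailing spaces and dots), then
    // compare against an allowlist. A denylist can always miss one spelling;
    // with an allowlist "php ", "php.", "pHp", "phtml" and "pphphp" are simply not on it.
    $name = str_ireplace('::$DATA', '', $name);
    $name = rtrim($name, " .");
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [false, 'extension not allowed'];
    }
    // Levels 3 and 4 (picture trojan): check the bytes, not the name. The
    // declared extension and the detected MIME type must agree ...
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED_TYPES[$ext]) {
        return [false, "content is not a $ext image"];
    }
    // ... and the image is re-encoded, which keeps the pixels and drops any
    // PHP appended after the image data. The stored name is chosen by the server.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return [false, 'image could not be decoded'];
    }
    $dest = UPLOAD_PATH . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {               // PHP 8 match; use a switch on older versions
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    return $ok ? [true, basename($dest)] : [false, 'could not write file'];
}
```

Call it as `safe_upload($_FILES['upload_file'])`; the second element of the returned pair is the stored name on success or the rejection reason on failure.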

Level 17

Code audit

    $is_upload = false;
    $msg = null;
    
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_name = $_FILES['upload_file']['name'];
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_ext = substr($file_name,strrpos($file_name,".")+1);
        $upload_file = UPLOAD_PATH . '/' . $file_name;
    
        if(move_uploaded_file($temp_file, $upload_file)){
            if(in_array($file_ext,$ext_arr)){
                 $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
                 rename($upload_file, $img_path);
                 $is_upload = true;
            }else{
                $msg = "只允许上传.jpg|.png|.gif类型文件!";
                unlink($upload_file);
            }
        }else{
            $msg = '上传出错!';
        }
    }

So when you upload a file, it checks the whitelist; if the extension is on the whitelist the file name is scrambled, otherwise the file is deleted.

Fatal logic error: upload first, delete afterwards. In the window after the upload has succeeded and before the delete, I may be able to access the file.

Here's the code:

); ?>

What it means is that when you access this file, it generates a shell.php whose content is:

So by exploiting this logic error, once I manage to access that file before it is deleted, a new file gets created.

Intercept

[Image 14]

continue indefinitely means keep sending requests.

[Image 15]

Code

'); ?>

Change this to its parent directory.

[Image 16]

Success
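The defect in Level 17 is ordering, not filtering: the file is written into the web root under the client's name and only then judged. The version below is an added example written for this write-up, not code from upload-labs; it keeps the lab's own extension check and only moves the decision in front of the write, so there is never an intermediate file for a racing request to fetch. It assumes UPLOAD_PATH is defined by the including script, as in the lab.

```php
<?php
// Added example for this write-up, not code from upload-labs: Level 17 with
// the order of operations fixed. Assumption: UPLOAD_PATH is defined by the
// including script, as in the lab.
function upload_level17_fixed(array $file): array
{
    $ext_arr = ['jpg', 'png', 'gif'];
    // Decide on PHP's temporary file, BEFORE anything lands in the web root.
    // The original moved the file under its client-chosen name first and
    // unlinked it afterwards; every request that arrives in between can hit it.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, '上传出错!'];
    }
    $file_ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($file_ext, $ext_arr, true)) {
        // Nothing to unlink: the rejected upload never left PHP's tmp dir,
        // which PHP removes itself when the request ends.
        return [false, '只允许上传.jpg|.png|.gif类型文件!'];
    }
    // One move, straight to the final server-chosen name: there is never an
    // intermediate file under the original name, so there is no window to race.
    $img_path = UPLOAD_PATH . '/' . bin2hex(random_bytes(8)) . '.' . $file_ext;
    if (!move_uploaded_file($file['tmp_name'], $img_path)) {
        return [false, '上传出错!'];
    }
    return [true, $img_path];
}
```

The same rule generalises beyond this level: validate on the temporary file, and let the first write into a web-reachable directory be the final, renamed file.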
