Pass-1&Pass-2 修改數(shù)據(jù)包繞過
#Pass-1
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("請選擇要上傳的文件!");
return false;
}
//定義允許上傳的文件類型
var allow_ext = ".jpg|.png|.gif";
//提取上傳文件的類型
var ext_name = file.substring(file.lastIndexOf("."));
//判斷上傳文件類型是否允許上傳
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "該文件不允許上傳,請上傳" + allow_ext + "類型的文件,當前文件類型為:" + ext_name;
alert(errMsg);
return false;
}
}
#Pass-2
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '文件類型不正確,請重新上傳曼验!';
}
} else {
$msg = $UPLOAD_ADDR.'文件夾不存在,請手工創(chuàng)建!';
}
}
Pass-1提示
Pass-2提示
Pass-1是js過濾吕朵,js不進行攔截就可以
Pass-2是服務端對請求包校驗嗅榕,不過只是對字段文件類型的校驗
所以Pass-1可以burpsuit對文件名進行更改
兩個Pass可以都通
修改文件名
上傳路徑
Pass-3 采用其他可執(zhí)行的文件后綴名
#Pass-3
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夾不存在,請手工創(chuàng)建火焰!';
}
}
Pass-3提示
同樣劲装,burpsuite改后綴名就好,不過過濾了asp昌简、aspx占业、php、jsp
大小寫繞不過
php版本5.3.2纯赎,pht后綴可以直接用谦疾,不加后綴別名的話,pass3
連接用的是蟻劍址否。
php5餐蔬,phps不能運行,phtml佑附,pht可以運行
如果上面幾種可以運行樊诺,可以在apache的配置文件httpd.conf里加上這一句(沒怎么調(diào)過,發(fā)現(xiàn)初始是空的,看的CSDN這位大佬的文章https://blog.csdn.net/weixin_44677409/article/details/92799366)
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
修改文件名
上傳路徑
Pass-4 .htaccess繞過
#Pass-4
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '此文件不允許上傳!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夾不存在,請手工創(chuàng)建音同!';
}
}
修改文件名
上傳路徑
這里只是說明可以繞過上傳词爬,但并不能直接執(zhí)行.htaccess文件
此方法是借鑒自這位大佬的博客https://www.cnblogs.com/feizianquan/p/11109390.html
所以我們采用這種辦法,在.htaccess里放這樣一句代碼
AddType application/x-httpd-php .png
修改.htaccess文件
這樣我們就可以把png文件解析成php文件了,當然也可以修改成其他可上傳的文件類型名字权均。
上傳一句話
測試
Pass-5 大小寫繞過
#Pass-5
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允許上傳';
}
} else {
$msg = $UPLOAD_ADDR . '文件夾不存在,請手工創(chuàng)建顿膨!';
}
}
.htaccess也被過濾了,不過統(tǒng)一轉(zhuǎn)化為小寫這句去掉了叽赊,可以采用大小寫繞過
修改文件名
測試
Pass-6
#Pass-6
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允許上傳';
}
} else {
$msg = $UPLOAD_ADDR . '文件夾不存在,請手工創(chuàng)建恋沃!';
}
}
全轉(zhuǎn)化為小寫加上了,但沒有了空格的檢測
可以通過加空格必指,繞過
修改文件名
測試
上傳確實是上傳上去了囊咏,但是蟻劍連不上
陷入沉思
陷入沉思*2
文件帶空格不解析
可能是服務器的問題,留個坑
