一、NTFS交换数据流::$DATA绕过上传
如果后缀名没有对::$DATA进行判断,利用windows系统NTFS特征可以绕过上传
在window的时候如果文件名+"::$DATA"会把::$DATA之后的数据当成文件流处理,不会检测后缀名,且保持::$DATA之前的文件名,其实和空格绕过点绕过类似
upload-pass08
代码分析
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
看到这里还是黑名单过滤,比前面少了一行
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
尝试上传
我们开启抓包,上传test.php 抓包中修改 test.php::$DATA
上传成功
二、利用windows环境的叠加特征绕过上传
在windows中如果上传文件test.php:.jpg时,会在目录下产生空白的文件test.php
再利用php和windows环境的叠加属性
正则匹配:
双引号等同于点
大于号等同于问号(任意一个字符)
小于号等同于星号(任意个任意字符)
upload-pass09
代码分析
其实就是把前面的代码加上了,基本上算后缀名检测的防护都开了,这种情况下我们可以尝试使用叠加特征上传
尝试上传
先上传一个test.php 抓包中加入:.jpg
可以看到,我们上传进了一个test.php但是是0kb,也就是没有任何内容的空文件
下一步就是写入这个文件,我们再次上传抓包
仔细看这个数据包,向test.php中写入<?php phpinfo();?>其实这里有写入的过程,我们只需要把test.php写成我们刚才传入文件的名字并且绕过后缀,使用正则匹配
将test.php变成 test.>>>
写入成功,上传成功
三、双写绕过
这个就很简单了
upload-pass10
代码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
str_ireplace("黑名单","空",后缀名)
从后缀名中匹配黑名单中的字符串,如果出现则换成空,从左到右匹配
类似sql注入中的双写绕过
如.pphphp,从左往右匹配到第一个php时去掉变为.php,达到了绕过的目的
尝试上传
上传成功
版权归原作者 白帽Chen_D 所有, 如有侵权,请联系我们删除。