Upload-labs通關筆記(更新中)

原創 簡簡的我 2019-07-11 21:14

upload-labs包含漏洞類型分類


如何判斷上傳漏洞類型?

上傳的過程

Pass-01(前端JS繞過)

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("請選擇要上傳的文件!");
        return false;
    }
    //定義允許上傳的文件類型
    var allow_ext = ".jpg|.png|.gif";
    //提取上傳文件的類型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判斷上傳文件類型是否允許上傳
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "該文件不允許上傳,請上傳" + allow_ext + "類型的文件,當前文件類型爲:" + ext_name;
        alert(errMsg);
        return false;
    }
}

方法一:前端檢測。js的檢測只能位於client,可以禁用js,在瀏覽器設置中修改。或者直接改掉這裏的 checkFile()


修改之後就可以直接上傳.php文件,上傳之後複製圖像地址就可以得到上傳路徑了


方法二:上傳1.png直接抓包,修改後綴爲php就可以繞過上傳

得到路徑/upload/1.php,連接菜刀,得到shell

Pass-02(MIME繞過)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '文件類型不正確,請重新上傳!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夾不存在,請手工創建!';
    }
}

本節對數據包的MIME(content-type)進行了限定,只允許 image/jpeg、image/png、image/gif 圖片內容數據傳輸。操作和第一節方法二一樣。

上傳1.png直接抓包,修改後綴爲php就可以繞過上傳



得到路徑/upload/1.php,連接菜刀,得到shell


Pass-03(上傳特殊可解析後綴繞過php4、phtml)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉換爲小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '不允許上傳.asp,.aspx,.php,.jsp後綴文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

查看源碼,發現是設置了文件後綴名黑名單,禁止上傳後綴名爲.php文件,這裏利用php2、php3、php4、php5、phps、phtml一樣會解析,直接修改後綴名爲phps上傳。
複製圖像地址


得到上傳路徑

常見擴展名繞過

asp:asa,cer,cdx
aspx:ashx,asmx,ascx
php:php2、php3、php4、php5、phps、phtml
jsp:jspx,jspf

Pass-04(上傳 .htaccess)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉換爲小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

比剛纔的黑名單多了不少,但是.htaccess還是沒有過濾,可以重寫文件解析規則繞過,上傳一個.htaccess,文件內容如下,意思就是在upload目錄下匹配1.jpg的文件並以php文件執行

<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

上傳一個.htaccess


上傳1.jpg,應爲重寫了文件解析規則,1.jpg將會被以php文件執行

然後直接連接菜刀

getshell

.htaccess攻擊總結
有的時候由於各種名單的原因,可能我們不能上傳任何php文件,而且還沒有其他地方來解析成php,咋辦?如果你能上傳.htaccess文件的話,那麼就很好辦了。
建一個.htaccess 文件,裏面的內容如下

<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

這個時候就上傳一個文件名字是1.jpg的文件,然後裏面是一句話木馬,1.jpg就會被當成1.php執行,就能成功連接菜刀

Pass-05(後綴大小寫繞過)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Pass-04與Pass-05代碼對比


對比之後發現黑名單多了一個.htaccess
並且沒有將文件後綴轉小寫的代碼了
於是這裏顯然可以用大小寫繞過,例如 .Php .phP

Pass-06(後綴末尾 加空格 繞過)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//刪除文件名末尾的點
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉換爲小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Pass-05與Pass-06代碼對比


發現刪去了將文件名前後去空格的操作 所以可以利用6.php(空格)

Pass-07(後綴末尾 加點 繞過)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉換爲小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Pass-06與Pass-07代碼對比


對比發現沒有去處文件末尾的點的操作了
於是利用7.php.

Pass-08( ::$DATA 繞過 )

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉換爲小寫
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

[圖片上傳失敗...(image-b1aca6-1562811998688)]
對比發現這裏刪掉了::$DATA的限制
::DATA備用流存在於每個文件,因此它可以是訪問任何文件的替代方法 所以使用`8.php::DATA`


Windows :: DATA備用數據流漏洞:
https://www.owasp.org/index.php/Windows_::DATA_alternate_data_stream

Pass-09( 加點 空格 配合繞過)

參考:
https://cloud.tencent.com/developer/article/1377897
http://www.bubuko.com/infodetail-2944836.html
https://blog.csdn.net/u011377996/article/details/86776198
http://www.she1don.cn/index.php/archives/38.html

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

10 個實用的 Chrome DevTools 設計功能

Chrome DevTools 不只是開發者的工具,也是網頁設計師的好幫手。讓我來爲大家介紹十個非常實用的設計功能。 直達 Google 開發者在線課程,收穫 Web 技術乾貨 https://developers.google.cn/le

王莹 2021-11-30 09:53:49

PWA 的高級模式

漸進式 Web 應用 (PWA) 讓開發者打造的 Web 應用在體驗上能夠與用戶的桌面設備或移動設備上安裝的其他應用別無二致。在本次專題演講中,我們將瞭解各家公司如何結合運用緩存策略和現代 Web API 來實現快速而彈性的 Web 體驗。

王莹 2021-11-29 16:13:59

核心網頁指標的新變化以及成功模式

我們一直都在積極收集關於網頁指標的反饋,在本次專題演講中,我們將分享我們關於如何利用工具衡量和優化網頁指標的最新研究成果。 直達 Google 開發者在線課程,收穫 Web 技術乾貨 https://developers.google.cn

王莹 2021-11-29 16:13:59

隱私沙盒近期動向

web 平臺的默認隱私保障正在逐步強化。您的網站該如何爲更注重隱私保護的 web 做好準備?我們將爲您逐一介紹下面這些開發者須知事項:具體變化和原因、如何爲第三方 cookie 的停用做好準備、有哪些可用的工具、有哪些可嘗試的新 API、C

王莹 2021-11-29 16:13:59

Site Kit 和 CMS 核心網頁指標的新變化

Sitekit 是一個 Google 所開發的一站式工具套件,供網站站長和創作者查看網站性能和健康狀況。 在本次專題演講中,我們將展示 Sitekit 的強大功能,以及 Google 如何與網站構建平臺和託管服務提供商合作集成此一站式解決方

王莹 2021-11-26 10:09:03

2021 Google 開發者大會一覽,同步Android、TensorFlow、Web開發等最新動態

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

罗燕珊 2021-11-16 19:33:53

ssm根據pdf模板導出pdf

一、使用word設計pdf模板,並另存爲pdf格式的文件。 二、使用Adobe Acrobat DC工具,打開pdf文件,工具中選擇準備表單並打開 三、在文件中設置域名稱,如下圖 四、下面是正式的操作 pom依賴 <!-- 生成P

LVAmber 2020-07-08 12:00:10

koa應用的部署

koa應用的部署 koa2項目的簡單創建到服務器的部署, 本例使用centos。 創建koa2項目 npm install -g koa-generator npm start 是 npm run start npm stop

这魏先森 2020-07-08 08:25:02

Ruby on Rails的國際化,本地化問題的解決(轉載)

原文出自: http://my.donews.com/woodstudio/ Ruby on Rails是一個很不錯的web開發框架,不過由於目前其本身對國際化的支持較差,所以需要一些輔助的東西來解決國際化問題。 我最先使用的是一個叫

iteye_17269 2020-07-08 02:37:16

Could not open ServletContext resource [/WEB-INF/a

   錯誤如下: org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from resourc

iteye_3794 2020-07-08 00:39:42

windows系統遠程提權、MySQL UDF提權

本文目錄權限提升提權本質提權分類windows系統提權基礎命令windows提權輔助工具輔助工具介紹windows遠程提權上手操作一下Mysql UDF提權udf介紹udf.dll獲取上傳udf執行提權命令 前言 小白一枚,之前聽

m0re 2020-07-07 23:45:29

前後端數據交互-json 你還不會傳集合嗎?

文章目錄json前端jsp後端配置導入beancontroller測試結果後端控制檯前端控制檯 json json(JavaScript Object Notation) 是一種數據格式,就是將key和value按規範封裝成一串字

唔仄lo咚锵 2020-07-07 22:40:07

關於DOM的一段話

[size=large]DOM實際上是以面向對象的方式描述的對象模型。DOM定義了表示和修改文檔所需要的對象,這些對象的屬性和行爲以及這些對象之間的關

iteye_17543 2020-07-07 22:21:22

RESTful風格API到底是什麼?

什麼是RESTful REST(Resource Representational State Transfer)是Roy Thomas Fielding在他2000年的博士論文中提出的。如果一個架構符合REST原則,就稱爲RES

hongmin.shm 2020-07-07 21:53:41

Spring攔截器Interceptor與Servlet過濾器Filter詳解

文章目錄一、先說結論1.攔截器Interceptor與過濾器Filter的區別2.攔截器鏈與過濾器鏈的執行順序Filter 鏈執行順序Interceptor 執行順序3.攔截器與過濾器的執行時機4.攔截器與過濾器的適用場景攔截器I

hongmin.shm 2020-07-07 21:53:41