本文详细介绍了在Pass-06到Pass-10的Web安全练习中,如何通过不同方式绕过黑名单过滤实现文件上传。这些技巧包括双写::$DATA、利用空格、添加特殊字符等。通过蚁剑工具连接并测试了这些webshell,揭示了服务器系统(如Windows)对文件名处理的漏洞。文章强调了黑名单过滤的安全性问题,并分析了代码中的关键漏洞点。
目录
Pass-06
上传sh.php失败,burp中将抓到的包send to repeater
修改filename为sh.xxx发现可以上传成功,说明是黑名单过滤
将报文send to intruder,按照Pass-03的套路爆破后缀名(upload-labs通关(Pass-01~Pass-05)_箭雨镜屋-优快云博客)
爆破结果用../upload过滤,发现只有如下后缀的文件上传成功
仔细查看Response报文后发现,有如下两个文件可以作为webshell(服务器是windows系统),也就是说本关可以双写::$DATA绕过,也可以用大写绕过
用蚁剑尝试一下连接这两个shell。先试双写::$DATA的,如下图所示,可以连接成功
再试试大写绕过的。特别注意,我在我的环境上,用apache 2.4.39的时候连接失败,Response报文状态码500,用nginx 1.15.11是可以成功的,并且用蚁剑连接的时候,蚁剑中url地址的文件名后缀大小写无所谓。
代码分析:
比起之前的关卡,本关在用上传文件的文件名后缀和黑名单比较之前没有把文件后缀转换成小写,所以大写绕过黑名单过滤可以成功。
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_f
最低0.47元/天 解锁文章
扫一扫
1299
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
