Upload point: a place where a file can genuinely be uploaded to the server. In PHP the two things to look for are the move_uploaded_file() function and the $_FILES superglobal array.
Lab environment: upload-labs, project address: https://github.com/c0ny1/upload-labs
Pass 6-10 are here: https://www.cnblogs.com/liqik/p/10711912.html
pass-01:
Keywords: front-end upload bypass; client-side JavaScript check
Disable JavaScript for the page in the browser, then upload phpinfo.php.
The code checks the file's validity only with JavaScript on the client; once JavaScript is switched off in the browser, the webshell uploads without any objection, because nothing on the server repeats the check.
For example in Firefox: type about:config in the address bar, search for javascript.enabled and set it to false. (Equivalently, intercept the request in Burp and rename a harmless .jpg to .php before it leaves the browser; the server never sees the client-side check either way.)
Right-click the displayed image and copy the image address to get the URL of the uploaded file; AntSword (蚁剑) connects successfully.
pass-02: server-side check of the MIME type in the request
Whitelist policy
Code:
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = 'Upload error!';
                }
            } else {
                $msg = 'Incorrect file type, please upload again!';
            }
        } else {
            $msg = UPLOAD_PATH.' folder does not exist, please create it manually!';
        }
    }
Only uploads whose declared type is image/jpeg, image/png or image/gif are moved into place; anything else is rejected. Note that the file is saved under its original name ($_FILES['upload_file']['name']), so a name ending in .php survives untouched.
Request for a normal image (screenshot):
Request for the webshell (screenshot):
Change the Content-Type of the file part to the type of a normal image and the upload succeeds.
MIME (Multipurpose Internet Mail Extensions) is an Internet standard first used in e-mail systems in 1992 and later adopted by browsers. A server labels the multimedia data it sends with a MIME type so the browser knows which of the received items is an MP3, which is a Shockwave file, and which plugin to open it with. In a multipart/form-data upload the same label travels in the other direction: each file part carries a Content-Type header written by the client, and PHP copies it unchanged into $_FILES['upload_file']['type']. The check above is therefore a whitelist applied to an attacker-controlled string: the server never inspects the bytes, and the file is still written with its original .php extension.
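To make the pass-02 weakness concrete, here is an added example (not code from the page or from upload-labs) that builds the multipart body a browser or Burp would send, parses it the way the server sees it, and applies the lab's declared-type whitelist next to a content-sniffing check. The boundary string, the helper names and the sample requests are constructed for this example.

```python
import re

# Constructed boundary for this example; a browser or Burp picks its own.
BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"

def build_upload(filename, declared_type, data):
    """Build the multipart/form-data body a browser (or Burp Repeater) sends.

    Both the filename and the part's Content-Type header are chosen by the
    client; the server has no independent knowledge of either.
    """
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="upload_file"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n"
        "\r\n"
    ).encode()
    tail = (
        f"\r\n--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="submit"\r\n'
        "\r\n"
        "upload\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode()
    return head + data + tail

def parse_upload(body):
    """Minimal server-side parser for the body above.

    Returns (filename, declared_type, data) for the upload_file part, i.e. the
    values PHP exposes as $_FILES['upload_file']['name'], ['type'] and the
    contents of ['tmp_name']. PHP fills ['type'] from this header verbatim.
    """
    delim = b"--" + BOUNDARY.encode()
    for chunk in body.split(delim)[1:-1]:          # drop preamble and the closing "--"
        chunk = chunk[2:-2]                         # the CRLFs around a boundary belong to it
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        if 'name="upload_file"' not in disposition:
            continue
        match = re.search(r'filename="([^"]*)"', disposition)
        filename = match.group(1) if match else ""
        return filename, headers.get("content-type", "").lower(), data
    raise ValueError("no upload_file part in body")

ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}

def pass02_accepts(body):
    """The lab's check: compare the client-declared type against a whitelist."""
    _, declared, _ = parse_upload(body)
    return declared in ALLOWED_TYPES

# Leading bytes of the three permitted image formats (what finfo_file() /
# getimagesize() would look at on the PHP side).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniffed_type(data):
    """Derive the type from the file contents instead of the request header."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def content_accepts(body):
    """Same whitelist, applied to the sniffed type, so the header alone cannot fool it."""
    _, _, data = parse_upload(body)
    return sniffed_type(data) in ALLOWED_TYPES

# Constructed inputs: the phpinfo.php from the walkthrough, sent honestly and with
# its Content-Type edited to image/jpeg as done in Burp, plus a genuine tiny GIF.
PHPINFO = b"<?php phpinfo(); ?>"
HONEST_REQUEST = build_upload("phpinfo.php", "application/octet-stream", PHPINFO)
SPOOFED_REQUEST = build_upload("phpinfo.php", "image/jpeg", PHPINFO)
GIF_REQUEST = build_upload("pic.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")

if __name__ == "__main__":
    for label, req in [("honest .php", HONEST_REQUEST),
                       ("spoofed .php", SPOOFED_REQUEST),
                       ("real gif", GIF_REQUEST)]:
        name, declared, _ = parse_upload(req)
        print(f"{label:13} name={name:12} declared={declared:24} "
              f"pass-02={pass02_accepts(req)!s:5} content-check={content_accepts(req)}")
```

The spoofed request passes pass02_accepts() and fails content_accepts(), which is the whole difference between the two checks. Sniffing is not a complete fix on its own: a file that starts with GIF89a and carries PHP after it (the image shell used later on this page) satisfies the magic bytes, and the .php name still reaches disk. A hardened handler combines a content check with an extension whitelist, a server-generated filename and an upload directory that the web server does not execute from.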
pass-03: blacklist; upload a special extension the server still parses
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array('.asp','.aspx','.php','.jsp');
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);                       // remove trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);                     // convert to lower case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);    // strip the string ::$DATA
            $file_ext = trim($file_ext);                           // trim leading and trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = 'Upload error!';
                }
            } else {
                $msg = 'Files with the .asp, .aspx, .php or .jsp extension are not allowed!';
            }
        } else {
            $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
        }
    }
Files whose extension is .asp, .aspx, .php or .jsp are rejected. The saved name is now date + random digits + the original extension, so the attacker no longer controls the base name, but still controls the extension, and the page reveals the stored name by displaying the image.
Capture the request with Burp Suite and change the extension of the uploaded file to .phtml; after upload the file's content is still executed.
Principle:
It comes from the Apache configuration.
To open it in phpstudy: other options menu -> open configuration file -> httpd-conf
AddType application/x-httpd-php .php .php3 .phtml
This line means that files ending in .php, .php3 or .phtml are all handed to PHP, so the .phtml file we uploaded is parsed as PHP. Which extra extensions work depends entirely on the target's configuration: .php3, .php4, .php5, .phtml and .pht are the usual candidates to try, and a server that maps only .php is not affected by this bypass.
pass-04: .htaccess bypass
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);                       // remove trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);                     // convert to lower case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);    // strip the string ::$DATA
            $file_ext = trim($file_ext);                           // trim leading and trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = 'Upload error!';
                }
            } else {
                $msg = 'This file is not allowed!';
            }
        } else {
            $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
        }
    }
.htaccess bypass principle: .htaccess is absent from this blacklist, and the file is again stored under its original name, so an attacker can drop an Apache per-directory configuration into the upload folder. These three lines make Apache hand every .jpg file in that directory to PHP:
<FilesMatch "\.jpg$">
SetHandler application/x-httpd-php
</FilesMatch>
(FilesMatch takes a regular expression, not a shell glob: "*.jpg" is not a valid pattern, while "\.jpg$" matches names ending in .jpg.) Alternatively: AddType application/x-httpd-php .jpg (Apache). Both variants only work when Apache honours .htaccess in the upload directory (AllowOverride FileInfo or All, which phpstudy ships with) and PHP runs as an Apache module so the application/x-httpd-php handler exists; a server with AllowOverride None ignores the file entirely.
Capture the request with Burp and change the name of the uploaded file:
(1) First, change the filename in the captured request from phpinfo.php to 1.jpg.
The upload succeeds,
but the content is not parsed; Apache serves it as an image.
(2) Second, upload again with the filename changed to .htaccess
and the body replaced by
<FilesMatch "1.jpg">   (note that the pattern names 1.jpg)
SetHandler application/x-httpd-php
</FilesMatch>
The upload succeeds,
and the content can now be parsed:
the file 1.jpg is treated as a PHP file. Because pass-04 stores uploads under their original name, the .htaccess lands in the same directory as 1.jpg, which is exactly where Apache reads it.
Alternatively,
a .htaccess whose only line is SetHandler application/x-httpd-php makes Apache parse every file in that directory as PHP; upload an image shell (a picture file with PHP code appended) afterwards and it is executed too.
pass-05: extension case bypass
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);                       // remove trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            // no strtolower() in this pass: the extension is compared as sent
            $file_ext = str_ireplace('::$DATA', '', $file_ext);    // strip the string ::$DATA
            $file_ext = trim($file_ext);                           // trim leading and trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = 'This file type is not allowed!';
                }
            } else {
                $msg = 'This file type is not allowed!';
            }
        } else {
            $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
        }
    }
This time .htaccess is in the blacklist, so that route is closed.
Changing the extension from php to phP in the filename lets the file upload and execute.
The difference is that pass-04's code lowercases the extension with strtolower() before the in_array() lookup, while pass-05's code has no such call, so the comparison is case-sensitive: the list contains .php and .pHp but not .phP, and the hand-written case variants can never cover all of them. Apache's mod_mime matches extensions case-insensitively, so .phP is still handed to PHP. The general lesson is that a blacklist must normalise before comparing, and even then it is only as good as its list; a short whitelist is the robust choice.
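The three blacklist passes (03, 04 and 05) share one extension-extraction routine and differ only in the list and in whether strtolower() is called. The added example below (written for this page; it is not upload-labs code) ports that routine to Python so the bypasses can be checked side by side, and puts a whitelist version next to it. The deny lists are abbreviated to the entries that matter for the sample names, and the sample names themselves are constructed.

```python
import re

# Blacklists abbreviated from the lab's three passes (the page carries the full lists).
PASS03_DENY = {".asp", ".aspx", ".php", ".jsp"}
PASS04_DENY = PASS03_DENY | {".php3", ".php5", ".phtml", ".pht", ".pHp", ".pHtml", ".ini"}  # no .htaccess
PASS05_DENY = (PASS04_DENY - {".ini"}) | {".htaccess"}                                       # .htaccess added

# Which passes call strtolower() on the extension before the in_array() lookup.
LOWERCASES = {3: True, 4: True, 5: False}
DENY = {3: PASS03_DENY, 4: PASS04_DENY, 5: PASS05_DENY}

def lab_extension(filename, lowercase):
    """Port of the extraction shared by pass-03/04/05:
    trim -> deldot -> strrchr('.') -> strtolower (03/04 only) -> str_ireplace('::$DATA') -> trim.
    PHP's trim() also strips NUL and vertical tab; Python's strip() is a close stand-in here."""
    name = filename.strip()                       # trim()
    name = name.rstrip(".")                       # deldot(): drop trailing dots
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""         # strrchr() returns false (-> "") when there is no dot
    if lowercase:
        ext = ext.lower()                         # strtolower()
    ext = re.sub(re.escape("::$DATA"), "", ext, flags=re.IGNORECASE)   # str_ireplace('::$DATA', '', ...)
    return ext.strip()                            # trim()

def lab_allows(pass_no, filename):
    """True when the given pass would call move_uploaded_file() for this filename."""
    return lab_extension(filename, LOWERCASES[pass_no]) not in DENY[pass_no]

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def whitelist_allows(filename):
    """Hardened alternative (added here, not lab code): normalise the same way, then require
    one plain base name plus an extension from a short whitelist. Dotfiles (.htaccess),
    double extensions (x.php.jpg) and case variants (.phP) all fail. The stored name should
    still be generated by the server rather than taken from the request."""
    name = filename.strip().rstrip(".")
    name = re.sub(re.escape("::$DATA"), "", name, flags=re.IGNORECASE)
    m = re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)", name)
    return bool(m) and m.group(1).lower() in ALLOWED_EXT

# Constructed filenames from the walkthrough plus a few variants.
SAMPLES = ["phpinfo.php", "phpinfo.phtml", "phpinfo.phP", ".htaccess", "phpinfo.php.",
           "phpinfo.php::$DATA", "shell.php.jpg", "1.jpg"]

def bypass_table():
    """For each sample name: the passes that let it through, and the whitelist verdict."""
    return {name: ([p for p in (3, 4, 5) if lab_allows(p, name)], whitelist_allows(name))
            for name in SAMPLES}

if __name__ == "__main__":
    for name, (passes, ok) in bypass_table().items():
        print(f"{name:20} allowed by pass {passes!s:10} whitelist: {ok}")
```

Running it shows the page's sequence in one table: .phtml slips past pass-03 only, .htaccess past pass-03 and pass-04, and .phP past pass-05 alone, while trailing dots and ::$DATA are handled by every pass. shell.php.jpg is accepted by all three blacklists, which is harmless by itself but is exactly what the pass-04 .htaccess trick turns into code execution; the whitelist rejects it because of the second dot.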