Upload point: the place where files can actually be uploaded. Relevant PHP pieces: the move_uploaded_file() function and the $_FILES superglobal array.
Learning environment: upload-labs, project address: https://github.com/c0ny1/upload-labs
Pass 6-10 are here: https://www.cnblogs.com/liqik/p/10711912.html
Pass-01:
Keywords: front-end upload bypass; client-side JS check
Disable JavaScript for the page in the browser, then upload phpinfo.php.
The code only checks for disallowed files on the client side with JS, so simply turning off JavaScript in the browser is enough to upload a webshell;
for example in Firefox: enter about:config in the address bar and search for javascript.enabled.
Copying the image address gives the URL of the uploaded file; AntSword (蟻劍) connects successfully.
Pass-02: server-side MIME check of the request
Whitelist strategy
Code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // 'type' is the Content-Type the client declared for this part, not a sniffed value
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '文件類型不正確,請重新上傳!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夾不存在,請手工創建!';
    }
}
Only the jpeg, png and gif types are allowed; otherwise the upload is not performed.
Request of a normal image 👇
Request of the webshell 👇
Change the Content-Type to that of a normal image and the upload succeeds, because $_FILES['upload_file']['type'] is simply the Content-Type header the client sent.
MIME: Multipurpose Internet Mail Extensions, an Internet standard first applied to e-mail systems in 1992 and later adopted by browsers as well. The server tells the browser the type of multimedia data it sends by declaring the data's MIME type, so the browser knows which of the received data are MP3 files, which are Shockwave files, and so on. The server places the MIME identifier in the transmitted data to tell the browser which plugin to use to read the file.
Pass-03: blacklist; upload a special extension that is still parsed
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp'); // blacklist: .phtml and other PHP aliases are not listed
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace
        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}
Files with the extensions .asp, .aspx, .php and .jsp are forbidden.
Capture the request with Burp Suite and change the uploaded file's extension to .phtml; after the upload the file content is still executed.
Principle:
It comes from the Apache configuration file.
How to open it: phpstudy -> Other Options menu -> Open config file -> httpd-conf
AddType application/x-httpd-php .php .php3 .phtml
This line means that uploaded .php, .php3 and .phtml files are all parsed as PHP, so the phtml file we uploaded is treated as a PHP file.
Pass-04: the .htaccess bypass principle
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // blacklist covers script extensions and .ini, but not .htaccess
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
            ".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name; // stored under the client-supplied name
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}
The .htaccess bypass principle: these three lines make every .jpg file be parsed as PHP:
<FilesMatch "*.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
or: AddType application/x-httpd-php .jpg (Apache)
Capture the request with Burp and modify the uploaded file's name.
(1) First, after capturing, change the uploaded filename to 1.jpg (it was originally phpinfo.php).
Upload succeeds,
but the content is not parsed.
(2) Second, change the filename to .htaccess
with the content:
<FilesMatch "1.jpg">    (note: here it is 1.jpg)
SetHandler application/x-httpd-php
</FilesMatch>
Upload succeeds.
Now it can be parsed:
the file 1.jpg is now parsed as a PHP file.
Or:
this way every file is parsed as PHP; then upload an image webshell and it is parsed:
Pass-05: file extension case bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // blacklist now includes .htaccess; only a few mixed-case spellings are listed
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
            ".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}
This time uploading a .htaccess file is no longer allowed.
Change the extension php in the filename to phP and it can be uploaded and parsed.
The code in Pass-04 converts the extension to lowercase, whereas Pass-05 does not.
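For contrast with the Pass-02 to Pass-05 checks above, here is an added example of a server-side validator that closes each of those gaps together; it is not code from upload-labs, and it assumes UPLOAD_PATH is defined and writable and the form field is named 'upload_file', as in the lab code.

```php
<?php
// Added example, not part of upload-labs: one server-side check that closes the
// gaps shown in Pass-02..05. Assumes UPLOAD_PATH is defined and writable and the
// form field is named 'upload_file' (same names as the lab code).

const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns [true, server-chosen filename] or [false, reason].
function validate_upload(array $file): array
{
    // Only a clean upload that PHP itself placed in the temp directory.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload error'];
    }
    // Whitelist of extensions, compared in lowercase (Pass-05: "phP" must not pass).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Pass-02: $file['type'] is just the client's Content-Type header, so ignore it
    // and sniff the real bytes instead; the sniffed type must match the extension.
    $real = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($real !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        return [false, 'content is not a ' . $ext . ' image'];
    }
    // Pass-03/04: the client never chooses the stored name, so neither .phtml
    // nor .htaccess can ever be written into UPLOAD_PATH.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

[$ok, $result] = validate_upload($_FILES['upload_file'] ?? []);
if ($ok) {
    $ok = move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $result);
}
echo $ok ? "stored as $result" : "rejected: $result";
```

A validated image can still carry PHP inside its metadata (the image webshell of Pass-04), so the upload directory must additionally be served with AllowOverride None and without any PHP handler for its files.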