风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)

05后缀名黑名单校验之上传.htaccess绕过

还是使用黑名单,禁止上传所有web容器能解析的脚本文件的后缀

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

上传.htaccess 静态规则让web容器把任意文件解析成PHP脚本文件

<FilesMatch "fx">

SetHandler application/x-httpd-php

</FilesMatch>

演示地址:Pass-04/index.php

06后缀名黑名单校验之利用大小写绕过

还是黑名单,但是这次把.htaccess也限制了

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.phP 利用大小写绕过检测

演示地址:Pass-05/index.php

07后缀名黑名单校验之burp改包文件名后加空格绕过

还是黑名单,此时已经把所有后缀名改为小写,进行验证。

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = $_FILES['upload_file']['name'];

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file,$img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件不允许上传';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.php 在后缀名处加空格(%00) 绕过

此种绕过方式受系统环境和Web容器影响

演示地址:Pass-06/index.php

08后缀名黑名单校验之burp改包文件后缀加“.”绕过

还是黑名单,修复了上面的漏洞把文件后缀首尾空格去掉,进行验证。

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.$file_name;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.php. 在后缀名处加空格.绕过

但是没有对后缀名进行去”.”处理,利用windows特性,会自动去掉后缀名中最后的”.”,可在后缀名中加”.”绕过:

演示地址:Pass-07/index.php

09后缀名黑名单校验之利用windows特性::$DATA绕过

还是黑名单策略,修复了上面的漏洞,也去掉了后缀名中的的点“.”

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.php::$DATA 在后缀名处加::$DATA绕过

这道题利用的是Windows下NTFS文件系统的一个特性,即NTFS文件系统的存储数据流的一个属性 DATA 时,就是请求 a.asp 本身的数据,如果a.asp 还包含了其他的数据流,比如 a.asp:lake2.asp,请求 a.asp:lake2.asp::$DATA,则是请求a.asp中的流数据lake2.asp的流数据内容。

演示地址:Pass-08/index.php

10后缀名黑名单校验之双写文件名绕过

这里是用替换的方式替换了后缀名。

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = str_ireplace($deny_ext,"", $file_name);// preg_match_all

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = UPLOAD_PATH.'/'.$file_name;

        if (move_uploaded_file($temp_file, $img_path)) {

            $is_upload = true;

        } else {

            $msg = '上传出错!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成双写,比如.php 改成 .phphpp 把其中一个php替换掉之后组成一个新的php文件

演示地址:Pass-10/index.php

11后缀名白名单校验之%00截断

可以看到是白名单,只能'jpg','png','gif'格式的文件访问,保存的路径是get传递的

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $ext_arr = array('jpg','png','gif');

    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);

    if(in_array($file_ext,$ext_arr)){

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){

            $is_upload = true;

        } else {

            $msg = '上传出错!';

        }

    } else{

        $msg = "只允许上传.jpg|.png|.gif类型文件!";

    }

}

绕过方式

在burp里改包,使用在url参数上%00截断绕过

演示地址:Pass-11/index.php

12后缀名白名单校验之00截断

白名单,只能'jpg','png','gif'格式的文件访问,不过保存的路径是post传递的

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $ext_arr = array('jpg','png','gif');

    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);

    if(in_array($file_ext,$ext_arr)){

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){

            $is_upload = true;

        } else {

            $msg = "上传失败";

        }

    } else {

        $msg = "只允许上传.jpg|.png|.gif类型文件!";

    }

}

绕过方式

在burp里改包,在post包里用00截断绕过,这里只能改包的hex值,手动改%00字符串无效

演示地址:Pass-12/index.php

13图片文件格式验证之图片木马

这里是读取了文件的内容,以文件的内容来判断是否是图片。

function getReailFileType($filename){

    $file = fopen($filename, "rb");

    $bin = fread($file, 2); //只读2字节

    fclose($file);

    $strInfo = @unpack("C2chars", $bin);

    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);

    $fileType = '';

    switch($typeCode){

        case 255216:

            $fileType = 'jpg';

            break;

        case 13780:

            $fileType = 'png';

            break;

        case 7173:

            $fileType = 'gif';

            break;

        default:

            $fileType = 'unknown';

        }

        return $fileType;

}

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $temp_file = $_FILES['upload_file']['tmp_name'];

    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){

        $msg = "文件未知,上传失败!";

    }else{

        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;

        if(move_uploaded_file($temp_file,$img_path)){

            $is_upload = true;

        } else {

            $msg = "上传出错!";

        }

    }

}

绕过方式

制作图片一句话木马上传 copy a.jpg/b + a.txt = a1.jpg

演示地址:Pass-13/index.php

14 条件竞争上传

这里是现把上传文件移动到目标文件夹,后对文件名进行判断。不符合条件的都删除掉。

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $ext_arr = array('jpg','png','gif');

    $file_name = $_FILES['upload_file']['name'];

    $temp_file = $_FILES['upload_file']['tmp_name'];

    $file_ext = substr($file_name,strrpos($file_name,".")+1);

    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){

        if(in_array($file_ext,$ext_arr)){

             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;

             rename($upload_file, $img_path);

             $is_upload = true;

        }else{

            $msg = "只允许上传.jpg|.png|.gif类型文件!";

            unlink($upload_file);

        }

    }else{

        $msg = '上传出错!';

    }

}

绕过方式

只要利用竞争上传,上传的php文件内容为写入shell文件,然后不断的访问该文件,只要访问成功,便可以写入shell,直接利用burp的intruder模块上传文件,同时不停的访问这个文件。

参考:

http://blog.evalshell.com/2020/12/20/风炫安全web安全学习第三十七节课-15种上传漏洞讲解/

风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)的更多相关文章

  1. 风炫安全web安全学习第三十六节课-15种上传漏洞讲解(一)

    风炫安全web安全学习第三十六节课 15种上传漏洞讲解(一) 文件上传漏洞 0x01 漏洞描述和原理 文件上传漏洞可以说是日常渗透测试用得最多的一个漏洞,因为用它获得服务器权限最快最直接.但是想真正把 ...

  2. 风炫安全web安全学习第三十一节课 命令执行以及代码执行演示

    风炫安全web安全学习第三十一节课 命令执行以及代码执行演示 参考: http://blog.evalshell.com/2020/12/20/风炫安全web安全学习第三十一节课-命令执行以及代/

  3. 风炫安全web安全学习第三十节课 命令执行&代码执行基础

    风炫安全web安全学习第三十节课 命令执行&代码执行基础 代码执行&命令执行 RCE漏洞,可以让攻击者直接向后台服务器远程注入操作系统命令或者代码,从而控制后台系统. 远程系统命令执行 ...

  4. 风炫安全WEB安全学习第三十八节课 越权漏洞演示与讲解

    风炫安全WEB安全学习第三十八节课 越权漏洞演示与讲解 越权漏洞 0x01 漏洞介绍 越权漏洞的危害与影响主要是与对应业务的重要性相关,比如说某一页面服务器端响应(不局限于页面返回的信息,有时信息在响 ...

  5. 风炫安全web安全学习第三十三节课 文件包含漏洞基础以及利用伪协议进行攻击

    风炫安全web安全学习第三十三节课 文件包含漏洞基础以及利用伪协议进行攻击 文件包含漏洞 参考文章:https://chybeta.github.io/2017/10/08/php文件包含漏洞/ 分类 ...

  6. 风炫安全web安全学习第二十九节课 CSRF防御措施

    风炫安全web安全学习第二十九节课 CSRF防御措施 CSRF防御措施 增加token验证 对关键操作增加token验证,token值必须随机,每次都不一样 关于安全的会话管理(SESSION) 不要 ...

  7. 风炫安全WEB安全学习第二十六节课 XSS常见绕过防御技巧

    风炫安全WEB安全学习第二十六节课 XSS常见绕过防御技巧 XSS绕过-过滤-编码 核心思想 后台过滤了特殊字符,比如说

  8. 风炫安全WEB安全学习第二十五节课 利用XSS键盘记录

    风炫安全WEB安全学习第二十五节课 利用XSS键盘记录 XSS键盘记录 同源策略是浏览器的一个安全功能,不同源的客户端脚本在没有明确授权的情况下,不能读写对方资源.所以xyz.com下的js脚本采用a ...

  9. 风炫安全WEB安全学习第二十四节课 利用XSS钓鱼攻击

    风炫安全WEB安全学习第二十四节课 利用XSS钓鱼攻击 XSS钓鱼攻击 HTTP Basic Authentication认证 大家在登录网站的时候,大部分时候是通过一个表单提交登录信息. 但是有时候 ...

随机推荐

  1. day105:Mofang:设置页面初始化&更新头像/上传头像&设置页面显示用户基本信息

    目录 1.设置页面初始化 2.更新头像 1.点击头像进入更新头像界面 2.更新头像页面初始化 3.更新头像页面CSS样式 4.头像上传来源选择:相册/相机 5.调用api提供的本地接口从相册/相机提取 ...

  2. css外边距重叠及避免方法

    <html lang="en"> <head> <meta charset="UTF-8"> <meta name=& ...

  3. box-sizing什么时候用?常用的值都有什么?

    一般在做自适应的网页设计的时候用,用这个属性网页结构才不会被破坏. 常用的值: 1.  content-box:宽度和高度分别应用到元素的内容框,在宽度和高度之外绘制元素的内边距和边框. 2.  bo ...

  4. 题解-[CEOI2017]Building Bridges

    [CEOI2017]Building Bridges 有 \(n\) 个桥墩,高 \(h_i\) 重 \(w_i\).连接 \(i\) 和 \(j\) 消耗代价 \((h_i-h_j)^2\),用不到 ...

  5. 关于微信NFC功能开发的链接总结

    特此申明:若有侵权,请联系我,我会第一时间删除 一. 小程序开发一般流程: 首先调用 wx.getHCEState(OBJECT), 判断设备是否支持NFC,(ios,android兼容性处理) 调用 ...

  6. typora软件使用指南

    Markdown学习 标题: 三级标题 四级标题 字体 hello,world! hello,world! hello,world! hello,world! 引用 选择狂神说java,走向人生巅峰 ...

  7. 第七周jieba分词

    import jieba txt = open("聊斋志异简写版.txt", "r", encoding='utf-8').read() words = jie ...

  8. 在IDEA中使用JDBC获取数据库连接时的报错及解决办法

    在IDEA中使用JDBC获取数据库连接时,有时会报错Sat Dec 19 19:32:18 CST 2020 WARN: Establishing SSL connection without ser ...

  9. gcc编译阶段打印宏定义的内容

    背景 总所周知,代码量稍微大一点的C/C++项目的一些宏定义都会比较复杂,有时候会嵌套多个#if/#else判断分支和一堆#ifdef/#undef让你单看代码的话很难判断出宏定义的具体内容. 如果有 ...

  10. 5. 穿过拥挤的人潮,Spring已为你制作好高级赛道

    目录 ✍前言 版本约定 ✍正文 默认转换器注册情况 StreamConverter 代码示例 使用场景 兜底转换器 ObjectToObjectConverter part1:快速返回流程 part2 ...