风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)

05后缀名黑名单校验之上传.htaccess绕过

还是使用黑名单,禁止上传所有web容器能解析的脚本文件的后缀

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

上传.htaccess 静态规则让web容器把任意文件解析成PHP脚本文件

<FilesMatch "fx">

SetHandler application/x-httpd-php

</FilesMatch>

演示地址:Pass-04/index.php

06后缀名黑名单校验之利用大小写绕过

还是黑名单,但是这次把.htaccess也限制了

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.phP 利用大小写绕过检测

演示地址:Pass-05/index.php

07后缀名黑名单校验之burp改包文件名后加空格绕过

还是黑名单,此时已经把所有后缀名改为小写,进行验证。

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = $_FILES['upload_file']['name'];

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file,$img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件不允许上传';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.php 在后缀名处加空格(%00) 绕过

此种绕过方式受系统环境和Web容器影响

演示地址:Pass-06/index.php

08后缀名黑名单校验之burp改包文件后缀加“.”绕过

还是黑名单,修复了上面的漏洞把文件后缀首尾空格去掉,进行验证。

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.$file_name;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.php. 在后缀名处加空格.绕过

但是没有对后缀名进行去”.”处理,利用windows特性,会自动去掉后缀名中最后的”.”,可在后缀名中加”.”绕过:

演示地址:Pass-07/index.php

09后缀名黑名单校验之利用windows特性::$DATA绕过

还是黑名单策略,修复了上面的漏洞,也去掉了后缀名中的的点“.”

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成.php::$DATA 在后缀名处加::$DATA绕过

这道题利用的是Windows下NTFS文件系统的一个特性,即NTFS文件系统的存储数据流的一个属性 DATA 时,就是请求 a.asp 本身的数据,如果a.asp 还包含了其他的数据流,比如 a.asp:lake2.asp,请求 a.asp:lake2.asp::$DATA,则是请求a.asp中的流数据lake2.asp的流数据内容。

演示地址:Pass-08/index.php

10后缀名黑名单校验之双写文件名绕过

这里是用替换的方式替换了后缀名。

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = str_ireplace($deny_ext,"", $file_name);// preg_match_all

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = UPLOAD_PATH.'/'.$file_name;

        if (move_uploaded_file($temp_file, $img_path)) {

            $is_upload = true;

        } else {

            $msg = '上传出错!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

绕过方式

在burp里改包,把文件名改成双写,比如.php 改成 .phphpp 把其中一个php替换掉之后组成一个新的php文件

演示地址:Pass-10/index.php

11后缀名白名单校验之%00截断

可以看到是白名单,只能'jpg','png','gif'格式的文件访问,保存的路径是get传递的

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $ext_arr = array('jpg','png','gif');

    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);

    if(in_array($file_ext,$ext_arr)){

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){

            $is_upload = true;

        } else {

            $msg = '上传出错!';

        }

    } else{

        $msg = "只允许上传.jpg|.png|.gif类型文件!";

    }

}

绕过方式

在burp里改包,使用在url参数上%00截断绕过

演示地址:Pass-11/index.php

12后缀名白名单校验之00截断

白名单,只能'jpg','png','gif'格式的文件访问,不过保存的路径是post传递的

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $ext_arr = array('jpg','png','gif');

    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);

    if(in_array($file_ext,$ext_arr)){

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){

            $is_upload = true;

        } else {

            $msg = "上传失败";

        }

    } else {

        $msg = "只允许上传.jpg|.png|.gif类型文件!";

    }

}

绕过方式

在burp里改包,在post包里用00截断绕过,这里只能改包的hex值,手动改%00字符串无效

演示地址:Pass-12/index.php

13图片文件格式验证之图片木马

这里是读取了文件的内容,以文件的内容来判断是否是图片。

function getReailFileType($filename){

    $file = fopen($filename, "rb");

    $bin = fread($file, 2); //只读2字节

    fclose($file);

    $strInfo = @unpack("C2chars", $bin);

    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);

    $fileType = '';

    switch($typeCode){

        case 255216:

            $fileType = 'jpg';

            break;

        case 13780:

            $fileType = 'png';

            break;

        case 7173:

            $fileType = 'gif';

            break;

        default:

            $fileType = 'unknown';

        }

        return $fileType;

}

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $temp_file = $_FILES['upload_file']['tmp_name'];

    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){

        $msg = "文件未知,上传失败!";

    }else{

        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;

        if(move_uploaded_file($temp_file,$img_path)){

            $is_upload = true;

        } else {

            $msg = "上传出错!";

        }

    }

}

绕过方式

制作图片一句话木马上传 copy a.jpg/b + a.txt = a1.jpg

演示地址:Pass-13/index.php

14 条件竞争上传

这里是现把上传文件移动到目标文件夹,后对文件名进行判断。不符合条件的都删除掉。

$is_upload = false;

$msg = null;

if(isset($_POST['submit'])){

    $ext_arr = array('jpg','png','gif');

    $file_name = $_FILES['upload_file']['name'];

    $temp_file = $_FILES['upload_file']['tmp_name'];

    $file_ext = substr($file_name,strrpos($file_name,".")+1);

    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){

        if(in_array($file_ext,$ext_arr)){

             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;

             rename($upload_file, $img_path);

             $is_upload = true;

        }else{

            $msg = "只允许上传.jpg|.png|.gif类型文件!";

            unlink($upload_file);

        }

    }else{

        $msg = '上传出错!';

    }

}

绕过方式

只要利用竞争上传,上传的php文件内容为写入shell文件,然后不断的访问该文件,只要访问成功,便可以写入shell,直接利用burp的intruder模块上传文件,同时不停的访问这个文件。

参考:

http://blog.evalshell.com/2020/12/20/风炫安全web安全学习第三十七节课-15种上传漏洞讲解/

风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)的更多相关文章

  1. 风炫安全web安全学习第三十六节课-15种上传漏洞讲解(一)

    风炫安全web安全学习第三十六节课 15种上传漏洞讲解(一) 文件上传漏洞 0x01 漏洞描述和原理 文件上传漏洞可以说是日常渗透测试用得最多的一个漏洞,因为用它获得服务器权限最快最直接.但是想真正把 ...

  2. 风炫安全web安全学习第三十一节课 命令执行以及代码执行演示

    风炫安全web安全学习第三十一节课 命令执行以及代码执行演示 参考: http://blog.evalshell.com/2020/12/20/风炫安全web安全学习第三十一节课-命令执行以及代/

  3. 风炫安全web安全学习第三十节课 命令执行&代码执行基础

    风炫安全web安全学习第三十节课 命令执行&代码执行基础 代码执行&命令执行 RCE漏洞,可以让攻击者直接向后台服务器远程注入操作系统命令或者代码,从而控制后台系统. 远程系统命令执行 ...

  4. 风炫安全WEB安全学习第三十八节课 越权漏洞演示与讲解

    风炫安全WEB安全学习第三十八节课 越权漏洞演示与讲解 越权漏洞 0x01 漏洞介绍 越权漏洞的危害与影响主要是与对应业务的重要性相关,比如说某一页面服务器端响应(不局限于页面返回的信息,有时信息在响 ...

  5. 风炫安全web安全学习第三十三节课 文件包含漏洞基础以及利用伪协议进行攻击

    风炫安全web安全学习第三十三节课 文件包含漏洞基础以及利用伪协议进行攻击 文件包含漏洞 参考文章:https://chybeta.github.io/2017/10/08/php文件包含漏洞/ 分类 ...

  6. 风炫安全web安全学习第二十九节课 CSRF防御措施

    风炫安全web安全学习第二十九节课 CSRF防御措施 CSRF防御措施 增加token验证 对关键操作增加token验证,token值必须随机,每次都不一样 关于安全的会话管理(SESSION) 不要 ...

  7. 风炫安全WEB安全学习第二十六节课 XSS常见绕过防御技巧

    风炫安全WEB安全学习第二十六节课 XSS常见绕过防御技巧 XSS绕过-过滤-编码 核心思想 后台过滤了特殊字符,比如说

  8. 风炫安全WEB安全学习第二十五节课 利用XSS键盘记录

    风炫安全WEB安全学习第二十五节课 利用XSS键盘记录 XSS键盘记录 同源策略是浏览器的一个安全功能,不同源的客户端脚本在没有明确授权的情况下,不能读写对方资源.所以xyz.com下的js脚本采用a ...

  9. 风炫安全WEB安全学习第二十四节课 利用XSS钓鱼攻击

    风炫安全WEB安全学习第二十四节课 利用XSS钓鱼攻击 XSS钓鱼攻击 HTTP Basic Authentication认证 大家在登录网站的时候,大部分时候是通过一个表单提交登录信息. 但是有时候 ...

随机推荐

  1. MapReduce简单执行过程及Wordcount案例

    MapReducer运行过程 以单词统计为案例. 假如现在文件中存在如下内容: aa bb aa cc dd aa 当然,这是小文件,如果文件大小较大时会将文件进行 "切片" ,此 ...

  2. HTTP慢速拒绝服务攻击(Slow HTTP Dos)

    HTTP慢速拒绝服务攻击简介 HTTP慢速攻击是利用HTTP合法机制,以极低的速度往服务器发送HTTP请求,尽量长时间保持连接,不释放,若是达到了Web Server对于并发连接数的上限,同时恶意占用 ...

  3. PHash从0到1

    背景 在重复图识别领域,对于识别肉眼相同图片,PHash是很有用的,而且算法复杂度很低.它抓住了 " 人眼对于细节信息不是很敏感 " 的特性,利用DCT变换把高频信息去掉,再加上合 ...

  4. 转载:c# 获取CPU温度(非WMI,直接读取硬件)

    c#获取cpu温度 很早一个项目做远控,所以需要用到获取cpu温度,但是就是不知从何下手,无意中发现了Open Hardware Monitor,令我的项目成功完成 亲测20台清装xp sp2的机器, ...

  5. 使用公钥私钥加密实现单点登录(SSO)

    Oauth2+Gateway+springcloud+springcloud-alibaba-nacos+jwt ,使用公钥私钥加密实现单点登录(OSS) github地址点这里 注意事项 GET: ...

  6. windows 10 1909 无法启用 .NET Framework 解决

    安装某应用,运行提示: 应用程序无法正常启动(0xc0000135) 应该是缺少 .net framework. 控制面板-程序-"启用或关闭windows功能" 勾选.NET F ...

  7. js下 Day09、事件(二)

    一.事件流 事件流描述的是从页面中接收事件的顺序,目前主要有三个模型: #1. 事件冒泡: 事件开始时由最具体的元素接收,然后逐级向上传播到较为不具体的元素

  8. 多任务-python实现-死锁,银行家算法(2.1.5)

    @ 目录 1.死锁 2.避免死锁的方式-银行家算法 1.死锁 死锁是指两个或两个以上的进程在执行过程中,由于竞争资源或者由于彼此通信而造成的一种阻塞的现象,若无外力作用,它们都将无法推进下去.此时称系 ...

  9. 第六章 Sleuth--链路追踪

    修整了2天,我们继续接着上篇 第五章 Gateway–服务网关 继续来讲SpringCloud Alibaba全家桶中的 Sleuth 链路追踪 组件 喜欢记得点关注哦 6.1 链路追踪介绍 在大型系 ...

  10. 前端Firebug常见错误:SyntaxError:missing variable nam

    出现上面那个问题应该是 某个地方,分号写错了 检查一下是否由于应该写分号的地方写成了其他符号.