Pass-5 .user.ini文件

根据我的观察,最新版的upload-labs第五关和旧版的不一样,这一关可以使用和Pass-10一样的方法通过,但是,其他所有的关卡都禁止了.ini文件的上传,就这一关没有禁止,老版的upload-labs没有这一关,由于网上我也没找到.ini文件如何利用,只能想到php.ini,但是能力理解有限,只能使用Pass10一样的方法通过

进过一番寻找,找到了大佬解决的办法,.user.ini文件控制的分为比.htaccess配置文件分为更广,只要使用PHP语言的网站都有影响

重要配置项:auto_prepend_file=文件名:在页面头部加载的文件

auto_append_file=文件名:在页面尾部加载的文件

Pass-6 大小写绕过,

观察源代码

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

这里将我们.htaccess也进行了黑名单,没有对我们的输入进行大小写转换,例如并没有过滤.PHP .Php之类的后缀名,在Windows中,是不区分大小写的,所以这里我们上传.Php文件

上传文件



访问测试



成功执行,但是这只存在于Windows中,因为Windows并不区分大小写

Pass-7 尾部空格绕过

审计源码

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = $_FILES['upload_file']['name'];

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file,$img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件不允许上传';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

这里还是黑名单,将传入的文件名转换为了小写,所以我们不能进行大小写绕过,但是并没有开头尾部进行去除空格

那么我们使用burpsuite抓包在我们文件后缀名后面加入空格.php ,就是.php空格,就可以绕过



文件上传成功

Pass-8 尾部.绕过

审计源码

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.$file_name;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

很明显,这一次虽然删除了文件开头和结尾的空格,并没有删除文件末尾的.点,并且没有对我们的文件名进行时间加固

所以我们使用burpsuite抓包在文件末尾加入.,就是.php.



上传成功

Pass-9 ::$DATA绕过

审计源码

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

通过观察,这次没有过滤::DATA后缀,所以我们在上传文件后缀加入::DATA就可以绕过

例如 :phpinfo.php::$DATA 进过windows特性去除::$DATA,变为phpinfo.php

使用burpsuite抓包更改文件名



文件上传成功

Pass-10 php.空格.绕过

审计源码

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = deldot($file_name);//删除文件名末尾的点

        $file_ext = strrchr($file_name, '.');

        $file_ext = strtolower($file_ext); //转换为小写

        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {

            $temp_file = $_FILES['upload_file']['tmp_name'];

            $img_path = UPLOAD_PATH.'/'.$file_name;

            if (move_uploaded_file($temp_file, $img_path)) {

                $is_upload = true;

            } else {

                $msg = '上传出错!';

            }

        } else {

            $msg = '此文件类型不允许上传!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

这次先删除文件名左右的空格,然后又删除了我们文件末尾的.,其次将我们上传的文件名转换为小写,删除文件末尾的::$DATA,最后又删除了文件名左右两侧的空格

根据他的逻辑,我们可以构造文件名phpinfo.php. .就是phpinfo.php.空格.

分析:

首先删除我们文件名左右的空格,对我们没有影响,还是phpinfo.php.空格.

删除末尾的.,变为phpinfo.空格,后面两条对我们也没有影响

最后又删除文件名左右的空格,变为phpinfo.php.,绕过文件检测,最后根据Windows特性去除文件末尾的.,上传成功

使用burpsuite进行上传



上传成功

Pass-11 双写绕过

审计源码

$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);

        $file_name = str_ireplace($deny_ext,"", $file_name);

        $temp_file = $_FILES['upload_file']['tmp_name'];

        $img_path = UPLOAD_PATH.'/'.$file_name;

        if (move_uploaded_file($temp_file, $img_path)) {

            $is_upload = true;

        } else {

            $msg = '上传出错!';

        }

    } else {

        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';

    }

}

这次使用str_ireplace函数将我们后缀名删除了,这里就用到了双写绕过,由于str_ireplace只进行了一次删除,所以我们构造语句

例如: 过滤php,我们则输入pphphp,可以分解看为p php hp,这是str_ireplace将我们的php进行转换为空,剩下来的p hp拼接为了php



访问测试,最后为php



使用burpsuite抓包进行文件上传



上传成功,访问测试

文件上传靶场 upload-labs Pass 5-10的更多相关文章

  1. Upload-labs 文件上传靶场通关攻略(上)

    Upload-labs 文件上传靶场通关攻略(上) 文件上传是Web网页中常见的功能之一,通常情况下恶意的文件上传,会形成漏洞. 逻辑是这样的:用户通过上传点上传了恶意文件,通过服务器的校验后保存到指 ...

  2. Web文件上传靶场 - 通关笔记

    Web应用程序通常会提供一些上传功能,比如上传头像,图片资源等,只要与资源传输有关的地方就可能存在上传漏洞,上传漏洞归根结底是程序员在对用户文件上传时控制不足或者是处理的缺陷导致的,文件上传漏洞在渗透 ...

  3. Upload-labs 文件上传靶场通关攻略(下)

    Upload-Labs靶场攻略(下) Pass-11 GET型传参,上传目录可设置,考虑00截断,在/upload/后添加1.php%00,即可上传 Pass-12 POST型传参,上传目录可设置,P ...

  4. 《Play for Java》学习笔记(六)文件上传file upload

    一. Play中标准方法 使用表单form和multipart/form-data的content-type类型. 1.Form @form(action = routes.Application.u ...

  5. Android 实现文件上传功能(upload)

    文 件上传在B/S应用中是一种十分常见的功能,那么在Android平台下是否可以实现像B/S那样的文件上传功能呢?答案是肯定的.下面是一个模拟网站程 序上传文件的例子.这里只写出了Android部分的 ...

  6. nodejs教程---基于expressJs框架,实现文件上传(upload)?

    文件上传功能在nodejs初期是一件很难实现的功能,之后出现了formidable勉强能解决这个问题,但是express框架出现之后基于这个框架开发的中间件有更好的方法来处理文件上传,这个中间件就是m ...

  7. [刘阳Java]_SpringMVC文件上传第1季_第10讲

    今天来介绍一个关于SpringMVC框架的文件上传功能.首先我个人感觉SpringMVC框架的文件上传还是要比Struts2框架要好用一些,灵活性更强.因为SpringMVC框架的文件上传有几种不同的 ...

  8. 文件上传漏洞靶机upload-labs(1到10)

    前言 项目地址:https://github.com/c0ny1/upload-labs pass-01(前端验证) 绕过方法:https://www.cnblogs.com/bk76120/p/12 ...

  9. 文件上传漏洞靶场分析 UPLOAD_LABS

    文件上传漏洞靶场(作者前言) 文件上传漏洞 产生原理 PASS 1) function checkFile() { var file = document.getElementsByName('upl ...

  10. Struts的文件上传下载

    Struts的文件上传下载 1.文件上传 Struts2的文件上传也是使用fileUpload的组件,这个组默认是集合在框架里面的.且是使用拦截器:<interceptor name=" ...

随机推荐

  1. 【个人笔记】Ubuntu 16.04 LTS 安装 Leanote 二进制版命令记录

    此命令根据<Leanote 二进制版详细安装教程 Mac and Linux>操作记录而得. 参考链接:https://github.com/leanote/leanote/wiki/Le ...

  2. linux(centos7)下部署jenkins

    1.安装jdk yum install -y java 确保已经安装了jdk,查看是否安装jdk命令参考地址: 2.安装jenkins 2.0添加Jenkins库到yum库,Jenkins将从这里下载 ...

  3. [OC] APP唤醒,URL Scheme,工程中的 URL Types 和 LSApplicationQueriesSchemes

    1.网页唤醒APP: 假设我们有一个APP,名字叫做 "APP甲",需要通过网页唤起 APP甲,我们首先需要在 APP甲的工程文件里配置参数 URL Types: 在 info.p ...

  4. Mac下安装lightgbm-image not found

    Error Message: : dlopen(/Users/{xxx}/anaconda3/lib/python3.6/site-packages/lightgbm/lib_lightgbm.so, ...

  5. Pod资源的基础管理操作(Kubernetes)

    Pod是Kubernetes API中的核心资源类型,它可以定义在JSON或者YAML格式的资源清单中,由资源管理命令进行陈述式声明管理.创建时通过create或apply命令将请求提交到API Se ...

  6. 20192305 王梓全Python程序设计实验四报告

    20192305 王梓全Python程序设计实验四报告 课程:<Python程序设计> 班级: 1923 姓名: 王梓全 学号:20192305 实验教师:王志强 实验日期:2021年6月 ...

  7. AdaptSegeNet 代码分析

    先G后D 训练 G: --S:pred1, pred2 = model(images) :  loss_seg1 = loss_calc(pred1, labels) :   loss.backwar ...

  8. 反序列化 sqlserver 中的 sysdiagrams,找到其中包含的表的信息

    转载于:Script SQL Server 2005 diagrams to a file - CodeProject /** <summary> Based on ufn_Varbina ...

  9. geoserver leaflet 使用wms

    注意事项 1.  地址是 http://192.168.31.120:8080/geoserver/cite/wms   不需要后面 2. 名称 city:Polyline3 3.默认层级别调试为0  ...

  10. Jmeter二、开始使用

    一.最简单的性能测试脚本 testplan→ thread group→HTTP request→view results tree.jmx后缀文件,xml文件校验 二.使用过程中其他需要注意的 1. ...