目录
Pass-03(本关需要使用自己搭建upload-labs)
思维导图
思维导图分享
链接:https://pan.baidu.com/s/1N4mvnQhawhYKRHNwJDEAMw
提取码:iu9g
练习网站:
upload-labs(旧靶场20关)1-2关使用了旧靶场
upload-labs(新靶场21关)3-21关使用了新靶场
注意:
能运行<?php phpinfo();?>
就能运行<?php eval($_POST['cmd'])?>一句话木马
本文使用<?php phpinfo();?>主要是为了简便
知识点
$_FILES[表单提交过来的name]
[name]:获取到的文件名
[type]: 获取到的文件类型(MIMETYPE)
[tmp_name]:文件临时存放的路径
[error]: 上传文件报错信息(为空则上传成功)
[size]:上传文件的大小
Move_uploaded_file(需要移动的文件,要移动到的位置)
Strrchr(指定字符串,匹配的字符) --指针指到指定的字符的位置,取之后的值
Trim() --去除字符串中的前后空格
Rtrim() --去除右空格
Ltrim() --去除左空格
Strtolower() --将字符串转为小写
Str_ireplace --(被转换的字符串,替换成的字符串,需要查找的字符串)
在需要查找的字符串中查找需要被替换的字符串,替换为指定的字符串
Pass-01
代码:
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
提示:
本pass在客户端使用js对不合法图片进行检查!
解题思路:
安装插件disable javascript
编写一句话木马文件shell.php
根据提示关闭js上传文件,查看上传文件是否成功
使用蚁剑通过密码连接
Pass-02
知识点:
MIME TYPE常见分类
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}提示:
本pass在服务端对数据包的MIME进行检查!
解题思路:
编写木马
上传PHP文件
绕过MIMETYPE
burpsuite抓包修改类型
forward释放数据包
打开图片链接
发现能够执行上传的php文件
Pass-03(本关需要使用自己搭建upload-labs)
upload-labs资源
链接:https://pan.baidu.com/s/1uOM7sSAFusLk-973SkZlCw
提取码:ctyl
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name,'.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA','',$file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}提示:
本pass禁止上传.asp|.aspx|.php|.jsp后缀文件!
解题思路:
httpd.conf文件下添加代码
AddType application/x-httpd-php .php .phtml .php3 .php4
该句代码的意思是将.php、.php3、.php4当作php文件
上传phpinfo.php4
打开图片链接
就能查看运行的PHP文件
Pass-04
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name,$file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}提示:
本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf后缀文件!
解题思路:
上传.htaccess文件
将jpg文件当作php文件执行
<FilesMatch 'phpinfo.jpg'>
SetHandler application/x-httpd-php
</FilesMatch>再上传phpinfo.jpg(是由phpinfo.php改后缀成phpinfo.jpg)
打开链接
Pass-05(建议使用本机搭建的Upload-labs)
upload-labs资源
链接:https://pan.baidu.com/s/1uOM7sSAFusLk-973SkZlCw
提取码:ctyl
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name,$file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}提示:
上传目录存在php文件(readme.php)
解题思路:
先上传.user.ini
作用域是当前文件夹和当前文件夹中的子文件;包含指定的文件,显示在页面上
.user.ini内容
Auto_prepend_file=phpinfo.jpg //在页面上部显示
Auto_prepend_file=phpinfo.jpg //在页面底部部显示再上传phpinfo.jpg
查看readme.php文件
Pass-06
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".htaccess",'.');
$file_ext = str_ireplace('::$DATA',$file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext,9999).$file_ext;
if (move_uploaded_file($temp_file,请手工创建!';
}
}提示:
本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess后缀文件!
解题思路:
经过与第五关对比我们发现没有过滤大小写
缺少代码
$file_ext = strtolower($file_ext); //转换为小写所以我们修改上传文件后缀名phpinfo.Php
上传phpinfo.Php
右键打开链接
Pass-07
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".ini");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name,$file_ext);//去除字符串::$DATA
if (!in_array($file_ext,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}提示:
没有进行首尾去空
缺少代码
$file_ext = trim($file_ext); //首尾去空我们可以进行空格绕过
解题思路:
上传phpinfo.php进行BP抓包
上传成功后右键打开链接
Pass-08
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name,请手工创建!';
}
}
提示:
缺少代码
$file_name = deldot($file_name)没有删除文件名末尾后的点
所以进行点绕过
解题思路:
上传phpinfo.php文件进行BP抓包
上传成功后右键打开链接
Pass-09
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",'.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext,请手工创建!';
}
}提示:
缺少代码
$file_ext = str_ireplace('::$DATA',$file_ext);//去除字符串::$DATA上传后缀名添加::$DATA
::$DATA是一个流传输,可以把后面的数据当成流处理和.空格类似
解题思路:
上传phpinfo.php进行BP抓包,修改数据
右键打开链接
去掉URL中的::$DATA
Pass-10
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",请手工创建!';
}
}
提示:
deldot()函数从后向前检测,当检测到末尾的第一个点时会继续它的检测,但是遇到空格会停下来
解题思路:
上传phpinfo.php文件,BP抓包,修改数据
上传完文件邮件打开链接
Pass-11
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"",$file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
提示:
截取文件后缀名与上面禁用的后缀名匹配,如果想同,转化为空
所有利用双写后缀名绕过
解题思路:
上传phpinfo.pphphp文件
上传成功后右键打开链接
Pass-12
代码:
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10,99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}提示:
在处理数据时,当处理到00,就当作处理完成
PHP版本小于5.3
Magic_quotes_gpc=Off
解题思路:
上传phpinfo.jpg文件,用BP抓包修改数据
上传成功后右键打开链接
Pass-13
代码:
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg',$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10,$img_path)){
$is_upload = true;
} else {
$msg = "上传失败";
}
} else {
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}提示:
在处理数据时,当处理到00,就当作处理完成
PHP版本小于5.3
Magic_quotes_gpc=Off
解题思路:
上传phpinfo.jpg文件,用BP抓包修改数据
将空格(20)改成(00)进行截断
上传成功后右键打开链接
Pass-14
代码:
function getReailFileType($filename){
$file = fopen($filename,"rb");
$bin = fread($file,2); //只读2字节
fclose($file);
$strInfo = @unpack("C2chars",$bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10,99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
提示:
Jpg格式图片的文件头标识:FFD8开头FFD9结尾
Png格式图片的文件头标识:89 20 4E 47 0D 0A
Gif格式图片的文件头标识:GIF89a GIF87a
本关存在文件包含漏洞,Incould可以将被包含的文件当PHP代码执行
解题思路:
上传phpinfo.gif,BP抓包修改数据
文件上传成功后右键打开链接
Pass-15-17
15-17关都可以利用文件包含漏洞,上传图片码
代码:
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
$ext = image_type_to_extension($info[2]);
if(stripos($types,$ext)>=0){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10,99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}提示:
利用文件包含漏洞上传图片码
解题思路:
制作图片码
上传生成的888.jpg图片码
上传成功后右键打开链接
Pass-18
代码:
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
require_once("./myupload.php");
$imgFileName =time();
$u = new MyUpload($_FILES['upload_file']['name'],$_FILES['upload_file']['tmp_name'],$_FILES['upload_file']['size'],$imgFileName);
$status_code = $u->upload(UPLOAD_PATH);
switch ($status_code) {
case 1:
$is_upload = true;
$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
break;
case 2:
$msg = '文件已经被上传,但没有重命名。';
break;
case -1:
$msg = '这个文件不能上传到服务器的临时文件存储目录。';
break;
case -2:
$msg = '上传失败,上传目录不可写。';
break;
case -3:
$msg = '上传失败,无法上传该类型文件。';
break;
case -4:
$msg = '上传失败,上传的文件过大。';
break;
case -5:
$msg = '上传失败,服务器已经存在相同名称文件。';
break;
case -6:
$msg = '文件无法上传,文件不能复制到目标目录。';
break;
default:
$msg = '未知错误!';
break;
}
}
//myupload.php
class MyUpload{
......
......
......
var $cls_arr_ext_accepted = array(
".doc",".xls",".txt",".pdf",".gif",".jpg",".zip",".rar",".7z",".ppt",".xml",".tiff",".jpeg",".png" );
......
......
......
/** upload()
**
** Method to upload the file.
** This is the only method to call outside the class.
** @para String name of directory we upload to
** @returns void
**/
function upload( $dir ){
$ret = $this->isUploadedFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->setDir( $dir );
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkExtension();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkSize();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// if flag to check if the file exists is set to 1
if( $this->cls_file_exists == 1 ){
$ret = $this->checkFileExists();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here,we are ready to move the file to destination
$ret = $this->move();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// check if we need to rename the file
if( $this->cls_rename_file == 1 ){
$ret = $this->renameFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here,everything worked as planned :)
return $this->resultUpload( "SUCCESS" );
}
......
......
......
};提示:
上传文件后会判断后缀名,如果相同会进行重命名。我们可以进行条件竞争
解题思路:
上传文件,进行BP爆破
出现上传的php文件但很快就消失了
Pass-19
代码:
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
require_once("./myupload.php");
$imgFileName =time();
$u = new MyUpload($_FILES['upload_file']['name'],everything worked as planned :)
return $this->resultUpload( "SUCCESS" );
}
......
......
......
};提示:
上传文件后,判断后缀名,移动文件进行重命名
Apache解析漏洞
1.php.zxc.zxc.zxc.zxc.zxc
Apache从右往左解析,解析不了继续解析下一个
上传phpinfo.php.7z
解题思路:
上传phpinfo.php.7z进行BP爆破
文件已经被上传了
Pass-20
代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
}else{
$msg = '上传出错!';
}
}else{
$msg = '禁止保存为该类型文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}提示:
上传文件直接空格绕过
上传文件后直接右键打开链接
Pass-21
代码:
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
//检查MIME
$allow_type = array('image/jpeg','image/png','image/gif');
if(!in_array($_FILES['upload_file']['type'],$allow_type)){
$msg = "禁止上传该类型文件!";
}else{
//检查文件名
$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
if (!is_array($file)) {
$file = explode('.',strtolower($file));
}
$ext = end($file);
$allow_suffix = array('jpg','gif');
if (!in_array($ext,$allow_suffix)) {
$msg = "禁止上传该后缀文件!";
}else{
$file_name = reset($file) . '.' . $file[count($file) - 1];
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file,$img_path)) {
$msg = "文件上传成功!";
$is_upload = true;
} else {
$msg = "文件上传失败!";
}
}
}
}else{
$msg = "请选择要上传的文件!";
}
提示:
需要修改MIME TYPE类型,进行拼接
解题思路:
上传文件,BP抓包修改数据
文件上传成功后右键打开链接
文章浏览阅读8.4k次,点赞8次,收藏7次。SourceCodester Onl...
文章浏览阅读3.4k次,点赞46次,收藏51次。本文为大家介绍在...
文章浏览阅读1.1k次。- php是最优秀, 最原生的模板语言, 替代...
文章浏览阅读1.2k次,点赞22次,收藏19次。此网络模型提供了...
文章浏览阅读1.1k次,点赞14次,收藏19次。当我们谈论网络安...