风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)
风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)php
05后缀名黑名单校验之上传.htaccess绕过
仍是使用黑名单,禁止上传全部web容器能解析的脚本文件的后缀html
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不容许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工建立!';
}
}
绕过方式web
上传.htaccess 静态规则让web容器把任意文件解析成PHP脚本文件shell
<FilesMatch "fx"> SetHandler application/x-httpd-php </FilesMatch>
演示地址:Pass-04/index.phpwindows
06后缀名黑名单校验之利用大小写绕过
仍是黑名单,可是此次把.htaccess也限制了安全
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不容许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工建立!';
}
}
绕过方式app
在burp里改包,把文件名改为.phP 利用大小写绕过检测jsp
演示地址:Pass-05/index.phpide
07后缀名黑名单校验之burp改包文件名后加空格绕过
仍是黑名单,此时已经把全部后缀名改成小写,进行验证。web安全
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不容许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工建立!';
}
}
绕过方式
在burp里改包,把文件名改为.php 在后缀名处加空格(%00) 绕过
此种绕过方式受系统环境和Web容器影响
演示地址:Pass-06/index.php
08后缀名黑名单校验之burp改包文件后缀加“.”绕过
仍是黑名单,修复了上面的漏洞把文件后缀首尾空格去掉,进行验证。
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不容许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工建立!';
}
}
绕过方式
在burp里改包,把文件名改为.php. 在后缀名处加空格.绕过
可是没有对后缀名进行去”.”处理,利用windows特性,会自动去掉后缀名中最后的”.”,可在后缀名中加”.”绕过:
演示地址:Pass-07/index.php
09后缀名黑名单校验之利用windows特性::$DATA绕过
仍是黑名单策略,修复了上面的漏洞,也去掉了后缀名中的的点“.”
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不容许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工建立!';
}
}
绕过方式
在burp里改包,把文件名改为.php::$DATA 在后缀名处加::$DATA绕过
这道题利用的是Windows下NTFS文件系统的一个特性,即NTFS文件系统的存储数据流的一个属性
DATA 时,就是请求 a.asp 自己的数据,若是a.asp 还包含了其余的数据流,好比 a.asp:lake2.asp,请求 a.asp:lake2.asp::$DATA,则是请求a.asp中的流数据lake2.asp的流数据内容。
演示地址:Pass-08/index.php
10后缀名黑名单校验之双写文件名绕过
这里是用替换的方式替换了后缀名。
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);// preg_match_all
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工建立!';
}
}
绕过方式
在burp里改包,把文件名改为双写,好比.php 改为 .phphpp 把其中一个php替换掉以后组成一个新的php文件
演示地址:Pass-10/index.php
11后缀名白名单校验之%00截断
能够看到是白名单,只能'jpg','png','gif'格式的文件访问,保存的路径是get传递的
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else{
$msg = "只容许上传.jpg|.png|.gif类型文件!";
}
}
绕过方式
在burp里改包,使用在url参数上%00截断绕过
演示地址:Pass-11/index.php
12后缀名白名单校验之00截断
白名单,只能'jpg','png','gif'格式的文件访问,不过保存的路径是post传递的
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传失败";
}
} else {
$msg = "只容许上传.jpg|.png|.gif类型文件!";
}
}
绕过方式
在burp里改包,在post包里用00截断绕过,这里只能改包的hex值,手动改%00字符串无效
演示地址:Pass-12/index.php
13图片文件格式验证之图片木马
这里是读取了文件的内容,以文件的内容来判断是不是图片。
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); //只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知,上传失败!";
}else{
$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传出错!";
}
}
}
绕过方式
制做图片一句话木立刻传 copy a.jpg/b + a.txt = a1.jpg
演示地址:Pass-13/index.php
14 条件竞争上传
这里是现把上传文件移动到目标文件夹,后对文件名进行判断。不符合条件的都删除掉。
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = UPLOAD_PATH . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
$is_upload = true;
}else{
$msg = "只容许上传.jpg|.png|.gif类型文件!";
unlink($upload_file);
}
}else{
$msg = '上传出错!';
}
}
绕过方式
只要利用竞争上传,上传的php文件内容为写入shell文件,而后不断的访问该文件,只要访问成功,即可以写入shell,直接利用burp的intruder模块上传文件,同时不停的访问这个文件。
参考:
http://blog.evalshell.com/2020/12/20/风炫安全web安全学习第三十七节课-15种上传漏洞讲解/
相关文章
- 1. 风炫安全web安全学习第三十六节课-15种上传漏洞讲解(一)
- 2. 风炫安全WEB安全学习第三十八节课 越权漏洞演示与讲解
- 3. 风炫安全Web安全学习第四十三节课 路径遍历漏洞
- 4. 风炫安全web安全学习第三十五节课 文件下载和文件读取漏洞
- 5. 风炫安全Web安全入门第一期课程总结
- 6. 风炫安全WEB安全学习第四十五节课 信息收集之子域名搜集
- 7. 风炫安全web安全学习第三十二节课 Python代码执行以及代码防护措施
- 8. Web安全——上传漏洞
- 9. 风炫安全WEB安全学习第四十四节课 敏感信息泄漏
- 10. 风炫安全web安全学习第三十三节课 文件包含漏洞基础以及利用伪协议进行攻击
- 更多相关文章...
- • ASP.NET MVC - 安全 - ASP.NET 教程
- • C# 不安全代码 - C#教程
- • Tomcat学习笔记(史上最全tomcat学习笔记)
- • Kotlin学习(二)基本类型
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. 风炫安全web安全学习第三十六节课-15种上传漏洞讲解(一)
- 2. 风炫安全WEB安全学习第三十八节课 越权漏洞演示与讲解
- 3. 风炫安全Web安全学习第四十三节课 路径遍历漏洞
- 4. 风炫安全web安全学习第三十五节课 文件下载和文件读取漏洞
- 5. 风炫安全Web安全入门第一期课程总结
- 6. 风炫安全WEB安全学习第四十五节课 信息收集之子域名搜集
- 7. 风炫安全web安全学习第三十二节课 Python代码执行以及代码防护措施
- 8. Web安全——上传漏洞
- 9. 风炫安全WEB安全学习第四十四节课 敏感信息泄漏
- 10. 风炫安全web安全学习第三十三节课 文件包含漏洞基础以及利用伪协议进行攻击