upload-labs靶场通关

pass-01

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
    alert("请选择要上传的文件!");
    return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
    var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
    alert(errMsg);
    return false;
    }
    }
  • 上传
    白名单,仅允许上传.jpg|.png|.gif,但是只有前端校验
    上传jpg抓包修改为php

  • 连接webshell
    复制图片地址,使用蚁剑连接

pass-02

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}

会对MIME进行验证,与pass-01一样,上传png抓包修改为php

pass-03

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array('.asp','.aspx','.php','.jsp');
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //收尾去空

    if(!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
    if (move_uploaded_file($temp_file,$img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    黑名单,可以上传php2、php3、php5、phtml、pht(是否解析需要根据配置文件中设置类型来决定)来绕过

pass-04

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //收尾去空

    if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '此文件不允许上传!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    黑名单,几乎所有可以上传的文件类型都被写死,但是可以上传.htaccess

    1
    2
    3
    <FilesMatch "shell.jpg">
    SetHandler application/x-httpd-php
    </FilesMatch>

    这个文件里面的含义就是将shell.jpg文件解析为php
    然后直接上传图片马,就可以解析为php

pass-05

  • 源码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //首尾去空

    if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '此文件类型不允许上传!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    禁止了常见后缀名,也包括.htaccess,反复观察发现没有被限制的后缀名有 .php7 以及 .ini
    php.ini 是 php的配置文件,.user.ini 中的字段也会被 php 视为配置文件来处理,从而导致 php 的文件解析漏洞。
    但是想要引发 .user.ini 解析漏洞需要三个前提条件
    1. 服务器脚本语言为PHP
    2. 服务器使用CGI/FastCGI模式
    3. 上传目录下要有可执行的php文件

提示

上传.user.ini

1
2
auto_ prepend_ file=shell.jpg
意思是所有文件都包含shell.jpg

再上传图片马,蚁剑连接readme.php文件,图片马就被包含进去以php代码执行

  • 第二种方法绕过
    抓包修改后缀为shell.php. . 点空格点

    蚁剑连接shell.php即可

pass-06

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //首尾去空

    if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '此文件类型不允许上传!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传

黑名单,但是可以使用大小写绕过

pass-07

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
    $file_name = $_FILES['upload_file']['name'];
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

    if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
    if (move_uploaded_file($temp_file,$img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '此文件不允许上传';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    黑名单,但是没有去掉空格,使用空格绕过

pass-08

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //首尾去空

    if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '此文件类型不允许上传!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    黑名单,去空格并且转换为小写,但是忽略了.,文件名尾加.绕过

pass-09

  • 源码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空

if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}

  • 上传
    在上关的基础上去掉了. 使用特殊字符绕过::$DATA
    php在window的时候如果文件名+”::$DATA”会把::$DATA之后的数据当成文件流处理,不会检测后缀名,且保持”::$DATA”之前的文件名 他的目的就是不检查后缀名。

pass-10

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //首尾去空

    if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = '此文件类型不允许上传!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }

  • 上传
    在上一关的基础上,禁止::$DATA,但是deldot()函数从后向前检测,当检测到末尾的第一个点时会继续它的检测,但是遇到空格会停下来
    使用pass-05的第二种方法,. .绕过

pass-11

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = str_ireplace($deny_ext,"", $file_name);
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    删除黑名单中的关键字但是只检测一次,使用双写绕过

上传之后得到文件名shell.php

pass-12

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

    if(move_uploaded_file($temp_file,$img_path)){
    $is_upload = true;
    } else {
    $msg = '上传出错!';
    }
    } else{
    $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
    }
  • 上传
    白名单,最后的路径是靠拼接,可以使用%00截断
    原理:php的一些函数的底层是C语言,而move_uploaded_file就是其中之一,遇到0x00会截断,0x表示16进制,URL中%00解码成16进制就是0x00。

pass-13

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

    if(move_uploaded_file($temp_file,$img_path)){
    $is_upload = true;
    } else {
    $msg = "上传失败";
    }
    } else {
    $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
    }

  • 上传
    与上关一样,区别是post提交,post不会对里面的数据自动解码,需要在Hex中修改。

#pass-14

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //只读2字节
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
    case 255216:
    $fileType = 'jpg';
    break;
    case 13780:
    $fileType = 'png';
    break;
    case 7173:
    $fileType = 'gif';
    break;
    default:
    $fileType = 'unknown';
    }
    return $fileType;
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
    $msg = "文件未知,上传失败!";
    }else{
    $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
    if(move_uploaded_file($temp_file,$img_path)){
    $is_upload = true;
    } else {
    $msg = "上传出错!";
    }
    }
    }
  • 上传
    会判断强两个字节的来确定上传文件的后缀是否为白名单里的,需要上传图片马配合文件包含漏洞
    上传图片马

    点击文件包含漏铜

pass-15

  • 源码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
    $info = getimagesize($filename);
    $ext = image_type_to_extension($info[2]);
    if(stripos($types,$ext)>=0){
    return $ext;
    }else{
    return false;
    }
    }else{
    return false;
    }
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
    $msg = "文件未知,上传失败!";
    }else{
    $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
    if(move_uploaded_file($temp_file,$img_path)){
    $is_upload = true;
    } else {
    $msg = "上传出错!";
    }
    }
    }

  • 上传
    在上关的基础上,校验图片的大小,依旧可以和上关一样使用图片马绕过

pass-16

  • 源码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    function isImage($filename){
    //需要开启php_exif模块
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
    case IMAGETYPE_GIF:
    return "gif";
    break;
    case IMAGETYPE_JPEG:
    return "jpg";
    break;
    case IMAGETYPE_PNG:
    return "png";
    break;
    default:
    return false;
    break;
    }
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
    $msg = "文件未知,上传失败!";
    }else{
    $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
    if(move_uploaded_file($temp_file,$img_path)){
    $is_upload = true;
    } else {
    $msg = "上传出错!";
    }
    }
    }

  • 上传
    在上关的基础上再检查后缀,依旧使用图片马绕过

pass-17

  • 源码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])){
    // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // 获得上传文件的扩展名
    $fileext= substr(strrchr($filename,"."),1);

    //判断文件后缀与类型,合法才进行上传操作
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
    if(move_uploaded_file($tmpname,$target_path)){
    //使用上传的图片生成新的图片
    $im = imagecreatefromjpeg($target_path);

    if($im == false){
    $msg = "该文件不是jpg格式的图片!";
    @unlink($target_path);
    }else{
    //给新图片指定文件名
    srand(time());
    $newfilename = strval(rand()).".jpg";
    //显示二次渲染后的图片(使用用户上传图片生成的新图片)
    $img_path = UPLOAD_PATH.'/'.$newfilename;
    imagejpeg($im,$img_path);
    @unlink($target_path);
    $is_upload = true;
    }
    } else {
    $msg = "上传出错!";
    }

    }else if(($fileext == "png") && ($filetype=="image/png")){
    if(move_uploaded_file($tmpname,$target_path)){
    //使用上传的图片生成新的图片
    $im = imagecreatefrompng($target_path);

    if($im == false){
    $msg = "该文件不是png格式的图片!";
    @unlink($target_path);
    }else{
    //给新图片指定文件名
    srand(time());
    $newfilename = strval(rand()).".png";
    //显示二次渲染后的图片(使用用户上传图片生成的新图片)
    $img_path = UPLOAD_PATH.'/'.$newfilename;
    imagepng($im,$img_path);

    @unlink($target_path);
    $is_upload = true;
    }
    } else {
    $msg = "上传出错!";
    }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
    if(move_uploaded_file($tmpname,$target_path)){
    //使用上传的图片生成新的图片
    $im = imagecreatefromgif($target_path);
    if($im == false){
    $msg = "该文件不是gif格式的图片!";
    @unlink($target_path);
    }else{
    //给新图片指定文件名
    srand(time());
    $newfilename = strval(rand()).".gif";
    //显示二次渲染后的图片(使用用户上传图片生成的新图片)
    $img_path = UPLOAD_PATH.'/'.$newfilename;
    imagegif($im,$img_path);

    @unlink($target_path);
    $is_upload = true;
    }
    } else {
    $msg = "上传出错!";
    }
    }else{
    $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
    }

  • 上传
    同上,图片马传就完事了

pass-18

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    $is_upload = false;
    $msg = null;

    if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
    if(in_array($file_ext,$ext_arr)){
    $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
    rename($upload_file, $img_path);
    $is_upload = true;
    }else{
    $msg = "只允许上传.jpg|.png|.gif类型文件!";
    unlink($upload_file);
    }
    }else{
    $msg = '上传出错!';
    }
    }
  • 上传
    代码审计,对上传的文件的后缀进行对比,如果不在白名单之内就删除,没有文件包含漏洞,此处利用条件竞争
    文件上传,再被校验中间是有一个过程的,如果我们在上传后立即访问,占用文件,文件在被使用状态是不可被删除的
    利用burp重复发包,不设置payload

    利用脚本去重复访问上传的webshell路径

1
2
3
4
5
6
7
8
9
import requests

while True:
resp = requests.get(url='http://10.20.146.195/upload/shell.php')
if resp.status_code == 200:
print('攻击成功')
break
else:
continue

pass-19

  • 源码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    //index.php
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit']))
    {
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload(UPLOAD_PATH);
    switch ($status_code) {
    case 1:
    $is_upload = true;
    $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
    break;
    case 2:
    $msg = '文件已经被上传,但没有重命名。';
    break;
    case -1:
    $msg = '这个文件不能上传到服务器的临时文件存储目录。';
    break;
    case -2:
    $msg = '上传失败,上传目录不可写。';
    break;
    case -3:
    $msg = '上传失败,无法上传该类型文件。';
    break;
    case -4:
    $msg = '上传失败,上传的文件过大。';
    break;
    case -5:
    $msg = '上传失败,服务器已经存在相同名称文件。';
    break;
    case -6:
    $msg = '文件无法上传,文件不能复制到目标目录。';
    break;
    default:
    $msg = '未知错误!';
    break;
    }
    }

    //myupload.php
    class MyUpload{
    ......
    ......
    ......
    var $cls_arr_ext_accepted = array(
    ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
    ".html", ".xml", ".tiff", ".jpeg", ".png" );

    ......
    ......
    ......
    /** upload()
    **
    ** Method to upload the file.
    ** This is the only method to call outside the class.
    ** @para String name of directory we upload to
    ** @returns void
    **/
    function upload( $dir ){

    $ret = $this->isUploadedFile();

    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension();
    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();
    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }

    // if flag to check if the file exists is set to 1

    if( $this->cls_file_exists == 1 ){

    $ret = $this->checkFileExists();
    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
    $ret = $this->renameFile();
    if( $ret != 1 ){
    return $this->resultUpload( $ret );
    }
    }

    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );

    }
    ......
    ......
    ......
    };

    同上一关,但是在上一关的基础上,对文件名进行修改,需要配合文件包含漏洞或其他漏洞
    绕过白名单过滤:利用apache的后缀名识别漏洞 —— 从右往左依次识别后缀,遇到不能识别的后缀名便跳过 ,因此可以文件名改为create.php.7z(.7z这个后缀apache不能识别)

pass-20

  • 源码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

    $file_name = $_POST['save_name'];
    $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

    if(!in_array($file_ext,$deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH . '/' .$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $is_upload = true;
    }else{
    $msg = '上传出错!';
    }
    }else{
    $msg = '禁止保存为该类型文件!';
    }

    } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
    }
  • 上传
    黑名单,会对文件名重命名,双写,大小写都可以绕过

pass-21

  • 源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    $is_upload = false;
    $msg = null;
    if(!empty($_FILES['upload_file'])){
    //检查MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
    $msg = "禁止上传该类型文件!";
    }else{
    //检查文件名
    $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
    if (!is_array($file)) {
    $file = explode('.', strtolower($file));
    }

    $ext = end($file);
    $allow_suffix = array('jpg','png','gif');
    if (!in_array($ext, $allow_suffix)) {
    $msg = "禁止上传该后缀文件!";
    }else{
    $file_name = reset($file) . '.' . $file[count($file) - 1];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH . '/' .$file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
    $msg = "文件上传成功!";
    $is_upload = true;
    } else {
    $msg = "文件上传失败!";
    }
    }
    }
    }else{
    $msg = "请选择要上传的文件!";
    }
  • 上传
    检查MIME和白名单,以.切割为数组,取数组最后一个元素来校验是否在白名单内,再取数组数-1来重命名后缀