目录
Pass-03(本关需要使用自己搭建upload-labs)
思维导图
思维导图分享
链接:https://pan.baidu.com/s/1N4mvnQhawhYKRHNwJDEAMw
提取码:iu9g
练习网站:
upload-labs(旧靶场20关)1-2关使用了旧靶场
upload-labs(新靶场21关)3-21关使用了新靶场
注意:
能运行phpinfo();?>
就能运行一句话木马
本文使用主要是为了简便
知识点
$_FILES[表单提交过来的name]
[name]:获取到的文件名
[type]: 获取到的文件类型(MIMETYPE)
[tmp_name]:文件临时存放的路径
[error]: 上传文件报错信息(为空则上传成功)
[size]:上传文件的大小
Move_uploaded_file(需要移动的文件,要移动到的位置)
Strrchr(指定字符串,匹配的字符) --指针指到指定的字符的位置,取之后的值
Trim() --去除字符串中的前后空格
Rtrim() --去除右空格
Ltrim() --去除左空格
Strtolower() --将字符串转为小写
Str_ireplace --(被转换的字符串,替换成的字符串,需要查找的字符串)
在需要查找的字符串中查找需要被替换的字符串,替换为指定的字符串
Pass-01
代码:
- function checkFile() {
- var file = document.getElementsByName('upload_file')[0].value;
- if (file == null || file == "") {
- alert("请选择要上传的文件!");
- return false;
- }
- //定义允许上传的文件类型
- var allow_ext = ".jpg|.png|.gif";
- //提取上传文件的类型
- var ext_name = file.substring(file.lastIndexOf("."));
- //判断上传文件类型是否允许上传
- if (allow_ext.indexOf(ext_name + "|") == -1) {
- var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
- alert(errMsg);
- return false;
- }
- }
提示:
本pass在客户端使用js对不合法图片进行检查!
解题思路:
安装插件disable javascript
编写一句话木马文件shell.php
根据提示关闭js上传文件,查看上传文件是否成功
使用蚁剑通过密码连接
Pass-02
知识点:
MIME TYPE常见分类
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '文件类型不正确,请重新上传!';
- }
- } else {
- $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
- }
- }
提示:
本pass在服务端对数据包的MIME进行检查!
解题思路:
编写木马
上传PHP文件
绕过MIMETYPE
burpsuite抓包修改类型
forward释放数据包
打开图片链接
发现能够执行上传的php文件
Pass-03(本关需要使用自己搭建upload-labs)
upload-labs资源
链接:https://pan.baidu.com/s/1uOM7sSAFusLk-973SkZlCw
提取码:ctyl
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array('.asp','.aspx','.php','.jsp');
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //收尾去空
-
- if(!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file,$img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
本pass禁止上传.asp|.aspx|.php|.jsp后缀文件!
解题思路:
httpd.conf文件下添加代码
AddType application/x-httpd-php .php .phtml .php3 .php4
该句代码的意思是将.php、.php3、.php4当作php文件
上传phpinfo.php4
打开图片链接
就能查看运行的PHP文件
Pass-04
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //收尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf后缀文件!
解题思路:
上传.htaccess文件
将jpg文件当作php文件执行
- <FilesMatch 'phpinfo.jpg'>
- SetHandler application/x-httpd-php
- </FilesMatch>
再上传phpinfo.jpg(是由phpinfo.php改后缀成phpinfo.jpg)
打开链接
Pass-05(建议使用本机搭建的Upload-labs)
upload-labs资源
链接:https://pan.baidu.com/s/1uOM7sSAFusLk-973SkZlCw
提取码:ctyl
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
上传目录存在php文件(readme.php)
解题思路:
先上传.user.ini
作用域是当前文件夹和当前文件夹中的子文件;包含指定的文件,显示在页面上
.user.ini内容
- Auto_prepend_file=phpinfo.jpg //在页面上部显示
-
- Auto_prepend_file=phpinfo.jpg //在页面底部部显示
再上传phpinfo.jpg
查看readme.php文件
Pass-06
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess后缀文件!
解题思路:
经过与第五关对比我们发现没有过滤大小写
缺少代码
$file_ext = strtolower($file_ext); //转换为小写所以我们修改上传文件后缀名phpinfo.Php
上传phpinfo.Php
右键打开链接
Pass-07
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
- $file_name = $_FILES['upload_file']['name'];
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file,$img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件不允许上传';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
没有进行首尾去空
缺少代码
$file_ext = trim($file_ext); //首尾去空我们可以进行空格绕过
解题思路:
上传phpinfo.php进行BP抓包
上传成功后右键打开链接
Pass-08
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
缺少代码
$file_name = deldot($file_name)没有删除文件名末尾后的点
所以进行点绕过
解题思路:
上传phpinfo.php文件进行BP抓包
上传成功后右键打开链接
Pass-09
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
缺少代码
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA上传后缀名添加::$DATA
::$DATA是一个流传输,可以把后面的数据当成流处理和.空格类似
解题思路:
上传phpinfo.php进行BP抓包,修改数据
右键打开链接
去掉URL中的::$DATA
Pass-10
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = deldot($file_name);//删除文件名末尾的点
- $file_ext = strrchr($file_name, '.');
- $file_ext = strtolower($file_ext); //转换为小写
- $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
- $file_ext = trim($file_ext); //首尾去空
-
- if (!in_array($file_ext, $deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = '此文件类型不允许上传!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
deldot()函数从后向前检测,当检测到末尾的第一个点时会继续它的检测,但是遇到空格会停下来
解题思路:
上传phpinfo.php文件,BP抓包,修改数据
上传完文件邮件打开链接
Pass-11
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
-
- $file_name = trim($_FILES['upload_file']['name']);
- $file_name = str_ireplace($deny_ext,"", $file_name);
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH.'/'.$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
截取文件后缀名与上面禁用的后缀名匹配,如果想同,转化为空
所有利用双写后缀名绕过
解题思路:
上传phpinfo.pphphp文件
上传成功后右键打开链接
Pass-12
代码:
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $ext_arr = array('jpg','png','gif');
- $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
- if(in_array($file_ext,$ext_arr)){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
-
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = '上传出错!';
- }
- } else{
- $msg = "只允许上传.jpg|.png|.gif类型文件!";
- }
- }
提示:
在处理数据时,当处理到00,就当作处理完成
PHP版本小于5.3
Magic_quotes_gpc=Off
解题思路:
上传phpinfo.jpg文件,用BP抓包修改数据
上传成功后右键打开链接
Pass-13
代码:
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $ext_arr = array('jpg','png','gif');
- $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
- if(in_array($file_ext,$ext_arr)){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
-
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = "上传失败";
- }
- } else {
- $msg = "只允许上传.jpg|.png|.gif类型文件!";
- }
- }
提示:
在处理数据时,当处理到00,就当作处理完成
PHP版本小于5.3
Magic_quotes_gpc=Off
解题思路:
上传phpinfo.jpg文件,用BP抓包修改数据
将空格(20)改成(00)进行截断
上传成功后右键打开链接
Pass-14
代码:
- function getReailFileType($filename){
- $file = fopen($filename, "rb");
- $bin = fread($file, 2); //只读2字节
- fclose($file);
- $strInfo = @unpack("C2chars", $bin);
- $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
- $fileType = '';
- switch($typeCode){
- case 255216:
- $fileType = 'jpg';
- break;
- case 13780:
- $fileType = 'png';
- break;
- case 7173:
- $fileType = 'gif';
- break;
- default:
- $fileType = 'unknown';
- }
- return $fileType;
- }
-
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $file_type = getReailFileType($temp_file);
-
- if($file_type == 'unknown'){
- $msg = "文件未知,上传失败!";
- }else{
- $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = "上传出错!";
- }
- }
- }
提示:
Jpg格式图片的文件头标识:FFD8开头FFD9结尾
Png格式图片的文件头标识:89 20 4E 47 0D 0A
Gif格式图片的文件头标识:GIF89a GIF87a
本关存在文件包含漏洞,Incould可以将被包含的文件当PHP代码执行
解题思路:
上传phpinfo.gif,BP抓包修改数据
文件上传成功后右键打开链接
Pass-15-17
15-17关都可以利用文件包含漏洞,上传图片码
代码:
- function isImage($filename){
- $types = '.jpeg|.png|.gif';
- if(file_exists($filename)){
- $info = getimagesize($filename);
- $ext = image_type_to_extension($info[2]);
- if(stripos($types,$ext)>=0){
- return $ext;
- }else{
- return false;
- }
- }else{
- return false;
- }
- }
-
- $is_upload = false;
- $msg = null;
- if(isset($_POST['submit'])){
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $res = isImage($temp_file);
- if(!$res){
- $msg = "文件未知,上传失败!";
- }else{
- $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
- if(move_uploaded_file($temp_file,$img_path)){
- $is_upload = true;
- } else {
- $msg = "上传出错!";
- }
- }
- }
提示:
利用文件包含漏洞上传图片码
解题思路:
制作图片码
上传生成的888.jpg图片码
上传成功后右键打开链接
Pass-18
代码:
- //index.php
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit']))
- {
- require_once("./myupload.php");
- $imgFileName =time();
- $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
- $status_code = $u->upload(UPLOAD_PATH);
- switch ($status_code) {
- case 1:
- $is_upload = true;
- $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
- break;
- case 2:
- $msg = '文件已经被上传,但没有重命名。';
- break;
- case -1:
- $msg = '这个文件不能上传到服务器的临时文件存储目录。';
- break;
- case -2:
- $msg = '上传失败,上传目录不可写。';
- break;
- case -3:
- $msg = '上传失败,无法上传该类型文件。';
- break;
- case -4:
- $msg = '上传失败,上传的文件过大。';
- break;
- case -5:
- $msg = '上传失败,服务器已经存在相同名称文件。';
- break;
- case -6:
- $msg = '文件无法上传,文件不能复制到目标目录。';
- break;
- default:
- $msg = '未知错误!';
- break;
- }
- }
-
- //myupload.php
- class MyUpload{
- ......
- ......
- ......
- var $cls_arr_ext_accepted = array(
- ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
- ".html", ".xml", ".tiff", ".jpeg", ".png" );
-
- ......
- ......
- ......
- /** upload()
- **
- ** Method to upload the file.
- ** This is the only method to call outside the class.
- ** @para String name of directory we upload to
- ** @returns void
- **/
- function upload( $dir ){
-
- $ret = $this->isUploadedFile();
-
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- $ret = $this->setDir( $dir );
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- $ret = $this->checkExtension();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- $ret = $this->checkSize();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- // if flag to check if the file exists is set to 1
-
- if( $this->cls_file_exists == 1 ){
-
- $ret = $this->checkFileExists();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
- }
-
- // if we are here, we are ready to move the file to destination
-
- $ret = $this->move();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- // check if we need to rename the file
-
- if( $this->cls_rename_file == 1 ){
- $ret = $this->renameFile();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
- }
-
- // if we are here, everything worked as planned :)
-
- return $this->resultUpload( "SUCCESS" );
-
- }
- ......
- ......
- ......
- };
提示:
上传文件后会判断后缀名,如果相同会进行重命名。我们可以进行条件竞争
解题思路:
上传文件,进行BP爆破
出现上传的php文件但很快就消失了
Pass-19
代码:
- //index.php
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit']))
- {
- require_once("./myupload.php");
- $imgFileName =time();
- $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
- $status_code = $u->upload(UPLOAD_PATH);
- switch ($status_code) {
- case 1:
- $is_upload = true;
- $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
- break;
- case 2:
- $msg = '文件已经被上传,但没有重命名。';
- break;
- case -1:
- $msg = '这个文件不能上传到服务器的临时文件存储目录。';
- break;
- case -2:
- $msg = '上传失败,上传目录不可写。';
- break;
- case -3:
- $msg = '上传失败,无法上传该类型文件。';
- break;
- case -4:
- $msg = '上传失败,上传的文件过大。';
- break;
- case -5:
- $msg = '上传失败,服务器已经存在相同名称文件。';
- break;
- case -6:
- $msg = '文件无法上传,文件不能复制到目标目录。';
- break;
- default:
- $msg = '未知错误!';
- break;
- }
- }
-
- //myupload.php
- class MyUpload{
- ......
- ......
- ......
- var $cls_arr_ext_accepted = array(
- ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
- ".html", ".xml", ".tiff", ".jpeg", ".png" );
-
- ......
- ......
- ......
- /** upload()
- **
- ** Method to upload the file.
- ** This is the only method to call outside the class.
- ** @para String name of directory we upload to
- ** @returns void
- **/
- function upload( $dir ){
-
- $ret = $this->isUploadedFile();
-
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- $ret = $this->setDir( $dir );
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- $ret = $this->checkExtension();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- $ret = $this->checkSize();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- // if flag to check if the file exists is set to 1
-
- if( $this->cls_file_exists == 1 ){
-
- $ret = $this->checkFileExists();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
- }
-
- // if we are here, we are ready to move the file to destination
-
- $ret = $this->move();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
-
- // check if we need to rename the file
-
- if( $this->cls_rename_file == 1 ){
- $ret = $this->renameFile();
- if( $ret != 1 ){
- return $this->resultUpload( $ret );
- }
- }
-
- // if we are here, everything worked as planned :)
-
- return $this->resultUpload( "SUCCESS" );
-
- }
- ......
- ......
- ......
- };
提示:
上传文件后,判断后缀名,移动文件进行重命名
Apache解析漏洞
1.php.zxc.zxc.zxc.zxc.zxc
Apache从右往左解析,解析不了继续解析下一个
上传phpinfo.php.7z
解题思路:
上传phpinfo.php.7z进行BP爆破
文件已经被上传了
Pass-20
代码:
- $is_upload = false;
- $msg = null;
- if (isset($_POST['submit'])) {
- if (file_exists(UPLOAD_PATH)) {
- $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
-
- $file_name = $_POST['save_name'];
- $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
-
- if(!in_array($file_ext,$deny_ext)) {
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH . '/' .$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $is_upload = true;
- }else{
- $msg = '上传出错!';
- }
- }else{
- $msg = '禁止保存为该类型文件!';
- }
-
- } else {
- $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
- }
- }
提示:
上传文件直接空格绕过
上传文件后直接右键打开链接
Pass-21
代码:
- $is_upload = false;
- $msg = null;
- if(!empty($_FILES['upload_file'])){
- //检查MIME
- $allow_type = array('image/jpeg','image/png','image/gif');
- if(!in_array($_FILES['upload_file']['type'],$allow_type)){
- $msg = "禁止上传该类型文件!";
- }else{
- //检查文件名
- $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
- if (!is_array($file)) {
- $file = explode('.', strtolower($file));
- }
-
- $ext = end($file);
- $allow_suffix = array('jpg','png','gif');
- if (!in_array($ext, $allow_suffix)) {
- $msg = "禁止上传该后缀文件!";
- }else{
- $file_name = reset($file) . '.' . $file[count($file) - 1];
- $temp_file = $_FILES['upload_file']['tmp_name'];
- $img_path = UPLOAD_PATH . '/' .$file_name;
- if (move_uploaded_file($temp_file, $img_path)) {
- $msg = "文件上传成功!";
- $is_upload = true;
- } else {
- $msg = "文件上传失败!";
- }
- }
- }
- }else{
- $msg = "请选择要上传的文件!";
- }
提示:
需要修改MIME TYPE类型,进行拼接
解题思路:
上传文件,BP抓包修改数据
文件上传成功后右键打开链接
