uploads_labs前9题

创始人

2024-02-04 12:00:10

0次

upload-labs详解

1.代码使用的函数详解
2.uploads_labs
- - 1.Pass-01
  - 2.Pass-02
  - 3.Pass-03
  - 4.Pass-04
  - 5.Pass-05
  - 6.Pass-06
  - 7.Pass-07
  - 8.Pass-08
  - 9.Pass-09

1.代码使用的函数详解

2.uploads_labs

1.Pass-01

function checkFile() {var file = document.getElementsByName('upload_file')[0].value;if (file == null || file == "") {alert("请选择要上传的文件!");return false;}//定义允许上传的文件类型var allow_ext = ".jpg|.png|.gif";//提取上传文件的类型var ext_name = file.substring(file.lastIndexOf("."));//截取文件后缀//判断上传文件类型是否允许上传if (allow_ext.indexOf(ext_name + "|") == -1) {var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;alert(errMsg);return false;}
}

如上为Pass-01核心代码，代码解释如上所示，前端只允许我们上传".jpg|.png|.gif"为后缀的文件，我们可以把一句话木马文件先改成".jpg|.png|.gif"为后缀的文件，抓包后再改回来

2.Pass-02

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) { //判断是否提交了if (file_exists($UPLOAD_ADDR)) { //判断文件路径是否存在if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) { //设置了白名单，只有 'image/jpeg'等文件后缀才可以上传，其他文件类型不可以上传if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];$is_upload = true;}} else {$msg = '文件类型不正确，请重新上传！';}} else {$msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建！';}
}

如上为Pass-02核心代码，代码解释如上所示，后端只允许我们上传"image/jpeg "等类型的文件，我们可以上传一句话木马文件，并且抓包后把文件类型改成image/jpeg

上传1.php:
更改类型：

3.Pass-03

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array('.asp','.aspx','.php','.jsp');  //黑名单，就是不允许上传的文件的后缀$file_name = trim($_FILES['upload_file']['name']); //去除$_FILES['upload_file']['name']左右的空格$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');  //如果$file_name是1.php，取php$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];$is_upload = true;}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

如上为Pass-03核心代码，代码解释如上所示，没有过滤php5,phtml等后缀，如果平台又可以解析php5,phtml(apacher 开启了AddType application/x-httpd-php .php .phtml)，就可以上传后缀为php5,phtml的文件，和php一模一样的(解析的前提是修改httpd.conf，) 现在我的是php的环境，那我们能够用php4、php5，或者说是phtml的方式进行绕过，那当然，如果说我们是asp的环境，那我们可以用asa、cer、cdx，这样的后缀名，进行绕过，那如果说是我们aspx的，这种网站，我们能够用ashx、asmx、ascx、esms，那当我们遇到jsp的时候，我们可以用jspx、jspf，这种后缀名进行绕过

上传phtml文件后缀的文件：

4.Pass-04

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");  //几乎限制了所有脚本文件的上传,没有绕过.htaccess文件，可以先上传.htaccess构造.htaccess解析漏洞$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if (!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];$is_upload = true;}} else {$msg = '此文件不允许上传!';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

如上操作请查看.htaccess漏洞和图片马的使用

5.Pass-05

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess"); //绕过了部分脚本文件，并且下面在进行比对的时候没有进行全部大写，全部小写的代码，及缺少strtolower()$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . '/' . $file_name;$is_upload = true;}} else {$msg = '此文件不允许上传';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

所以如上代码，我们可以上传木马文件，文件后缀为Php就可以绕过，由于windows和LInux一样，你大小写后都会自动变成小写，所以我们要在抓包的时候更改文件后缀

6.Pass-06

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . '/' . $file_name;$is_upload = true;}} else {$msg = '此文件不允许上传';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

前两个也没什么不同，但是将所有的后缀都给过滤了，仔细看了看，发现这个题目没有对后缀名末尾做去空处理。也就是说这道题目的考点是空格绕过，所以文件抓包后在php后缀下加上空格再发送就可以了(注意目标服务器需要是apache服务器，nginx服务器则不能够这样)

7.Pass-07

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . '/' . $file_name;$is_upload = true;}} else {$msg = '此文件不允许上传';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

这一题比前面三题来说，将所有改过滤的都过滤了，这下要想想其他的绕过方法了没有对后缀名末尾的点进行处理，利用windows特性，会自动去掉后缀名中最后的”.”，可在后缀名中加”.”绕过，这题的考点是.绕过。

8.Pass-08

 $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . '/' . $file_name;$is_upload = true;}} else {$msg = '此文件不允许上传';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

看下这个题目，又将文件名末尾的点给删除了，在看看和上一个代码的差别，但是我们可以看到这个代码没有了::$DATA$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字串::$DATA也就是没了这一句，那我们把这个加到后面不就可以过滤了吗

9.Pass-09

 $is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists($UPLOAD_ADDR)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {$img_path = $UPLOAD_ADDR . '/' . $file_name;$is_upload = true;}} else {$msg = '此文件不允许上传';}} else {$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';}
}

这次可狠了，前面所有可以利用的都给过滤了，分析下代码，先将首尾去空，又去除了::$DATA又转换为小写，再删去末尾的点。这样一来我们构造文件名，使其经过过滤后得到的还是php的文件名不就行了，所以就1.php. . 就可以绕过，也就是点+空格+点+空格绕过

上一篇：Android 深入理解View.post() 、Window加载View原理

下一篇：连锁超市如何部署远程监控系统

uploads_labs前9题

upload-labs详解

1.代码使用的函数详解

2.uploads_labs

1.Pass-01

2.Pass-02

3.Pass-03

4.Pass-04

5.Pass-05

6.Pass-06

7.Pass-07

8.Pass-08

9.Pass-09

相关内容

热门资讯