Upload-labs 刷题日记

Needingcen原创2024/11/5大约 5 分钟

Upload-labs

前言

之前的图床用的是博客园的，不知道为什么会突然之间加载不了在这个网站上。。诸君凑合看吧

pass-01

前段js提示不能够上传非jpg，png格式的马

抓包、修改文件后缀名

随后用蚁剑连上即可

pass-02

前段依旧有文件后缀名校验，直接忽略，抓包改，与pass-01一样的做法

甚至马的位置都是一样的，此处略过

pass-03

尝试上传3.php，发现黑名单提示：不允许上传.asp,.aspx,.php,.jsp后缀文件

利用phtml，php3，php5，pht文件后缀名绕过

pass-04

上传中常用到的 .htaccess文件:假设我们的马名字叫做：needingcen_webshell.png

.htaccess 的内容为：

<FilesMatch "needingcen_webshell.png"> 

SetHandler application/x-httpd-php 

</FilesMatch>

pass-05

需要特殊环境，没写

pass-06

访问源码，发现是原始的枚举文件后缀名，直接找一个没有被枚举到的：.pHP

蚁剑成功连上了

这fofa找的一台机子，发现这哥们凌晨两三点还在做upload-labs，nb

pass-07

发现没有对上传的文件名做去空格的操作->trim()

抓包在webshell.php的最后加一个空格即可：

pass-08

发现对上传的文件后缀名未做去点.的操作—>strrchr($file_name, '.')

Windows系统下，文件后缀名最后一个点会被自动去除。

上传 webshell.php. 即可

pass-09

分析代码发现对上传的文件后缀名未做去::$DATA处理

    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name);//删除文件名末尾的点
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = trim($file_ext); //首尾去空

上传文件名为：webshell.php::$data

上传的文件后缀名为：webshell.php::$data，会在目标靶机上生成文件为 webshell.php的文件

所以我们在用蚁剑连的时候，链接的文件应该是webshell.php

pass-10

分析代码：

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
       #将文件名进行过滤操作后，将文件名拼接在路径后面，所以需要绕过前面的首尾去空以及去点。

根据代码的一次性来编写payload：
webshell.php. .

pass-11

代码分析：
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);#将这些扩展名从文件名中移除
        $temp_file = $_FILES['upload_file']['tmp_name'];

利用str_ireplace()将文件名中符合黑名单的字符串替换成空
利用方式：利用双写黑名单字符，对字符串的一次过滤后拼接出php,文件名.pphphp

pass-12

分析数据包：使用白名单限制上传文件类型，但上传文件的存放路径可控

利用方法：设置上传路径为upload/12.php%00 ,添加12.php%00内容为了控制路径，上传文件后缀为白名单即可例:12.png，保存后为/upload/12.php%00*****.png，但服务端读取到%00时会自动结束，将文件内容保存至12.php中

php的一些函数的底层是C语言，而move_uploaded_file就是其中之一，遇到0x00会截断，0x表示16进制，URL中%00解码成16进制就是0x00。
strrpos(string,find[,start]) 函数查找字符串在另一字符串中最后一次出现的位置（区分大小写）。
substr(string,start[,length])函数返回字符串的一部分(从start开始 [，长度为length])
magic_quotes_gpc 着重偏向数据库方面，是为了防止sql注入，但magic_quotes_gpc开启还会对$_REQUEST, $_GET,$_POST,$_COOKIE 输入的内容进行过滤