
upload-labs(更新至 Pass-12)

Pass-01#

前端 JavaScript 繞過
在瀏覽器中禁用 JavaScript(或先以合法後綴上傳,再用 Burp 攔截請求把後綴改回 .php)即可繞過:這段檢查只在用戶端執行,伺服器端並未再驗證後綴。

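function checkFile() {
    // Client-side extension gate for the upload form. It runs in the
    // visitor's browser only: disabling JavaScript or rewriting the request
    // in a proxy skips it entirely, so the server must validate the upload
    // itself. Returns false (after an alert) to block the submit, true
    // otherwise.
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("請選擇要上傳的文件!");
        return false;
    }
    // Allowed extensions, kept as the original "|"-joined string because the
    // alert text below prints it verbatim.
    var allow_ext = ".jpg|.png|.gif";
    // Text from the last "." to the end (the whole name when there is no ".").
    var ext_name = file.substring(file.lastIndexOf("."));
    // Membership test on the split list. The original searched the joined
    // string for ext_name + "|", which never matched the last entry (".gif")
    // because nothing follows it, and accepted dot-less names such as "jpg"
    // by substring match.
    if (allow_ext.split("|").indexOf(ext_name) === -1) {
        var errMsg = "該文件不允許上傳,請上傳" + allow_ext + "類型的文件,當前文件類型為:" + ext_name;
        alert(errMsg);
        return false;
    }
    return true;
}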

Pass-02#

MIME 驗證
上傳文件後綴如上
進行抓包
修改 Content-Type 類型
把 application/octet-stream 改成 image/png
即可上傳。原因:伺服器端只比對 $_FILES['upload_file']['type'],而這個值就是請求中的 Content-Type,完全由客戶端填寫,不能當作文件真實類型的證據。

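$is_upload = false;
$msg = null;
// Pass-02: MIME-type check. Everything compared here comes from the client:
// $_FILES[...]['type'] is the Content-Type the browser (or an intercepting
// proxy) wrote into the multipart body, so a .php file sent with
// "image/png" passes unchanged, and the original filename is then used as-is
// in the destination path.
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // Fixed: the listing was missing the statement terminator here,
            // which made the snippet a parse error.
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '文件類型不正確,請重新上傳!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夾不存在,請手工創建!';
    }
}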

Pass-03#

繞過黑名單
抓包,修改後綴後可直接上傳
但無法連接(伺服器不會把該後綴交給 PHP 解析)
後綴字母改大寫也無法上傳(本關在比對前已做 strtolower)
可用 php1、pht、phtml、phps 等未列入黑名單的後綴繞過;前提是伺服器的 handler 設定(例如 Apache 的 AddHandler/AddType)會把這些後綴交給 PHP 解析,否則只是上傳成功但無法執行
根據網頁源碼找到文件路徑
連接 shell

$is_upload = false;
$msg = null;
// Pass-03: extension blacklist (listing truncated before the comparison
// against $deny_ext and the move). Only four extensions are denied, so any
// other extension the server's handler configuration happens to hand to the
// PHP interpreter is not blocked.
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // fold case before the check
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace

Pass-04#

繞過黑名單 -.htaccess

.htaccess#

.htaccess 是 Apache 服務的一個配置文件,負責相關目錄下的網頁配置
可實現網頁 301 重定向、自定義 404 錯誤頁面、改變文件擴展名、允許 / 阻止特定的用戶或者目錄的訪問、禁止目錄列表、配置默認文檔等功能。
其中.htaccess 文件內容:
SetHandler application/x-httpd-php
設置當前目錄所有文件都使用 PHP 解析,那麼無論上傳任何文件,只要文件內容符合 PHP 語言代碼規範,就會被當作 PHP 執行。不符合則報錯。
前提:伺服器為 Apache,且該目錄的 AllowOverride 允許 .htaccess 覆寫 handler 設定(FileInfo);一般還需要 PHP 以 mod_php 方式載入,若是 php-fpm 需另行確認 SetHandler 是否生效。本關的黑名單沒有包含 .htaccess,所以可以直接上傳。
故先上傳一個 .htaccess 的配置文件
然後再上傳一句話木馬(例如用 .jpg 後綴)
連接 shell

$is_upload = false;
$msg = null;
// Pass-04: longer extension blacklist (listing truncated before the
// comparison against $deny_ext and the move). $file_ext always starts with
// "." because it comes from strrchr() on the dot, so the two entries written
// without a leading dot, "php1" and "pHp1", can never match; ".htaccess" is
// not listed at all, which is the gap this pass's walkthrough uses.
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // fold case before the check
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace

Pass-05#

大小寫繞過
本關黑名單只列了 .pHp、.pHp5 這幾個固定的大小寫變體,而且在比對前沒有把後綴轉成小寫(對照上一關,比對前少了 strtolower 這一步,下方片段最後一行即為缺少的處理),所以改成 .Php、.PHP 之類其它大小寫組合就不在黑名單內;一般情況下 Windows 檔名不分大小寫、Apache 比對後綴也不分大小寫,文件仍會被當作 PHP 執行。

$is_upload = false;
$msg = null;
// Pass-05: the blacklist now includes ".htaccess", but only a handful of
// fixed mixed-case spellings (.pHp, .pHp5, ...). Listing truncated before
// the comparison. NOTE(review): the strtolower() line at the bottom is
// printed un-indented after the other steps, apparently marking the
// case-folding step this pass leaves out of the check; any other casing
// such as ".Php" then misses every entry — confirm against the full source.
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
$file_ext = strtolower($file_ext); // fold case (see note above)

Pass-06#

空格繞過
原理:Windows 建立文件時會自動去掉文件名末尾的空格,而本關在比對前沒有對後綴做 trim(下方片段中 $file_name 沒有 trim,去空的那一行也被放到了最後),所以 `.php ` 不在黑名單中,落地後卻變成 `.php`。
於是進行抓包,在文件後綴末尾添加一個空格
成功繞過(僅適用於 Windows;Linux 會保留末尾空格,文件不會被當作 .php 解析)

    // Pass-06: $file_name is taken without trim() here, and the trim of
    // $file_ext is printed un-indented at the bottom (listing truncated before
    // the comparison). NOTE(review): this appears to mark the whitespace
    // stripping the check lacks, so ".php " is not found in $deny_ext —
    // confirm against the full source.
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);// strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // fold case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix
$file_ext = trim($file_ext); // strip whitespace (see note above)

Pass-07#

. 號繞過
在後綴末尾加上一個 `.`(如 shell.php.),成功繞過。原理同上一關:本關在比對前沒有呼叫 deldot 去掉末尾的點,strrchr 取到的後綴是 `.`,不在黑名單中;Windows 建立文件時會自動去掉末尾的點,落地後變回 shell.php。

    // Pass-07: deldot() is printed un-indented at the bottom, after the
    // extension has already been extracted (listing truncated before the
    // comparison). NOTE(review): without it "shell.php." gives $file_ext
    // === "." from strrchr(), which is not in $deny_ext — confirm against
    // the full source.
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // fold case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
$file_name = deldot($file_name);// strip trailing dots (see note above)

Pass-08#

::$DATA 繞過
原理:在 Windows(NTFS)上,`文件名::$DATA` 表示該文件的預設數據流,寫入時 `::$DATA` 之後的部分不會成為文件名的一部分,實際落地的仍是 `::$DATA` 之前的文件名。本關在比對前沒有去掉 `::$DATA`(下方片段把這一步放到了最後),所以 `.php::$DATA` 不在黑名單中,效果和空格繞過相同,同樣只在 Windows 上有效。

    // Pass-08: the "::$DATA" removal is printed un-indented at the bottom
    // (listing truncated before the comparison). NOTE(review): if the check
    // runs without it, ".php::$DATA" is not in $deny_ext — confirm against
    // the full source.
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // fold case
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
$file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix (see note above)

Pass-09#

看看源碼,抓包修改後綴
在 php 後綴後面加上 `. .`(點、空格、點,如 shell.php. .)
成功上傳。原理:每個處理步驟只執行一次且順序固定——deldot 去掉末尾的點(遇到空格即停)得到 `shell.php. `,strrchr 取到 `. `,trim 後剩下 `.`,不在黑名單中;而 Windows 建立文件時會去掉末尾的點和空格,落地後就是 shell.php。

// Pass-09: every normalisation step is present, but each runs exactly once
// in this fixed order (listing truncated before the comparison). A name such
// as "shell.php. ." survives: deldot() stops at the space, strrchr() returns
// ". ", trim() leaves ".", which is not in $deny_ext. (Assumes deldot()
// strips only trailing dots, as its comment says.)
if (isset($_POST['submit'])) {

    if (file_exists(UPLOAD_PATH)) {

        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // fold case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS "::$DATA" stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace

GPT 分析:
該 PHP 代碼主要進行文件上傳:先判斷是否有通過 POST 請求提交表單(是否點擊了 submit 按鈕),然後檢查上傳目錄是否存在,並定義一個不允許上傳的文件類型數組 $deny_ext。接著獲取用戶上傳的文件名並刪除末尾的點,通過 strrchr 函數取得擴展名,再將其轉換為小寫、去除字符串 ::$DATA、首尾去空,以確保擴展名的一致性。最後(本文列出的片段截止於此,比對部分未列出)依據處理後的擴展名判斷:若在 $deny_ext 數組中則不允許上傳,否則可以上傳。

Pass-10#

根據提示可知,本關會把黑名單中的後綴字串從文件名中去除
即若上傳以上後綴的文件,該字串會被自動刪除
例如 hack.php --> hack.,後綴消失。
但 str_ireplace 只做一次、不遞迴的替換,利用雙寫即可繞過
雙寫格式應為 pphphp:中間的 php 被去掉後,剩下的 p 和 hp 重新拼成 php

// Pass-10: instead of rejecting the upload, every blacklisted string is
// deleted from the filename. str_ireplace() makes one non-recursive pass per
// needle (case-insensitive, all occurrences), so "hack.pphphp" becomes
// "hack.php": removing the inner "php" leaves "p" + "hp". Nothing is checked
// after the replacement; the result goes straight into the destination path.
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;  

ChatGPT:這段代碼的原理是用於限制文件類型的上傳以保護應用程序安全機制。該代碼將定義一個名為 $deny_ext 的數組,其中列出了不允許用戶上傳的文件類型。在上傳文件之前,代碼將獲取上傳文件的名稱,把名稱中所有出現在 $deny_ext 數組中的字串(不分大小寫、一次性全部)從名稱中移除,並將更改後的文件名重新賦值給 $file_name 變量。

接下來,代碼將從 $_FILES['upload_file']['tmp_name'] 變量中獲取臨時文件的路徑,並將它移動至 UPLOAD_PATH . '/' . $file_name(上方片段只列到拼接路徑為止,移動與結果判斷的代碼未列出)。此時,如果移動過程成功,應用程序將在後續代碼中標記上傳已完成($is_upload = true;),如果移動過程失敗,應用程序將輸出錯誤信息($msg = '上傳出錯!';)。

Pass-11 GET 00 截斷#

什麼是 00 截斷
無論是 0x00 還是 %00(GET 參數會被 URL 解碼),最終被解析後都是一個東西:chr(0)
chr() 是個函數,用來返回參數所對應的字符,也就是說,參數是一個 ASCII 碼,返回的值是一個字符,類型為 string。
chr(0) 對應 NULL(空字符)
PHP 的文件系統函數最終把路徑交給 C 語言層處理,而 C 字符串以空字符結尾,所以路徑中第一個空字符之後的內容會被直接丟棄。
00 截斷成立的條件:

  1. 路徑拼接直接使用了可控的字符串(本關是 save_path,服務端自行生成的文件名部分反而在空字符之後被丟棄)
  2. 文件路徑可控
  3. PHP 版本較舊(較新的 PHP 會拒絕含有空字符的路徑,move_uploaded_file 直接失敗,需確認目標版本),且 magic_quotes_gpc 未開啟
    根據提示可知上傳路徑可控
    那麼找到文件上傳路徑
<?php
// Pass-11 (GET null-byte truncation). The extension whitelist below only
// looks at the text after the last "."; the directory half of the
// destination path is taken verbatim from $_GET['save_path'], so the
// client chooses where the file is written.
include '../config.php';
include '../head.php';
include '../menu.php';
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    // Text after the last "." (no case-folding). If the name has no ".",
    // strrpos() returns false and false + 1 === 1, so this yields the name
    // minus its first character rather than an empty extension.
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // Only the basename is generated server-side; the directory prefix is
        // attacker-controlled. A null byte inside save_path ends the path at
        // the C level, which is the truncation the walkthrough relies on.
        // NOTE(review): newer PHP releases reject paths containing NUL in
        // filesystem calls — confirm the target version.
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上傳出錯!';
        }
    } else{
        $msg = "只允許上傳.jpg|.png|.gif類型文件!";
    }
}
?>

GPT 分析:
這段 PHP 代碼包含了一個簡單的文件上傳功能:

  1. 首先,通過 include 語句引入了 config.php、head.php 和 menu.php 等其它文件。
  2. 接著,程序檢查是否有 POST 數據提交,如果有,則繼續執行;否則不做任何操作。
  3. 這裡定義了一個允許上傳的文件類型數組 $ext_arr,包含三種文件類型:jpg、png 和 gif。後面會用到。
  4. 程序通過 $_FILES 數組獲取上傳的文件名,並把最後一個 "." 之後的部分作為擴展名存儲在變量 $file_ext 中(沒有轉小寫;若文件名沒有 ".",strrpos 返回 false,取到的是文件名去掉首字符的部分)。
  5. 如果 $file_ext 在 $ext_arr 數組中,則說明上傳的文件類型符合要求,可以進行上傳操作。
  6. 將臨時文件存儲在 $temp_file 變量中,並使用 rand() 函數生成一個隨機數和當前日期時間作為新文件名,再加上原來的文件擴展名作為文件路徑,存儲在 $img_path 變量中;注意目錄部分直接取自 $_GET['save_path'],由客戶端控制,這正是本關可被 00 截斷利用的地方。
  7. 使用 move_uploaded_file() 函數進行文件上傳操作,如果上傳成功,則 $is_upload 變量設置為 true;否則,$msg 變量設置為 "上傳出錯!"。
  8. 如果文件類型不符合要求,則 $msg 變量設置為 "只允許上傳.jpg|.png|.gif 類型文件!"。

Pass-12 POST 00 截斷#

同樣是 00 截斷,但 save_path 改由 POST 的表單欄位傳入
通過 burp 抓包
在 Hex 視圖中修改:本關 save_path 是 multipart/form-data 表單中的欄位,其值不會像 GET 參數那樣被 URL 解碼,直接寫 %00 只是三個普通字符(25 30 30),必須把它們改成一個真正的 0x00 位元組
即可上傳
kuku.png
