Download address
Note: it can only be opened in VirtualBox; add a second network adapter and switch it to bridged mode.
https://download.vulnhub.com/tophatsec/Zorz.ova
Hands-on walkthrough
Find the target machine's IP
Scan which ports the target has open
The target has port 80 open, so open port 80 in the browser.
Clicking the hyperlinks reveals three upload pages.
PHP web shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
The first one
Uploading the file directly succeeds.
The problem is that we don't know which path it landed in, so we need to brute-force directories; this turns up an uploads2 folder.
After opening it, the file is not in there; thinking laterally, we try uploads1 and successfully get a reverse shell.
Looking at the source code, this page simply moves the uploaded file into place without any validation at all.
$ cat uploader.php
<?php
// No type, size or name validation: whatever is posted lands in uploads1/ under its original name
$uploaddir = '/var/www/html/uploads1/';
$uploadfile = $uploaddir . basename($_FILES['upfile']['name']);
echo "<p>";
if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Upload failed";
}
echo "</p>";
echo '<pre>';
echo 'Here is some more debugging info:';
print_r($_FILES);
print "</pre>";
?>
The second one
When I upload the web shell directly, the system says only image files may be uploaded.
The bypass is simple as well: prepend a GIF header (GIF89a) to the web shell.
The upload fails, so change the file extension.
The upload succeeds.
The reverse shell connects successfully.
Looking at the source code, the upload is gated by the imageFileType variable, i.e. by the file extension alone.
$ cat uploader2.php
<?php
$target_dir = "/var/www/html/uploads2/";
$target_file = $target_dir . basename($_FILES["upfile"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file, PATHINFO_EXTENSION);

// Check if image file is an actual image or fake image
// (note: this check only runs when the "submit" field is present in the POST)
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["upfile"]["tmp_name"]);
    if ($check !== false) {
        echo "Success! " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}

// Check file size
if ($_FILES["upfile"]["size"] > 5000000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}

// Allow certain file formats (decided purely by the client-supplied extension)
if ($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
    && $imageFileType != "gif") {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["upfile"]["tmp_name"], $target_file)) {
        echo "The file " . basename($_FILES["upfile"]["name"]) . " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
The third one
However, the third page won't open: its jQuery link points at Google. Awkward!!!
Forget it, let's go straight to the source code. It shows the uploaded file must be an image with a .jpeg, .jpg or .png extension and smaller than 100 KB.
$ cat uploader3.php
<?php
header('Content-Type: text/plain; charset=utf-8');

try {
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
        is_array($_FILES['upfile']['error'])
    ) {
        throw new RuntimeException('Invalid parameters.');
    }

    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
        default:
            throw new RuntimeException('Unknown errors.');
    }

    // You should also check filesize here.
    if ($_FILES['upfile']['size'] > 1000000) {
        throw new RuntimeException('Exceeded filesize limit.');
    }

    // DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
    // Check MIME Type by yourself.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (false === $ext = array_search(
        $finfo->file($_FILES['upfile']['tmp_name']),
        array(
            'jpg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    )) {
        throw new RuntimeException('Invalid file format.');
    }

    // You should name it uniquely.
    // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
    // On this example, obtain safe unique name from its binary data.
    if (!move_uploaded_file(
        $_FILES['upfile']['tmp_name'],
        sprintf('./uploads/%s.%s',
            sha1_file($_FILES['upfile']['tmp_name']),
            $ext
        )
    )) {
        throw new RuntimeException('Failed to move uploaded file.');
    }

    echo 'File is uploaded successfully.';
} catch (RuntimeException $e) {
    echo $e->getMessage();
}
?>
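The three handlers differ in what they trust: uploader.php trusts nothing and checks nothing, uploader2.php trusts the client-supplied extension, and uploader3.php sniffs the bytes and derives both the stored name and the extension on the server. The following Python model is an added example, not code from the write-up or from the Zorz VM; the policy functions, the hardened_accept combination and the sample uploads are all constructed here, and the GIF-header sample stands in for the trick the post describes without containing any shell code. It runs each sample through the three policies plus a hardened policy that combines the checks a defender wants (size limit, extension allowlist, magic bytes that agree with the extension, a scan for a PHP open tag, and a server-chosen name).

```python
"""Added example (not from the Zorz write-up): model the upload policies of
uploader.php, uploader2.php, uploader3.php and a hardened combination, then run
constructed sample uploads through each to see what gets through."""
import hashlib
import os
import re

# Extension -> canonical image type, mirroring the allowlist in uploader3.php
CANON = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Magic-byte prefixes used to sniff the real content type (what finfo looks at)
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 100 * 1024                                  # the 100 KB limit quoted for page three
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # PHP open tags inside the body


def extension_of(filename):
    """Lower-cased extension of the client-supplied name ('' if none)."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def sniff_type(data):
    """Return 'jpeg', 'png' or 'gif' from the leading bytes, else None."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def policy_none(filename, data):
    """uploader.php: move_uploaded_file with no checks at all."""
    return True


def policy_extension(filename, data):
    """uploader2.php: only the client-supplied extension is consulted."""
    return extension_of(filename) in CANON


def policy_content(filename, data):
    """uploader3.php: the bytes are sniffed; the stored extension comes from the
    sniffed type, so a script with an image header is stored as an image."""
    return sniff_type(data) is not None


def hardened_accept(filename, data):
    """Defender's combination of the checks. Returns (accepted, reason_or_safe_name)."""
    if not data or len(data) > MAX_BYTES:
        return False, "bad size"
    ext = extension_of(filename)
    if ext not in CANON:
        return False, "extension not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "not an image"
    if CANON[ext] != kind:
        return False, "extension does not match content"
    if PHP_TAG.search(data):
        return False, "PHP open tag inside image"
    # Name derived from the bytes, extension from the sniffed type, never from the client
    return True, hashlib.sha256(data).hexdigest() + "." + kind


# Constructed sample uploads; a PHP comment stands in for any payload
SAMPLES = {
    "shell.php": b"<?php /* constructed: plain script */ ?>",
    "shell_gifhdr.php": b"GIF89a<?php /* constructed: GIF header prepended */ ?>",
    "shell_gifhdr.gif": b"GIF89a<?php /* constructed: header prepended and renamed */ ?>",
    # A minimal hand-built 1x1 GIF
    "photo.gif": (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                  b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"),
}


def evaluate(samples=SAMPLES):
    """For every sample, report which policy would accept it."""
    return {
        name: {
            "none": policy_none(name, data),
            "extension": policy_extension(name, data),
            "content": policy_content(name, data),
            "hardened": hardened_accept(name, data)[0],
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:18} " + "  ".join(f"{k}={'ok' if v else 'NO'}" for k, v in verdicts.items()))
```

Running it shows the progression described in the post: the first policy accepts everything, the extension-only policy is satisfied by a renamed file regardless of its bytes, and byte sniffing alone still accepts a script with an image header (uploader3.php gets away with that only because it also rewrites the extension to the sniffed type). The hardened policy rejects all three constructed bypass samples and accepts the real GIF under a hash-based name. The PHP-tag scan is a cheap signal, not a guarantee; re-encoding images server-side and storing uploads outside the web root are the stronger complements.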
Source: freebuf.com 2019-11-14 18:25:09 by: 陌度