upload-labs搭建及前11关过关教程
Posted 墨子辰
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了upload-labs搭建及前11关过关教程相关的知识,希望对你有一定的参考价值。
目录
- 使用phpstudy搭建Uploads-labs
- 第一关:JS绕过
- 第二关:文件类型绕过
- 第三题:php3绕过
- 第四关:.htaccess
- 第五关:逻辑绕过
- 第六关:大写绕过
- 第七关:空格绕过
- 第八关:点空格点绕过
- 第九关:::$DATA绕过(windows)
- 第十关:逻辑绕过
- 第十一关:双写绕过
使用phpstudy搭建Uploads-labs
链接:https://pan.baidu.com/s/1lMRBVdQyFuKOgNlWPUoSSQ
提取码:8mmv
下载后,解压修改名字:upload-labs,然后移动到phpstudy网站目录:phpstudy\\www(根据自己的网站目录决定),若网站根目录下存在多个目录,记得打开允许目录列表,打开方法:其他选项菜单—phpStudy设置—允许目录列表。在upload-labs目录下创建一个upload文件夹
启动phpstudy在浏览器输入:http://localhost/upload-labs/ 或者:http://127.0.0.1/upload-labs/
第一关:JS绕过
源代码如下
function checkFile()
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "")
alert("请选择要上传的文件!");
return false;
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1)
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
从源代码来看,这里是用前端代码来判断的允许上传文件的名单(白名单)验证
我们需要做的只是添加上.php文件即可
上传的时候打开burp抓包发送到repeater模块点击go
能够看见a.php已经上传成功
打开菜刀链接即可
使用 AntSword(中国蚁剑) 链接也是可以的
第二关:文件类型绕过
先看给的源代码
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
if (file_exists(UPLOAD_PATH))
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path))
$is_upload = true;
else
$msg = '上传出错!';
else
$msg = '文件类型不正确,请重新上传!';
else
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
从源码来看,这里只是对文件类型进行了判断 Content-Type
我们上传时,用burp抓包修改Content-Type为:image/jpg 即可绕过
接下来就算和第一题一样,用菜刀链接即可
第三题:php3绕过
做题之前,先说说白名单和黑名单
白名单限制:通俗一点来说就是允许上传的名单,白名单限制的特点就是只允许上传指定的文件,这总时候绕过的招式就很少了,常见的是%00截断上传,但是它上传上去并不能解析为php,这时候需要找到解析漏洞或者包含漏洞才能触发小马
黑名单限制:不允许上传的名单,黑名单限制就是除了规定的文件不能上传外,其它文件都可以上传,这总时候,绕过的方式就很多了,常见的有大小写绕过,双写绕过,如果是php还能php3 php4 php5 phtml 等方式
源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
if (file_exists(UPLOAD_PATH))
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext))
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path))
$is_upload = true;
else
$msg = '上传出错!';
else
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
else
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
本题属于黑名单限制,从源代码中可以看出,限制了.asp,.aspx,.php,.jsp文件
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
代码说明:上传文件的时候判断类型,然后去除文件末尾的点,然后将文件名全变为小写再去掉文件名后面的空格
这里我们就不能用大小写绕过的方式去绕过
在这里我们只需要避开上传就好,这里方式很多-> php3、php4等
在这里如果复现不成功,打开phpstudy->其它选项菜单->打开配置文件夹->httpd-conf
ctrl+F查找 application/x-httpd-php
再后面添加.php3 php4 php5 phtml即可
如果没有找到,把下面一行代码加入httpd-conf即可
AddType application/x-httpd-php .php .html .phtml
第四关:.htaccess
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
if (file_exists(UPLOAD_PATH))
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext))
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path))
$is_upload = true;
else
$msg = '上传出错!';
else
$msg = '此文件不允许上传!';
else
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
源代码看似把几乎所有的文件都限制了,仔细看它漏掉了.htaccess
关于.htaccess 大家第一次看见,在这给大家详细讲解一下
1.创建htaccess文件,编辑内容为:
SetHandler application/x-httpd-php
然后再上传shell.jpg的木马, 这样shell.jpg就可解析为php文件。
2.编辑内容为:
<FilesMatch “jpg”>
SetHandler application/x-httpd-php
指定文件名的文件,才能被当做PHP解析.
.htaccess上传成功后上传图片马
菜刀链接就OK
第五关:逻辑绕过
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
if (file_exists(UPLOAD_PATH))
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext))
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path))
$is_upload = true;
else
$msg = '上传出错!';
else
$msg = '此文件类型不允许上传!';
else
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
这一关看起来无从下手,但是他有个逻辑漏洞
程序先是去除文件名前后的空格,再去除文件名最后所有的.,再通过strrchar来寻找.来确认文件名的后缀,但是最后保存文件的时候没有重命名而使用的原始的文件名,导致可以利用类似a.php. .(两个点号之间有一个空格)绕过
第六关:大写绕过
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
if (file_exists(UPLOAD_PATH))
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', 新upload-labs 1-19关过关思路
Upload-labs(1-21关详细教程)简单易懂万字教程