web_安全_文件上传漏洞
pass 1
上传文件发现会弹窗提示
然后直接f12找到上传按钮所在的代码,将onsubmint事件删除即可
pass 2
发现上传时提示我们文件不允许上传,猜测是服务器端对文件的mime类型进行了验证
直接抓包修改mime类型为image/jpg,即可上传成功
pass 3
不允许上传.asp,.aspx,.php,.jsp后缀文件,但是可以上传其他任意后缀
.php .phtml .phps .php5 .pht
1
前提是apache的httpd.conf中有如下配置代码
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
或者上传.htaccess文件
需要:1.mod_rewrite模块开启。2.AllowOverride All
文件内容
<FilesMatch “shell.jpg”> SetHandler application/x-httpd-php
此时上传shell.jpg文件即可被当作php来解析。
刚开始看到上传后文件名被替换成当前时间加一个随机数,还想该怎么访问到这个上传到的文件,突然看到上传的文件会被当图片显示到页面上,直接就可以获取到文件现在的路径和文件名。。。
pass 4
考点:.htaccess绕过
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}
过滤了各种罕见后缀
但是没有过滤.htaccess
上传.htaccess文件
需要:1.mod_rewrite模块开启。2.AllowOverride All
文件内容
<FilesMatch "shell.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
此时上传shell.jpg文件即可被当作php来解析。
pass 5
考点:没有将输入全部转换为大写或小写的过滤步骤;
$is_upload = false;
msg=null;if(isset(msg = null; if (isset(msg=null;if(isset(_POST[‘submit’])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
filename=trim(file_name = trim(filename=trim(_FILES[‘upload_file’][‘name’]);
filename=deldot(file_name = deldot(filename=deldot(file_name);//删除文件名末尾的点
fileext=strrchr(file_ext = strrchr(fileext=strrchr(file_name, ‘.’);
fileext=strireplace(′::file_ext = str_ireplace('::fileext=strireplace(′::DATA’, ‘’, fileext);//去除字符串::file_ext);//去除字符串::fileext);//去除字符串::DATA
fileext=trim(file_ext = trim(fileext=trim(file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}
} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
1
————————————————
跟pass4的过滤一样,过滤了全部的后缀名,并且也过滤了.htaccess后缀,将上传文件的文件名修改为当前的时间加一个随机数
但是这里跟pass4相比没有将文件后缀名转换为小写,所以可以使用大小写绕过黑名单,如Php
什么是.htaccess
如何有效的应用.htaccess
pass 6考点:windows下保存文件使会自动去除文件后缀名后面的空格或点,所以如果代码里没有首尾去空的过滤,则可以拦截后,在后缀名后面加一个空格或点$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件不允许上传';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}
————————————————与之前的代码比较发现少了一个首尾去空的步骤://首尾去空Win下xx.jpg[空格] 或xx.jpg.这两类文件都是不允许存在的,若这样命名,windows会默认除去空格或点 此处会删除末尾的点,但是没有去掉末尾的空格因此上传一个.php空格文件即可(注意是在burpsuite里修改,因为在windows下修改保存时都会自动删除空格或点)。pass 7考点:windows里文件后缀名后面加点$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';}
}
在这里插入代码片
与pass6是同一种类型,没有删除文件后缀名后面可能存在的点的步骤;
//删除文件名末尾的点burp拦截加点
pass 8
考点:::$DATA
$is_upload = false;
msg=null;if(isset(msg = null; if (isset(msg=null;if(isset(_POST[‘submit’])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
filename=trim(file_name = trim(filename=trim(_FILES[‘upload_file’][‘name’]);
filename=deldot(file_name = deldot(filename=deldot(file_name);//删除文件名末尾的点
fileext=strrchr(file_ext = strrchr(fileext=strrchr(file_name, ‘.’);
fileext=strtolower(file_ext = strtolower(fileext=strtolower(file_ext); //转换为小写
fileext=trim(file_ext = trim(fileext=trim(file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}
} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
//去除字符串::DATA
所以可以尝试::$DATA绕过
是在php+windows的情况下:如果文件名+"::DATA"会吧::DATA之后的数据当成文件流处理,不会检测后缀名.且保持"::$DATA"之前的文件名。
``
pass 9
考点:空格+.绕过
$is_upload = false;
msg=null;if(isset(msg = null; if (isset(msg=null;if(isset(_POST[‘submit’])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
filename=trim(file_name = trim(filename=trim(_FILES[‘upload_file’][‘name’]);
filename=deldot(file_name = deldot(filename=deldot(file_name);//删除文件名末尾的点
fileext=strrchr(file_ext = strrchr(fileext=strrchr(file_name, ‘.’);
fileext=strtolower(file_ext = strtolower(fileext=strtolower(file_ext); //转换为小写
fileext=strireplace(′::file_ext = str_ireplace('::fileext=strireplace(′::DATA’, ‘’, fileext);//去除字符串::file_ext);//去除字符串::fileext);//去除字符串::DATA
fileext=trim(file_ext = trim(fileext=trim(file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}} else {$msg = '此文件类型不允许上传!';}
} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
这里代码与之前的差距在于上传后保存的文件名为用户上传的文件名,这样就可以有我们操纵
可以使用.php.空格.绕过,会自动过滤最后一个点,但最后保存时,windows户哦自动去除剩下的空格和点
pass 10
考点:双写绕过
$is_upload = false;
msg=null;if(isset(msg = null; if (isset(msg=null;if(isset(_POST[‘submit’])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(“php”,“php5”,“php4”,“php3”,“php2”,“html”,“htm”,“phtml”,“pht”,“jsp”,“jspa”,“jspx”,“jsw”,“jsv”,“jspf”,“jtml”,“asp”,“aspx”,“asa”,“asax”,“ascx”,“ashx”,“asmx”,“cer”,“swf”,“htaccess”);
$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name; if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错!';}
} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
使用.pphphp绕过,
pxxxhp被过滤掉,所以就剩下php
总结:
1.最后都是变为php,
kail菜单链接(两种方式)
1.使用webacoo
生成webshell:weabacoo -g -o webshell.php生成以后,可以修改文件名使用Burpsutie使用webacoo链接上传的websell:webacoo -t -u “url”2.使用weevely生成webshell并上传
生成weevely generate 密码 路径 文件名链接:weevely shell文件地址 密码
本文转载地址:https://blog.csdn.net/qq_41289254/article/details/93411567
web_安全_文件上传漏洞相关推荐
- .hpp文件_文件上传漏洞另类绕过技巧及挖掘案例全汇总
文件上传漏洞作为获取服务器权限最快的方式,虽然相关资料很多,但很多人对上传校验方式.如何针对性绕过检测.哪种上传和解析的场景会产生危害等还是比较模糊.本文作一些阐述,然后补充一些除了上传webshel ...
- java 文件上传漏洞_文件上传漏洞(绕过姿势)
文件上传漏洞可以说是日常渗透测试用得最多的一个漏洞,因为用它获得服务器权限最快最直接.但是想真正把这个漏洞利用好却不那么容易,其中有很多技巧,也有很多需要掌握的知识.俗话说,知己知彼方能百战不殆,因此 ...
- nginx 上传文件漏洞_文件上传漏洞,解析漏洞总结
文件上传漏洞.解析漏洞总结 1.文件上传漏洞是什么 文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力.常见场景是web服务器允许用户上传图片或者普通文本文件 ...
- java 文件上传漏洞_文件上传漏洞(File Upload)
简介 File Upload,即文件上传漏洞,通常是由于对用户上传文件的类型.内容没有进行严格的过滤.检查,使得攻击者可以通过上传木马,病毒,恶意脚本等获取服务器的webshell权限,并进而攻击控制 ...
- java防止文件上传_文件上传漏洞:getshell的最好方式,我们如何防御?
我相信,你在开发Web应用时,后端一定会提供文件的上传功能,比如前端页面肯定有图片的展示,后端必定会提供图片的上传入口.但是,你在做文件上传功能时,是否考虑过它的安全性问题呢? 请看下面的代码: @P ...
- nginx 上传文件漏洞_文件上传漏洞小结
1 概念 上传文件时,服务器端脚本语言,未对上传的文件进行严格的验证和过滤,就有可能上传恶意的脚本文件,从而控制整个网站,甚至是服务器. 2 危害 • 网站被控制,对文件增删改查,执行命令,链接数据库 ...
- Web安全 文件上传漏洞的 测试和利用.(上传一个图片或文件 拿下服务器最高权限.)
文件上传漏洞的概括 现在大多的网站和Web应用系统都会有上传功能(比如:文档,图片,头像,视频上传等.),而程序员在开发文件上传功能时,没有对代码做严格校验上传文件的后缀和文件类型. 此时攻击者就可以 ...
- 太厉害了,终于有人能把文件上传漏洞讲的明明白白了
大家好! 我是小黄,很高兴又跟大家见面啦 ! 拒绝水文,从我做起 !!!! 未经允许,禁止转载 ,违者必究!!!! 本实验仅适用于学习和测试 ,严禁违法操作 ! ! ! 今天更新的是: P7 漏洞类型 ...
- fckeditor漏洞_三十,文件上传漏洞、编辑器漏洞和IIS高版本漏洞及防御
一.编辑器漏洞 1.编辑器 编辑器属于第三方软件,它的作用是方便网站管理员上传或编辑网站上的内容,类似我们电脑上的Word文档. 编辑器通常分为两种情况: (1) 不需要后台验证,可以直接在前台访问且 ...
最新文章
- 人工智能顶级会议ICLR取消线下会议:远程出席、视频演讲
- [重构到模式-Chain of Responsibility Pattern]把Fizz Buzz招式重构到责任链模式
- php5.3二进制包,php使用pack处理二进制文件的方法
- video自动全屏播放
- java 发送带basic认证的http post请求实例代码_图解HTTP学习笔记(八)—确认访问用户身份的认证...
- 大数据从业10年,从一个BI项目的失败,看到数据治理的重要性
- Asterisk 11 chan_sip.c: Failed to authenticate device 看不到IP的问题
- ic读卡器设置工具_每日学习:数字IC设计EDA软件教程整理
- 获取css style值
- MATLAB矩阵的平均值和最大值
- UIWebView的使用---safri
- linux的PS3模拟器下载,PS3模拟器
- 如何提高服务器并发能力
- Vertical roller mill lead blast furnace slag processing equipment
- 高德地图api调用demo_一 (1)高德SDK的使用
- 华为服务器文件升级失败,升级连接服务器失败
- 来瞧一瞧unshift和push的用法及“性能“对比
- python适合做网站吗_怎么用python做网站
- Ubuntu16.04+CUDA8.0+cudnn5.1+TensorFlow-GPU详细安装步骤
- 立体字3D字体数字设计|造型艺术字,灵感来源,速码!
热门文章
- 错误代码大全【100(临时响应)】【200(成功)】【300(已重定向)】【400(请求错误)】【500(服务器错误)】(HTTP协议版本)
- 如何修改Xshell默认存储路径
- 如何诊断RAC数据库上的“IPC Send timeout”问题?
- Mysql错误1366 - Incorrect integer value解决方法
- 面试不知道如何回答这六大知识点,你还敢说熟悉MySQL?
- 牛客网——今年的第几天
- canvas学习之API整理笔记(一)
- Android使用CountDownTimer倒计时
- MySQL根被拒绝_[转载]phpMyAdmin 尝试连接到 MySQL 服务器,但服务器拒绝连接。...
- python 迭代详解_详解python中的迭代