Upload vulnerabilities: Upload-Labs 6 and 7, hands-on notes

The philosopher Heraclitus said, "No man ever steps in the same river twice." The saying captures the ever-changing nature of things: yesterday's me has already died, today's me is alive, and tomorrow's me is still being born. The one who died yesterday was in love with girl A, today's me is madly in love with girl B, and tomorrow's me thinks that Russian girl in your year called Ling has a rather nice figure and face! Every day I am brand new; whenever I love a girl I do it wholeheartedly, but I cannot stop myself from dying again and again.

Black-box testing

Uploading m.php returns "this file type is not allowed". I kept trying variations of the extension (Php, PHP, PhP and so on), all refused, so I guessed the case is being normalised (the code lowercases the uploaded file's extension). Uploading a .htaccess did not work either, nor did changing the Content-Type, so the code-layer filtering apparently cannot be bypassed directly; time to try some server-layer parsing quirks.

Lab 1 of this series covered most of the server-layer parsing vulnerabilities, and fingerprinting shows the server is Windows, so let's try the Windows extension-handling quirks.

Uploading m.php. is refused, so the code layer already strips trailing dots from the extension. Trying m.php[space] succeeds. In other words, the code strips only the trailing dot of the extension and not a trailing space, and because Windows naming rules drop trailing spaces, the file is stored as m.php.

Running the same routine against Lab 7 shows the opposite: trailing spaces after the extension are stripped, but trailing dots are not.

Since Labs 6 and 7 each strip only one of the two characters (trailing dot or trailing space) from the extension, you can upload m.php.[space].[space]; that filename is accepted by both labs.

White-box testing

Lab 6

if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
    $file_name = $_FILES['upload_file']['name'];
    $file_name = deldot($file_name);              // strip trailing dots from the file name (spaces are left alone)
    $file_ext = strrchr($file_name, '.');          // everything from the last dot onwards
    $file_ext = strtolower($file_ext);             // convert to lowercase
    $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
    // ... the blacklist check against $deny_ext and the file move follow (not reproduced in these notes)
}

Lab 7

if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
    $file_name = trim($_FILES['upload_file']['name']); // trim whitespace from the file name (dots are left alone)
    $file_ext = strrchr($file_name, '.');          // everything from the last dot onwards
    $file_ext = strtolower($file_ext);             // convert to lowercase
    $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
    $file_ext = trim($file_ext);                   // trim leading/trailing whitespace
    // ... the blacklist check against $deny_ext and the file move follow (not reproduced in these notes)
}

Same filtering mechanism as the earlier labs: a blacklist, with the uploaded file's extension normalised by lowercasing it, stripping either a trailing dot (Lab 6) or trailing whitespace (Lab 7), and removing the string ::$DATA. Neither lab strips both characters, and neither decides on the name Windows will actually store.
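To make the gap concrete, here is an added model of both labs' extension normalisation, re-implemented in Python for illustration (this is not the labs' own PHP code; deldot() is modelled as stripping trailing dots only when the name ends with one, and the blacklist is a subset). It also shows the name Windows would store and a hardened check that normalises the same way the filesystem does and whitelists instead of blacklisting.

```python
import os
import re

# Subset of the labs' blacklist; the real list is longer but the logic is the same.
DENY_EXT = {".php", ".php5", ".php4", ".php3", ".phtml", ".html", ".htm", ".htaccess"}
ALLOW_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # whitelist used by the hardened check
PHP_TRIM = " \t\n\r\0\x0b"                       # characters PHP's trim() removes by default

def strrchr(s, ch):
    """PHP strrchr(): the tail of s starting at the last ch, or '' if ch is absent."""
    i = s.rfind(ch)
    return s[i:] if i >= 0 else ""

def deldot(name):
    """Modelled deldot() from Lab 6: strip trailing dots, but only if the name ends with a dot."""
    return name.rstrip(".") if name.endswith(".") else name

def lab6_ext(name):
    """Lab 6: trailing dots removed, lowercased, ::$DATA removed; trailing spaces untouched."""
    ext = strrchr(deldot(name), ".").lower()
    return re.sub(r"::\$data", "", ext, flags=re.I)

def lab7_ext(name):
    """Lab 7: name trimmed, lowercased, ::$DATA removed, extension trimmed; trailing dots untouched."""
    ext = strrchr(name.strip(PHP_TRIM), ".").lower()
    return re.sub(r"::\$data", "", ext, flags=re.I).strip(PHP_TRIM)

def lab_allows(ext_fn, name):
    """True when the lab's blacklist would let the upload through."""
    return ext_fn(name) not in DENY_EXT

def windows_stored_name(name):
    """Win32 naming rules drop trailing spaces and dots, so this is the name that lands on disk."""
    return name.rstrip(" .")

def hardened_allows(name):
    """Decide on the name the filesystem will store, and whitelist instead of blacklist."""
    base = name.split("::", 1)[0]          # discard any NTFS stream suffix such as ::$DATA
    base = windows_stored_name(base)       # strip every trailing dot and space, interleaved or not
    ext = os.path.splitext(base)[1].lower()
    return ext in ALLOW_EXT

if __name__ == "__main__":
    for n in ["m.php", "m.php ", "m.php.", "m.php. . "]:   # constructed sample names
        print(repr(n), "lab6:", lab_allows(lab6_ext, n), "lab7:", lab_allows(lab7_ext, n),
              "stored as:", repr(windows_stored_name(n)), "hardened:", hardened_allows(n))
```

Running it shows m.php[space] slipping past Lab 6, m.php. past Lab 7, and m.php.[space].[space] past both, while every one of them is stored as m.php and rejected by the hardened check.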

When uploading a webshell, the first step is always to fingerprint the server and consider both server-layer parsing vulnerabilities and code-layer weaknesses. At the code layer it comes down to blacklists, case normalisation and file renaming; at the server layer there are only a handful of parsing quirks. Only by combining them flexibly does an upload succeed. And during the upload the only responses are "not allowed" and "upload successful", with no further information to probe, so it is a matter of guessing and testing over and over.


Copyright notice

LangZi_Blog's, created and maintained by 浪子LangZi (Jy Xie), is licensed under a Creative Commons BY-NC-ND 4.0 International License.
This article was first published on the Langzi_Blog's blog ( http://langzi.fun ). All rights reserved; infringement will be pursued.
