Upload Vulnerabilities: Upload-Labs Pass-05 Hands-on Notes

“Do you know that people here are now sorted into gao-fu-shuai (tall, rich, handsome) and diaosi (losers)? A gao-fu-shuai is the kind of guy pretty girls fight to throw themselves at; when that fails or they get dumped, they go and cry to the boy who likes them but whom they look down on, and that boy is a diaosi.” “When they accidentally get pregnant by a gao-fu-shuai, the diaosi sadly takes them to the hospital and comforts them; once they have recovered they go off to find another gao-fu-shuai, and when the diaosi leaves them messages on QQ they never reply again...”

Black-box testing

I tried uploading the webshell file m.php and got the message that this file type is not allowed. So I kept changing the extension; renaming it to m.PHp, it uploaded straight away, to my surprise... Reading the source afterwards showed why: that exact spelling simply is not in the blacklist.

Then I captured the request in Burp and ran it through the Intruder module, using every extension in every combination of upper and lower case as the wordlist.

The upload does indeed succeed. In a real engagement this approach is only a starting point; each case has to be analysed and handled on its own terms.

White-box testing

<?php
// Fragment of the Pass-05 upload handler; deldot() is defined in the lab's common.php
if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');                // everything from the last dot onwards
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // strip the string ::$DATA (NTFS stream suffix)
        $file_ext = trim($file_ext);                         // strip leading and trailing whitespace
        // ... $file_ext is then compared against $deny_ext and the file is saved if it is not listed
}

As in Pass-03 and Pass-04, this is a blacklist: no extension in the $deny_ext array may be uploaded, and a few mixed-case spellings such as pHp are listed too. Look closely, though: nothing in the code converts the extension to lower case, so m.PHp happens not to be in the blacklist. Luck is part of skill, but more usefully: when m.pHp is refused, suspect a blacklist and keep trying m.Php, m.PHP, m.phP and so on.
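To make the root cause concrete, here is an added example (my own code, not upload-labs' source): the lab's case-sensitive blacklist check is reproduced beside a hardened validator that lower-cases the extension and accepts only a short allow-list. The function names, the stripTrailingDots() stand-in for the lab's deldot(), the allow-list contents and the sample file names are all assumptions made for this illustration.

```php
<?php
// Added example, not upload-labs code. Shows why a case-sensitive blacklist fails
// and how an allow-list with case normalisation closes the gap.

// The lab's deny list, reproduced as shown in the source above.
const DENY_EXT = ['.php','.php5','.php4','.php3','.php2','.html','.htm','.phtml',
    '.pHp','.pHp5','.pHp4','.pHp3','.pHp2','.Html','.Htm','.pHtml','.jsp','.jspa',
    '.jspx','.jsw','.jsv','.jspf','.jtml','.jSp','.jSpx','.jSpa','.jSw','.jSv','.jSpf',
    '.jHtml','.asp','.aspx','.asa','.asax','.ascx','.ashx','.asmx','.cer','.aSp','.aSpx',
    '.aSa','.aSax','.aScx','.aShx','.aSmx','.cEr','.sWf','.swf','.htaccess'];

// Assumed allow-list: only the types this application actually needs.
const ALLOW_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Stand-in for the lab's deldot(): drop trailing dots from the name (assumption).
function stripTrailingDots(string $name): string {
    return rtrim($name, '.');
}

// Vulnerable check, mirroring Pass-05: the comparison is case-sensitive and the
// extension is never lower-cased, so any case variant missing from the list passes.
function blacklistAllows(string $fileName): bool {
    $name = stripTrailingDots(trim($fileName));
    $ext  = strrchr($name, '.');
    $ext  = str_ireplace('::$DATA', '', $ext === false ? '' : $ext);
    $ext  = trim($ext);
    return !in_array($ext, DENY_EXT, true);
}

// Hardened check: strip the NTFS stream suffix and whitespace, lower-case the
// extension, require it to be a plain token, then consult the allow-list.
function allowlistAllows(string $fileName): bool {
    $name = stripTrailingDots(trim($fileName));
    $name = str_ireplace('::$DATA', '', $name);
    $dot  = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return false;   // no extension, or a dot-file such as .htaccess
    }
    $ext = strtolower(trim(substr($name, $dot + 1)));
    if (!preg_match('/^[a-z0-9]+$/', $ext)) {
        return false;   // anything that is not a plain alphanumeric token
    }
    return in_array($ext, ALLOW_EXT, true);
}

// Constructed sample names: the variants from the walkthrough plus benign ones.
$samples = ['m.php', 'm.pHp', 'm.PHp', 'm.PHP', 'm.php::$DATA', 'm.php.',
            '.htaccess', 'photo.JPG', 'photo.png', 'notes'];

printf("%-14s %-10s %-10s\n", 'name', 'blacklist', 'allowlist');
foreach ($samples as $s) {
    printf("%-14s %-10s %-10s\n", $s,
        blacklistAllows($s) ? 'ACCEPT' : 'reject',
        allowlistAllows($s) ? 'ACCEPT' : 'reject');
}
```

Run it with the php CLI and it prints one row per name: the blacklist column accepts m.PHp and m.PHP while rejecting m.pHp, which is exactly the inconsistency the walkthrough exploited; the allow-list column refuses every variant, as well as names with no extension or a leading dot, so .htaccess cannot be written either. An extension check is only the first gate, though: the saved file should also be given a server-generated name and stored in a directory the web server will not execute.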


Copyright notice

LangZi_Blog's by Jy Xie is licensed under a Creative Commons BY-NC-ND 4.0 International License
This article was first published on Langzi_Blog's ( http://langzi.fun ); all rights reserved.
