一. 漏洞产生的原理
- 程序员在开发时没有对用户上传的文件做限制
二. 上传
1. 客户端
js检查:
- 通过抓包绕过网页检查
- 在浏览器右键–>检查
2. 服务端
后缀:
- 修改后缀上传,抓包改回原来的后缀
内容:
- 伪造头部信息:GLF89A
- CMD方法:二次渲染
copy/b test.png+1.php muma.
三. 实战:方式一
只允许上传图片,如何把php文件上传到对方服务器
1. 修改脚本文件
把php文件后缀名修改为符合的后缀,例如脚本文件:47.php修改为47.jpg
2. 抓包
选择修改好的文件47.jpg,用Burp Suite抓个包,修改参数47.jpg为47.php这样就能绕过前端防御,点击放包.
脚本文件已上传成功
四. 实战:方法二:
源代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
第一步: 直接上传47.php文件,用burp suite抓包
第二步: 修改Content-Type:为 image/gif
五. 实战:方法三
源代码:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
- 分析代码发现,这里对上传的后缀名的判断增加了,php3.php5…已经不允许上传,但是没有限制.htaccess文件的上传,所以我们依然可以使用
另外一种方法就是利用PHP 和 Windows环境的叠加特性,以下符号在正则匹配时的相等性:
利用PHP 和 Windows环境的叠加特性,以下符号在正则匹配时的相等性: - 双引号" = 点号.
- 大于符号> = 问号?
- 小于符号< = 星号*
第一步:上传47.php,抓包后后缀改为47.php:.jpg的文件,上传成功后会生成47.php的空文件,
第二步:然后再上传47.php,抓包后后缀改为47.<或者47.<<的文件,这时47.<文件的内容就会写入到原来的47.php空文件中,
六. 实战:方法四
源代码:
1 $is_upload = false;
2 $msg = null;
3 if (isset($_POST[‘submit‘])) {
4 if (file_exists($UPLOAD_ADDR)) {
5 $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
6 $file_name = trim($_FILES[‘upload_file‘][‘name‘]);
7 $file_name = deldot($file_name);//删除文件名末尾的点
8 $file_ext = strrchr($file_name, ‘.‘);
9 $file_ext = str_ireplace(‘::$DATA‘, ‘‘, $file_ext);//去除字符串::$DATA
10 $file_ext = trim($file_ext); //首尾去空
11
12 if (!in_array($file_ext, $deny_ext)) {
13 if (move_uploaded_file($_FILES[‘upload_file‘][‘tmp_name‘], $UPLOAD_ADDR . ‘/‘ . $_FILES[‘upload_file‘][‘name‘])) {
14 $img_path = $UPLOAD_ADDR . ‘/‘ . $file_name;
15 $is_upload = true;
16 }
17 } else {
18 $msg = ‘此文件不允许上传‘;
19 }
20 } else {
21 $msg = $UPLOAD_ADDR . ‘文件夹不存在,请手工创建!‘;
22 }
23 }
分析代码,发现以.htaccess为后缀的文件已经不允许上传,但是 f i l e e x t = s t r t o l o w e r ( file_ext = strtolower( fileext=strtolower(file_ext); //转换为小写 这一句没有了,我们就可以使用文件名后缀大小写混合绕过,把1.php改为1.phP…来上传