第一关:
上传2.php一句话木马
查看源码
发现只允许上传.jpg .png .gif 类型文件
此时,也是不可以抓包的。。。
怎么办?
可以尝试在服务器向浏览器发回包时,在浏览器收到回包之前修改其允许上传的文件类型,此时页面的源代码中会允许上传.php文件(前端绕过)
打开Burp,开启拦截功能
刷新浏览器页面
Do intercept 用于显示和修改HTTP请求和响应,通过你的浏览器和Web服务器之间。在BurpProxy的选项中,可以配置拦截规则来确定请求是什么和响应被拦截。
允许上传的文件类型添加.php
查看网页源码,.php增加成功
上传2.php成功
菜刀连接成功
第二关
将一句话木马2.png上传,并开启抓包
修改后缀为.php
查看目标机upload下的文件,发现上传了.gif 和.php文件
菜刀连接2.php文件
或者
查看源码,只接收以下三种类型
修改Type为任意一种接收的类型
第三关
查看源码,拒绝上传以.asp .aspx .php .jsp为后缀的文件
尝试修改大小写 .pHp
显然,这种办法行不通
将文件后缀名改为php3或php4试试,发现上传成功
目标主机
第四关
查看源码,过分了噢,拒绝了第三关的办法。
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
但是,没有过滤.htaccess 文件,可以在.htaccess文件里写入SetHandler application/x-httpd-php,使上传的文件以.php解析
再上传gg.jpg,写入
<?php phpinfo();?>
访问gg.jpg
如果解析不成功,可以通过修改配置文件http.conf以下三处
开启重写
第五关
查看源码
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
这次,连.htaccess也过滤了,怎么办呢?
But,可以通过修改php的大小写绕过,文件名改为1.PHP
上传成功
查看目标主机里的文件1.PHP文件,发现文件名被修改
可是,在实际情况下怎么知道文件名被修改为社么?
打开上传成功页面的源代码,可以找到对应的文件名
菜刀连接一句话木马也可以成功
