【upload-labs】Windows-feature bypasses, pass-05 to pass-08


【pass-05】Case bypass

1. Source analysis:

// $UPLOAD_ADDR and deldot() are defined elsewhere in the lab's shared include.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");  // blacklist of many extensions, including .htaccess
        $file_name = trim($_FILES['upload_file']['name']);  // strip leading/trailing whitespace
        $file_name = deldot($file_name);  // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');  // take the extension (from the last dot onward)
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
        $file_ext = trim($file_ext);  // strip whitespace again
        // No strtolower() here, so a mixed-case extension is compared as-is against the exact-match blacklist.
        if (!in_array($file_ext, $deny_ext)) {
            // Note: the destination uses the raw client-supplied name, not the cleaned $file_name.
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;  // the uploaded file is not renamed
                $is_upload = true;
            }
        } else {
            $msg = 'This file type is not allowed';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
    }
}

2. Test procedure:

Upload a one-line webshell:

image-20210319150115640

Capture the request in Burp and change the file extension to mixed case (for example .Php):

image-20210319150308838

As shown, the upload succeeds.

Connect to it with Caidao (China Chopper):

image-20210319151703566

As shown, the connection succeeds.

Summary:

This level uses a blacklist. It does include .htaccess, which shuts down the .htaccess-based bypass, but the extension is never converted to lowercase before the comparison, and the list only spells out a few mixed-case variants (.pHp, .Html, and so on). Any other casing, such as .Php or .PHP, is not matched, so the file is stored unchanged; Apache's mod_mime compares extensions case-insensitively, so the stored file is still executed as PHP. This particular bypass does not depend on Windows: it works wherever the comparison is an exact string match.


【pass-06】Windows trailing-space bypass

1. Source analysis

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);  // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');  // take the extension
        $file_ext = strtolower($file_ext);  // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
        // No trim() anywhere: leading/trailing whitespace in the file name survives into $file_ext.
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;  // again, the file is not renamed
                $is_upload = true;
            }
        } else {
            $msg = 'This file type is not allowed';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
    }
}

2. Test procedure

Upload a one-line webshell:

image-20210319153406344

Capture the request in Burp and append a space to the file extension (so the filter sees ".php ", which is not on the list):

image-20210319153554760

Forward the request; as shown, the upload succeeds.

Looking at the stored file, the extension has no trailing space. This is Windows behaviour: when a file is created, trailing spaces in the file name are stripped.

image-20210319160311036

Connect to it with Caidao:

image-20210319153901374

The connection succeeds.

Summary:

This level still uses a blacklist, but it never trims whitespace from the file name, so the extension compared against the list is ".php " with the trailing space, which matches nothing. Windows then drops the trailing space when it writes the file, so appending a space to the extension is all it takes to bypass the check.


【pass-07】Windows trailing-dot bypass

1. Source analysis

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");  // blacklist; .htaccess is covered
        $file_name = trim($_FILES['upload_file']['name']);  // strip leading/trailing whitespace, which blocks the space bypass
        $file_ext = strrchr($file_name, '.');  // take the extension (from the last dot onward)
        $file_ext = strtolower($file_ext);  // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
        $file_ext = trim($file_ext);  // strip whitespace again
        // deldot() is never called, so a trailing dot is not removed; for "shell.php." strrchr() returns just ".".
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = 'This file type is not allowed';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
    }
}

2. Test procedure

Same as the previous level: upload the one-line webshell, capture the request in Burp, and append a dot to the file extension. The filter then extracts "." as the extension, which is not on the blacklist.

image-20210319155956179

Forward the request; the upload succeeds.

Looking at the stored file, the extension has no trailing dot. This is again Windows behaviour: trailing dots in a file name are stripped when the file is created.

image-20210319160617330

Then just connect to it with Caidao.

Summary:

This level still uses a blacklist, but it never strips trailing dots from the file name. Because Windows removes trailing dots when it writes the file, appending a dot to the extension is enough to bypass the check.


【pass-08】Windows file-stream (::$DATA) bypass

1. Source analysis

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");  // still a blacklist
        $file_name = trim($_FILES['upload_file']['name']);  // strip leading/trailing whitespace
        $file_name = deldot($file_name);  // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');  // take the extension
        $file_ext = strtolower($file_ext);  // convert to lowercase
        $file_ext = trim($file_ext);  // strip whitespace again
        // The ::$DATA suffix is never removed, so "shell.php::$DATA" yields the extension ".php::$data".
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;  // the file is not renamed
                $is_upload = true;
            }
        } else {
            $msg = 'This file type is not allowed';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
    }
}

Compared with the previous level, the step str_ireplace('::$DATA', '', $file_ext) that removes the ::$DATA string is missing.

2. Test procedure

Upload a one-line webshell:

image-20210319170055883

Capture the request in Burp and append ::$DATA to the file extension.

Principle: on NTFS, "::$DATA" after a file name names the file's default (unnamed) data stream. When Windows is asked to write "phpinfo.php::$DATA", it writes the content of phpinfo.php itself: the name before ::$DATA is kept and the stream suffix does not appear on disk. The blacklist check, on the other hand, sees ".php::$data", which it does not recognise.

image-20210319170023468

Looking at the stored file, the ::$DATA suffix is indeed gone:

image-20210319170448112

Then connect to it with Caidao.

Summary:

This level still uses a blacklist, but it does not strip the ::$DATA string, so the compared extension is ".php::$data" and no entry matches. Because ::$DATA denotes the file's default NTFS data stream, Windows stores the content as shell.php, and the check is bypassed.


Overall summary:

Pass-05 to pass-08 all check the extension against a blacklist. Pass-05 lacks strtolower($file_ext), so a mixed-case extension walks straight through (an exact string comparison fails the same way on any platform). Pass-06 to pass-08 rely on how Windows normalizes file names: trailing spaces and trailing dots are removed, and ::$DATA is treated as a stream name rather than part of the file name. On Linux these names are stored literally, so "shell.php " or "shell.php." is simply a different file that the .php handler never picks up, and the three bypasses do not apply.

Reposted from blog.csdn.net/qq_43665434/article/details/115013915