Preface

First, deploy upload-labs.

1. Bypassing JS validation

(1) Analysis of the JS validation code

Looking at the page source shows a checkFile check; removing that check is enough to upload the shell file.

(2) Stripping the JS from the response with Burp

In Proxy > Options, tick "Remove all JavaScript" and configure the browser to use the proxy.

(3) Stripping the JS with the browser's developer tools

Such a hassle...... Delete the onsubmit handler, save the file, add an action attribute with the target address, and open the saved page in the browser.

(4) Upload the webshell and connect with AntSword

One-line webshell:

Upload the shell, copy the image link, and add it in AntSword to connect.

2. Bypassing MIME-Type validation

(1) About MIME-Type

Reference: MIME 类型 | 菜鸟教程 (runoob.com)

(2) Analysis of the MIME-Type validation code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // 'type' is the Content-Type the client declared in the multipart body; nothing here verifies it
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}

upload_file is the field name defined in the form.

(3) Bypass with Burp

Change the Content-Type to image/jpeg.

(4) Connect with AntSword and open a virtual terminal

Copy the image address and connect in AntSword.
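Both the JS check in section 1 and the MIME-Type check in section 2 fail for the same reason: the value being checked (the form's onsubmit, the declared Content-Type) is produced by the client. The block below is an added example in Python, not code from upload-labs, showing the server-side alternative: ignore the declared type and sniff the first bytes of the file. The signature table, the function names and the sample uploads are my own assumptions.

```python
"""Server-side content check for image uploads.

Added example (Python, not the lab's PHP): the Pass-02 handler above trusts
$_FILES['upload_file']['type'], which is just the Content-Type the client
declared in the multipart body. The functions below ignore that declaration
and look at the first bytes of the file instead.
"""

from typing import Optional, Tuple

# Magic-byte signatures for the three formats the lab intends to accept.
SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file header, or None if unrecognised."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the sniffed type is allowed and agrees with the declaration.

    declared_type: the client-supplied Content-Type (untrusted).
    data:          the uploaded bytes (the first 8 are enough for the sniff).
    A mismatch is reported rather than silently corrected so it can be logged.
    """
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with a JPEG/PNG/GIF header"
    if sniffed not in ALLOWED_TYPES:
        return False, f"{sniffed} is not an allowed type"
    if declared_type != sniffed:
        return False, f"declared {declared_type} but content is {sniffed}"
    return True, "ok"


# Constructed sample uploads (not real captures).
SAMPLES = [
    ("image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16),  # genuine JPEG header
    ("image/jpeg", b"<?php phpinfo(); ?>"),    # Pass-02 style: type spoofed, body is PHP
    ("image/png", b"GIF89a" + b"\x00" * 16),    # declaration and content disagree
]

if __name__ == "__main__":
    for declared, body in SAMPLES:
        ok, reason = validate_upload(declared, body)
        print(f"{declared:<11} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In PHP the same idea is available through finfo_open(FILEINFO_MIME_TYPE) and finfo_file() on the temporary file. A header check on its own is still not sufficient: section 4 below uploads PHP code with a .jpg name, and a valid GIF header followed by PHP code would pass this sniff, so the content check has to be combined with the extension allowlist and with a server configuration that never hands files in the upload directory to the PHP interpreter.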

3. Bypassing blacklist validation

(1) About validation based on the file-name extension

A file upload module should avoid accepting executable script files wherever possible. To keep scripts out, some validation has to be applied, and the simplest form is validation of the file-name extension.

Extension-based validation comes in two kinds:

1. Whitelist validation: a file is accepted only if its extension is on the whitelist.

2. Blacklist validation: a file is accepted only if its extension is not on the blacklist.

(2) Analysis of the blacklist validation code

A blacklist can be bypassed by looking for the ones that slipped through the net: extensions that the server still executes as script but that are not on the blacklist.

View the source:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace

        if(!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

So files with the four extensions '.asp', '.aspx', '.php' and '.jsp' cannot be uploaded.

(3) Bypassing the blacklist with Burp

Intercept the HTTP request with Burp and use the Intruder module to enumerate extensions, looking for one the blacklist does not filter.

First intercept in Burp, send the request to Intruder, and open Positions.

Select the php extension, load the prepared wordlist under Payloads > Load, and start the attack.

The response length for the php extension (bypass failed) is 5005, while some other extensions return 4995.

(4) Upload and connect with AntSword

Copy the address of a response whose length differs from 5005, open it in the browser, copy the image address, add it in AntSword, change the image extension to php, and connect.

4. Bypassing blacklist validation (.htaccess)

(1) About the .htaccess file

In short, .htaccess is a per-directory configuration file for the Apache server; it controls the web configuration of the directory it sits in. With .htaccess you can do things such as 301 redirects, custom 404 error pages, changing how file extensions are handled, allowing or blocking specific users or directories, disabling directory listings, and setting the default document.

The .htaccess content used here:

SetHandler application/x-httpd-php

This makes every file in the current directory parsed as PHP: whatever file is uploaded, as long as its content is valid PHP code, it is executed as PHP; if not, it produces an error.

(2) Configuration file httpd.conf

Open the Apache configuration file, search for AllowOverride, and change None to All.

(3) Auditing the blacklist filter code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

The blacklist does not filter .htaccess, so an .htaccess file can be uploaded directly to make PHP parse arbitrary files.

File content: SetHandler application/x-httpd-php

(4) Make a phpinfo probe disguised as an image and upload it

Create a text file with the content

SetHandler application/x-httpd-php

Save it as: .htaccess

Upload it.

Create a text file with the content

<?php
phpinfo();
?>

Change the extension to jpg, save, and upload.

5. Bypassing blacklist validation (case variation)

(1) How the case-variation bypass works

On Windows, file names are case-insensitive: tEST.php and TEST.php, for example, are the same file.

On Linux, file names are case-sensitive: test.php and tesT.php, for example, are different files.

The case-variation bypass therefore only works on Windows.

(2) Analysis of the blacklist validation code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        // note: no strtolower() on the extension in this level
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

(3) Rename the extension to PhP and upload the file directly

(4) Upload the webshell with WeBaCoo

6. Bypassing blacklist validation (trailing space)

(1) How the trailing-space bypass works

On Windows, a space at the end of a file name is treated as nothing, but the check in the program does not strip that space itself, so the blacklist is bypassed.

For this case, intercept the HTTP request with Burp and add a space to the end of the file name.

(2) Analysis of the blacklist validation code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        // note: no trim() on the extension in this level

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

The code does not strip spaces from the uploaded file name, so adding a space bypasses the blacklist.

(3) Bypassing the blacklist with Burp

After intercepting the HTTP request with Burp, modify the file name and add a trailing space.

(4) Connect with AntSword
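Sections 3 to 6 each remove one piece from the same handler: a blacklist entry (Pass-03), the .htaccess entry (Pass-04), strtolower() (Pass-05), trim() (Pass-06). The block below is an added example in Python, not code from upload-labs, that models the lab's normalisation sequence, applies every step unconditionally, and then checks an allowlist instead of a blacklist, so there is no entry left to forget. The allowlist contents, the function names and the sample names are my assumptions.

```python
"""Hardened handling of the uploaded file name.

Added example (Python, not the lab's PHP). It models the normalisation steps
the lab handlers use (trim, deldot, strtolower, str_ireplace('::$DATA'), trim),
applies all of them every time, and then checks an allowlist instead of the
blacklist. Pass-03..Pass-06 each show what happens when one of these steps
or one blacklist entry is missing; an allowlist has no entry to miss.
"""

import re
import secrets
from typing import Optional, Tuple

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}              # assumed allowlist
_ADS_SUFFIX = re.compile(r"::\$DATA", re.IGNORECASE)     # NTFS alternate data stream


def normalise_name(client_name: str) -> str:
    """Canonicalise the client-supplied name before any decision is made."""
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]  # basename only
    name = _ADS_SUFFIX.sub("", name)        # str_ireplace('::$DATA', '', ...)
    name = name.strip().rstrip(". ")        # trim() + deldot(): trailing dots/spaces
    return name.lower()                     # strtolower(): the step Pass-05 lacks


def decide(client_name: str) -> Tuple[bool, str]:
    """Return (True, extension) when accepted, or (False, reason) when rejected."""
    name = normalise_name(client_name)
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return False, "no extension"
    if not stem:
        return False, "dotfile such as .htaccess is not an image name"
    if ext not in ALLOWED_EXT:
        return False, f".{ext} is not in the allowlist"
    return True, ext


def safe_upload_name(client_name: str) -> Optional[str]:
    """Server-chosen name for storage, or None if the upload is rejected.

    The client's name is never reused on disk, so even a name that passes
    the check cannot carry anything the filesystem would interpret.
    """
    ok, ext_or_reason = decide(client_name)
    if not ok:
        return None
    return f"{secrets.token_hex(16)}.{ext_or_reason}"


# Constructed sample names, one per level discussed in the text.
SAMPLE_NAMES = [
    "photo.JPG",          # legitimate upload, case-folded to photo.jpg
    "shell.php",          # Pass-03: plain blacklist entry
    ".htaccess",          # Pass-04: missing from the blacklist, but a dotfile
    "shell.PhP",          # Pass-05: handler skipped strtolower()
    "shell.php ",         # Pass-06: handler skipped trim()
    "shell.php::$DATA",   # ADS suffix the handlers strip from the extension
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        ok, info = decide(n)
        verdict = "ACCEPT as " + safe_upload_name(n) if ok else "REJECT: " + info
        print(f"{n!r:<22} -> {verdict}")
```

The name check is the second line of defence, not the first. The lab setup in section 4 deliberately switches AllowOverride from None to All so that an uploaded .htaccess takes effect; in a deployment the upload directory keeps AllowOverride None (uploaded .htaccess files are then ignored) and has no PHP handler mapped at all, so a file that slips past the name check is still served as static data rather than executed.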