文章详情

短信预约-IT技能 免费直播动态提醒

请输入下面的图形验证码

提交验证

短信预约提醒成功

文件上传漏洞基础/htaccess重写解析绕过/大小写绕过上传/windows特性绕过

2023-09-02 07:25

关注

目录

一、htaccess重写解析绕过上传

htaccess文件

htaccess文件上传

靶场练习pass-04

代码分析

创建.htaccess文件

开始上传

访问

二、大小写绕过

upload-labs pass-05

代码分析

上传

访问

​编辑 

三、空格绕过上传

pass-06

代码分析

尝试上传

访问

四、利用windows系统特征绕过上传

pass-07

代码分析

尝试上传


htaccess文件

htaccess文件可以帮我们实现包括:文件夹密码保护、用户自动重定向、自定义错误页面、改变文件扩展名、封禁特定IP地址的用户、只允许特定IP地址的用户、禁止目录列表,以及使用其他文件作为index文件等一些功能!

htaccess文件上传

如果黑名单过滤了所有的能执行的后缀名,如果允许上传.htaccess。在htaccess文件中写入

SetHandler application/x-httpd-php

则可以将文件重写成php文件。PHPstudy中要使htaccess文件的规则生效,则需要在apache开启rewite重写模块,apache大多数都默认开启该模块,所以一般情况下都生效

可以看到我这里是默认开启的

靶场练习pass-04

代码分析

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {    if (file_exists($UPLOAD_ADDR)) {        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");        $file_name = trim($_FILES['upload_file']['name']);        $file_name = deldot($file_name);//删除文件名末尾的点        $file_ext = strrchr($file_name, '.');        $file_ext = strtolower($file_ext); //转换为小写        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA        $file_ext = trim($file_ext); //收尾去空        if (!in_array($file_ext, $deny_ext)) {            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];                $is_upload = true;            }        } else {            $msg = '此文件不允许上传!';        }    } else {        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';    }}

 可以看到这一关非常丧心病狂啊,直接黑名单了几乎所有的后缀名,而且有很多是我没见过的qwq

创建.htaccess文件

SetHandler application/x-httpd-php

开始上传

上传.htaccess、test.png

上传成功

访问

直接访问一下test.png

成功执行phpinfo()

上传成功!拿webshelll就直接上传一句话木马就ok了

 有的黑名单没有对后缀名的大小写进行严格判断(一般不会有),导致可以更改后缀大小写绕过,如PHP、Php、pHp、PhP、pHP....

upload-labs pass-05

代码分析

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {    if (file_exists($UPLOAD_ADDR)) {        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");        $file_name = trim($_FILES['upload_file']['name']);        $file_name = deldot($file_name);//删除文件名末尾的点        $file_ext = strrchr($file_name, '.');        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA        $file_ext = trim($file_ext); //首尾去空        if (!in_array($file_ext, $deny_ext)) {            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {                $img_path = $UPLOAD_ADDR . '/' . $file_name;                $is_upload = true;            }        } else {            $msg = '此文件不允许上传';        }    } else {        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';    }}

仔细看跟上一题的代码有什么区别

 $file_ext = strtolower($file_ext); 

 这句代码是将接收到的文件名都转成小写,然后再与黑名单比对,而这道题显然是没有的

我们可以尝试上传test.PhP

上传

直接上传成功了

访问

成功

还是黑名单中,如果没对空格进行过滤,可以利用在后缀名中加空格来进行绕过

pass-06

代码分析

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {    if (file_exists($UPLOAD_ADDR)) {        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");        $file_name = trim($_FILES['upload_file']['name']);        $file_name = deldot($file_name);//删除文件名末尾的点        $file_ext = strrchr($file_name, '.');        $file_ext = strtolower($file_ext); //转换为小写        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA                if (!in_array($file_ext, $deny_ext)) {            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {                $img_path = $UPLOAD_ADDR . '/' . $file_name;                $is_upload = true;            }        } else {            $msg = '此文件不允许上传';        }    } else {        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';    }}

这次少了这一行

        $file_ext = trim($file_ext); //首尾去空

没有进行首尾去空

尝试上传

 这里php后面加了一个空格但是看不出来

尝试上传

感觉像是浏览器自动把空格去掉了,我们抓包,在数据包里加

 这里空格就比较明显了,发送数据包

上传成功!

访问

 访问成功

Windows中后缀名.,系统会自动忽略末尾的".",所以可以通过在末尾加.来进行绕过

到这里我们能发现,前面的代码没有一行是没用的,每一行都针对一种上传方法!

pass-07

代码分析

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {    if (file_exists($UPLOAD_ADDR)) {        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");        $file_name = trim($_FILES['upload_file']['name']);        $file_ext = strrchr($file_name, '.');        $file_ext = strtolower($file_ext); //转换为小写        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA        $file_ext = trim($file_ext); //首尾去空                if (!in_array($file_ext, $deny_ext)) {            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {                $img_path = $UPLOAD_ADDR . '/' . $file_name;                $is_upload = true;            }        } else {            $msg = '此文件不允许上传';        }    } else {        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';    }}

 这里少了一行去掉末尾的点,看到没

如果少了这一行,正巧传入的参数中末尾有点,经过strrchr的处理后,$file_ext就只有一个点了,跟$deny_ext中任何值都不匹配绕过黑名单

并且下面是使用$.file_name所以不会影响后面的转存

尝试上传

我们在windows中尝试修改后缀名为php.

 

 很遗憾,改不了,因为这个是windows的特性啊,自动忽略

所以我们抓包修改,最后访问test.php就行啦,传到文件夹里这个点就没了

先清空前面传的文件

上传成功,尝试访问test.php

 成功

来源地址:https://blog.csdn.net/qq_40345591/article/details/127466181

阅读原文内容投诉

免责声明:

① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。

② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341

软考中级精品资料免费领

  • 历年真题答案解析
  • 备考技巧名师总结
  • 高频考点精准押题
  • 2024年上半年信息系统项目管理师第二批次真题及答案解析(完整版)

    难度     813人已做
    查看
  • 【考后总结】2024年5月26日信息系统项目管理师第2批次考情分析

    难度     354人已做
    查看
  • 【考后总结】2024年5月25日信息系统项目管理师第1批次考情分析

    难度     318人已做
    查看
  • 2024年上半年软考高项第一、二批次真题考点汇总(完整版)

    难度     435人已做
    查看
  • 2024年上半年系统架构设计师考试综合知识真题

    难度     224人已做
    查看

相关文章

发现更多好内容

猜你喜欢

AI推送时光机
位置:首页-资讯-后端开发
咦!没有更多了?去看看其它编程学习网 内容吧
首页课程
资料下载
问答资讯