文件上传漏洞：upload-labs靶场1-10

目录

文件上传漏洞介绍

定义

产生原因

常见危害

漏洞利用方式

upload-labs详解

pass-01

pass-02

pass-03

pass-04

pass-05

pass-06

pass-07

pass-08

pass-09

pass-10

---

文件上传漏洞介绍

定义

文件上传漏洞是指网络应用程序在处理用户上传文件时，没有对上传的文件进行充分的验证和过滤，导致攻击者可以利用这个漏洞上传恶意文件到服务器，从而获取服务器的控制权或执行其他恶意操作。

产生原因

• 缺乏文件类型验证：应用程序没有对上传文件的类型进行严格检查，仅通过客户端的 JavaScript 进行验证，而这种验证很容易被绕过，攻击者可将恶意文件的后缀名修改为允许上传的文件类型，如将.php文件改为.jpg。
• 文件路径处理不当：应用程序在保存上传文件时，没有对文件路径进行正确的处理，导致攻击者可以通过构造特殊的文件名或路径，将文件上传到服务器的敏感目录，如 Web 根目录。
• 文件大小限制不足：没有对上传文件的大小进行合理限制，攻击者可能上传超大文件，耗尽服务器的磁盘空间或导致服务器拒绝服务。
• 执行权限配置错误：服务器对上传文件的存储目录或文件本身的权限设置不当，使得攻击者上传的文件具有可执行权限，从而能够在服务器上运行。

常见危害

• 网站篡改：攻击者上传恶意脚本文件，如 PHP、ASP 等脚本，一旦这些脚本被执行，攻击者就可以修改网站的内容，替换网页页面，发布违法信息等，严重影响网站的正常运行和形象。
• 数据泄露：攻击者上传恶意文件后，可能获取服务器上的敏感信息，如用户数据、数据库配置文件等，导致用户信息泄露，给用户和网站运营者带来严重损失。
• 服务器控制：通过上传可执行的恶意文件，攻击者可以进一步获取服务器的控制权，在服务器上执行任意命令，如创建新的用户账号、安装后门程序、控制服务器发起 DDoS 攻击等，使服务器完全处于攻击者的掌控之下。

漏洞利用方式

• 直接上传恶意脚本：攻击者找到网站的文件上传点，直接上传包含恶意代码的脚本文件，如 PHP webshell，然后通过访问该文件来执行恶意代码，获取服务器权限。
• 配合其他漏洞利用：文件上传漏洞往往与其他漏洞结合使用，如与 SQL 注入漏洞结合，攻击者通过 SQL 注入获取上传文件的路径和文件名，然后访问上传的恶意文件，实现进一步的攻击。

upload-labs详解

pass-01

方法一

我们可以查看一下源代码，发现这里只允许上传 .jpg|.png|.gif类型的文件。(并且前端只能上传文件的类型为.jpg|.png|.gif，所以我们利用抓包工具来修改文件类型为php)

function checkFile() {var file = document.getElementsByName('upload_file')[0].value;if (file == null || file == "") {alert("请选择要上传的文件!");return false;}//定义允许上传的文件类型var allow_ext = ".jpg|.png|.gif";//提取上传文件的类型var ext_name = file.substring(file.lastIndexOf("."));//判断上传文件类型是否允许上传if (allow_ext.indexOf(ext_name) == -1) {var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;alert(errMsg);return false;}

于是，创建一个文php文件

将该文件的后缀名修改为jpg

然后利用burpsuite抓包来修改文件的类型，

将web.png修改为web.php

改为

结果： 

查看文件上传结果

成功。

方法二

我们开始尝试上传php文件，触发前端界面弹窗警告

接着尝试利用bp来进行抓包，发现无法抓包，应该是只在前端做了验证，于是我们禁用javascript,再次尝试。

上传文件

 上传成功

访问文件

漏洞点：只对前端进行了文件的过滤，后端没有过滤操作。

pass-02

首先，我们先简单上传一个php文件，做一个测试，

上传未成功，我们查看源代码

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];          if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '文件类型不正确，请重新上传！';}} else {$msg = UPLOAD_PATH.'文件夹不存在,请手工创建！';}
}

发现文件上传之后会对文件的类型进行检测，发现其存在Content-Type绕过

那么我们可以利用bp来抓包修改文件的类型

改为

结果上传成功

当然也可以利用第一关的方法，在上传之前将php文件修改为jpg文件，利用bp抓包，将jpg文件再修改为php文件，也是可以的。

本关考察的点是，检查文件的MIME类型是否为以下三种，image/jpeg，image/gif，image/png。

pass-03

 首先，简单上传php文件，发现文件的类型不允许上传，故查看源代码，发现限制了文件的后缀名，但是没有限制php1,php2之类的后缀名

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}

于是，我们将文件的类型改为

上传成功

访问文件

漏洞点：简单的黑名单绕过。 

pass-04

该关类型同第三关，但是增加了后缀名的限制，但是没有限制.htaccess类型的文件 

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空

 编写.htaccess文件内容为

AddType application/x-httpd-php .jpg

• AddType 是 Apache 的配置指令，其作用是为指定的文件扩展名关联特定的 MIME 类型。
• application/x-httpd-php 是 Apache 服务器用来识别 PHP 脚本的 MIME 类型。当服务器遇到具有该 MIME 类型的文件时，会将其作为 PHP 脚本进行解析和执行。
• .jpg 是常见的图像文件扩展名。这行代码意味着将原本应该作为图像文件处理的 .jpg 文件，关联到了 PHP 脚本的 MIME 类型上。

然后上传web.jpg文件内容为<?php phpinfo(); ?>

 访问图片

漏洞点：

没有过滤.htaccess，利用该特点将当前目录下有以.jpg结尾的文件，就会被解析为.php

pass-05

本关漏洞点：忽略大小写

直接上传文件web.phP,即可 

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空

 访问文件：

pass-06

本关漏洞点：忽略文件后缀名的空格

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

由于windows中文件的后缀名中空格被自动过滤，故利用bp,

通过抓包修改文件名，再文件的后缀名加入空格即可

查看文件是否上传

访问文件

成功

pass-07

本关漏洞点:小数点绕过

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空

利用bp抓包修改文件名，加入小数点

 访问文件

pass-08

本关漏洞点：::$DATA绕过

::$DATA（只适用于Windows系统）在Windows的时候如果文件名"+::$DATA"会把::$DATA之后的数据当成文件流处理,不会检测后缀名，且保持::$DATA之前的文件名绕过，比如上传的文件名为info.php::$DATA会在服务器上重新生成一个test.php的文件，其中内容和所上传文件内容相同，并被解析。

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空

利用bp抓包修改上传的文件为web.php::$DATA

 

访问文件：

pass-09

本关漏洞点：windows操作环境特点

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空

利用bp抓包修改文件名为web.php. .即(web.php+点+空格+点)

访问文件：

pass-10

本关漏洞点：双写绕过

if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;        if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

先使用trim函数去除其两边的空白字符以及转义字符，再使用str_ireplace，将$file_name的字符串与$deny_ext中的黑名单对比，如果有相同的，则从$file_name中删除对应部分，通常这种情况的过滤，可以使用双写对应的字符，使其删除一次后恢复为正确的文件后缀进行绕过。例如pphphp经过绕过之后修改为php，

利用bp修改文件名为web.phpphp

访问文件

 未完待续。。。