[题目信息]:
| 题目名称 | 题目难度 |
|---|---|
| 文件上传-Windows点空格点绕过 | 1 |
[题目考点]:
Windowsw文件特性考察
[Flag格式]:
SangFor{UDOaJfziTs4c-dceIyGxa53-Ybrg9dtF}
[环境部署]:
docker-compose.yml文件或者docker tar原始文件。
docker-compose up -d
[题目writeup]:
扫描到index.txt备份文件;
修改Url地址内容,将index.txt修改为indeX.txt;发现可以成功访问;
证明服务端服务器是Linux系统;
<?php
include "config.php";
function deldot($s){
for($i = strlen($s)-1;$i>0;$i--){
$c = substr($s,$i,1);
if($i == strlen($s)-1 and $c != '.'){
return $s;
}
if($c != '.'){ return substr($s,0,$i+1); } } }
$is_upload = false;
$msg = null;
if (isset($_POST[‘submit’])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES[‘upload_file’][‘name’]);
$file_name = deldot($file_name);//删除文件名末尾的点 #1
$file_ext = strrchr($file_name, ‘.’);
$file_ext = strtolower($file_ext); //转换为小写 #2
$file_ext = str_ireplace(’::$DATA’, ‘’, $file_ext);//去除字符串::$DATA #3
$file_ext = trim($file_ext); //首尾去空 #4
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
echo $msg = '上传出错!';
}
} else {
echo $msg = '此文件类型不允许上传!';
}
} else {
echo $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
?>
- #1处删除末尾的点;
- #2处将上传的文件名转换为小写;
- #3处如果上传文件后缀包含::$DATA,会替换为空;
- #4处去除前后空格;
那么前面所述的4种Windows绕过方案均无法使用;
但是假设我们上传的文件后缀为.php. .(php点号空格点号)
#1删除点号,剩余点号空格,#4删除空格,剩余点号,那么php.可以绕过黑名单验证;
抓包之后修改文件后缀为.php进行测试;
修改文件后缀为. .(点空格点)
证明该文件已经上传成功
访问upload/1.php
php文件成功解析;
