目录
文件上传漏洞介绍
定义
文件上传漏洞是指网络应用程序在处理用户上传文件时,没有对上传的文件进行充分的验证和过滤,导致攻击者可以利用这个漏洞上传恶意文件到服务器,从而获取服务器的控制权或执行其他恶意操作。
产生原因
- 缺乏文件类型验证:应用程序没有对上传文件的类型进行严格检查,仅通过客户端的 JavaScript 进行验证,而这种验证很容易被绕过,攻击者可将恶意文件的后缀名修改为允许上传的文件类型,如将
.php文件改为.jpg。 - 文件路径处理不当:应用程序在保存上传文件时,没有对文件路径进行正确的处理,导致攻击者可以通过构造特殊的文件名或路径,将文件上传到服务器的敏感目录,如 Web 根目录。
- 文件大小限制不足:没有对上传文件的大小进行合理限制,攻击者可能上传超大文件,耗尽服务器的磁盘空间或导致服务器拒绝服务。
- 执行权限配置错误:服务器对上传文件的存储目录或文件本身的权限设置不当,使得攻击者上传的文件具有可执行权限,从而能够在服务器上运行。
常见危害
- 网站篡改:攻击者上传恶意脚本文件,如 PHP、ASP 等脚本,一旦这些脚本被执行,攻击者就可以修改网站的内容,替换网页页面,发布违法信息等,严重影响网站的正常运行和形象。
- 数据泄露:攻击者上传恶意文件后,可能获取服务器上的敏感信息,如用户数据、数据库配置文件等,导致用户信息泄露,给用户和网站运营者带来严重损失。
- 服务器控制:通过上传可执行的恶意文件,攻击者可以进一步获取服务器的控制权,在服务器上执行任意命令,如创建新的用户账号、安装后门程序、控制服务器发起 DDoS 攻击等,使服务器完全处于攻击者的掌控之下。
漏洞利用方式
- 直接上传恶意脚本:攻击者找到网站的文件上传点,直接上传包含恶意代码的脚本文件,如 PHP webshell,然后通过访问该文件来执行恶意代码,获取服务器权限。
- 配合其他漏洞利用:文件上传漏洞往往与其他漏洞结合使用,如与 SQL 注入漏洞结合,攻击者通过 SQL 注入获取上传文件的路径和文件名,然后访问上传的恶意文件,实现进一步的攻击。
upload-labs详解
pass-01
方法一
我们可以查看一下源代码,发现这里只允许上传 .jpg|.png|.gif类型的文件。(并且前端只能上传文件的类型为.jpg|.png|.gif,所以我们利用抓包工具来修改文件类型为php)
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name) == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}于是,创建一个文php文件
将该文件的后缀名修改为jpg
然后利用burpsuite抓包来修改文件的类型,
将web.png修改为web.php
改为
结果:
查看文件上传结果
成功。
方法二
我们开始尝试上传php文件,触发前端界面弹窗警告
接着尝试利用bp来进行抓包,发现无法抓包,应该是只在前端做了验证,于是我们禁用javascript,再次尝试。
上传文件
上传成功
访问文件
漏洞点:只对前端进行了文件的过滤,后端没有过滤操作。
pass-02
首先,我们先简单上传一个php文件,做一个测试,
上传未成功,我们查看源代码
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}发现文件上传之后会对文件的类型进行检测,发现其存在Content-Type绕过
那么我们可以利用bp来抓包修改文件的类型
改为
结果上传成功
当然也可以利用第一关的方法,在上传之前将php文件修改为jpg文件,利用bp抓包,将jpg文件再修改为php文件,也是可以的。
本关考察的点是,检查文件的MIME类型是否为以下三种,image/jpeg,image/gif,image/png。
pass-03
首先,简单上传php文件,发现文件的类型不允许上传,故查看源代码,发现限制了文件的后缀名,但是没有限制php1,php2之类的后缀名
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}于是,我们将文件的类型改为
上传成功
访问文件
漏洞点:简单的黑名单绕过。
pass-04
该关类型同第三关,但是增加了后缀名的限制,但是没有限制.htaccess类型的文件
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空编写.htaccess文件内容为
AddType application/x-httpd-php .jpg
AddType是 Apache 的配置指令,其作用是为指定的文件扩展名关联特定的 MIME 类型。application/x-httpd-php是 Apache 服务器用来识别 PHP 脚本的 MIME 类型。当服务器遇到具有该 MIME 类型的文件时,会将其作为 PHP 脚本进行解析和执行。.jpg是常见的图像文件扩展名。这行代码意味着将原本应该作为图像文件处理的.jpg文件,关联到了 PHP 脚本的 MIME 类型上。
然后上传web.jpg文件内容为<?php phpinfo(); ?>
访问图片
漏洞点:
没有过滤.htaccess,利用该特点将当前目录下有以.jpg结尾的文件,就会被解析为.php
pass-05
本关漏洞点:忽略大小写
直接上传文件web.phP,即可
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空访问文件:
pass-06
本关漏洞点:忽略文件后缀名的空格
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA由于windows中文件的后缀名中空格被自动过滤,故利用bp,
通过抓包修改文件名,再文件的后缀名加入空格即可
查看文件是否上传
访问文件
成功
pass-07
本关漏洞点:小数点绕过
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空利用bp抓包修改文件名,加入小数点
访问文件
pass-08
本关漏洞点:::$DATA绕过
::$DATA(只适用于Windows系统)在Windows的时候如果文件名"+::$DATA"会把::$DATA之后的数据当成文件流处理,不会检测后缀名,且保持::$DATA之前的文件名绕过,比如上传的文件名为info.php::$DATA会在服务器上重新生成一个test.php的文件,其中内容和所上传文件内容相同,并被解析。
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空利用bp抓包修改上传的文件为web.php::$DATA
访问文件:
pass-09
本关漏洞点:windows操作环境特点
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空利用bp抓包修改文件名为web.php. .即(web.php+点+空格+点)
访问文件:
pass-10
本关漏洞点:双写绕过
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}先使用trim函数去除其两边的空白字符以及转义字符,再使用str_ireplace,将$file_name的字符串与$deny_ext中的黑名单对比,如果有相同的,则从$file_name中删除对应部分,通常这种情况的过滤,可以使用双写对应的字符,使其删除一次后恢复为正确的文件后缀进行绕过。例如pphphp经过绕过之后修改为php,
利用bp修改文件名为web.phpphp
访问文件
未完待续。。。