• upload上传通关游戏


    第一关:后缀名限制,抓包改一下后缀。

    前端脚本检测文件扩展名。当客户端选择文件点击上传的时候,客户端还没有向服务器发送任何消

    息,前端的 js 脚本就对文件的扩展名进行检测来判断是否是可以上传的类型

    代码:
    function checkFile() {
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("请选择要上传的文件!");
            return false;
        }
        //定义允许上传的文件类型
        var allow_ext = ".jpg|.png|.gif";
        //提取上传文件的类型
        var ext_name = file.substring(file.lastIndexOf("."));
        //判断上传文件类型是否允许上传
        if (allow_ext.indexOf(ext_name + "|") == -1) {
            var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
            alert(errMsg);
            return false;
        }
    }
    

    第二关:后端通过对上传文件的 Content-Type 类型进行黑白名单检测过滤

    源代码:
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                    $is_upload = true;
    
                }
            } else {
                $msg = '文件类型不正确,请重新上传!';
            }
        } else {
            $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
        }
    }
    

    第三关:扩展名绕过

    把.php改成 .phtml 或者php2, php3后直接上传

    菜刀连接测试

    代码:
    s_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array('.asp','.aspx','.php','.jsp');
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //收尾去空
    
            if(!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                     $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                     $is_upload = true;
                }
            } else {
                $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
            }
        } else {
            $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
        }
    }
    
    常见扩展名绕过
    Asp:asa cer cdx
    
    aspx:ashx,asmx,ascx
    
    php: php3 phtml
    
    jsp: jspx jspf
    

    如果是windows服务器,可以把后缀名改成 ”.php.“ , 因为在windows系统是不允许出现 "."

    如果是白名单检测的话,我们可以采用00截断绕过。00截断利用的是php的一个漏洞。在 php<5.3.4

    版本中,存储文件时处理文件名的函数认为0x00是终止符。 如我们上传1.php%00.jpg

    第四关:

    虽然还是黑名单,但几乎过滤了所有有问题的后缀名,除了.htaccess,于是首先上传一个.htaccess内

    容如下的文件:

    SetHandler application/x-httpd-php
    

    这样所有文件都会解析为php,然后再上传图片马,就可以解析:

    制作图片马
    源代码:
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);//删除文件名末尾的点
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext); //转换为小写
            $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
            $file_ext = trim($file_ext); //收尾去空
    
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                    $is_upload = true;
                }
            } else {
                $msg = '此文件不允许上传!';
            }
        } else {
            $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
        }
    }
    
  • 相关阅读:
    对Request.Url片段解析
    Php学习之路四
    解析bmp图像(某年全国软件大赛题目)
    工信部软件大赛(解析bmp)
    Php学习之路三(字符串操作)
    C++二维数组做形参
    php学习之路五(表单验证)
    PHP(学习之路一)
    PHp学习之路二(数组练习)
    解析网页(KMP算法实现部分)
  • 原文地址:https://www.cnblogs.com/dyanbk/p/11503633.html
Copyright © 2020-2023  润新知