最近在做靶机的时候遇到如下代码审计题目:
在接收文件时会校验文件后缀。但是如果在上传文件时,同时post一个secure参数,就可以接受php文件的上传
<?php if(isset($_FILES['file']['name'])){ // file name $filename = $_FILES['file']['name']; // Location $location = 'owls/'.$filename; // file extension $file_extension = pathinfo($location, PATHINFO_EXTENSION); $file_extension = strtolower($file_extension); // Valid extensions if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&MsR'){ if(isset($_POST['secure']) && $_POST['secure'] == 'val1d'){ $valid_ext = array("pdf","php","txt"); } else{ $valid_ext = array("txt"); } } else{ $valid_ext = array("txt"); } $response = 0; if(in_array($file_extension,$valid_ext)){ // Upload file if(move_uploaded_file($_FILES['file']['tmp_name'],$location)){ $response = 1; } } echo $response; exit; }
curl -X POST时,-F和-d只能选一个,解决方法记录如下:
来自:https://www.shuzhiduo.com/A/D854pE165E/
一般使用linux原生态的命令curl上传文件时命令如下
假如要上传文件是myfile.txt
curl -F "file_name=@myfile.txt" -X POST "http://192.168.1.111/server"
其中file_name是接收的key 后面的myfile.txt是要上传的文件,在=后面加上@符号表示要上传的是文件
如果要单独上传参数则是
curl -d "usernaem=u1&age=13" -X POST "http://192.168.1.111/server"
要同时上传文件与参数,则需要将参数分开一次指定,如下:
curl -F "file_name=@myfile.txt" -F "usernaem=u1" -F "age=13" -X POST "http://192.168.1.111/server"
有多少个参数,后面就跟多少个-F指定要上传携带的参数值
所以通过-F参数,不加@前缀提交多个参数即可,对应的数据包如下
POST /server HTTP/1.1 Host: 192.168.1.111 User-Agent: curl/7.64.0 Accept: */* Content-Length: 426 Content-Type: multipart/form-data; boundary=------------------------e83ac844d0d2372c Connection: close --------------------------e83ac844d0d2372c Content-Disposition: form-data; name="file_name"; filename="myfile.txt" Content-Type: text/plain sjfkjfsalfjsdalfjaslfjsalfjsafjsalfjasl --------------------------e83ac844d0d2372c Content-Disposition: form-data; name="usernaem" u1 --------------------------e83ac844d0d2372c Content-Disposition: form-data; name="age" 13 --------------------------e83ac844d0d2372c--