upload-labs
Setup
https://github.com/c0ny1/upload-labs
Pass-01 (front-end bypass)
Prepare a PHP one-line webshell
Uploading the one-line webshell triggers a prompt
Rename the extension to png
Change it back to php in Burp
Connect with 菜刀 (China Chopper)
Generate a webshell with weevely
┌──(root💀B)-[~]
└─# weevely generate shell /root/1.php
Generated '/root/1.php' with password 'shell' of 774 byte size.
Pass-02 (MIME bypass)
Clear the uploaded files
Change Content-Type to image/jpeg
The upload also succeeds using the same steps as in Pass-01
Pass-03 (Apache parsing vulnerability)
Uploading the file produces an error
Prompt: 不允许上传.asp,.aspx,.php,.jsp后缀文件! (i.e. files with the .asp, .aspx, .php or .jsp extension are not allowed)
So try changing the extension
e.g. php3
php3 turns out not to be parsed as PHP
Then try phtml
Not parsed either
Looked it up; apparently the configuration has to be changed, orz
Edit /etc/mime.types, then
service apache2 reload
Now it is parsed
update-2021-12-28 15:54:41
No configuration change is needed
Pass-04 (Apache configuration file .htaccess)
Override how matching files are parsed
<FilesMatch "jpg"
Pass-05 (case bypass)
Analyse the source
Case is not filtered
Try upper case: phP
Pass-06 (whitespace bypass)
The source now filters case
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
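As an added example (not code from upload-labs or from this write-up), here is a whitelist-based upload check in PHP that closes the gaps the six passes above walk through: the blacklist with enumerated case variants, the trailing-space trick, the trusted Content-Type and the client-chosen filename. The field name upload_file and the $uploadDir parameter are assumed names.

```php
<?php
// Added example, not part of upload-labs. Returns [bool $ok, string $detail].
function validate_upload(array $file, string $uploadDir): array
{
    // Whitelist (extension => expected MIME) instead of the $deny_ext blacklist:
    // php3, phtml, pHp, .htaccess and every future variant are rejected by default.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    // Leading bytes each allowed type must start with (magic numbers).
    $magic   = ['image/jpeg' => "\xFF\xD8\xFF", 'image/png' => "\x89PNG",
                'image/gif'  => "GIF8"];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    // Pass-05 / Pass-06: strip trailing whitespace, NULs and dots, then lower-case,
    // so "1.phP" and "1.php " normalise to the same extension "php" and fail below.
    $name = rtrim($file['name'], " \t\r\n\0.");
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Pass-04: ".htaccess" yields the extension "htaccess", which is not allowed.
    if ($ext === '' || !isset($allowed[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Pass-02: ignore the client-supplied Content-Type entirely and sniff the
    // first bytes of the temporary file instead.
    $expected = $magic[$allowed[$ext]];
    $head = file_get_contents($file['tmp_name'], false, null, 0, strlen($expected));
    if ($head === false || strncmp($head, $expected, strlen($expected)) !== 0) {
        return [false, 'content does not match extension'];
    }
    // Pass-01 / Pass-03: never reuse the client name. A random server-side name
    // with a single whitelisted extension leaves no room for Burp-edited names
    // or multi-extension tricks such as "x.php.jpg".
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, 'could not store file'];
    }
    return [true, $target];
}

// Assumed usage in the upload handler (field name is hypothetical).
if (isset($_FILES['upload_file'])) {
    [$ok, $detail] = validate_upload($_FILES['upload_file'], __DIR__ . '/upload');
    echo $ok ? "stored as $detail" : "rejected: $detail";
}
```

Even with this check, the upload directory should have PHP execution disabled and AllowOverride None set, so that a file which slips through can never be handed to the PHP handler.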