DAY14: upload-labs level-by-level walkthrough
Pass-01, client-side JS check
Trying to upload a .php file only triggers a browser pop-up from the page's JavaScript check, so it can be skipped: intercept in Burp Suite (bp), tick "Remove all JavaScript", refresh the page and upload again.
The upload succeeds; connect with AntSword to get a shell.
Pass-02, MIME type check
Common MIME types for reference:
HTML (.html): text/html
plain text (.txt): text/plain
PDF (.pdf): application/pdf
PNG image (.png): image/png
GIF image (.gif): image/gif
MPEG video (.mpg, .mpeg): video/mpeg
arbitrary binary stream: application/octet-stream
The lab reads the type the client declared for the upload:
```php
$_FILES['upload_file']['type']   // MIME type the client sent for the uploaded file
```
Because this value comes from the request, the check can be bypassed by intercepting the upload in Burp and editing the Content-Type of the file part. Which value to use follows from what the code allows:
```php
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
```
So image/jpeg, image/png and image/gif are accepted. Upload the php file directly, intercept the request, and
change `application/octet-stream` to `image/gif`.
Forward the request; the upload succeeds, and AntSword connects to get a shell.
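The client-side check of Pass-01 and the Content-Type check of Pass-02 fail for the same reason: both trust data the uploader controls. As an added example (not upload-labs code; it assumes PHP with the fileinfo extension, which is enabled by default), here is a server-side check that classifies the bytes that actually arrived and logs when the client's claim disagrees with them. The two sample files are constructed inline to stand in for the temporary files of two requests:

```php
<?php
// Added example, not upload-labs code. Assumes the fileinfo extension.
// The Content-Type of a multipart part is chosen by the client, so
// $_FILES[...]['type'] is only a claim; inspect the bytes with finfo instead.

function detected_mime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) ?: 'application/octet-stream';
}

/**
 * Decide on an upload by what the file is, not by what the request says.
 * $file is one $_FILES entry (in real code also require is_uploaded_file()).
 * Returns [accepted (bool), reason (string)].
 */
function check_upload(array $file, array $allowed = ['image/jpeg', 'image/png', 'image/gif']): array
{
    $claimed = $file['type'] ?? '';
    $actual  = detected_mime($file['tmp_name']);
    if (!in_array($actual, $allowed, true)) {
        return [false, "content is $actual (client claimed '$claimed')"];
    }
    if ($claimed !== $actual) {
        // Detection signal: ordinary browsers rarely mislabel a file,
        // a request edited in a proxy often does.
        error_log("upload: client claimed $claimed but content is $actual");
    }
    return [true, "content is $actual"];
}

// Constructed samples: a file that starts like a GIF, and a PHP script
// that a client has labelled image/gif (the Pass-02 trick).
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a" . str_repeat("\0", 10));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello'; ?>\n");

foreach ([['tmp_name' => $gif, 'type' => 'image/gif'],
          ['tmp_name' => $php, 'type' => 'image/gif']] as $f) {
    [$ok, $why] = check_upload($f);
    echo $ok ? 'ACCEPT ' : 'REJECT ', $why, "\n";
}
unlink($gif);
unlink($php);
```

The first sample is accepted, the second is rejected because finfo reports it as text/x-php regardless of the claimed type. Note the limit of this gate: finfo keys on leading bytes, so it is only the first check, not a substitute for controlling where and under what name the file is stored.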
Pass-03, alternative suffix bypass
```php
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = deldot($file_name);                       // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);                     // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);    // remove the string ::$DATA
$file_ext = trim($file_ext);                           // trim leading/trailing whitespace
```
From the code: the suffixes in the first line are blocked, and the trailing-space, ::$DATA stream, upper/lower case and trailing-dot tricks are all neutralised. But the blacklist is short, and PHP can run under several other suffixes (whether they actually execute depends on the server's handler configuration):
php, php2, php3, php5, phtml
Rename the file to one of them and upload it.
Connect with AntSword to get a shell.
Pass-04, Apache .htaccess parsing bypass
```php
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",
    ".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",
    ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
    ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
    ".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);                       // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);                     // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);    // remove the string ::$DATA
$file_ext = trim($file_ext);                           // trim leading/trailing whitespace
```
A .htaccess file can tell Apache to hand files to the PHP handler. For example, a rule that matches file names containing the string "as.png" makes any such file run as PHP no matter what the rest of the name looks like. A crafted .htaccess can therefore bypass many upload checks in different ways (this works only where Apache honours .htaccess overrides for the upload directory and uses the mod_php handler, as the lab's server does).
Create a file named .htaccess with the content:
```apache
SetHandler application/x-httpd-php
```
This makes Apache treat every file in that directory as PHP.
First upload the .htaccess file, then upload the image shell (a "picture horse": an image with PHP code appended).
How to make one:
Take a clean picture and a file containing a one-line PHP shell, open a terminal in that directory and run:
```cmd
copy name1.jpg /b + name2.php name3.jpg
```
The uploaded image is now parsed as PHP; connect with AntSword to get a shell.
Pass-05, case bypass
```php
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",
    ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
    ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
    ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
    ".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);                       // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);    // remove the string ::$DATA
$file_ext = trim($file_ext);                           // trim leading/trailing whitespace
```
Trailing dots, spaces and ::$DATA are handled, but the extension is never lowercased, so consider a case bypass.
Windows file names are case-insensitive; Linux file names are case-sensitive.
Upload the file as 111.PHP: that exact spelling is not in the blacklist, so the upload succeeds.
Connect with AntSword to get a shell.
Pass-06, trailing space bypass
```php
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",
    ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
    ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
    ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
    ".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);                       // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);                     // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);    // remove the string ::$DATA
```
Looking at the code, the file name is no longer trimmed, so a trailing space bypasses the check.
Windows drops trailing spaces when it creates a file, but the checking code here does not, so the extension ".php " is not in the blacklist. Intercept the HTTP request in Burp and add a space after the file name:
`1.php` + space
The upload succeeds; connect with AntSword to get a shell.
Pass-07, trailing dot bypass
```php
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",
    ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
    ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
    ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
    ".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);                     // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);    // remove the string ::$DATA
$file_ext = trim($file_ext);                           // trim leading/trailing whitespace
```
From the code, deldot() is gone, so a trailing dot bypasses the check:
`1.php` + `.`
The file is parsed; connect with AntSword to get a shell.
Pass-08, ::$DATA stream bypass
On Windows (NTFS), `text.php::$DATA` names the default data stream of text.php, so uploading under that name creates text.php on the server with the same content, and it is parsed as PHP.
`1.php` + `::$DATA`
The upload succeeds; connect with AntSword to get a shell.
Pass-09, suffix splicing (dot + space + dot) bypass
```php
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",
    ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
    ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
    ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
    ".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);                       // strip trailing dots from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);                     // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);    // remove the string ::$DATA
$file_ext = trim($file_ext);                           // trim leading/trailing whitespace
```
This level blocks the trailing-dot, case, ::$DATA and space tricks individually.
But each normalisation runs only once, in a fixed order, so splice them: deldot() strips only the final dot, the space stops it, trim() then leaves a bare "." as the extension, which is not in the blacklist, and Windows drops the trailing dot and space when it saves the file.
`1.php` + `.` + space + `.`
The upload succeeds; connect with AntSword to get a shell.
Pass-10, suffix double-write bypass
```php
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext, "", $file_name);   // delete blacklisted suffixes once, not repeatedly
```
`1.pphphp` (that is, `1.p` + `php` + `hp`)
str_ireplace removes the inner "php" once, and what remains is the file name 1.php.
Connect with AntSword to get a shell.
Pass-11, path 00 truncation (GET)
This level uses a whitelist, but `$img_path` is built by directly concatenating a request parameter (the save path) with the file name, so %00 truncation can bypass it.
Conditions: PHP version below 5.3.4, and magic_quotes_gpc set to Off.
%00 is the URL encoding of the null byte. The server URL-decodes the query string before the value reaches the validation function, so that function receives not the three characters "%00" but the decoded byte 0x00, which the underlying C string functions treat as the end of the string. For example:
https://localhost/upfile/?file=test.txt
Here the file used is test.txt.
https://localhost/upfile/?file=test.php%00.txt
Here the path is cut at the null byte, so the file used is test.php while the suffix check saw .txt; the suffix limit is bypassed and a webshell can be uploaded.
The upload succeeds. The displayed path contains an undisplayable character after 1.php; remove it, access the file, and connect with AntSword to get a shell.
Pass-12, path 00 truncation (POST)
Because a POST body field is not URL-decoded the way a GET query string is, the null byte has to be inserted as a raw byte in the request.
Add a space to the path, switch to the hex view, change that byte to 00, and send. The upload succeeds.
Delete the special character after 1.php in the returned path; the file is reachable, and AntSword connects to get a shell.
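Passes 03 to 12 all defeat the same design: a blacklist of suffixes with ad-hoc normalisation (deldot, trim, str_ireplace) applied once each, so whatever one step leaves behind beats the next, and an unexpected byte such as a null or a trailing space is handled by the filesystem rather than by the check. As an added example (not upload-labs code; it assumes PHP 7.1 or later), here is the allow-list form: the name is treated as untrusted bytes, nothing is stripped or rewritten, only a name that is exactly base.ext with an allowed ext is accepted, and the client's name never reaches the disk. Every name used in those passes is then run through it; the sample names are constructed from this walkthrough:

```php
<?php
// Added example, not upload-labs code. Assumes PHP 7.1+ (nullable return types,
// random_bytes). Allow-list handling of an uploaded file name.

const ALLOWED_EXT = ['jpg', 'png', 'gif'];

/**
 * Return the allow-listed extension of an uploaded name, or null to reject.
 * Nothing is normalised away: if the name is not exactly "<base>.<ext>" with a
 * clean alphanumeric ext, it is refused, so there is no residue for a later
 * step to mishandle (the failure behind Pass-06/07/09/10).
 */
function safe_extension(string $name): ?string
{
    // Null bytes (Pass-11/12) and path separators never belong in a file name.
    if (strpbrk($name, "\0/\\") !== false) {
        return null;
    }
    // One alphanumeric base, one dot, one alphanumeric ext, nothing else (\z, not $,
    // so a trailing newline cannot slip past). This refuses trailing dots and
    // spaces, "::$DATA", ".htaccess" (no base name) and "1.php.jpg" style names.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);                       // case folding (Pass-05)
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;   // allow-list (Pass-03/10)
}

/**
 * Name under which an accepted upload is stored. The client's base name is
 * discarded, and a random name avoids the predictable srand(time()) names
 * that the Pass-16 code generates.
 */
function stored_name(string $original): ?string
{
    $ext = safe_extension($original);
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: the names used in Pass-03 to Pass-12, plus two benign ones.
$samples = [
    '1.php', '1.phtml', '.htaccess', '1.PHP', '1.php ', '1.php.',
    '1.php::$DATA', '1.php. .', '1.pphphp', "1.php\0.jpg", '1.php.jpg',
    'cat.JPG', 'cat.png',
];
foreach ($samples as $s) {
    printf("%-18s -> %s\n", json_encode($s), safe_extension($s) ?? 'REJECT');
}
```

Only cat.JPG (as jpg) and cat.png pass; every other name is rejected before any filesystem call is made, so the Windows name-cleaning behaviour that Passes 06 to 09 rely on is never reached. Server configuration still matters alongside this: the upload directory should not honour .htaccess overrides (Pass-04) and should not be mapped to any script handler at all.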
Pass-13, file header (magic bytes) check bypass
Image shell: how to make one is described above (Pass-04).
The code reads the first two bytes of the upload to decide the file type and, if the check passes, saves the file under a matching new suffix.
Then use the file inclusion: `include.php?file=upload/shell.jpg`. include reads shell.jpg as source text, so the one-line shell embedded in shell.jpg
is executed.
Since only the file header is checked, a file beginning with GIF89a is accepted as a GIF. Upload the image shell, find the path of include.php, reach the uploaded file through the file inclusion vulnerability, and connect with AntSword to get a shell.
Pass-14, image content check
`image_type_to_extension()` returns the suffix corresponding to a given image type constant.
The method is the same as above: the check now inspects the image type of the file body, but the image shell still passes it; use include.php.
Connect with AntSword to get a shell.
Pass-15, image content check
The method is the same as above.
Pass-16, image re-rendering (content check)
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    // Basic information about the uploaded file: name, type, size, temporary path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path = UPLOAD_PATH . '/' . basename($filename);

    // Extension of the uploaded file
    $fileext = substr(strrchr($filename, "."), 1);

    // Check suffix and declared type; only accept when both are allowed
    if (($fileext == "jpg") && ($filetype == "image/jpeg")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // Generate a new image from the uploaded one
            $im = imagecreatefromjpeg($target_path);

            if ($im == false) {
                $msg = "The file is not a jpg image!";
                @unlink($target_path);
            } else {
                // Give the new image a file name
                srand(time());
                $newfilename = strval(rand()) . ".jpg";
                // Display the re-rendered image (a new image generated from the user's upload)
                $img_path = UPLOAD_PATH . '/' . $newfilename;
                imagejpeg($im, $img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "Upload error!";
        }
    } else if (($fileext == "png") && ($filetype == "image/png")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // Generate a new image from the uploaded one
            $im = imagecreatefrompng($target_path);

            if ($im == false) {
                $msg = "The file is not a png image!";
                @unlink($target_path);
            } else {
                // Give the new image a file name
                srand(time());
                $newfilename = strval(rand()) . ".png";
                // Display the re-rendered image (a new image generated from the user's upload)
                $img_path = UPLOAD_PATH . '/' . $newfilename;
                imagepng($im, $img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "Upload error!";
        }
    } else if (($fileext == "gif") && ($filetype == "image/gif")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // Generate a new image from the uploaded one
            $im = imagecreatefromgif($target_path);

            if ($im == false) {
                $msg = "The file is not a gif image!";
                @unlink($target_path);
            } else {
                // Give the new image a file name
                srand(time());
                $newfilename = strval(rand()) . ".gif";
                // Display the re-rendered image (a new image generated from the user's upload)
                $img_path = UPLOAD_PATH . '/' . $newfilename;
                imagegif($im, $img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "Upload error!";
        }
    } else {
        $msg = "Only .jpg|.png|.gif image files can be uploaded!";
    }
}
```
As above, but the image itself has to be specially prepared: search online for an image whose embedded code survives GD's re-rendering (such images exist).
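Why the Pass-13 to Pass-15 checks fail and the Pass-16 one is stronger can be shown in a few lines. As an added example (not upload-labs code; it assumes the GD extension, which the Pass-16 code itself uses), a real GIF produced by GD gets a harmless marker string appended after its trailer, in the position where the page's image shell carries its code. A header check in the spirit of Pass-13 and a getimagesize()-based check in the spirit of Pass-14/15 both accept it, because they only look at the image structure; re-encoding it with GD, as Pass-16 does, writes a fresh file from decoded pixels, and the appended bytes do not survive:

```php
<?php
// Added example, not upload-labs code. Assumes the GD extension.

function header_check(string $path): bool            // Pass-13 style: magic bytes only
{
    $head = substr((string) file_get_contents($path), 0, 6);
    return in_array($head, ['GIF87a', 'GIF89a'], true);
}

function getimagesize_check(string $path): bool      // Pass-14/15 style: image type of the body
{
    $info = @getimagesize($path);
    return $info !== false && $info[2] === IMAGETYPE_GIF;
}

function rerender_gif(string $src, string $dst): bool   // Pass-16 style: decode and re-encode
{
    $im = @imagecreatefromgif($src);
    if ($im === false) {
        return false;
    }
    $ok = imagegif($im, $dst);
    imagedestroy($im);
    return $ok;
}

function contains_marker(string $path, string $marker): bool
{
    return strpos((string) file_get_contents($path), $marker) !== false;
}

// Constructed input: a 2x2 palette GIF produced by GD, with a harmless marker
// string appended after the GIF trailer.
$marker = 'APPENDED-TEXT-MARKER';
$im = imagecreate(2, 2);
imagecolorallocate($im, 255, 255, 255);   // background colour
ob_start();
imagegif($im);                             // no path: write the GIF to the output buffer
$bytes = ob_get_clean();
imagedestroy($im);

$src = tempnam(sys_get_temp_dir(), 'gif');
$dst = tempnam(sys_get_temp_dir(), 'gif');
file_put_contents($src, $bytes . $marker);

printf("header check  : %s\n", header_check($src) ? 'pass' : 'fail');          // pass
printf("getimagesize  : %s\n", getimagesize_check($src) ? 'pass' : 'fail');    // pass
printf("marker before : %s\n", contains_marker($src, $marker) ? 'present' : 'absent');
printf("re-render     : %s\n", rerender_gif($src, $dst) ? 'ok' : 'failed');
printf("marker after  : %s\n", contains_marker($dst, $marker) ? 'present' : 'absent');   // absent
unlink($src);
unlink($dst);
```

Two caveats follow from this. imagecreatefromgif() succeeding says nothing about bytes after the trailer; it is the re-encoding that removes them, so the original upload must be discarded as the Pass-16 code does. And since the text above notes that images exist whose payload survives re-rendering, the stored file must still be unreachable by anything like include.php and must live under a name and extension that the web server never executes.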
Pass-17, image content check
Same as above; use include.php.