The ancient philosopher Heraclitus said, "No man ever steps in the same river twice." That line captures the ever-changing nature of things: yesterday's me is already dead, today's me is still alive, and tomorrow's me is being born. The ghost who died yesterday was in love with girl A, today's me is head over heels for girl B, and tomorrow's me will be eyeing that Russian girl called Ling in your year, who has a pretty nice figure and face! Every day I am brand new; whenever I love a girl I love her with my whole heart, but I can't stop myself from dying again and again.
Black-box testing
Uploaded m.php and got "this file is not allowed". Kept going by changing the extension: Php, PHP, PhP and so on were all refused, so the filter probably normalises case (the code converts the uploaded file's extension to lower case). Uploading a .htaccess is refused too, and changing the Content-Type changes nothing, so the code-level filter apparently cannot be bypassed on its own; time to try some server-level parsing quirks.
Lab 1 of this series covered most of the server-level parsing vulnerabilities, and probing shows the server is Windows, so let's try the Windows extension-parsing quirk.
Uploaded m.php. and got "not allowed", so the code already strips trailing dots from the extension. Then tried m.php[space], and the upload succeeded. In other words, the code only strips dots from the extension, not spaces, and because of Windows file-naming rules (a trailing space is dropped when the file is written) the file lands on disk as m.php.
Running the same routine against Lab 7 shows the reverse: trailing spaces after the extension are filtered, but trailing dots are not.
Since Labs 6 and 7 each filter only one of the two (the dot or the space), you can upload m.php.[space].[space]; that extension is accepted by both labs.
White-box testing
Lab 6
```php
if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
    $file_name = $_FILES['upload_file']['name'];
    $file_name = deldot($file_name); // strip trailing dots from the file name (note: no trim(), so a trailing space survives)
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); // convert to lower case
    $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
    // ... the check of $file_ext against $deny_ext and the file move follow (not shown here)
}
```
Lab 7
```php
if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
    $file_name = trim($_FILES['upload_file']['name']); // strip leading/trailing whitespace (note: no deldot(), so a trailing dot survives)
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); // convert to lower case
    $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
    $file_ext = trim($file_ext); // strip leading/trailing whitespace
    // ... the check of $file_ext against $deny_ext and the file move follow (not shown here)
}
```
The filtering mechanism is the same as in the earlier labs: a blacklist, applied after the uploaded file's extension has been processed: converted to lower case, trailing dots or spaces removed, and the ::$DATA string stripped.
When uploading a web shell, the very first step is to fingerprint the server and consider both server-level parsing vulnerabilities and code-level ones. On the code side it boils down to blacklists, case filtering and file renaming; on the server side there are only a handful of parsing quirks. Combining them flexibly is what gets the upload through. And since the only feedback during an upload is "not allowed" or "upload succeeded", there is no further information to probe, so it comes down to guessing and testing, over and over.
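The following is an added example, not upload-labs code: it models the Lab 6 and Lab 7 extension handling side by side and contrasts them with a hardened version that normalises the name to a fixpoint and then whitelists instead of blacklisting. It assumes deldot() only strips trailing dots (modelled here as rtrim($s, '.')), and the allowed-extension list and sample names are constructed for the demonstration.

```php
<?php
// Added example, not upload-labs code. deldot() is modelled as rtrim($s, '.')
// (assumption: like the lab helper, it only removes trailing dots).

function lab6_ext(string $name): string {
    $name = rtrim($name, '.');                 // deldot(): trailing dots go, trailing spaces stay
    $ext  = strtolower((string) strrchr($name, '.'));
    return str_ireplace('::$DATA', '', $ext);  // no trim(): ".php " is not in the blacklist
}

function lab7_ext(string $name): string {
    $name = trim($name);                       // trim(): spaces go, trailing dots stay
    $ext  = strtolower((string) strrchr($name, '.'));
    $ext  = str_ireplace('::$DATA', '', $ext);
    return trim($ext);                         // no deldot(): "m.php." yields "." which is not blacklisted
}

// Hardened variant: remove ::$DATA, trailing dots and whitespace repeatedly until
// nothing changes (so "m.php. ." collapses to "m.php"), then whitelist the result.
function canonical_ext(string $name): string {
    do {
        $before = $name;
        $name   = str_ireplace('::$DATA', '', $name);
        $name   = rtrim($name, ". \t\r\n");
    } while ($name !== $before);
    $ext = strrchr($name, '.');
    return $ext === false ? '' : strtolower($ext);
}

function is_allowed(string $name): bool {
    // Constructed whitelist for the demo; only canonicalised extensions are compared.
    return in_array(canonical_ext($name), ['.jpg', '.jpeg', '.png', '.gif'], true);
}

// Abridged copy of the lab blacklist, enough to show which names slip through.
$deny = ['.php', '.php5', '.phtml', '.htaccess'];

// On Windows "m.php " and "m.php." are both stored as m.php, which is why a
// blacklist that misses either form is not enough.
foreach (['m.php', 'm.php ', 'm.php.', 'm.php. .', 'm.php::$DATA', 'pic.jpg'] as $n) {
    printf("%-16s lab6_blocks=%-4s lab7_blocks=%-4s hardened_allows=%s\n",
        json_encode($n),
        in_array(lab6_ext($n), $deny, true) ? 'yes' : 'no',
        in_array(lab7_ext($n), $deny, true) ? 'yes' : 'no',
        is_allowed($n) ? 'yes' : 'no');
}
```

Running it shows Lab 6 letting "m.php " through, Lab 7 letting "m.php." through, both letting "m.php. ." through, and the hardened check rejecting all of them while still accepting pic.jpg.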