"Do you know that people in China are now divided into gaofushuai (tall, rich and handsome) and diaosi (losers)? A gaofushuai is the kind of guy pretty girls throw themselves at; when that fails or they get dumped, they go and cry on the shoulder of the kind of boy who really likes them but whom they look down on, and that boy is the diaosi." "When they accidentally get pregnant by a gaofushuai, the diaosi sadly takes them to the hospital and comforts them; once they have recovered they go off looking for another gaofushuai, and when the diaosi leaves them messages on QQ they never reply again..."
Black-box testing
I tried uploading the webshell file m.php and got the message that this file is not allowed to be uploaded. So I kept trying different extensions, changed it to m.PHp, and to my surprise it uploaded straight away... After reading the source I found that this extension simply was not in the blacklist.
Next I captured the request with Burp and used the Intruder module, feeding every extension, including all upper/lower-case variants, as the brute-force wordlist.
It did indeed upload successfully. Of course, in a real penetration test this method is only for reference; you have to analyse and handle things according to the actual situation.
White-box testing
```php
if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name); // strip the trailing dot(s) from the file name
    $file_ext = strrchr($file_name, '.');
    $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
    $file_ext = trim($file_ext); // trim leading and trailing whitespace
    // The excerpt ends here. The blacklist lookup described in the text is what
    // decides the upload; note there is no strtolower() before the comparison.
    if (!in_array($file_ext, $deny_ext)) {
        // extension not in the blacklist: the lab goes on to save the file here
    }
}
```
Just like lab 3 and lab 4, this uses a blacklist mechanism: the extensions in the $deny_ext array are not allowed to be uploaded, and it also filters case variants such as pHp. But on closer inspection, the code never converts the extension from upper case to lower case, so m.PHp just happens not to be in the blacklist. Luck is part of skill too. In many cases, when you find that m.pHp is rejected, consider that it may be a blacklist mechanism and keep trying m.Php, m.PHP, m.phP and so on.
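As an added example (not the lab's own code), here is the page's case-sensitive blacklist check placed next to a hardened check that lowercases the extension and compares it against an allowlist, run over the file names the text mentions. The sample names are constructed, the blacklist is a subset of the one above, and the image-only allowlist is an assumption about what the upload form needs.

```php
<?php
// Added example, not code from upload-labs: vulnerable vs. hardened extension check.

// Normalisation performed by the page's snippet, with lowercasing made optional
// so the two checks below differ only in the comparison step.
function normalize_ext(string $file_name, bool $lowercase): string {
    $file_name = rtrim(trim($file_name), '.');      // deldot(): strip trailing dots
    $ext = strrchr($file_name, '.');
    if ($ext === false) {
        return '';
    }
    $ext = str_ireplace('::$DATA', '', $ext);       // strip NTFS ::$DATA stream suffix
    $ext = trim($ext);
    return $lowercase ? strtolower($ext) : $ext;
}

// Vulnerable check as on the page: denylist compared case-sensitively (subset).
function blacklist_allows(string $file_name): bool {
    $deny_ext = ['.php', '.php5', '.php4', '.php3', '.php2', '.phtml',
                 '.pHp', '.pHp5', '.pHp4', '.pHp3', '.pHp2', '.pHtml', '.htaccess'];
    return !in_array(normalize_ext($file_name, false), $deny_ext, true);
}

// Hardened check: lowercase first, then require membership in an allowlist of
// the types the form actually needs (assumed here: images only).
function allowlist_allows(string $file_name): bool {
    $allow_ext = ['.jpg', '.jpeg', '.png', '.gif'];
    return in_array(normalize_ext($file_name, true), $allow_ext, true);
}

// Constructed inputs: the case variants the page discusses, two classic
// normalisation tricks the snippet already handles, and one legitimate image.
$samples = ['m.php', 'm.pHp', 'm.PHp', 'm.Php', 'm.PHP', 'm.phP',
            'm.php::$DATA', 'm.php.', 'cat.JPG'];
foreach ($samples as $name) {
    printf("%-14s blacklist:%-5s allowlist:%s\n", $name,
        blacklist_allows($name) ? 'pass' : 'deny',
        allowlist_allows($name) ? 'pass' : 'deny');
}
```

Only m.php and m.pHp are stopped by the blacklist; every other case variant passes it, while the allowlist rejects all of them and still accepts cat.JPG.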