Upload-labs文件上传漏洞(::$DATA)——Pass08

拼搏现实的明天。 2023-03-02 04:53 163阅读 0赞

0×00 题目描述

20200727171642987.png

我不怕你

0×01 源码分析

  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = strtolower($file_ext); //转换为小写
  10.         $file_ext = trim($file_ext); //首尾去空
  12.         if (!in_array($file_ext, $deny_ext)) {
  13.             $temp_file = $_FILES['upload_file']['tmp_name'];
  14.             $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
  15.             if (move_uploaded_file($temp_file, $img_path)) {
  16.                 $is_upload = true;
  17.             } else {
  18.                 $msg = '上传出错!';
  19.             }
  20.         } else {
  21.             $msg = '此文件类型不允许上传!';
  22.         }
  23.     } else {
  24.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  25.     }
  26. }

和魔鬼Pass04相比

  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
  6.         $file_name = trim($_FILES['upload_file']['name']);
  7.         $file_name = deldot($file_name);//删除文件名末尾的点
  8.         $file_ext = strrchr($file_name, '.');
  9.         $file_ext = strtolower($file_ext); //转换为小写
  10.         $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
  11.         $file_ext = trim($file_ext); //收尾去空
  13.         if (!in_array($file_ext, $deny_ext)) {
  14.             $temp_file = $_FILES['upload_file']['tmp_name'];
  15.             $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
  16.             if (move_uploaded_file($temp_file, $img_path)) {
  17.                 $is_upload = true;
  18.             } else {
  19.                 $msg = '上传出错!';
  20.             }
  21.         } else {
  22.             $msg = '此文件不允许上传!';
  23.         }
  24.     } else {
  25.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  26.     }
  27. }

看到第十行,本题没有去除字符串::$DATA

所以抓包加上就可以了

2020072717205463.png

20200727172102966.png

成功是成功了,就是不知道为啥forbidden了,留坑

2020072717214183.png

发表评论

表情:
评论列表 (有 0 条评论,163人围观)

还没有评论,来说两句吧...

相关阅读

    相关 文件漏洞详解

    0x01 上传漏洞定义 文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力。这种攻击方式是最为直接和有效的,“文件上传”本身没有

    左手的ㄟ右手左手的ㄟ右手/ 0/ 233 阅读

    相关 文件漏洞概述

    文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力,这种攻击方式是最为直接和有效的,有时候几乎没有什么技术门槛。 文件上传后导致的常

    墨蓝墨蓝/ 0/ 356 阅读

    相关 预防文件漏洞

    预防文件上传漏洞 1.为了防范用户上传恶意的可执行文件和脚本,以及将文件上传服务器当做免费的文件存储服务器使用,需要对上传的文件类型进行白名单(非黑名单,这点非常重要)校

    川长思鸟来川长思鸟来/ 0/ 491 阅读