upload-labs write-up

Pass-01 JS check

Condition: the front end restricts the suffix (.jpg/.png/.gif) with JavaScript.
Rename the .php file to .jpg/.png/.gif.

Pass-02 Content-Type check

Condition: the backend checks the MIME type (Content-Type).

Pass-03 blacklist bypass

Condition: the backend blacklists the suffixes .asp/.aspx/.php/.jsp.
You can upload .phtml, .phps, .php5 or .pht instead, provided Apache's httpd.conf contains the following configuration line:

AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml


Pass-04 .htaccess bypass

Condition: .htaccess bypass. The blacklist rejects almost every problematic suffix except .htaccess.
Prerequisites: 1. the mod_rewrite module is enabled; 2. AllowOverride All is set.
So first upload a .htaccess file with the following content:

SetHandler application/x-httpd-php

This way, all files (in the upload directory) will be parsed as PHP.
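Both Pass-03 and Pass-04 depend on how Apache is configured rather than on the PHP check itself: a broad AddType line that maps extra suffixes onto the PHP handler, and AllowOverride All letting an uploaded .htaccess change the handler. The configuration below is an added example of the corresponding hardening; it is not upload-labs' own configuration, assumes Apache 2.4 with mod_php, and uses /var/www/html/upload as a placeholder for the upload directory.

```apache
# Added example (not upload-labs' own configuration): Apache hardening
# against the Pass-03 and Pass-04 setups. Paths are placeholders.

# 1. Map only ".php" onto the PHP handler. Remove any catch-all line such as
#    "AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml"
#    so that .php3/.php5/.phtml/.pht/.phps are served as plain files, if at all.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# 2. In the upload directory: ignore .htaccess entirely (so an uploaded one
#    cannot set a handler), turn the PHP engine off (mod_php; with PHP-FPM,
#    leave this directory out of the FPM handler/proxy instead), and refuse
#    to serve anything that still looks like a script or a config file.
<Directory "/var/www/html/upload">
    AllowOverride None
    php_admin_flag engine off
    Options -ExecCGI -Includes
    <FilesMatch "\.(?i:ph(p[3-5]?|t|tml|ps)|htaccess|user\.ini)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With AllowOverride None, the SetHandler line in an uploaded .htaccess is never read, and with the engine off even a file that does reach the directory under a .php name is returned as static content instead of being executed.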

Pass-05 dot+space+dot bypass

You can use the Pass-10 method, the dot-space-dot bypass (". ."). The check first trims the spaces at both ends of the file name, but the suffix we construct has no spaces at its ends, so that step does nothing. It then removes the last dot of our suffix, and then filters out one of our spaces. At this point the extracted suffix is not in the blacklist, so the file can be uploaded, and because the file is stored on Windows, which also drops the trailing dot of a file name, we end up with .php and the bypass is complete.

Supplement: this level is actually meant to be bypassed via .user.ini, but I tried several times without success; once I get it working I will add that method.

Pass-06 case bypass

Condition: case bypass, i.e. change the case of the suffix.

Pass-07 space bypass

Condition: space bypass.
This level does not strip spaces from the suffix, so it can be bypassed by appending a space to the suffix.

Pass-08 dot bypass

Condition: dot bypass.
A trailing dot in the suffix is not handled. Windows automatically removes the last "." of a file name, so you can append "." to the suffix to bypass the check:

Pass-09 ::$DATA bypass

The "::$DATA" in the suffix is not filtered. Under PHP on Windows, if the file name is followed by "::$DATA", Windows treats the data after ::$DATA as a file stream, does not check the suffix, and keeps the file name before "::$DATA". Using this Windows feature, you can append "::$DATA" to the suffix to bypass the check:

Pass-10 dot+space+dot bypass

The code first removes all dots at the end of the file name, then trims the spaces before and after it, and then uses strrchr to find the dot that determines the suffix; but when the file is finally saved, the original file name is used without renaming, so 1.php. . (dot+space+dot) can be used to bypass it.

Pass-11 double write bypass

Blacklist filtering: a suffix found in the blacklist is replaced with an empty string, but only in a single pass, so it can be bypassed by writing the suffix twice (double write).
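Pass-05 to Pass-11 all share one design flaw: the server tries to clean or deny a client-chosen file name and then saves the file under that name. The script below is an added example, not upload-labs' own code; it mirrors the sanitisation order the levels describe (trim, strip trailing dots, take the text after the last dot, lower-case, drop ::$DATA, trim) and the single-pass replacement of Pass-11, and sets them beside a whitelist check that derives the extension itself and never reuses the client's name. The sample names and the deny/allow lists are constructed for the illustration.

```php
<?php
// Added example, not upload-labs' own code. Blacklist-style suffix
// sanitisation (Pass-05, Pass-10, Pass-11) beside a whitelist check.
// Sample names and lists below are constructed for illustration.

const DENY_EXT  = ['.php', '.php3', '.php5', '.phtml', '.pht', '.phps', '.htaccess'];
const DENY_BARE = ['php', 'php3', 'php5', 'phtml', 'pht', 'phps', 'htaccess'];
const ALLOW_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Blacklist style, in the order the levels describe. Note that the level
// then saves the file under the ORIGINAL $name, not under the cleaned one,
// so whatever the file system does with trailing dots/spaces decides the result.
function blacklist_suffix(string $name): string
{
    $tmp = trim($name);
    $tmp = rtrim($tmp, '.');                          // the levels' deldot()
    $ext = strrchr($tmp, '.') ?: '';                  // suffix from the last dot
    $ext = str_ireplace('::$DATA', '', strtolower($ext));
    return trim($ext);
}

// Pass-11 style: deny-listed suffixes are removed in a single pass and the
// result is not re-checked, so a suffix written twice survives the pass.
function single_pass_strip(string $name): string
{
    return str_ireplace(DENY_BARE, '', $name);
}

// Hardened: split the raw name with pathinfo(), accept only a known image
// extension, and choose a server-generated name so nothing from the client
// (dots, spaces, NTFS stream suffixes, case tricks) reaches the file system.
function whitelist_name(string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOW_EXT, true)) {
        return null;                                  // reject; do not try to "clean"
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names covering the tricks from Pass-05 to Pass-11.
$samples = ['shell.php', 'shell.php. .', 'shell.PHP', 'shell.php ',
            'shell.php.', 'shell.php::$DATA', 'shell.pphphp', 'photo.jpg'];

foreach ($samples as $name) {
    printf("%-22s blacklist_suffix=%-10s in_deny=%-5s single_pass=%-18s whitelist=%s\n",
        json_encode($name),
        json_encode(blacklist_suffix($name)),
        in_array(blacklist_suffix($name), DENY_EXT, true) ? 'yes' : 'no',
        json_encode(single_pass_strip($name)),
        whitelist_name($name) ?? 'rejected');
}
```

Run it with `php sanitise.php` (any file name will do). The "in_deny=no" rows next to names that still end in something Windows would reduce to .php are exactly the Pass-05/Pass-10 cases; the Pass-11 row shows the single pass turning the doubled suffix back into the denied one; the whitelist column rejects every one of them and accepts only photo.jpg, under a fresh name.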

Pass-12 00 truncation

Whitelist check, but $img_path is concatenated directly from user input, so it can be bypassed with %00 truncation.

Truncation condition: the PHP version is lower than 5.3.4 and magic_quotes_gpc is OFF.


Pass-13 00 truncation

The save_path parameter is passed via POST and is also truncated with 00, but because POST does not automatically decode %00 the way GET does, the null byte has to be inserted at the binary level (in the raw request).

Pass-14 image trojan bypass

The file type is judged by reading the first 2 bytes of the file, so you can upload an image trojan (an image file with PHP code inside it) directly.
Accessing the image directly does not parse it as PHP, so a file inclusion vulnerability is needed.

Pass-15 getimagesize() image trojan

This level uses the getimagesize() function to determine the file type; it can also be bypassed with an image trojan, by the same method as Pass-14.

Pass-16 exif_imagetype() image trojan

Here the PHP exif_imagetype() function is used to determine the file type; it is bypassed with an image trojan, by the same method as Pass-14.

Pass-17 secondary rendering

After checking the suffix and Content-Type and using imagecreatefromgif to determine whether it is a GIF image, the level finally re-renders the image (secondary rendering); you can refer to this article for details. However, when I reproduced it, the PHP code was still altered after the second rendering.
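The difference between Pass-14 to Pass-16 and Pass-17 is whether the server trusts the image header or rebuilds the image. The script below is an added example, not upload-labs' own code: it constructs a real 1x1 GIF, appends arbitrary trailing bytes to it, shows that a header-based check such as exif_imagetype() still accepts the file, and then re-encodes it through GD the way Pass-17 does, which leaves only pixel data in the output. It requires the GD and exif extensions; the file names and the trailer text are constructed.

```php
<?php
// Added example, not upload-labs' own code. Header checks (Pass-14 to
// Pass-16) versus GD re-encoding (Pass-17). Requires ext/gd and ext/exif.
// The sample file and its trailer are constructed here, not uploaded.

// Signature-style check: looks at the image header only, not at what follows.
function looks_like_image(string $path): bool
{
    $type = @exif_imagetype($path);               // IMAGETYPE_* or false
    return in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
}

// Hardened handling: decode with GD and write a fresh file under a
// server-generated name whose extension follows the DETECTED type.
// Only pixel data survives; bytes appended after the image trailer are dropped.
function reencode_image(string $src, string $dstDir): ?string
{
    $type = @exif_imagetype($src);
    $codecs = [
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
    ];
    if (!isset($codecs[$type])) {
        return null;                                // not one of the allowed types
    }
    [$load, $save, $ext] = $codecs[$type];
    $im = @$load($src);
    if ($im === false) {
        return null;                                // header said image, body did not decode
    }
    $dst = $dstDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    $save($im, $dst);
    imagedestroy($im);
    return $dst;
}

// Constructed sample: a genuine 1x1 GIF with a text trailer appended.
$dir    = sys_get_temp_dir();
$sample = $dir . '/sample.gif';
$im = imagecreatetruecolor(1, 1);
imagegif($im, $sample);
imagedestroy($im);
file_put_contents($sample, 'TRAILING-DATA', FILE_APPEND);

var_dump(looks_like_image($sample));                                    // header check passes
var_dump(strpos(file_get_contents($sample), 'TRAILING-DATA') !== false); // trailer is present

$clean = reencode_image($sample, $dir);
var_dump($clean !== null);
var_dump(strpos(file_get_contents($clean), 'TRAILING-DATA') !== false);  // trailer after re-encoding
```

The first two var_dump calls show the situation of Pass-14 to Pass-16: the file is accepted although it carries extra data. The last one shows why Pass-17 is harder, as the page's own reproduction found: GD decodes the frame and writes a new file, so anything stored outside the pixel data does not carry over. Storing the re-encoded copy under a server-chosen name, with the extension tied to the detected type, also removes the dependence on the client's suffix.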

Pass-18 race condition

This is a race condition. The file is first uploaded to the server and only then is its suffix checked against the whitelist: if it passes, the file is renamed, otherwise it is deleted. So we can upload 1.php and just need to access it before it is deleted: use Burp's Intruder module to keep uploading while we keep requesting and refreshing the file's address.

Pass-19 race condition

This is also a race condition, but this level first whitelists the file suffix and then checks the file size, whether the file exists, and so on, step by step. So you can upload images continuously; because of the race, the rename may not happen in time, and the upload succeeds.
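Pass-18 and Pass-19 work because the file is placed somewhere reachable before it is fully validated, and the window between the two steps is what the repeated requests exploit. The handler below is an added example, not upload-labs' own code: the first function follows the vulnerable order the levels describe (move into the web root, check, delete on failure), the second runs every check against PHP's temporary upload file, which lives outside the web root, and moves it only as the final step under a server-generated name. The upload directory, the size limit and the $_FILES entry name are assumptions.

```php
<?php
// Added example, not upload-labs' own code. Check-after-move (Pass-18/19)
// versus check-before-move. Directory, size limit and field name are assumed.

const WEB_UPLOADS = '/var/www/html/upload';        // served by the web server
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];
const MAX_BYTES   = 2 * 1024 * 1024;

// Vulnerable ordering: move first, check afterwards. Between
// move_uploaded_file() and unlink() the unchecked file is live on the site,
// and the rename/delete may lose the race against concurrent requests.
function save_then_check(array $file): ?string
{
    $dst = WEB_UPLOADS . '/' . $file['name'];
    if (!move_uploaded_file($file['tmp_name'], $dst)) {
        return null;
    }
    $ext = strtolower(pathinfo($dst, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        unlink($dst);                                // too late: it was already reachable
        return null;
    }
    return $dst;
}

// Hardened ordering: every check runs on the temporary upload, which PHP
// keeps outside the document root, and the move is the last operation.
function check_then_save(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Content check before anything is published (requires ext/exif).
    $type = @exif_imagetype($file['tmp_name']);
    if (!in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }
    // Server-generated name: nothing client-controlled reaches the path, and
    // there is no intermediate file to rename, so no window to race.
    $dst = WEB_UPLOADS . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dst) ? $dst : null;
}

// Usage inside an upload handler (field name is an assumption):
if (isset($_FILES['upload_file'])) {
    $saved = check_then_save($_FILES['upload_file']);
    echo $saved === null ? "rejected\n" : "stored as " . basename($saved) . "\n";
}
```

The hardened version never creates a file in the web root that could still be rejected, so hammering the upload and the download URL in parallel, as in Pass-18, has nothing to hit; there is also no rename step for Pass-19's late rename to miss.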

Pass-20 00 truncation

The $img_path in the move_uploaded_file() call is controlled by the POST parameter save_name, so it can be bypassed with 00 truncation in save_name.
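Pass-12, Pass-13 and Pass-20 share the same root cause: part of the destination path (save_path or save_name) comes from the client and is concatenated into $img_path, and on old PHP a NUL byte ends the string early. The script below is an added example, not upload-labs' own code. It reproduces that concatenation with a constructed save_path value containing a NUL, shows that current PHP refuses file-system calls on such a path (so the truncation itself no longer works there, though the concatenation remains a bug), and sets it beside a builder in which the client supplies no part of the path at all. The upload directory is a placeholder.

```php
<?php
// Added example, not upload-labs' own code. Client-controlled path
// concatenation (Pass-12/13/20) versus a server-built path. Directory is a
// placeholder; the NUL-bearing sample value is constructed.

const UPLOAD_PATH = '/var/www/html/upload';

// Vulnerable: the client-supplied directory is trusted and only the file name
// is generated server-side. On PHP < 5.3.4 (magic_quotes_gpc off) everything
// after a NUL in $savePath is ignored by the file system, so the server's
// own ".jpg" suffix never takes effect.
function build_path_unsafe(string $savePath, string $ext): string
{
    return $savePath . '/' . date('YmdHis') . rand(1000, 9999) . '.' . $ext;
}

function contains_nul(string $path): bool
{
    return strpos($path, "\0") !== false;
}

// Attempt a write and report whether PHP accepted the path at all.
// PHP 8 throws a ValueError for paths with NUL bytes; PHP 7 warns and
// returns null, so both are folded into "rejected".
function try_write(string $path): bool
{
    try {
        $result = @file_put_contents($path, '');
    } catch (\Throwable $e) {
        return false;
    }
    return $result !== false && $result !== null;
}

// Hardened: the client never supplies any part of the path. The directory is
// a server constant and the extension must come from a fixed allow list.
function build_path_safe(string $ext): ?string
{
    $ext = strtolower($ext);
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    return UPLOAD_PATH . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed save_path as it would arrive after %00 decoding (Pass-12) or as
// a raw NUL in the POST body (Pass-13): the server's suffix follows the NUL.
$clientPath = UPLOAD_PATH . "/x.php\0";
$unsafe = build_path_unsafe($clientPath, 'jpg');

var_dump(contains_nul($unsafe));      // the NUL survived concatenation unchanged
var_dump(try_write($unsafe));         // current PHP refuses the path outright

var_dump(build_path_safe('php'));     // not on the allow list: null
var_dump(build_path_safe('JPG'));     // allowed: server-built path under UPLOAD_PATH
```

Even though modern PHP rejects the NUL-bearing path, the hardened builder is still the right fix: it removes the client's influence on the directory and the base name altogether, so neither a decoding quirk (Pass-12 vs Pass-13) nor a differently named parameter (save_name in Pass-20) changes where the file lands.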


Source: blog.csdn.net/guo15890025019/article/details/110067768