Readers can refer to and subscribe to the column: Upload-Labs shooting range offensive and defensive combat
Antsword Ant Sword
The use of Ant Sword tool can refer to:
[Network Security] AntSword (ant sword) actual combat problem solving detailed analysis (entry)
posture
Backend logic code:
<?php
include '../config.php';
include '../common.php';
include '../head.php';
include '../menu.php';
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
/*
$file_name = trim($_POST['save_name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
*/
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
}else{
$msg = '上传出错!';
}
}else{
$msg = '禁止保存为该类型文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
?>
<div id="upload_panel">
<ol>
<li>
<h3>任务</h3>
<p>上传一个<code>webshell</code>到服务器。</p>
</li>
<li>
<h3>上传区</h3>
<form enctype="multipart/form-data" method="post">
<p>请选择要上传的图片:<p>
<input class="input_file" type="file" name="upload_file"/>
<p>保存名称:<p>
<input class="input_text" type="text" name="save_name" value="upload-19.jpg" /><br/>
<input class="button" type="submit" name="submit" value="上传"/>
</form>
<div id="msg">
<?php
if($msg != null){
echo "提示:".$msg;
}
?>
</div>
<div id="img">
<?php
if($is_upload){
echo '<img src="'.$img_path.'" width="250px" />';
}
?>
</div>
</li>
<?php
if($_GET['action'] == "show_code"){
include 'show_code.php';
}
?>
</ol>
</div>
<?php
include '../footer.php';
?>
Simply put, a blacklist is defined, and then the move_uploaded_file function is used to move the temporary uploaded file to the specified target path
Since the move_uploaded_file function ignores the /. at the end of the file
Therefore, when we upload shell.php/., we can not only bypass the blacklist, but also change to shell.php when moving the path, so as to achieve the purpose of command execution.
Then upload:
Capture packets:
Repackage:
Packing:
Exploiting the files provided by the range contains the vulnerability:
Successfully achieved command execution:
Summarize
The above is the detailed analysis of [Network Security] upload-labs Pass-20 problem solving, and the detailed analysis of [Network Security] xss-labs Pass-21 problem solving will be shared later.
I am Qiu said , see you next time.