File Upload


File upload is a feature that most web applications provide, for example uploading attachments, changing an avatar, or sharing images and videos.


[Screenshot: DVWA File Upload]



Low


Settings are as follows:


[Screenshot 02: DVWA File Upload]


Source code:


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>


[Screenshot 03: DVWA File Upload]


The file uploads, and no restriction at all is applied.


[Screenshot 04: DVWA File Upload]


The returned path is a relative path, so we can try to browse to it.


[Screenshot 05: DVWA File Upload]

Next we upload a file of a different format to see whether it is accepted.


It turns out that no restriction is enforced at all.


[Screenshot 06: DVWA File Upload]


Capture the request with Burp Suite (BP).


[Screenshot 07: DVWA File Upload]


It looks like a limit on the file size is in place.


[Screenshot 08: DVWA File Upload]


Turn on intercept and modify the request.


[Screenshot 09: DVWA File Upload]


The upload actually succeeds, so the size limit was enforced only on the front end.


[Screenshot 10: DVWA File Upload]


Next we upload a one-line webshell.


[Screenshot 11: DVWA File Upload]


Open China Chopper (中国菜刀).


[Screenshot 12: DVWA File Upload]


Right-click and choose File Management.


[Screenshot 13: DVWA File Upload]


At this point we have obtained the privileges of the web service.


[Screenshot 14: DVWA File Upload]


Right-clicking also offers "Virtual Terminal".


[Screenshot 15: DVWA File Upload]


Configuration files can also be downloaded to the local machine.


[Screenshot 16: DVWA File Upload]


Now we use AntSword (中国蚁剑).


[Screenshot 17: DVWA File Upload]


Choose "File Management".


[Screenshot 18: DVWA File Upload]


It works just the same.


[Screenshot 19: DVWA File Upload]


Medium


Settings are as follows:


[Screenshot 20: DVWA File Upload]


Source code:


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>


Examining the response here, we find that the file type is now restricted.


[Screenshot 21: DVWA File Upload]


The file must be a JPEG or a PNG.


[Screenshot 22: DVWA File Upload]


So let's see whether the upload goes through if we intercept and modify the request.


[Screenshot 23: DVWA File Upload]


Surprisingly, it succeeds: the check relies on the type reported in $_FILES, which is supplied by the client.


[Screenshot 24: DVWA File Upload]


Now that the file is uploaded, we use Godzilla (哥斯拉).


[Screenshot 25: DVWA File Upload]


Right-click and choose "Enter".


[Screenshot 26: DVWA File Upload]


Basic information


[Screenshot 27: DVWA File Upload]


Too many features to list.


[Screenshot 28: DVWA File Upload]


Gaining control of the web site is enough for our purposes.


High


Settings are as follows:


[Screenshot 29: DVWA File Upload]


Source code:


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>


Uploading a zip file fails.


[Screenshot 30: DVWA File Upload]


Modify the captured request and try again.


[Screenshot 31: DVWA File Upload]


After modifying the request it still fails, which shows that the file name (its extension) is checked as well.


[Screenshot 32: DVWA File Upload]


So the only option left is to craft an image webshell.

But an image file will not be executed as PHP, so a file inclusion vulnerability is needed to get the uploaded image executed as PHP.


Open a cmd prompt and run:


copy aspx.jpg /b + 789.php /a 888.jpg


[Screenshot 33: DVWA File Upload]


This produces an image named 888.jpg; open it in a hex editor.


[Screenshot 34: DVWA File Upload]


The same PHP code is still there inside the image. Click Upload.


[Screenshot 35: DVWA File Upload]


After the upload succeeds, the file is not parsed as PHP; it can only be executed in combination with a file inclusion vulnerability.


[Screenshot 36: DVWA File Upload]


This method cannot be verified with China Chopper for now, because the uploaded file is static and is not executed on its own; the site's file inclusion vulnerability would have to be exploited as well.
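From the defender's side, the hex-editor step above can be automated. The following PHP script is an added example and is not part of the original post or of DVWA: it walks the JPEG or PNG structure to the end-of-image marker (IEND chunk or EOI marker) and reports any bytes that follow it, plus any PHP open tag anywhere in the file, which is exactly the signature left by copy /b. The uploads path is an assumption (the DVWA default is hackable/uploads). The impossible level's re-encoding through GD removes such trailing data, which is why that level is not affected.

```php
<?php
// Added example (not DVWA code): flag image uploads that carry data after the
// end of the image, which is what "copy /b image.jpg + x.php" produces.
declare(strict_types=1);

/**
 * Offset just past the end of the image structure, or null if the bytes are
 * not a well-formed JPEG or PNG.
 */
function imageStructureEnd(string $data): ?int
{
    $len = strlen($data);

    // PNG: 8-byte signature, then chunks of length(4) type(4) data crc(4);
    // the image ends with the IEND chunk.
    if (substr($data, 0, 8) === "\x89PNG\r\n\x1a\n") {
        $pos = 8;
        while ($pos + 8 <= $len) {
            $chunkLen = unpack('N', substr($data, $pos, 4))[1];
            $type     = substr($data, $pos + 4, 4);
            $pos     += 8 + $chunkLen + 4;
            if ($pos > $len) {
                return null;            // truncated chunk
            }
            if ($type === 'IEND') {
                return $pos;
            }
        }
        return null;                    // no IEND chunk found
    }

    // JPEG: SOI, then marker segments; the image ends at the EOI marker (FF D9).
    if (substr($data, 0, 2) === "\xFF\xD8") {
        $pos = 2;
        while ($pos + 2 <= $len) {
            if ($data[$pos] !== "\xFF") {
                return null;            // expected a marker here
            }
            $marker = ord($data[$pos + 1]);
            if ($marker === 0xD9) {
                return $pos + 2;        // EOI
            }
            if ($marker === 0xFF) {
                $pos++;                 // fill byte
                continue;
            }
            if ($marker === 0x01 || ($marker >= 0xD0 && $marker <= 0xD7)) {
                $pos += 2;              // TEM / RSTn carry no length field
                continue;
            }
            if ($pos + 4 > $len) {
                return null;
            }
            $pos += 2 + unpack('n', substr($data, $pos + 2, 2))[1];
            if ($marker === 0xDA) {
                // SOS: entropy-coded data runs until a marker other than a
                // stuffed FF 00 or an RSTn marker.
                while ($pos + 1 < $len) {
                    if ($data[$pos] === "\xFF") {
                        $next = ord($data[$pos + 1]);
                        if ($next !== 0x00 && !($next >= 0xD0 && $next <= 0xD7)) {
                            break;
                        }
                    }
                    $pos++;
                }
            }
        }
    }
    return null;                        // neither format, or no EOI
}

/** Findings for one file; an empty array means nothing suspicious. */
function inspectImage(string $path): array
{
    $data = file_get_contents($path);
    if ($data === false) {
        return ['unreadable'];
    }
    $findings = [];
    $end = imageStructureEnd($data);
    if ($end === null) {
        $findings[] = 'not a well-formed JPEG/PNG';
    } elseif ($end < strlen($data)) {
        $findings[] = (strlen($data) - $end) . ' trailing bytes after end of image';
    }
    // A PHP open tag anywhere (also inside EXIF/comment segments) is a red flag.
    if (preg_match('/<\?(?:php\b|=)/i', $data)) {
        $findings[] = 'contains a PHP open tag';
    }
    return $findings;
}

// Usage: php scan_uploads.php /var/www/html/hackable/uploads   (path is an assumption)
$dir = $argv[1] ?? 'hackable/uploads';
foreach (scandir($dir) ?: [] as $name) {
    if (!preg_match('/\.(?:jpe?g|png)$/i', $name)) {
        continue;
    }
    $findings = inspectImage($dir . DIRECTORY_SEPARATOR . $name);
    echo $name, ': ', $findings ? implode('; ', $findings) : 'clean', PHP_EOL;
}
```

A file built with copy /b is reported with both findings ("trailing bytes" and "contains a PHP open tag"); an untouched JPEG or PNG is reported clean. The parser walks the real segment structure rather than searching for the last FF D9, so an appended payload that happens to contain those two bytes is still caught.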


Impossible


Settings are as follows:


[Screenshot 37: DVWA File Upload]


Source code:


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
    $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
    $temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
    $temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
        ( $uploaded_size < 100000 ) &&
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
        if( $uploaded_type == 'image/jpeg' ) {
            $img = imagecreatefromjpeg( $uploaded_tmp );
            imagejpeg( $img, $temp_file, 100);
        }
        else {
            $img = imagecreatefrompng( $uploaded_tmp );
            imagepng( $img, $temp_file, 9);
        }
        imagedestroy( $img );

        // Can we move the file to the web root from the temp folder?
        if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
            // Yes!
            echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
        }
        else {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }

        // Delete any temp files
        if( file_exists( $temp_file ) )
            unlink( $temp_file );
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>


We can see that the file content is strictly checked, the file is renamed, the size and extension are restricted, and an anti-CSRF token is added.


Defensive measures


1. Check the file type, size and extension

2. Run the web service with the least privilege

3. Restrict the permissions of the upload directory

4. Deploy a WAF for deep inspection
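As an added example (not DVWA's code), here is an upload handler that implements points 1 to 3 of the list above and also closes the medium-level finding, where the check trusts $_FILES['type'] that the client sets, by detecting the type from the file bytes with finfo. Assumptions: the directory /var/lib/app/uploads lies outside the document root and is writable only by the web server account, the form field is named uploaded as in DVWA, and images are handed back through serveImage() rather than by a direct URL, so nothing in that directory can be executed even if the web server were misconfigured. ext/gd and ext/fileinfo are required.

```php
<?php
// Added example (not DVWA code): upload handler applying measures 1-3 above.
// Assumption: UPLOAD_DIR is outside the document root and writable only by the
// web server account, so nothing stored there is reachable by URL or executable.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/app/uploads';     // assumption, see above
const MAX_BYTES  = 100000;
// extension => [MIME type expected from the bytes, GD loader, GD writer]
const ALLOWED = [
    'jpg'  => ['image/jpeg', 'imagecreatefromjpeg', 'imagejpeg'],
    'jpeg' => ['image/jpeg', 'imagecreatefromjpeg', 'imagejpeg'],
    'png'  => ['image/png',  'imagecreatefrompng',  'imagepng'],
];

/** Validate one $_FILES entry and store it; returns the server-chosen name. */
function storeImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no file uploaded');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allow-list (last dot, lower-cased), as the high level does.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    [$mime, $load, $write] = ALLOWED[$ext];

    // 2. MIME type from the bytes on disk, not from $_FILES['type'], which the
    //    client sets and which the medium level trusts.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $mime) {
        throw new RuntimeException("content is $detected, expected $mime");
    }

    // 3. Re-encode through GD: only pixel data survives, so anything appended
    //    after the image (the copy /b trick) and any metadata are dropped.
    $img = @$load($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Random server-chosen name; the client's file name never touches the
    //    filesystem, and the file is stored non-executable outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    $ok   = $write($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);
    return $name;
}

/** serve.php?f=<name>: hand a stored image back with a fixed Content-Type. */
function serveImage(string $name): void
{
    // Only names this script generates are accepted, so "../" can never appear.
    if (!preg_match('/^[0-9a-f]{32}\.(jpe?g|png)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED[$ext][0]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Entry points; the form field name "uploaded" follows DVWA.
if (isset($_POST['Upload'])) {
    try {
        echo '<pre>Stored as ', htmlspecialchars(storeImage($_FILES['uploaded'] ?? [])), '</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Upload rejected: ', htmlspecialchars($e->getMessage()), '</pre>';
    }
} elseif (isset($_GET['f'])) {
    serveImage($_GET['f']);
}
```

Compared with the impossible level, the two extra steps are storing the file outside the web root and serving it through a script with a fixed Content-Type and nosniff, which is what measure 3 (upload directory permissions) and measure 2 (least privilege, since the web server account only needs write access to that one directory) amount to in practice. A WAF (measure 4) sits in front of all of this and is not something the application code can provide.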