思维导图

openresty stream 黑名单过滤_web安全

文件上传常见验证

后缀名,类型,文件头等

黑名单:明确不允许上传的格式后缀

如:$deny_ext = array(’.asp’,’.aspx’,’.php’,’.jsp’);

不允许上传后缀为asp, aspx ,php ,jsp 的文件

白名单:明确只允许上传的格式后缀

如:$ext_arr = array(‘jpg’,‘png’,‘gif’);

只允许上传jpg png gif 文件

文件类型:MIME 信息

MIME(Multipurpose Internet Mail Extensions)多用途互联网邮件扩展类型。是设定某种扩展名的文件用一种应用程序来打开的方式类型,当该扩展名文件被访问的时候,浏览器会自动使用指定应用程序来打开。多用于指定一些客户端自定义的文件名,以及一些媒体文件打开方式。

通用结构

type/subtype

MIME的组成结构非常简单;由类型与子类型两个字符串中间用'/'分隔而组成。不允许空格存在。type 表示可以被分多个子类的独立类别。subtype 表示细分后的每个类型。

MIME类型对大小写不敏感,但是传统写法都是小写

常见的MIME类型(通用型):

PNG图像 .png image/png

GIF图形 .gif image/gif

JPEG图形 .jpeg,.jpg image/jpeg

任意的二进制数据 application/octet-stream

GZIP文件 .gz application/x-gzip

TAR文件 .tar application/x-tar

RTF文本 .rtf application/rtf

PDF文档 .pdf application/pdf

Word文件 .word application/msword

普通文本 .txt text/plain

html文档 .html text/html

xml文档 .xml text/xml

XHTML文档 .xhtml application/xhtml+xml

au声音文件 .au audio/basic

MIDI音乐文件 mid,.midi audio/midi,audio/x-midi

RealAudio音乐文件 .ra, .ram audio/x-pn-realaudio

MPEG文件 .mpg,.mpeg video/mpeg

AVI文件 .avi video/x-msvideo

Content-Type称之为MIME信息

openresty stream 黑名单过滤_php_02

文件头:内容头信息

百度百科文件头

各类文件头信息

常见的文件头信息对照表

gif

openresty stream 黑名单过滤_上传_03

openresty stream 黑名单过滤_上传_04

png

openresty stream 黑名单过滤_上传_05

openresty stream 黑名单过滤_web安全_06

upload-labs-master 关卡分析

pass-1(前端验证)

openresty stream 黑名单过滤_安全_07

原理:触发上传后会返回到checkFile()函数进行图片不合法检测,checkFile()函数在js代码中,即客户端使用js对不合法图片进行检查。

绕过方式:

1-直接禁用浏览器js功能,然后上传shell脚本即可。

2-上传正常的文件后缀名,上传,然后抓包,改包,改为需要的后缀名。

openresty stream 黑名单过滤_上传_08


openresty stream 黑名单过滤_上传_09

上传成功

openresty stream 黑名单过滤_上传_10

复制图像链接

http://127.0.0.1/upload-labs-master/upload/pass1.php

openresty stream 黑名单过滤_web安全_11

pass-2(白名单 MIME)


上传pass2.php,抓包,

把content-Type:application/octet-stream

改为白名单允许的类型即可

image/jpeg image/png image/gif

openresty stream 黑名单过滤_web安全_12

openresty stream 黑名单过滤_web安全_13

放包,上传成功

复制图像链接

openresty stream 黑名单过滤_前端_14

http://127.0.0.1/upload-labs-master/upload/pass2.php

openresty stream 黑名单过滤_安全_15

pass-3(黑名单 特殊解析后缀)

<?php
include '../config.php';
include '../common.php';
include '../head.php';
include '../menu.php';

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);//移除文件两端的空白符
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');//返回从点往后的字符串  .xxxx yei
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

相关函数知识

PHP trim() 函数

trim() 函数移除字符串两侧的空白字符或其他预定义字符。

trim(string,charlist)

string

必需。规定要检查的字符串。

charlist

可选。规定从字符串中删除哪些字符。如果被省略,则移除以下所有字符:"\0" - NULL “\t” - 制表符 “\n” - 换行 “\x0B” - 垂直制表符 “\r” - 回车 " " - 空格

相关函数

ltrim() - 移除字符串左侧的空白字符或其他预定义字符

rtrim() - 移除字符串右侧的空白字符或其他预定义字符

PHP strrchr() 函数

strrchr() 函数查找字符串在另一个字符串中最后一次出现的位置,并返回从该位置到字符串结尾的所有字符

PHP str_ireplace() 函数

str_ireplace() 函数替换字符串中的一些字符(不区分大小写)

str_ireplace(find,replace,string,count)

find

必需。规定要查找的值。

replace

必需。规定替换 find 中的值的值。

string

必需。规定被搜索的字符串。

count

可选。一个变量,对替换数进行计数

str_ireplace(“WORLD”,“Shanghai”,“Hello world!”);

结果为:Hello Shanghai

不允许上传后缀为asp aspx php jsp 的文件。

可以利用 appache的特性

openresty stream 黑名单过滤_上传_16

php php3 php5 phtml 都会当做php解析执行

上传pass3.php3

openresty stream 黑名单过滤_安全_17

复制图片链接

http://127.0.0.1/upload-labs-master/upload/202203051325018349.php3

文件名变了,是因为有重命名

openresty stream 黑名单过滤_web安全_18

访问

openresty stream 黑名单过滤_web安全_19

apache 后缀名解析“漏洞”

pass-4(.htaccess解析)

仅存在于Apache中

.htaccess文件(或者"分布式配置文件"),全称是Hypertext Access(超文本入口)。提供了针对目录改变配置的方法,即在一个特定的文档目录中放置一个包含一个或多个指令的文件, 以作用于此目录及其所有子目录。作为用户,所能使用的命令受到限制

概述来说,htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置。通过htaccess文件,可以帮我们实现:

网页301重定向、

自定义404错误页面、

改变文件扩展名、

允许/阻止特定的用户或者目录的访问、

禁止目录列表、

配置默认文档等功能。

需要的一些配置

1.要打开mod_rewrite模块

phpstudy软件界面——>其他选项菜单——PHP扩展及设置——Apache扩展——rewrite_module模块

2.AllowOverride All。
其他选项菜单——打开配置文件——httpd.conf 文件
搜索查找AllowOverride None,然后把AllowOverride None修改为 AllowOverride All,完成后保存

创建.htaccess文件

<FilesMatch "pass4">
Sethandler application/x-httpd-php
</FilesMatch >

服务器会把文件名包含pass4的文件 当做php解析执行

pass4.jpg 内容

openresty stream 黑名单过滤_web安全_20

pass4.jpg

openresty stream 黑名单过滤_上传_21

pass456.jpg

openresty stream 黑名单过滤_上传_22

pass-5(.user.ini配置文件解析控制)

查看源码

is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

把所有可以解析的后缀名都给写死了,包括大小写转换,空格,还有点号,::$DATA

正常的php类文件上传不了了,并且拒绝上传 .htaccess 文件。

.user.ini。它比.htaccess 用的更广,不管服务器是 nginx/apache/IIS,当使用 CGI/
FastCGI 来解析 php 时,php 会优先搜索目录下所有的.ini 文件,并应用其中的配置。
类似于 apache 的.htaccess,但语法与.htacces 不同,语法跟 php.ini 一致。

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-OIWsFwzT-1646471990992)(QQ截图20220305150225.png)]

创建.user.ini 文件

auto_prepend_file=pass5.jpg

把pass5.jpg当做php解析

pass5.jpg实际内容

<?php
echo 'good luck';
phpinfo();
?>

先上传.user.ini 文件

再上传pass5.jpg

.user.ini 文件作用:所有的 php 文件都自动包含 pass5.jpg 文件。.user.ini 相当于一个用
户自定义的 php.ini。

其他:使用大小写绕过.htaccess . . 点空点进行绕过

pass-6(大小写绕过)

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

对于文件名后缀的校验时,没有进行通用的大小转换后的校验-

strtolower()
大小写绕过原理:

Windows 系统下,对于文件名中的大小写不敏感。例如:test.php 和 TeSt.PHP 是一
样的。
Linux 系统下,对于文件名中的大小写敏感。例如:test.php 和 TesT.php 就是不一样
的。

绕过方法:文件后缀为.PHP即可

http://127.0.0.1/upload-labs-master/upload/202203051559117765.PHP

openresty stream 黑名单过滤_web安全_23

Pass-07(空格绕过)

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

对上传的文件名未做去空格的操作-> trim()

Windows 系统下,对于文件名中空格会被作为空处理,程序中的检测代码却不能自动删除空格。从而绕过黑名单。

绕过方法:burp 抓包,修改对应的文件名 添加空格。即可

openresty stream 黑名单过滤_安全_24

http://127.0.0.1/upload-labs-master/upload/202203051604535072.php

openresty stream 黑名单过滤_安全_25

Pass-08 (点号绕过)

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

代码未对对上传的文件后缀名未做去点 . 的操作 -> strrchr($file_name, ‘.’)
利用 Windows 系统下,文件后缀名最后一个点会被自动去除。

绕过方法:文件后缀名为 .php.

openresty stream 黑名单过滤_php_26

http://127.0.0.1/upload-labs-master/upload/pass8.php.

openresty stream 黑名单过滤_web安全_27

Pass-09(::$DATA 绕过)

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

未对上传的文件后缀名为做去 ::openresty stream 黑名单过滤_web安全_28DATA"会把::openresty stream 黑名单过滤_web安全_29DATA之前的文件名,他的目的就是不检查后缀名**

例如:"phpinfo.php::$DATA"

Windows会自动去掉末尾的::$DATA变成"phpinfo.php

其中内容和所上传文件内容相同,并被解析。

绕过方法:上传带有一句话木马的文件,其文件名为pass9.php::$DATA

openresty stream 黑名单过滤_php_30

http://127.0.0.1/upload-labs-master/upload/202203051608257361.php::$data

http://127.0.0.1/upload-labs-master/upload/202203051608257361.php

openresty stream 黑名单过滤_web安全_31

pass-10(拼接绕过)

点空点绕过

pass10.php. .

$file_name = deldot($file_name);//删除文件名末尾的点 pass10.php.空格
        $file_ext = strrchr($file_name, '.'); //.php.空格
        $file_ext = strtolower($file_ext); //转换为小写  .php.空格
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA    .php.空格
        $file_ext = trim($file_ext); //首尾去空  .php.

http://127.0.0.1/upload-labs-master/upload/pass10.php.

openresty stream 黑名单过滤_web安全_32

pass11(双写绕过)

源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

利用 str_ireplace()将文件名中符合黑名单的字符串替换成空,只过滤了一次,存在漏洞

绕过方式:利用双写黑名单字符,对字符串的一次过滤后拼接出 php,文件 名 .pphphp

openresty stream 黑名单过滤_安全_33

http://127.0.0.1/upload-labs-master/upload/pass11.php

openresty stream 黑名单过滤_web安全_34

pass12(白名单 GET 型 0x00 截断)

使用白名单限制上传文件类型,但上传文件的存放路径可控,存在漏洞

产生条件:

需要 php 的版本号低于 5.3.29,且 magic_quotes_gpc 为关闭状态

(打开php的配置文件php-ini,将magic_quotes_gpc设置为Off)

绕过方法:设置上传路径为 upload/phpinfo.php%00 ,添加 phpinfo.php%00 内 容为了控制路径,上传文件后缀为白名单即可 例:test.jpg,保存后为 /upload/phpinfo.php%00test.jpg,但服务端读取到%00 时会自动结束,将文件 内容保存至 phpinfo.php 中

openresty stream 黑名单过滤_php_35

http://127.0.0.1/upload-labs-master/upload/pass12.php%EF%BF%BD/6720220305165151.jpg

http://127.0.0.1/upload-labs-master/upload/pass12.php

openresty stream 黑名单过滤_php_36

pass13(白名单 POST 型 0x00 截断)

源码

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

提交方式为POST

GET会自动解码

空格 ---->url 编码 %00

%00 ---->url 编码 %00

POST不会自动解码

%00 ---->url 编码 %25%30%30

因为 POST 不会像 GET 那样对%00 进行自动解码,

需要手动对进行编码

openresty stream 黑名单过滤_web安全_37

或者在 16 进制中修改

openresty stream 黑名单过滤_web安全_38

http://127.0.0.1/uploadlabsmaster/upload/pass13.php%EF%BF%BD/9120220305171015.jpg

http://127.0.0.1/upload-labs-master/upload/pass13.php

openresty stream 黑名单过滤_前端_39