第21天-WEB漏洞-文件上传之后端黑白名单绕过

思维导图

文件上传常见验证

后缀名，类型，文件头等

黑名单：明确不允许上传的格式后缀

如：$deny_ext = array(’.asp’,’.aspx’,’.php’,’.jsp’);

不允许上传后缀为asp, aspx ，php ，jsp 的文件

白名单：明确只允许上传的格式后缀

如：$ext_arr = array(‘jpg’,‘png’,‘gif’);

只允许上传jpg png gif 文件

文件类型：MIME 信息

MIME(Multipurpose Internet Mail Extensions)多用途互联网邮件扩展类型。是设定某种扩展名的文件用一种应用程序来打开的方式类型，当该扩展名文件被访问的时候，浏览器会自动使用指定应用程序来打开。多用于指定一些客户端自定义的文件名，以及一些媒体文件打开方式。

通用结构

type/subtype

MIME的组成结构非常简单；由类型与子类型两个字符串中间用'/'分隔而组成。不允许空格存在。type表示可以被分多个子类的独立类别。subtype 表示细分后的每个类型。

MIME类型对大小写不敏感，但是传统写法都是小写

常见的MIME类型(通用型)：

PNG图像 .png image/png

GIF图形 .gif image/gif

JPEG图形 .jpeg,.jpg image/jpeg

任意的二进制数据 application/octet-stream

GZIP文件 .gz application/x-gzip

TAR文件 .tar application/x-tar

RTF文本 .rtf application/rtf

PDF文档 .pdf application/pdf

Word文件 .word application/msword

普通文本 .txt text/plain

html文档 .html text/html

xml文档 .xml text/xml

XHTML文档 .xhtml application/xhtml+xml

au声音文件 .au audio/basic

MIDI音乐文件 mid,.midi audio/midi,audio/x-midi

RealAudio音乐文件 .ra, .ram audio/x-pn-realaudio

MPEG文件 .mpg,.mpeg video/mpeg

AVI文件 .avi video/x-msvideo

Content-Type称之为MIME信息

文件头：内容头信息

百度百科文件头

各类文件头信息

常见的文件头信息对照表

gif

png

upload-labs-master 关卡分析

pass-1(前端验证）

原理：触发上传后会返回到checkFile（）函数进行图片不合法检测，checkFile()函数在js代码中，即客户端使用js对不合法图片进行检查。

绕过方式：

1-直接禁用浏览器js功能，然后上传shell脚本即可。

2-上传正常的文件后缀名，上传，然后抓包，改包，改为需要的后缀名。

上传成功

复制图像链接

http://127.0.0.1/upload-labs-master/upload/pass1.php

pass-2(白名单 MIME）

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-W91vhbqH-1646471990985)(QQ截图0305121039.png)]

上传pass2.php，抓包，

把content-Type：application/octet-stream

改为白名单允许的类型即可

image/jpeg image/png image/gif

放包，上传成功

复制图像链接

http://127.0.0.1/upload-labs-master/upload/pass2.php

pass-3(黑名单 特殊解析后缀）

<?phpinclude '../config.php';include '../common.php';include '../head.php';include '../menu.php';$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');$file_name = trim($_FILES['upload_file']['name']);//移除文件两端的空白符$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');//返回从点往后的字符串 .xxxx yei$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}?>

相关函数知识

PHPtrim() 函数

trim() 函数移除字符串两侧的空白字符或其他预定义字符。

trim(string,charlist)

相关函数

ltrim() - 移除字符串左侧的空白字符或其他预定义字符

rtrim() - 移除字符串右侧的空白字符或其他预定义字符

PHPstrrchr() 函数

strrchr() 函数查找字符串在另一个字符串中最后一次出现的位置，并返回从该位置到字符串结尾的所有字符

PHPstr_ireplace() 函数

str_ireplace() 函数替换字符串中的一些字符（不区分大小写）

str_ireplace(find,replace,string,count)

str_ireplace(“WORLD”,“Shanghai”,“Hello world!”);

结果为：Hello Shanghai

不允许上传后缀为asp aspx php jsp 的文件。

可以利用 appache的特性

php php3 php5 phtml 都会当做php解析执行

上传pass3.php3

复制图片链接

http://127.0.0.1/upload-labs-master/upload/03051325018349.php3

文件名变了，是因为有重命名

访问

apache 后缀名解析“漏洞”

pass-4(.htaccess解析）

仅存在于Apache中

.htaccess文件(或者"分布式配置文件"）,全称是Hypertext Access(超文本入口)。提供了针对目录改变配置的方法，即在一个特定的文档目录中放置一个包含一个或多个指令的文件， 以作用于此目录及其所有子目录。作为用户，所能使用的命令受到限制

概述来说，htaccess文件是Apache服务器中的一个配置文件，它负责相关目录下的网页配置。通过htaccess文件，可以帮我们实现：

网页301重定向、

自定义404错误页面、

改变文件扩展名、

允许/阻止特定的用户或者目录的访问、

禁止目录列表、

配置默认文档等功能。

需要的一些配置

1.要打开mod_rewrite模块

phpstudy软件界面——>其他选项菜单——PHP扩展及设置——Apache扩展——rewrite_module模块

2.AllowOverride All。

其他选项菜单——打开配置文件——httpd.conf 文件

搜索查找AllowOverride None，然后把AllowOverride None修改为 AllowOverride All，完成后保存

创建.htaccess文件

<FilesMatch "pass4">Sethandler application/x-httpd-php</FilesMatch >

服务器会把文件名包含pass4的文件 当做php解析执行

pass4.jpg 内容

pass4.jpg

pass456.jpg

pass-5(.user.ini配置文件解析控制）

查看源码

is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}

把所有可以解析的后缀名都给写死了，包括大小写转换，空格，还有点号，::$DATA

正常的php类文件上传不了了，并且拒绝上传 .htaccess 文件。

.user.ini。它比.htaccess 用的更广，不管服务器是 nginx/apache/IIS，当使用 CGI／

FastCGI 来解析 php 时，php 会优先搜索目录下所有的.ini 文件，并应用其中的配置。

类似于 apache 的.htaccess，但语法与.htacces 不同，语法跟 php.ini 一致。

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-OIWsFwzT-1646471990992)(QQ截图0305150225.png)]

创建.user.ini 文件

auto_prepend_file=pass5.jpg

把pass5.jpg当做php解析

pass5.jpg实际内容

<?phpecho 'good luck';phpinfo();?>

先上传.user.ini 文件

再上传pass5.jpg

.user.ini 文件作用：所有的 php 文件都自动包含 pass5.jpg 文件。.user.ini 相当于一个用

户自定义的 php.ini。

其他：使用大小写绕过.htaccess . . 点空点进行绕过

pass-6(大小写绕过）

源码

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}

对于文件名后缀的校验时，没有进行通用的大小转换后的校验-

strtolower()

大小写绕过原理：

Windows 系统下，对于文件名中的大小写不敏感。例如：test.php 和 TeSt.PHP 是一

样的。

Linux 系统下，对于文件名中的大小写敏感。例如：test.php 和 TesT.php 就是不一样

的。

绕过方法：文件后缀为.PHP即可

http://127.0.0.1/upload-labs-master/upload/03051559117765.PHP

Pass-07(空格绕过）

源码

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件不允许上传';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}

对上传的文件名未做去空格的操作-> trim()

Windows 系统下，对于文件名中空格会被作为空处理，程序中的检测代码却不能自动删除空格。从而绕过黑名单。

绕过方法：burp 抓包，修改对应的文件名 添加空格。即可

http://127.0.0.1/upload-labs-master/upload/03051604535072.php

Pass-08 (点号绕过）

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}

代码未对对上传的文件后缀名未做去点 . 的操作 -> strrchr($file_name, ‘.’)

利用 Windows 系统下，文件后缀名最后一个点会被自动去除。

绕过方法：文件后缀名为 .php.

http://127.0.0.1/upload-labs-master/upload/pass8.php.

Pass-09(::$DATA 绕过）

源码

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}

未对上传的文件后缀名为做去 :: D A T A 处 理 ∗ ∗ W i n d o w s 系 统 下 ， 如 果 文 件 名 + " : : DATA 处理 **Windows 系统下，如果文件名+":: DATA处理∗∗Windows系统下，如果文件名+"::DATA"会把:: D A T A 之 后 的 数 据 当 成 文 件 流 处 理 , 不 会 检 测 后 缀 名 ， 且 保 持 : : DATA之后的数据当成文件流处理,不会检测后缀名，且保持:: DATA之后的数据当成文件流处理,不会检测后缀名，且保持::DATA之前的文件名，他的目的就是不检查后缀名**

例如:"phpinfo.php::$DATA"

Windows会自动去掉末尾的::$DATA变成"phpinfo.php

其中内容和所上传文件内容相同，并被解析。

绕过方法：上传带有一句话木马的文件，其文件名为pass9.php::$DATA

http://127.0.0.1/upload-labs-master/upload/03051608257361.php::$data

http://127.0.0.1/upload-labs-master/upload/03051608257361.php

pass-10(拼接绕过)

点空点绕过

pass10.php. .

$file_name = deldot($file_name);//删除文件名末尾的点 pass10.php.空格$file_ext = strrchr($file_name, '.'); //.php.空格$file_ext = strtolower($file_ext); //转换为小写 .php.空格$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA .php.空格$file_ext = trim($file_ext); //首尾去空 .php.

http://127.0.0.1/upload-labs-master/upload/pass10.php.

pass11(双写绕过)

源码

$is_upload = false;$msg = null;if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name; if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}}

利用 str_ireplace()将文件名中符合黑名单的字符串替换成空，只过滤了一次，存在漏洞

绕过方式：利用双写黑名单字符，对字符串的一次过滤后拼接出 php,文件

名 .pphphp

http://127.0.0.1/upload-labs-master/upload/pass11.php

pass12(白名单 GET 型 0x00 截断)

使用白名单限制上传文件类型，但上传文件的存放路径可控，存在漏洞

产生条件：

需要 php 的版本号低于 5.3.29，且 magic_quotes_gpc 为关闭状态

（打开php的配置文件php-ini，将magic_quotes_gpc设置为Off）

绕过方法：设置上传路径为 upload/phpinfo.php%00 ,添加 phpinfo.php%00 内

容为了控制路径，上传文件后缀为白名单即可 例:test.jpg，保存后为

/upload/phpinfo.php%00test.jpg，但服务端读取到%00 时会自动结束，将文件

内容保存至 phpinfo.php 中

http://127.0.0.1/upload-labs-master/upload/pass12.php%EF%BF%BD/670305165151.jpg

http://127.0.0.1/upload-labs-master/upload/pass12.php

pass13(白名单 POST 型 0x00 截断)

源码

$is_upload = false;$msg = null;if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传失败";}} else {$msg = "只允许上传.jpg|.png|.gif类型文件！";}}

提交方式为POST

GET会自动解码

空格 ---->url 编码 %00

%00 ---->url 编码 %00

POST不会自动解码

%00 ---->url 编码 %25%30%30

因为 POST 不会像 GET 那样对%00 进行自动解码，

需要手动对进行编码

或者在 16 进制中修改

http://127.0.0.1/uploadlabsmaster/upload/pass13.php%EF%BF%BD/910305171015.jpg

http://127.0.0.1/upload-labs-master/upload/pass13.php