前言：文件上傳漏洞有很多種繞過技巧，這次就通過upload-labs進行學習

第一關

上傳有限制，只讓上傳JPEG或PNG格式的圖片，就先嘗試一下抓包修改上傳格式的方法看看是否可行

先將一句話木馬PHP文件后綴名改為PNG格式，上傳攔截抓包

攔截請求包后，將1.png改為1.php，再發包，用菜刀進行連接，在此之前需要知道上傳的文件上傳到哪個目錄下，查看源碼查出圖片上傳路徑

路徑也知道了，就用菜刀進行連接

連接成功

觀察一下第一關的源碼

function checkFile() {var file = document.getElementsByName('upload_file')[0].value;if (file == null || file == "") {alert("請選擇要上傳的文件!");return false;}//定義允許上傳的文件類型var allow_ext = ".jpg|.png|.gif";//提取上傳文件的類型var ext_name = file.substring(file.lastIndexOf("."));//判斷上傳文件類型是否允許上傳if (allow_ext.indexOf(ext_name + "|") == -1) {var errMsg = "該文件不允許上傳，請上傳" + allow_ext + "類型的文件,當前文件類型為：" + ext_name;alert(errMsg);return false;} }

通過觀察只是限制了在上傳時的類型，所以中途攔截抓包改格式的方法是完成可行的。

方法：改包繞過上傳

第二關
做第二關時發現沿用第一關的方法也是可行的，不過應該不會再考同一個點了

就查看一下源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'] if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '文件類型不正確，請重新上傳！';}} else {$msg = UPLOAD_PATH.'文件夾不存在,請手工創建！';} }

發現這一段代碼判斷content-type,那就可以通過修改content-type進行繞過：

if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))

抓包將application/octet-stream修改為image/png或image/gif都可以
連接成功

方法：修改content-type進行繞過

第三關

上傳PHP文件時，發現有這樣的提示

應該是源碼中限制了這些文件的后綴名，查看大師傅們的博客發現還可以用

phtml，php3，php4, php5, pht

這些后綴名進行繞過，就來嘗試一下，發現連接不上去，查了一下才知道原來前提是apache的httpd.conf中有如下配置代碼

AddType application/x-httpd-php .php .phtml .phps .php5 .pht

我這里使用的是phpstudy+windows，即使添加了也不管用，查了大師傅的博客才知道是由于配置原因是解析不了php5等等這些后綴的，所以復現不了，可以在虛擬機中復現這關。
不過也知道了這一關是采用拓展名繞過
查看一下源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');$file_name = trim($_FILES['upload_file']['name']);//trim() 函數移除字符串兩側的空白字符或其他預定義字符$file_name = deldot($file_name);//刪除文件名末尾的點$file_ext = strrchr($file_name, '.');//strrchr() 函數查找字符串在另一個字符串中最后一次出現的位置，并返回從該位置到字符串結尾的所有字符。$file_ext = strtolower($file_ext); //轉換為小寫$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {//in_array() 函數搜索數組中是否存在指定的值$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext; if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

觀察源碼就會發現這里確實采用黑名單來限制

方法：拓展名繞過

第四關
沒什么思路，查看一下提示

發現基本上將所有非法的腳本后綴都禁用了，還是黑名單限制，查看一下源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//刪除文件名末尾的點$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //轉換為小寫$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件不允許上傳!';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

果然是將所有非法的腳本后綴都禁用了，但是沒有禁用.htaccess，先來了解一下htaccess文件的作用，.htaccess的基本作用及相關語法介紹

在這里使用htaccess文件目的是為了將所有文件都當成php文件來解析
創建一個.htaccess文件

SetHandler application/x-httpd-php

在文件中寫入該段代碼，上傳時將文件名去掉，只要后綴名

上傳后，上傳圖片馬，由于連接菜刀麻煩，這里就修改一句話語句為

<?php phpinfo(); ?>

上傳圖片馬成功后，進行查看

解析成功

方法：.htaccess文件進行繞過

第五關

上傳.htaccess文件，發現該后綴名也被加入黑名單了

查看源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//刪除文件名末尾的點$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件類型不允許上傳！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

通過觀察，發現黑名單中限制的后綴名沒有將大小寫統一，采用大小寫方式進行繞過


上傳成功，進行查看

方法：大小寫繞過

第六關

無論如果改后綴名都無法上傳，說明這關代碼已經統一了大小寫
查看源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//刪除文件名末尾的點$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //轉換為小寫$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件不允許上傳';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

還是采用了黑名單來進行限制，不過與前幾關先比較會發現少了這一行代碼

$file_ext = trim($file_ext); //首尾去空

那么就可以采用后綴名中加空繞過

在后綴名中加入空格.php空格，再發包，上傳成功

方法：后綴名加空繞過

第七關

查看源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //轉換為小寫$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件類型不允許上傳！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

還是黑名單，這次又有什么不一樣的，通過與前幾關對比發現少了這行代碼

$file_name = deldot($file_name);//刪除文件名末尾的點

所以可以采用后綴名加.的方式繞過，在這之前，先來了解一下對Windows系統文件命名規則的特殊利用

shell.php. ———-文件名后加點‘.’shell.php(空格) ———-文件名后加括號空格shell.php:1.jpg ———-文件名后加冒號’:’shell.php::$DATA ———-文件名后加NTFS ADS特性::$DATAshell.php::$DATA…… ———-文件名后::$DATA……會被windows系統自動去掉不符合規則符號后面的內容。

windows系統文件命名規則的特殊利用

因此我們可以先抓包然后在后綴名后加上.，文件上傳時由于不符合windows文件命名規則而將.去掉，從而將.php的文件上傳進去

訪問

繞過方法：后綴名加.繞過

第八關
查看源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//刪除文件名末尾的點$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //轉換為小寫$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件類型不允許上傳！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

還是黑名單限制，觀察一下與之前有那些不同

發現少了這一段代碼

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

沒有去除字符串::$DATA，根據Windows系統文件命名規則進行抓包修改即可

shell.php::$DATA ———-文件名后加NTFS ADS特性::$DATA

原理和第七關類似

訪問成功

繞過方法：后綴名加::$DATA繞過

第九關

查看源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//刪除文件名末尾的點$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //轉換為小寫$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件類型不允許上傳！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

觀察看與前幾關的代碼有什么不同的地方，發現

$img_path = UPLOAD_PATH.'/'.$file_name;

路徑拼接的是處理后的文件名$file_name，而不是$file_ext，也就是說最后保存文件的時候沒有重命名而使用的原始的文件名，那相當于$file_name只經過那兩段代碼的過濾

$file_name = trim($_FILES['upload_file']['name']);//移除字符串兩側的空白字符 $file_name = deldot($file_name);//刪除文件名末尾的點

那就可以采用**后綴名（點+空格+點）**的方法來繞過

上傳時，代碼會先將末尾的.去除，剩余.+空格，利用Windows系統文件命名規則，windows會忽略文件末尾的.和空格，這樣即可上傳進取

繞過方法：后綴名+.+空格+.進行繞過

第十關

查看源碼

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name; if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} } #str_ireplace() 函數替換字符串中的一些字符（不區分大小寫） /*str_ireplace(find,replace,string,count) find 必需。規定要查找的值。 replace 必需。規定替換 find 中的值的值。 string 必需。規定被搜索的字符串。*/

這一段代碼將后綴名全部替換成了空

$file_name = str_ireplace($deny_ext,"", $file_name);

之前學習XSS時也碰到這種情況，可以采用雙寫進行繞過

過濾了php，前后再拼接成PHP
訪問成功：

繞過方法：雙寫繞過

總結：通過這十關又學到了很多文件上傳的技巧，下次繼續學習后十關，這次先學習到這里。

總結

以上是生活随笔為你收集整理的文件上传漏洞——upload-labs(1-10)的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。