靶场搭建
| 配置项 | 配置 | 描述 |
|---|---|---|
| 操作系统 | Window or Linux | 推荐使用Windows,除了Pass-19必须在linux下,其余Pass都可以在Windows上运行 |
| PHP版本 | 推荐5.2.17 | 其他版本可能会导致部分Pass无法突破 |
| PHP组件 | php_gd2,php_exif | 部分Pass依赖这两个组件 |
| 中间件 | 设置Apache以moudel方式连接 |
第一关
使用js来检测文件的后缀是否为图片
那么只需要控制台禁用JavaScript即可
第二关
检测了Content-Type:的类型来判断是否为图片
关键代码
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))
抓包,将Content-Type: 改为 image/jpeg
第三关
关键代码
$deny_ext = array('.asp','.aspx','.php','.jsp'); //后缀黑名单
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.'); //搜索 .在字符串中的位置,并返回从该位置到字符串结尾的所有字符(获得后缀名)
/*实际上这是第八九关的,放在第三关这里难度有点高了...
$file_name = deldot($file_name);//删除文件名末尾的点
*$file_ext = strtolower($file_ext); //将后缀名转换为小写
*$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除后缀中的::$DATA
*$file_ext = trim($file_ext); //首尾去除空白字符
*/
if(!in_array($file_ext, $deny_ext)) {
...(略)
}
虽然不允许上传.asp,.aspx,.php,.jsp后缀的文件,但.phtml .phps .pht .php2 .php3等并未过滤(很明显作者也是想让我们用这种方法)
第四关
核心代码
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']); //获得上传的文件名称
$file_ext = strrchr($file_name, '.'); //搜索 .在字符串中的位置,并返回从该位置到字符串结尾的所有字符(获得后缀名)
if (!in_array($file_ext, $deny_ext)) { //判断我们获得的后缀在不在黑名单
if (move_uploaded_file($temp_file, $img_path)) { //保存文件
}}
重写文件解析规则绕过。上传先上传一个名为.htaccess文件,内容如下:
<FilesMatch "4.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
然后再上传一个4.jpg,访问4.jpg查看解析规则是否生效
第五关
过滤了
.php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess"
直接变换大小写
第六关
利用Windows系统的文件名特性。抓包修改文件名在后缀增加空格,写成06.php
第七关
同理利用Windows系统的文件名特性,抓包后后缀加点,改成07.php.
第八关
使用Windows文件流特性绕过,文件名改成8.php::$DATA,上传成功后保存的文件名其实是08.php
第九关
删除了文件末尾的点并去掉了::$DATA,所以末尾得变成9.php. .,这样他删除末尾的点后倒数第二个点还是会加载
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
第十关
核心代码
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = str_ireplace($deny_ext,"", $file_name); //使用正则表达式,去除黑名单中的关键字
...(略)
所以可以像xss一样,双写、拼写、混写啊之类的
十一关
核心代码
$ext_arr = array('jpg','png','gif'); //设置后缀名的白名单数组
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1); //获取上传文件的后缀名
if(in_array($file_ext,$ext_arr)){ //检测上传文件的后缀名是否在白名单中
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext; //接受GET传入sava_path作为图片路径
...(略)
虽然有白名单校验后缀名,但$img_path是接受参数直接拼接的,可以利用%00截断绕过。