Pass-1&Pass-2 修改數(shù)據(jù)包繞過

#Pass-1
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("請(qǐng)選擇要上傳的文件!");
        return false;
    }
    //定義允許上傳的文件類型
    var allow_ext = ".jpg|.png|.gif";
    //提取上傳文件的類型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判斷上傳文件類型是否允許上傳
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "該文件不允許上傳，請(qǐng)上傳" + allow_ext + "類型的文件,當(dāng)前文件類型為：" + ext_name;
        alert(errMsg);
        return false;
    }
}

#Pass-2
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
            $msg = '文件類型不正確，請(qǐng)重新上傳！';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夾不存在,請(qǐng)手工創(chuàng)建！';
    }
}

Pass-1提示

Pass-2提示

Pass-1是js過濾，js不進(jìn)行攔截就可以
Pass-2是服務(wù)端對(duì)請(qǐng)求包校驗(yàn)，不過只是對(duì)字段文件類型的校驗(yàn)
所以Pass-1可以burpsuit對(duì)文件名進(jìn)行更改
兩個(gè)Pass可以都通

修改文件名

上傳路徑

Pass-3 采用其他可執(zhí)行的文件后綴名

#Pass-3 
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                 $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                 $is_upload = true;
            }
        } else {
            $msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件！';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夾不存在,請(qǐng)手工創(chuàng)建！';
    }
}

Pass-3提示

同樣，burpsuite改后綴名就好，不過過濾了asp、aspx、php、jsp
大小寫繞不過
php版本5.3.2，pht后綴可以直接用，不加后綴別名的話，pass3
連接用的是蟻劍。
php5，phps不能運(yùn)行，phtml，pht可以運(yùn)行
如果上面幾種可以運(yùn)行，可以在apache的配置文件httpd.conf里加上這一句（沒怎么調(diào)過，發(fā)現(xiàn)初始是空的,看的CSDN這位大佬的文章https://blog.csdn.net/weixin_44677409/article/details/92799366）

AddType application/x-httpd-php .php .phtml .phps .php5 .pht

修改文件名

上傳路徑

Pass-4 .htaccess繞過

#Pass-4
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允許上傳!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夾不存在,請(qǐng)手工創(chuàng)建！';
    }
}

修改文件名

上傳路徑

這里只是說明可以繞過上傳，但并不能直接執(zhí)行.htaccess文件
此方法是借鑒自這位大佬的博客https://www.cnblogs.com/feizianquan/p/11109390.html
所以我們采用這種辦法，在.htaccess里放這樣一句代碼

AddType  application/x-httpd-php    .png

修改.htaccess文件

這樣我們就可以把png文件解析成php文件了,當(dāng)然也可以修改成其他可上傳的文件類型名字。

上傳一句話

測(cè)試

Pass-5 大小寫繞過

#Pass-5
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允許上傳';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夾不存在,請(qǐng)手工創(chuàng)建！';
    }
}

.htaccess也被過濾了，不過統(tǒng)一轉(zhuǎn)化為小寫這句去掉了，可以采用大小寫繞過

修改文件名

測(cè)試

Pass-6

#Pass-6
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允許上傳';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夾不存在,請(qǐng)手工創(chuàng)建！';
    }
}

全轉(zhuǎn)化為小寫加上了，但沒有了空格的檢測(cè)
可以通過加空格，繞過

修改文件名

測(cè)試

上傳確實(shí)是上傳上去了，但是蟻劍連不上

陷入沉思

陷入沉思*2

文件帶空格不解析

可能是服務(wù)器的問題，留個(gè)坑

色偷偷精品伊人,欧洲久久精品,欧美综合婷婷骚逼,国产AV主播,国产最新探花在线,九色在线视频一区,伊人大交九欧美,1769亚洲,黄色成人av

upload-labs(隨緣更新)

upload-labs(隨緣更新)

Pass-1&Pass-2 修改數(shù)據(jù)包繞過

Pass-3 采用其他可執(zhí)行的文件后綴名

Pass-4 .htaccess繞過

Pass-5 大小寫繞過

Pass-6

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容

色偷偷精品伊人,欧洲久久精品,欧美综合婷婷骚逼,国产AV主播,国产最新探花在线,九色在线视频一区,伊人大交九 欧美,1769亚洲,黄色成人av

upload-labs(隨緣更新)

Pass-1&Pass-2 修改數(shù)據(jù)包繞過

Pass-3 采用其他可執(zhí)行的文件后綴名

Pass-4 .htaccess繞過

Pass-5 大小寫繞過

Pass-6

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容

色偷偷精品伊人,欧洲久久精品,欧美综合婷婷骚逼,国产AV主播,国产最新探花在线,九色在线视频一区,伊人大交九欧美,1769亚洲,黄色成人av