Pass-05 adds .htaccess to the Pass-04 blacklist, so the approach of uploading an .htaccess file no longer works:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
Looking at what is filtered, the list is fairly long. The Apache version here is 2.4.23, so the Apache multi-extension filename parsing trick (x.php.xxx) cannot be used here either.
In addition, before the blacklist check is done, the trailing dots and spaces of the uploaded file name are removed:
$file_name = trim($_FILES['upload_file']['name']);          // strip leading/trailing whitespace
$file_name = deldot($file_name);                             // delete the dots at the end of the file name
$file_ext = strrchr($file_name, '.');                        // everything from the last dot onwards
$file_ext = str_ireplace('::$DATA', '', $file_ext);          // remove the string ::$DATA (case-insensitive)
$file_ext = trim($file_ext);                                 // strip whitespace from both ends
if (!in_array($file_ext, $deny_ext)) {
    // note: the file is written under the raw client-supplied name, not the sanitised $file_name
    if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
        $img_path = $UPLOAD_ADDR . '/' . $file_name;
        $is_upload = true;
    }
} else {
    $msg = '此文件不允許上傳';   // "this file is not allowed to be uploaded"
}
This is done to stop a user from appending a dot or a space after the extension to get past the blacklist: Windows drops trailing dots and spaces when it creates a file, and a file whose name ends in php. can also be parsed as PHP (the author notes this for both Windows and Linux).
The blacklist also lists a few mixed-case spellings of the extensions (.pHp, .Html, .aSp and so on), which is what is meant by "checking the case of the extension". Note, however, that in_array() is case-sensitive and there is no strtolower(), so only the spellings that are literally in the array are blocked.
Reading the code more carefully, deldot() only removes the run of dots at the very end of the name and stops at the first character that is not a dot. So upload a file whose name ends in php. . (dot, space, dot): trim() leaves it alone because the last character is a dot, deldot() removes that final dot and stops at the space, leaving x.php. with a trailing space, strrchr() then returns ". ", and after trim() the extension that is compared against the blacklist is just ".", which is not in it. Because move_uploaded_file() writes the file under the raw $_FILES['upload_file']['name'] rather than $file_name, Windows strips the remaining dot and space when the file is created and the upload lands on disk as x.php.
As the result shows, the upload check is bypassed successfully.
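To make the filter's behaviour concrete, here is an added Python model of the Pass-05 pipeline above (this is example code written for this page, not the lab's own PHP). It replays trim(), deldot(), strrchr() and the ::$DATA stripping on candidate upload names, reports the string that is actually compared against $deny_ext, and models the Windows normalisation that turns the raw saved name into the file that ends up on disk. The deldot() port is an assumption based on the helper's observed behaviour (the page does not show its source), windows_stored_name() is a simplified model of Win32 trailing-dot/space handling rather than a full NTFS implementation, and hardened_store_name() is a whitelist fix added here for contrast. It goes slightly beyond the page's single payload by also showing which other name variants the list does and does not catch.

```python
import re
import secrets
from typing import Optional

# Blacklist exactly as on the page; in_array() is case-sensitive, so only these spellings match.
DENY_EXT = {
    ".php", ".php5", ".php4", ".php3", ".php2", ".html", ".htm", ".phtml",
    ".pHp", ".pHp5", ".pHp4", ".pHp3", ".pHp2", ".Html", ".Htm", ".pHtml",
    ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
    ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv", ".jSpf", ".jHtml",
    ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
    ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx", ".aSmx", ".cEr",
    ".sWf", ".swf", ".htaccess",
}


def php_trim(s: str) -> str:
    """PHP trim() with its default character set: space, tab, LF, CR, NUL, vertical tab."""
    return s.strip(" \t\n\r\0\x0b")


def deldot(s: str) -> str:
    """Model of the upload-labs deldot() helper (assumption: the page does not show its source).
    It removes the run of dots at the very end of the name and stops at the first non-dot
    character, so 'x.php. .' becomes 'x.php. ' with the trailing space kept."""
    return s.rstrip(".")


def strrchr(s: str, ch: str) -> str:
    """PHP strrchr(): the substring from the last occurrence of ch, '' (PHP: false) if absent."""
    i = s.rfind(ch)
    return "" if i < 0 else s[i:]


def checked_extension(raw_name: str) -> str:
    """Replays the page's pipeline and returns the string that is compared against $deny_ext."""
    file_name = php_trim(raw_name)
    file_name = deldot(file_name)
    file_ext = strrchr(file_name, ".")
    file_ext = re.sub(re.escape("::$DATA"), "", file_ext, flags=re.IGNORECASE)  # str_ireplace
    return php_trim(file_ext)


def windows_stored_name(raw_name: str) -> str:
    """Simplified model of how Win32 normalises the name move_uploaded_file() receives
    (the raw $_FILES name): a '::$DATA' stream suffix writes the base file's default
    data stream, and trailing dots and spaces are dropped when the file is created."""
    name = re.sub(r"::\$DATA$", "", raw_name, flags=re.IGNORECASE)
    return name.rstrip(". ")


def evaluate(raw_name: str) -> dict:
    """What the Pass-05 code does with one upload name on a Windows host."""
    ext = checked_extension(raw_name)
    blocked = ext in DENY_EXT
    return {
        "checked_ext": ext,
        "blocked": blocked,
        "stored_as": None if blocked else windows_stored_name(raw_name),
    }


ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def hardened_store_name(raw_name: str) -> Optional[str]:
    """Whitelist fix added here for contrast (not the lab's code): lower-case the extension
    taken from the sanitised name, allow only image extensions, and never reuse the
    client-supplied name on disk, so trailing-dot, case and stream tricks have nothing to act on."""
    ext = checked_extension(raw_name).lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return None
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    # Constructed sample names: the page's payload plus the variants the filter was written to stop.
    for name in ["shell.php", "shell.php.", "shell.php ", "shell.php::$DATA",
                 "shell.Php", "shell.php. .", "pic.png"]:
        print(f"{name!r:22} -> {evaluate(name)}  hardened: {hardened_store_name(name)}")
```

Running it shows that shell.php., shell.php and shell.php::$DATA are all reduced to .php and blocked, while shell.php. . is reduced to "." and is written to disk as shell.php; shell.Php also slips through the list because that spelling is simply not in the array. The hardened variant rejects all of them and keeps only the image names, under a server-chosen file name.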
By the way, many people who are interested in security but have no hands-on experience reach this point and wonder what a page showing phpinfo() proves. Being able to execute phpinfo() demonstrates that the uploaded file runs as a PHP script. If what was uploaded is a one-line webshell (一句話木馬) instead, it can be combined with 菜刀 (China Chopper) to take over the whole site: read the source code, and even modify the database or control the operating system.
Read more articles from Web安全陪跑團