点击进入第十八关,并选择显示代码:
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
require_once("./myupload.php");
$imgFileName =time();
$u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
$status_code = $u->upload(UPLOAD_PATH);
switch ($status_code) {
case 1:
$is_upload = true;
$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
break;
case 2:
$msg = '文件已经被上传,但没有重命名。';
break;
case -1:
$msg = '这个文件不能上传到服务器的临时文件存储目录。';
break;
case -2:
$msg = '上传失败,上传目录不可写。';
break;
case -3:
$msg = '上传失败,无法上传该类型文件。';
break;
case -4:
$msg = '上传失败,上传的文件过大。';
break;
case -5:
$msg = '上传失败,服务器已经存在相同名称文件。';
break;
case -6:
$msg = '文件无法上传,文件不能复制到目标目录。';
break;
default:
$msg = '未知错误!';
break;
}
}
//myupload.php
class MyUpload{
......
......
......
var $cls_arr_ext_accepted = array(
".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
".html", ".xml", ".tiff", ".jpeg", ".png" );
......
......
......
/** upload()
**
** Method to upload the file.
** This is the only method to call outside the class.
** @para String name of directory we upload to
** @returns void
**/
function upload( $dir ){
$ret = $this->isUploadedFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->setDir( $dir );
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkExtension();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
$ret = $this->checkSize();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// if flag to check if the file exists is set to 1
if( $this->cls_file_exists == 1 ){
$ret = $this->checkFileExists();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here, we are ready to move the file to destination
$ret = $this->move();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
// check if we need to rename the file
if( $this->cls_rename_file == 1 ){
$ret = $this->renameFile();
if( $ret != 1 ){
return $this->resultUpload( $ret );
}
}
// if we are here, everything worked as planned :)
return $this->resultUpload( "SUCCESS" );
}
......
......
......
};分析代码,我们发现当文件上传成功,会经历文件的移动和重命名操作。此时我们在改名之前运行php代码。
考虑apache对于未知扩展名解析漏洞,只要是.php.*结尾(*可以代表一切后缀名,这里使用.7z后缀名)都会被Apache服务器解析成php文件。
修改复制info.pnp文件,并将其后缀后面加上 .7z
接下来流程同第十七关(第十七关题解),首先开启burpsuite抓包工具并开启监听状态,此时选择我们刚刚创建的文件,并上传:
将获取到的请求头,右键单击发送给 intruder 模块:
打开 intruder 面板,然后先点击Clear § 按钮 ,然后在文件后缀名后面敲一个1,并选中,然后点击 Add § 按钮:
打开Payloads 选项卡,然后设置 Payload type为Null payloads
选择Payload options为 Continue indefinately
这一关源代码有问题,文件直接上传到了www目录下面,文件名由upload开头(代码中路径拼接应该是少了一个 / ),我们先构建url地址,然后点击start attack开始爆破,同时在浏览器不断访问构建的url地址:
发现成功获取到对方服务器的php信息
上一关(网络安全 文件上传漏洞-17 第十七关 Pass-17)
下一关(网络安全 文件上传漏洞-19 第十九关 Pass-19)
