概念
**文件上传漏洞**是网络安全中常见的漏洞之一,攻击者可以利用该漏洞上传恶意文件,进而在服务器上执行恶意代码、绕过权限验证或获取敏感数据。文件上传漏洞主要发生在允许用户上传文件的Web应用程序中,比如图像、文档上传功能等。
### 漏洞危害
1. **远程代码执行**:攻击者可以上传带有恶意代码的文件(如PHP、ASP等脚本文件),并通过访问这些文件在服务器上执行恶意代码,控制服务器。
2. **权限绕过**:攻击者上传伪装的文件,如改名为合法扩展名的文件,绕过上传限制,上传执行有害内容。
3. **Webshell**:攻击者上传一个 Webshell,允许他们通过这个入口对服务器进行进一步的操作和攻击。
4. **存储型XSS攻击**:攻击者上传包含恶意JavaScript的文件,并在其他用户查看时执行这些脚本,从而窃取用户数据或执行恶意操作。
### 文件上传漏洞的类型
1. **无文件类型限制**:应用程序没有限制上传文件的类型或扩展名,允许上传任意类型的文件。
2. **扩展名绕过**:通过将恶意文件重命名为允许的扩展名(如将 `.php` 文件重命名为 `.jpg`),绕过文件扩展名的验证。
3. **MIME类型绕过**:通过修改文件的 MIME 类型(如将 `application/x-php` 改为 `image/jpeg`),绕过服务器的检测。
4. **双扩展名攻击**:攻击者通过使用双扩展名(如 `shell.php.jpg`)迷惑上传机制,上传后服务器可能会根据最后一个扩展名来处理,导致恶意代码执行。
low
代码分析:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
//判断上传是否为空
//文件上传时,通常会将上传的文件保存到临时目录中,然后使用move_upload_file()将其移动到最终的存储位置。
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
//定义了文件上传的目标路径,这里假设DVWA_WEB_PAGE_TO_ROOT是一个常量或变量,表示网站的根目录路径。目标路径为 “hackable/uploads/” 子目录。
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
//basename(path,suffix)函数用于获取文件名部分
//将上传的的原始文件名添加到目标路径中。
//即:$target_path = 根目录/hackable/uploads/123.php
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
//使用move_upload_file(string $filename,string $destination)函数将上传的文件从临时目录移动到目标路径
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>此代码仅做了上传判断,并没有对上传文件的后缀做判断,所以这里做任意上传即可。
上传phpinfo.php,以及一句话木马脚本。
蚂剑链接:
medium
代码分析:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
//提取上传文件的文件名、类型、大小
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
//判断过滤上传文件的后缀类型为image/jpeg,image/png以及大小
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>此次上传木马报错:
于是我们抓包修改--抓包右键--发送至repeater:
修改为如下:
上传成功:
蚁剑链接:
high
代码分析:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
// strrpos(string,find,start):返回指定字符串最后一次出现的位置
// string:必须。规定被搜索的字符串
// find:必须。规定要查找的字符
// start:可选。规定开始搜索的位置
//substr(string,start,length):返回指定字符串的指定一部分
//即过滤出文件后缀。
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
//strtolower():将字符转换小写,基本杜绝了大小绕过
//getimagesize() 函数用于获取图像大小及相关信息,成功返回一个数组,失败则返回 FALSE 并产生一条 E_WARNING 级的错误信息;
//getimagesize() 函数将测定任何 GIF,JPG,PNG,SWF,SWC,PSD,TIFF,BMP,IFF,JP2,JPX,JB2,JPC,XBM 或 WBMP 图像文件的大小并返回图像的尺寸以及文件类型及图片高度与宽度。
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>由于这里使用了getimagesize()函数对上传图片做了属性验证,我们添加GIF文件头标识:GIF89a绕过:
上传成功(只试出了GIF文件头表示生效,其它的可以再试试)
接下来我们通过文件包含漏洞访问(困难度不限制):
http://[靶机ip]/DVWA/vulnerabilities/fi/?page=X:\phpStudy\WWW\DVWA\hackable\uploads\phpinfo.png
impossible
代码分析:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
//$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
$target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
$temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
$temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
// Is it an image?
if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
( $uploaded_size < 100000 ) &&
( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
getimagesize( $uploaded_tmp ) ) {
// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
if( $uploaded_type == 'image/jpeg' ) {
$img = imagecreatefromjpeg( $uploaded_tmp );
imagejpeg( $img, $temp_file, 100);
}
else {
$img = imagecreatefrompng( $uploaded_tmp );
imagepng( $img, $temp_file, 9);
}
imagedestroy( $img );
// Can we move the file to the web root from the temp folder?
if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
// Yes!
echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
}
else {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
// Delete any temp files
if( file_exists( $temp_file ) )
unlink( $temp_file );
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
