c0ny1/upload-labs文件上传漏洞之双写文件名绕过Pass-10


This article covers Pass-10. The back end does not check the extension against a list and reject the file; instead it replaces every blacklisted extension string found in the filename with an empty string.

The code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

Every substring of the filename that matches a blacklisted extension is replaced with nothing, and the file is then saved under the resulting name. At first glance everything has been replaced, but the replacement is done in a single pass, so it can be bypassed by writing the extension twice. Replacing is different from refusing to save as soon as a blacklisted extension is detected.
Upload a file named cmd.pphphp: the three consecutive characters php in the middle are removed, but what remains on either side joins up to form a new php extension, and the file is stored as cmd.php.

Requesting http://localhost/upload/cmd.php?cmd=echo%201;
returns

1

so the uploaded file was executed.
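The following PHP is an added example and not upload-labs code. It places the lab's single-pass str_ireplace() blacklist next to an allow-list check so the two behaviours can be compared on the same filenames. The function names sanitizeOnce() and acceptUpload(), the ALLOW_EXT list and the sample filenames are assumptions made for the demonstration; DENY_EXT is the lab's own list.

```php
<?php
// Added example (not part of upload-labs): why a single-pass blacklist
// replacement is bypassable, and what an allow-list check does instead.

// The lab's own blacklist, copied from Pass-10.
const DENY_EXT = ["php","php5","php4","php3","php2","html","htm","phtml","pht",
    "jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax",
    "ascx","ashx","asmx","cer","swf","htaccess"];

// Pass-10 behaviour: one pass of str_ireplace(). The operation is not
// idempotent: deleting a match can splice the neighbouring characters into
// a new match, so the output may still end in a blacklisted extension.
function sanitizeOnce(string $name): string {
    return str_ireplace(DENY_EXT, "", $name);
}

// Hardened alternative (assumed allow-list for an image upload form):
// do not "clean" the user-supplied name at all. Take the final extension,
// accept it only if it is on a short allow-list, and let the server choose
// the stored basename so no user-controlled text reaches the filesystem.
const ALLOW_EXT = ["jpg", "jpeg", "png", "gif"];

function acceptUpload(string $name): ?string {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOW_EXT, true)) {
        return null;   // reject outright; nothing is rewritten
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames for the comparison.
$samples = ["cmd.pphphp", "cmd.php", "shot.PNG", "a.php.jpg"];
foreach ($samples as $s) {
    printf("%-12s single-pass -> %-10s allow-list -> %s\n",
        $s, sanitizeOnce($s), acceptUpload($s) ?? "rejected");
}
```

Running it shows cmd.pphphp collapsing to cmd.php under the single-pass replacement while the allow-list path rejects it, and shot.PNG being stored under a random basename with only the verified extension kept. Looping the replacement until the name stops changing would close this particular gap but is still a blacklist; the allow-list plus server-generated name removes the dependence on the attacker-controlled string entirely.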

Notice: 物博网 | All rights reserved | Unless otherwise stated, content is original | This site is licensed under CC BY-NC-SA
