buuctf-upload-labs

刷了下buuctf搭建的upload-labs,记录一下。

地址:https://buuoj.cn/

Pass 01

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}

先用蚁剑生成一个PHP木马

查看源码,只允许.jpg|.png|.gif后缀文件上传,分析为前端过滤,有调用checkFile进行检查,所以可直接让function checkFile()为空

f12开启控制台输入function checkFile() {}或者直接禁用浏览器的js

上传成功,右键文件查看上传文件的地址,蚁剑连接成功

Pass 02

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}

['type'] == 'image/jpeg'这个地方是关键,直接burp改包,伪造Content-Type就能绕过验证

蚁剑连接,查看flag

待更。。。

Thank you very much if you can.

欢迎关注我的其它发布渠道