upload-labs靶场Pass-02

upload-labs靶场Pass-02

分析源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '文件类型不正确，请重新上传！';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建！';
    }
}

源码中

if ((${}_{F}ILES{[}^{\prime }uploa{d}_{f}il{e}^{\prime }]{[}^{\prime }typ{e}^{\prime }]={=}^{\prime }image/jpe{g}^{\prime })||($_FILES[‘upload_file’][‘type’] == ‘image/png’) || ($_FILES[‘upload_file’][‘type’] == ‘image/gif’))

可以看出验证方式是文件类型，使用白名单验证
选择上传文件并抓包，修改文件类型可以绕过
上传php文件，本来是不容许的

抓包

修改Content-Typr字段为源码中提到的任意一种，放包
查看服务端，有了我们上传的php文件，由此绕过成功

OVER！