Server-side check bypass: MIME type check bypass
Commonly whitelisted types
| Extension | MIME type |
|---|---|
| jpg | image/jpeg |
| png | image/png |
| txt | text/plain |
| zip | application/zip |
| doc | application/msword |
File upload vulnerability demo script: MIME validation example

```php
<?php
// File upload vulnerability demo script: MIME validation.
// The check below trusts $_FILES['upfile']['type'], which is copied straight
// from the client-supplied Content-Type header of the multipart request.
$uploaddir = 'uploads/';
if (isset($_POST['submit'])) {
    if (file_exists($uploaddir)) {
        if (($_FILES['upfile']['type'] == 'image/gif') || ($_FILES['upfile']['type'] == 'image/jpeg') ||
            ($_FILES['upfile']['type'] == 'image/png') || ($_FILES['upfile']['type'] == 'image/bmp')
        ) {
            // The file is stored under the original client-supplied name.
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
                echo '文件上传成功,保存于:' . $uploaddir . $_FILES['upfile']['name'] . "\n";
            }
        } else {
            echo '文件类型不正确,请重新上传!' . "\n";
        }
    } else {
        exit($uploaddir . '文件夹不存在,请手工创建!');
    }
    //print_r($_FILES);
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>文件上传漏洞演示脚本--MIME验证实例</title>
</head>
<body>
<h3>文件上传漏洞演示脚本--MIME验证实例</h3>
<form action="" method="post" enctype="multipart/form-data" name="upload">
请选择要上传的文件:<input type="file" name="upfile"/>
<input type="submit" name="submit" value="上传"/>
</form>
</body>
</html>
```
Intercept the request in Burp Suite and change Content-Type to a MIME type the whitelist accepts.
When a PHP file is uploaded, Burp Suite captures:
Content-Disposition: form-data; name="upfile"; filename="phpinfo.php"
Content-Type: application/octet-stream
Changing the extension bypasses the front-end check; changing Content-Type bypasses the MIME check, because the server never looks at the file content.
This corresponds to upload-labs Pass-02, where the validation code checks only Content-Type.
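Because `$_FILES['upfile']['type']` is nothing more than the client's own Content-Type header, the fix is to stop using it as a control at all. The following is an added example, not code from the page or from upload-labs: a hardened replacement for the handler above that sniffs the real type from the file bytes with PHP's `fileinfo` extension, confirms the file decodes as an image, and writes it under a server-generated name with a fixed extension. It assumes an `uploads/` directory next to the script and a server configuration that does not execute scripts from that directory.

```php
<?php
// Added example: hardened version of the MIME-validation demo above.
// The client's Content-Type ($_FILES[...]['type']) is never consulted, since a
// proxy can set it to any whitelisted value.

// Whitelist keyed by the MIME type detected from file content, mapped to the
// only extension the server will ever write. Both sides are fixed server-side.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit for this example

/**
 * Validate one entry of $_FILES and return the safe filename to store it
 * under, or null if the upload must be rejected.
 */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] === 0 || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Only accept a path that really came from this request's multipart body.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Detect the type from the magic bytes, ignoring $file['type'] entirely.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        return null;
    }

    // Require that an image decoder can parse the file and agrees on the type.
    // A script with only a forged "GIF89a" prefix fails here. (A real image
    // with code appended still passes; the fixed extension and a no-execute
    // upload directory are what neutralise that case.)
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }

    // The stored name is generated server-side; the client's filename, and any
    // .php suffix, null byte or path component in it, is discarded.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
}

$uploaddir = __DIR__ . '/uploads/';

if (isset($_POST['submit']) && isset($_FILES['upfile'])) {
    $target = validate_upload($_FILES['upfile']);
    if ($target === null) {
        http_response_code(400);
        echo "Rejected: not a valid image.\n";
    } elseif (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . $target)) {
        chmod($uploaddir . $target, 0644); // never executable
        echo 'Stored as ' . htmlspecialchars($target) . "\n";
    } else {
        http_response_code(500);
        echo "Could not store file.\n";
    }
}
?>
```

With this handler the Pass-02 request (extension changed, Content-Type set to `image/jpeg`) is rejected because the first bytes of `phpinfo.php` are not a JPEG signature, and even an upload that passes every check is stored as `<random>.jpg`, so the client's filename never reaches the filesystem. The check is the second layer, not the last: the `uploads/` directory should also be served with script execution disabled (for Apache, a `php_flag engine off` or handler removal in that directory's configuration; for nginx, no `location` that passes it to PHP-FPM).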