17.文件名重命名漏洞
源码给出黑名单限制和服务器对文件名的重命名处理。
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$img_path = UPLOAD_PATH . '/' .$file_name;我们对文件重命名有两种方法。
①利用%00截断
从BP拦截的name="save_name"中可以看到,服务器对上传文件做了重命名,那么我们可以利用文件名截断的方式上传漏洞,上传文件loudong.jpg,服务器改为upload-19.jpg,我们就在拦截中改为upload-19.php%00.jpg
这是POST方式发送请求,而POST方式中不会自动对%00解码,所以选中%00手动解码,如下:
访问.php文件即可,后面的jpg直接删掉。
②利用"/"
$img_path = UPLOAD_PATH . '/' .$file_name;
//我们也可以利用这句话,使用"/"绕过上传loudong.jpg后,服务器改为upload-19.jpg,我们改为upload-19.php/.
直接访问。
