White Hat Sharing: The Art of Code Auditing Series, Part 8
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x00 Preface:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Author: Li Bin, currently a senior security engineer at Autohome (汽车之家). Previously worked at Qihoo 360 for several years; familiar with code auditing, penetration testing and other areas of the Web security field. Core white hat at WooYun (乌云).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The earlier installments of this code auditing series already contain seven classic pieces; readers who have not seen them can look at the links below:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">The Art of Code Auditing Series, Part 1</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">White Hat Sharing: The Art of Code Auditing Series, Part 2</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">White Hat Sharing: The Art of Code Auditing Series, Part 3</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">White Hat Sharing: The Art of Code Auditing Series, Part 4</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">White Hat Sharing: The Art of Code Auditing Series, Part 5</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">White Hat Sharing: The Art of Code Auditing Series, Part 6</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Continuing from <a style="color: black;">White Hat Sharing: The Art of Code Auditing Series, Part 7</a>, which walked through a simple case of locating and exploiting an upload vulnerability. File upload vulnerabilities are a very common vulnerability class and also the most direct way to gain control of a server, so this installment discusses how to quickly find a file upload vulnerability in a codebase and use it to get a shell. It is organized around three topics: dangerous functions, upload tricks, and race condition vulnerabilities.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Body:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x01 Dangerous functions:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">move_uploaded_file()</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">getimagesize()</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">copy()</p>
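<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">An added example (not code from the original article): a small tokenizer-based scanner that lists every plain-function call to the three sinks above in a PHP source tree, with file and line, so an audit can start from the sinks and trace backwards to the user input. It assumes the directory to scan is passed as the first CLI argument (defaulting to the current directory).</p>

```php
<?php
// Added example, not the article's code: list every call to the three upload sinks
// above in a PHP source tree, with file and line, as a starting point for the audit.
// Assumes the tree to scan is passed as the first CLI argument (defaults to ".").

declare(strict_types=1);

const UPLOAD_SINKS = ['move_uploaded_file', 'copy', 'getimagesize'];

/** Return [[file, line, function], ...] for each plain-function call to a sink. */
function findUploadSinks(string $file): array
{
    $hits   = [];
    $tokens = token_get_all((string) file_get_contents($file));
    $n      = count($tokens);
    // Previous non-whitespace token, to tell `copy(` from `->copy(`, `::copy(` and `function copy(`.
    $prev = null;
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_array($t) && $t[0] === T_WHITESPACE) {
            continue;
        }
        $isName = is_array($t) && ($t[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $t[0] === T_NAME_FULLY_QUALIFIED)); // `\copy(` on PHP 8
        if ($isName && in_array(strtolower(ltrim($t[1], '\\')), UPLOAD_SINKS, true)) {
            $notCall = is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
            // Look past whitespace for the "(" that makes this an actual call rather than a bare name.
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (!$notCall && ($tokens[$j] ?? null) === '(') {
                $hits[] = [$file, $t[2], strtolower(ltrim($t[1], '\\'))];
            }
        }
        $prev = $t;
    }
    return $hits;
}

$root = $argv[1] ?? '.';
$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
foreach ($iter as $entry) {
    if ($entry->isFile() && strtolower($entry->getExtension()) === 'php') {
        foreach (findUploadSinks($entry->getPathname()) as [$path, $line, $fn]) {
            printf("%s:%d\t%s()\n", $path, $line, $fn);
        }
    }
}
```

Each reported line is a place to check where the destination path and the file content come from; unlike grep, the tokenizer ignores matches inside strings and comments.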
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x02 Mind map of file upload vulnerabilities:</strong></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic2.zhimg.com/80/dd892a0870bb4df5d070fe0835baf4b5_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x03 Upload tricks:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">PHP %00 truncation</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Conditions for truncation:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">① PHP version lower than 5.3.4; for details see <a style="color: black;">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7243</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">② magic_quotes_gpc=Off, otherwise the null character %00 is escaped to \0</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After setting up a test environment that satisfies the two conditions above, you can test with the vulnerable code below:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic2.zhimg.com/80/512b461632af9f8715023b8d860c2641_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic3.zhimg.com/80/8fccd2e4567dd0af486de977c39d7a3e_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The truncation succeeds and the upload yields a webshell</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/50896560b6a414c44ba3c7505a190060_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/856958825e8b9f30cb0ffb9ca970bdcc_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Bypassing file header / Content-Type checks</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">By prepending "GIF89a" to the uploaded file before uploading it, in certain environments you can bypass the image file check and get a shell. The cause is that a function such as getimagesize() is used to decide whether the uploaded file is an image; we can test this with the following code:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/96c78ace24d04539b7dcb65eb1e5db78_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Testing shows that after the GIF89a header is added, this function judges x.php to be an image file</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic3.zhimg.com/80/6a66048e44786fac5bf5e501d44dba76_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
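<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">An added example (not code from the original article) of a store-upload routine hardened against both tricks in this section: it rejects null bytes in the client filename (the %00 truncation case), never builds the stored path from client-supplied data, and re-encodes the image through GD so that a "GIF89a" prefix or embedded PHP cannot survive into the stored file. It assumes PHP 8 with the GD and fileinfo extensions and an upload field named <code>up</code>.</p>

```php
<?php
// Added example, not the article's code: a store-upload routine hardened against the
// %00 truncation and "GIF89a" header tricks. Assumes PHP 8 with GD and fileinfo.

declare(strict_types=1);

// Server-side map of accepted MIME types to the extension *we* assign; the client's
// filename and Content-Type are never used to build the stored path.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function storeUpload(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // %00 truncation relies on a null byte inside a user-controlled name; reject it outright.
    if (strpos($file['name'], "\0") !== false) {
        throw new RuntimeException('null byte in filename');
    }
    // Sniff the real content. Note: a file starting with "GIF89a<?php ..." still passes
    // here and in getimagesize(), so sniffing alone is NOT the fix.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected type: $mime");
    }
    // Re-encode through GD: the stored bytes are produced by the image library, so the
    // original bytes (including any PHP code appended or embedded) are discarded.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    $ext  = ALLOWED[$mime];
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext; // server-chosen name
    $ok   = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $dest;
}

// Usage (the upload directory should additionally have PHP execution disabled):
// echo storeUpload($_FILES['up'], __DIR__ . '/uploads');
```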
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">0x04 Race condition vulnerabilities:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Vulnerable code:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/d018467925a80a14b45fec7336b15cb4_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">What this code does is use the copy function to copy the uploaded image image.jpg into $path, and then delete the non-jpg files in that directory. So the normal attack flow is: upload image.jpg --> the copy function produces shell.php --> shell.php gets deleted. With the shell deleted, this looks useless~</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">So switch to a hacker's way of thinking: upload an avatar --> a temporary file (tmp.php) is generated --> keep requesting tmp.php so that it writes shell.php in the parent directory --> tmp.php and the other non-jpg files in the current directory are deleted, but shell.php in the parent directory remains --> success!</strong> So the content of image.jpg is as follows:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/4d5b6a6c9073871d2d476e894e57a234_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Testing with Burp: one thread executes the vulnerable code and keeps generating tmp.php, as follows:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/b103dbcc5749bb87d7a7961a78551be8_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The other keeps requesting tmp.php so that shell.php can be generated in the parent directory, as follows:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/f45be6acfa6beee20ee43db60697268c_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After brute-forcing for a short while, we find that shell.php has been written into the main directory~</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">That is all for this installment; you are welcome to keep following for the next one.</p>
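<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">An added example (not the article's code) showing the copy-then-delete shape described above beside a version that closes the race: the fix is to validate while the file is still in PHP's private temporary location and never let a disallowed file reach a web-served directory at all, so there is no window for a second request to hit. It assumes an upload field named <code>avatar</code> and an <code>$uploadDir</code> under the web root.</p>

```php
<?php
// Added example, not the article's code: the racy copy-then-delete pattern beside a
// version that closes the race. Assumes $_FILES['avatar'] and an $uploadDir.

declare(strict_types=1);

// VULNERABLE (shape of the pattern in the article): the file is copied into a
// web-reachable directory first and only cleaned up afterwards. Between copy() and
// unlink() the .php file exists and can be requested; that gap is the race window.
function saveAvatarRacy(array $file, string $uploadDir): void
{
    $dest = $uploadDir . '/' . basename($file['name']);
    copy($file['tmp_name'], $dest);
    foreach (glob($uploadDir . '/*') as $f) {
        if (strtolower(pathinfo($f, PATHINFO_EXTENSION)) !== 'jpg') {
            unlink($f); // too late: the file was already reachable
        }
    }
}

// FIXED: validate while the file is still in PHP's private temp location, never let a
// disallowed file touch the web root, and store it under a server-chosen name.
function saveAvatarSafe(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    // Content check happens BEFORE anything is written to the web root.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('only JPEG avatars are accepted');
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.jpg';
    // The file appears only under its final, validated name; there is never a moment
    // at which an attacker-named .php file exists in the served directory.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('store failed');
    }
    return $dest;
}

// Defence in depth: also disable script execution in $uploadDir at the web server
// (for example an Apache php_admin_flag engine off, or an nginx location without fastcgi).
```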