
Analysis of the file upload vulnerability detection logic in AWVS 14.7

Analysis of File_Upload.script

[Figure: flow chart of startTesting(). Recoverable branches: a true result ends the plugin; on false, the script checks whether  exists and runs **TestPerlJam2()** / **alertPerljam2()** (execution continues whether or not a vulnerability is found), then **TestZipSymlinkUpload()** / **alertZipSymlink()** followed by **TestImageUploadExifXSS()** / **alertEXIFXSS()** (again continuing regardless of the result); after that, == false ends the plugin, == true leads to a first call that ends the plugin when it returns false, and otherwise **TestFileUpload()** / **alert()** run and the plugin ends.]

startTesting()

1. If a file upload point is detected ()

then call 

2.1 If , the plugin run ends

2.2 If , the plugin continues running

3.0 If , call  (the AWS S3 interface; see the detailed description of that function for how it is called)

Whether or not a vulnerability is reported (), the function continues running

4. If a path is obtained () and it carries an extension, and the extension is  (a public-facing interface script) or  (a script compiled and run by Perl), call 

5.0 Call , invoked as 

6.0 Call , invoked as 

7.0 Call **this.existFileUpload()** to check whether the uploaded file is visible; if it is not, no further tests run

8.0 Call , invoked as 

The base64 here decodes to the content shown in the figure below: a PHP echo statement

9.1  == false: end the plugin run

9.2  == true:

call **TestFileUpload()** and then **alert()**; the plugin run ends


       
```javascript
// Java applet upload: try .class first, then .jar if the first attempt is rejected
if (!await this.TestFileUpload("Applet" + random(maxRandomNumber) + ".class", "image/jpeg", appletPayload, appletPayload))
    await this.TestFileUpload("Applet" + random(maxRandomNumber) + ".jar", "image/jpeg", appletPayload, appletPayload);

// test xss via svg
await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".svg", "application/xml",
    b642plain("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"),
    '<use xlink:href="data:application/xml;base64,', 0, 'svg');

// test xsscanonUrl: .htm declared as text/html, then as image/jpeg
// (the base64 decodes to the same <script> marker that is passed as the expected string)
if (!await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".htm", "text/html",
        b642plain("PHNjcmlwdD5hbGVydCgnc2FuZ2ZvciB4c3MgdGVzdCcpOzwvc2NyaXB0Pg=="),
        "<script>alert('sangfor xss test');</script>", 0, 'html'))
    await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".htm", "image/jpeg",
        b642plain("PHNjcmlwdD5hbGVydCgnc2FuZ2ZvciB4c3MgdGVzdCcpOzwvc2NyaXB0Pg=="),
        "<script>alert('sangfor xss test');</script>", 0, 'html');

// test shell upload
// The same JPEG is reused by every image/* PHP test below, so it is hoisted here for
// readability: a valid 1x1 JPEG whose COM segment holds
// "<?php echo(md5('sangforr-file-upload-test')); ?>".
const jpegPhpPayload = b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q==");
// Decodes to: <% Response.Write("4d02070effdd7e319" + "ca561bc66617a8a") %>
const aspPayload = b642plain("PCUgUmVzcG9uc2UuV3JpdGUoIjRkMDIwNzBlZmZkZDdlMzE5IiArICJjYTU2MWJjNjY2MTdhOGEiKSAlPg==");
// Marker string that TestUploadedFileOnUrl() must find in the served file
const expectedMarker = "963151c21d0fe4a98606a053e7cc9208";

ScriptProgress(ComputeProgress(2, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php", "image/jpeg", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(3, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.php.rar ", "image/jpeg", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(4, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php3", "image/jpeg", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(5, numberTests));
// NUL-byte truncation variant
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php\x00.jpg", "image/jpeg",
        b642plain("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"), expectedMarker)) return;

ScriptProgress(ComputeProgress(6, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".phtml", "image/jpeg", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(7, numberTests));
// Plain PHP, no JPEG wrapper: decodes to <?php echo(md5('acunetix-file-upload-test')); ?>
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php", "text/plain",
        b642plain("PD9waHAgZWNobyhtZDUoJ2FjdW5ldGl4LWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+"), expectedMarker)) return;

ScriptProgress(ComputeProgress(8, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.jpg", "image/jpeg", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(9, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.123", "image/png", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(10, numberTests));
// NTFS alternate data stream variant
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php::$DATA", "image/png", jpegPhpPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(11, numberTests));
// Decodes to "#Sangfor .htaccess File Upload test" followed by an AddType line
// mapping .jpg .png .gif .htm .html to application/x-httpd-php
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".htaccess", "image/jpeg",
        b642plain("I1Nhbmdmb3IgLmh0YWNjZXNzIEZpbGUgVXBsb2FkIHRlc3QNCkFkZFR5cGUgYXBwbGljYXRpb24veC1odHRwZC1waHAgLmpwZyAucG5nIC5naWYgLmh0bSAuaHRtbCA="),
        "# .htaccess File Upload test")) return;

ScriptProgress(ComputeProgress(12, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.ajpg", "image/jpeg",
        b642plain("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"), expectedMarker)) return;

ScriptProgress(ComputeProgress(13, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".asp", "image/jpeg", aspPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(14, numberTests));
// Decodes to a C# Page_Load handler that Response.Write()s the same two halves as aspPayload
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".aspx", "image/png",
        b642plain("PHNjcmlwdCBydW5hdD0ic2VydmVyIiBsYW5ndWFnZT0iQyMiPg0Kdm9pZCBQYWdlX0xvYWQob2JqZWN0IHNlbmRlciwgRXZlbnRBcmdzIGUpew0KICBSZXNwb25zZS5Xcml0ZSgiNGQwMjA3MGVmZmRkN2UzMTkiICsgImNhNTYxYmM2NjYxN2E4YSIpOw0KfQ0KPC9zY3JpcHQ+DQo="),
        expectedMarker)) return;

ScriptProgress(ComputeProgress(15, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".asp", "text/plain", aspPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(16, numberTests));
// IIS 6 semicolon variant
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".asp;.jpg", "image/jpeg", aspPayload, expectedMarker)) return;

ScriptProgress(ComputeProgress(17, numberTests));
// Decodes to: <% out.print("4d02070effdd7e319" + "ca561bc66617a8a"); %>
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".jsp", "image/jpeg",
        b642plain("PCUgb3V0LnByaW50KCI0ZDAyMDcwZWZmZGQ3ZTMxOSIgKyAiY2E1NjFiYzY2NjE3YThhIik7ICU+"), expectedMarker)) return;

ScriptProgress(ComputeProgress(18, numberTests));
// Plain .jpg with the embedded PHP; the trailing 1 is the extra flag argument
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".jpg", "image/jpeg", jpegPhpPayload, expectedMarker, 1)) return;
```
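As an added, defender-side counterpart to the variant list above (example code, not part of the AWVS script): a Node.js filename check that rejects each of the extension tricks the loop uploads. The allow-list, the executable-extension set and the sample names are constructed for this demonstration.

```javascript
// Server-side upload filename validation written for this page; constructed example,
// not code from AWVS or from the analysed script.
const ALLOWED_EXT = new Set(["jpg", "jpeg", "png", "gif"]);
// Extensions an Apache/PHP, IIS/ASP.NET, Java or Perl stack may execute or interpret.
const EXEC_EXT = new Set(["php", "php3", "php5", "phtml", "phar", "asp", "aspx",
  "jsp", "jspx", "cgi", "pl", "htm", "html", "svg", "class", "jar"]);

function isSafeUploadName(rawName) {
  if (typeof rawName !== "string" || rawName.length === 0) return false;
  // A NUL byte or any control character is never legitimate (".php\x00.jpg").
  if (/[\x00-\x1f]/.test(rawName)) return false;
  // Keep the basename only, then strip an NTFS alternate data stream suffix
  // ("::$DATA") and trailing dots/spaces that Windows drops silently.
  let name = rawName.split(/[\\/]/).pop().replace(/::\$.*$/, "").replace(/[. ]+$/, "");
  // Dotfiles such as ".htaccess" carry server configuration, never image data.
  if (name.length === 0 || name.startsWith(".")) return false;
  // IIS 6 treats "a.asp;.jpg" as a.asp, so a ";" anywhere in the name is rejected.
  if (name.includes(";")) return false;
  const parts = name.toLowerCase().split(".");
  if (parts.length < 2) return false;
  const exts = parts.slice(1);
  // Every dotted segment is checked, covering ".php.jpg", ".php.123", ".php.php.rar".
  if (exts.some((e) => EXEC_EXT.has(e))) return false;
  // The final extension must be on the allow-list ("x.php.ajpg" also fails on "ajpg").
  return ALLOWED_EXT.has(exts[exts.length - 1]);
}

// Constructed sample names mirroring the variants in the scanner's test loop.
const REJECTED_SAMPLES = [
  "SanTest1.php", "SanTest1.php.php.rar ", "SanTest1.php3", "SanTest1.php\x00.jpg",
  "SanTest1.phtml", "SanTest1.php.jpg", "SanTest1.php.123", "SanTest1.php::$DATA",
  ".htaccess", "SanTest1.php.ajpg", "SanTest1.asp", "SanTest1.aspx", "SanTest1.asp;.jpg",
  "SanTest1.jsp", "SanTest1.htm", "SanTest1.svg", "Applet1.class", "Applet1.jar",
];

// Number of names from a list that the check would let through.
function countAccepted(names) {
  return names.filter(isSafeUploadName).length;
}
```

The filename check complements, and does not replace, storing uploads outside the web root with server-side execution disabled: the loop's image/jpeg cases carry a genuine JPEG whose comment segment holds PHP, so content sniffing alone would accept them.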

prepareUploadURLs()

Create an array for all file inputs

Check whether each input's type is file; if so, add it to the array

If the array length is 0, there is no file upload vulnerability; return

If the length is not 0,

submit the array to the framework function for processing; this function uploads the array into the framework and declares  as an array

define  with as many entries as the array length, each set to **{TO_BE_DETECTED}**

End of run

TestXXEFileUpload()

First create a random value of length 10 and write  into an XML-formatted 

Create  for all file inputs

Check whether the input type is file; if so, add it to the class 

If the class holds no values, return true

If the array in the class is not empty, submit the array to the framework function; this function uploads the array into the framework and assigns the values of the class's array to the array 

Load each value in the array in turn (),

then use , , and **setInputValue()** in turn to set the file name (passed in when the function is called), the file type (passed in when called) and the file contents () (the random string goes here)

Send the file carrying the dnslog reference; if the response does not error or the error code is , and the random value is observed on the listener, call  to flag the vulnerability (XXE).


How startTesting() calls it:

It is first called as **this.TestXXEFileUpload("SanTest" + random(maxRandomNumber) + ".xml", "text/xml")**; if that returns false,

it is called as **this.TestXXEFileUpload("SanTest" + random(maxRandomNumber) + ".jpg", "image/jpeg")**.

Regardless of the result of those two calls, **this.TestXSLTFileUpload("SanTest" + random(maxRandomNumber) + ".xml", "text/xml")** is then called once more.

TestPerlJam2()

Initialize the variable ; iterate over the input points looking for one whose type is FILE; once one matches, break out of the loop and assign it to 

Construct a request containing 

Send the form-type request carrying that data; if the response contains certain special strings (root, bin, etc.), call  to flag the vulnerability (directory traversal).

TestZipSymlinkUpload()

Create the variable  as the decoded result of a base64 string; I did not understand the decoded content either... Online sources say it is a symbolic link, which contains a reference pointing to another file or directory in the form of an absolute or relative path.

Create  for all file inputs

Check whether the input type is file; if so, add it to the class 

If the class holds no values, return true

If the array in the class is not empty, submit the array to the framework function; this function uploads the array into the framework and assigns the values of the class's array to the array 

Load each value in the array in turn (),

then use , , and **setInputValue()** in turn to set the file name (passed in when the function is called), the file type (passed in when called) and the file contents ()

Then send the request; if the response does not error,

first check whether the response contains special strings (root, bin, etc.); if so, call 

if not, base64-decode the response body once; if the decoded content contains those special strings, call  to flag the vulnerability (zip symlink file upload).

TestImageUploadExifXSS()

Create the variable  as the decoded result of a base64 string; the decoded content should be an image with an embedded payload ("image shell") containing many alert pop-up statements

Create  for all file inputs

Check whether the input type is file; if so, add it to the class 

If the class holds no values, return true

If the array in the class is not empty, submit the array to the framework function; this function uploads the array into the framework and assigns the values of the class's array to the array 

Load each value in the array in turn (),

then use , , and **setInputValue()** in turn to set the file name (passed in when the function is called), the file type (passed in when called) and the file contents ()

Then send the request; if the response does not error and  is recognized after HTML parsing, flag the vulnerability (XSS triggered via file upload).

TestFileUpload()

1.0 Create  for all file inputs

Check whether the input type is file; if so, add it to the class 

If the class holds no values, return true

If the array in the class is not empty, submit the array to the framework function; this function uploads the array into the framework and assigns the values of the class's array to the array 

Load each value in the array in turn (),

then use , , and **setInputValue()** in turn to set the file name (passed in when the function is called), the file type (passed in when called) and the file contents ()

Then send the request.

If the file name contains "", remove that "" from it

If the response does not error:

2.1 Check **this.uploadURLs[varIndex]**; if **this.uploadURLs[varIndex] == {NOT_FOUND}**, exit this function immediately

2.2 If : first test the upload directory identified earlier, building url = scanned path + file name

2.2.1 Call function ; if , define variable , cut url at the last "" in the scanned file path and assign it to ; if  (passed in when the function is called) = , exit this function

2.2.2 Call function ; if , create class  = ; cut url at "" and assign it to , and set ; if  (passed in when called) = , exit this function

2.2.3 If neither 2.2.1 nor 2.2.2 succeeded, create variable  and array  (this array was created in 3.2), then create a new array ; for every value in the array whose ending is , add that value to the array 

If the array's length is not 0, assign that length to variable ; the variable may not exceed 5, and if it is greater than 5 it is reset to 5. If the URL scheme is http and a domain exists (), cut url at the last "" in the scanned file path and assign it to , and set ; if  (passed in when called) = , exit this function

2.2.4 If 2.2.3 did not succeed either, set variable 

2.3 Variable 

If variable , create class 

If , ; otherwise 

Then call **TestUploadedFileOnUrl()**; if it returns true and  (passed in when called) = , exit this function

3.0 If none of the above conditions is met, there is no file upload vulnerability: return false

TestUploadedFileOnUrl()

Send the request directly (the request details are passed in when the function is called); if the response contains variable  (passed in) and the content type equals variable  (passed in), return true; otherwise return false

existFileUpload()

Create  for all file inputs

Check whether the input type is file; if so, add it to the class 

If the array in the class is not empty, submit the array to the framework function; this function uploads the array into the framework

then use setInputFileName, setInputContentType and setInputValue in turn to set, from fileInputList, the file name, content type and file contents (the random string goes here)

Then send the request carrying the random string; if the response does not error or the error code is 0xF0003, and the response contains the random string sent earlier, call  to flag the vulnerability
