File Upload
Unlimited
With no restriction at all, upload a one-line PHP backdoor directly and connect to it with AntSword:
Obtain the flag:
Front-end verification
Trying to upload the backdoor directly, I found the request was blocked; on inspection it turned out to be JavaScript front-end validation:
Here you can either use a Firefox plug-in to disable the page's JavaScript, or use Burp Suite to bypass the front-end check.
This shows how to bypass the front-end check with Burp Suite:
First rename the file to 1.jpg, then in Burp Suite change the file name in the request to 1.php; this bypasses the check.
Use AntSword to obtain the flag.
.htaccess
What .htaccess is
A .htaccess file (or "distributed configuration file") provides a way to change configuration per directory: a file containing one or more directives is placed in a particular document directory, and those directives apply to that directory and all of its subdirectories. The directives an ordinary user may use are restricted.
In general terms, .htaccess is an Apache server configuration file responsible for the configuration of the pages under its directory. With a .htaccess file we can implement 301 redirects, custom 404 error pages, changing how file extensions are handled, allowing or blocking access for specific users or directories, disabling directory listings, configuring the default document, and other functions.
Simply put, if I upload a .htaccess file to the server, it can make the server parse files of a specific format as PHP.
.htaccess exploit
```apache
# Method one: parse every file in the directory as PHP
SetHandler application/x-httpd-php
# Method two: parse .jpg files as PHP
AddType application/x-httpd-php .jpg
```
Problem solution process
Write the .htaccess file and upload it.
Upload the one-line backdoor, connect with AntSword, and get the flag:
MIME verification
What is MIME
MIME stands for Multipurpose Internet Mail Extensions. It was originally designed so that multimedia data could be attached to e-mail and the mail client could process it according to its type. Once it was adopted by the HTTP protocol its importance grew further: it lets HTTP carry not only plain text but rich content.
Each MIME type has two parts: the major class of the data comes first, such as audio for sound or image for pictures, and the specific type follows.
Common MIME types

| Type | Extension | MIME type |
|---|---|---|
| HTML text | .html | text/html |
| Plain text | .txt | text/plain |
| GIF image | .gif | image/gif |
| JPEG image | .jpeg, .jpg | image/jpeg |

Server-side MIME checking inspects the Content-Type field of the HTTP request to decide whether the uploaded file is valid. It is easy to deal with: whatever type of file I upload, I just change the Content-Type field so that the check passes.
Problem solution process
Uploading a PHP file gives the hint:
Viewing the source code shows no front-end check, so I guess the validation is on the MIME type.
Modify Content-Type:
Upload succeeds:
Connect with AntSword, get the flag.
Header detection
Uploading a PHP file gives an error with the following hint:
Change the MIME type to that of a jpg image and upload:
Still an error, with the following hint:
I guess the file contents are being checked.
Create an image horse (a PHP backdoor appended to a real image):
```bat
copy 原图片.jpg/b + 后门.php/a 图片马.php
```
/b marks the file as binary
/a marks the file as ASCII
Connect with AntSword, get the flag.
00 Truncated
For details, see this article.
Principle of 00 truncation
0x00 is the hexadecimal representation of ASCII character code 0. Some processing functions treat this character as a string terminator, which can be used to bypass checks on the file name and type.
How 00 truncation is used
I used to think that so-called 00 truncation meant appending %00 to the file name to cut it off, but this approach is wrong. Why? Suppose an attacker constructs the file name admintony.php%00a.jpg. When the extension is extracted, the %00 is treated as the end of the string, so the extracted extension is .php; the .php suffix is not allowed, so the upload fails.
It can only be used when the request packet also carries the directory the file is uploaded to, for example a path value such as uploads/; the attacker then builds the payload by modifying that path value: uploads/aa.php%00.
Why does modifying the path work? Because the program only checks the file extension; once the suffix is legal, it concatenates the path and the file name. So the attacker changes the path to uploads/aaa.php%00/2018051413370000.php, and when the file is moved it is saved as uploads/aaa.php, achieving getshell.
Problem solution process
Upload a PHP file to test:
The URL contains the upload path, so I guess the file name is concatenated onto the directory name after the suffix has been checked.
Use 00 truncation: the %00 is decoded by the server to 0x00, which cuts the string off.
AntSword, flag:
Source code analysis
```php
<?php
header("Content-type: text/html;charset=utf-8");
error_reporting(0);
// set the upload directory
define("UPLOAD_PATH", dirname(__FILE__) . "/upload/");
define("UPLOAD_URL_PATH", str_replace($_SERVER['DOCUMENT_ROOT'], "", UPLOAD_PATH));
if (!file_exists(UPLOAD_PATH)) {
    mkdir(UPLOAD_PATH, 0755);
}
if (!empty($_POST['submit'])) {
    $name = basename($_FILES['file']['name']);
    $info = pathinfo($name);
    $ext = $info['extension'];
    $whitelist = array("jpg", "png", "gif");
    if (in_array($ext, $whitelist)) {
        // the destination directory comes from the request parameter 'road', not from UPLOAD_PATH
        $des = $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $des)) {
            echo "<script>alert('上传成功')</script>";   // "upload succeeded"
        } else {
            echo "<script>alert('上传失败')</script>";   // "upload failed"
        }
    } else {
        echo "文件类型不匹配";   // "file type does not match"
    }
}
?>
```
basename(path, suffix) // returns the file-name part of a path.

| Parameter | Description |
|---|---|
| path | Required. The path to check. |
| suffix | Optional. A file extension; if the file name ends with this suffix, it is not included in the output. |
pathinfo() // returns an associative array with information about path.
```php
<?php
print_r(pathinfo("/testweb/test.txt"));
?>
/*
Array
(
    [dirname] => /testweb
    [basename] => test.txt
    [extension] => txt
)
*/
```
The vulnerable spot is the uniform renaming of the upload: the extension is checked on $name, but the destination is built from the request parameter road, and the 0x00 in that value cuts the path off before the generated file name, so the file is saved under the attacker-chosen name.
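As an added example (not the challenge's code, and not from any project this write-up describes), the following is a hardened rewrite of the handler above that closes the gaps used in the MIME, header-detection and 00-truncation sections: the destination directory is fixed rather than taken from road, a NUL byte in the name is rejected up front, the extension is matched exactly against a whitelist (so .htaccess and double suffixes fall through), and the type is read from the file bytes with finfo rather than from the client's Content-Type. The upload directory, its placement outside the document root, and the response wording are assumptions. Two caveats a practitioner should know: since PHP 5.3.4 filesystem functions reject paths containing NUL bytes, so the truncation alone fails on current PHP, but a user-controlled destination remains a path-traversal bug regardless; and an image with PHP appended (the image horse above) passes both finfo and getimagesize, which is why the file is stored under a server-generated name with a whitelisted extension in a directory where the server does not execute scripts (on Apache, AllowOverride None on that directory also stops an uploaded .htaccess from changing handlers).

```php
<?php
// Added example, not the challenge's code: hardened upload handler.
// Assumption: this directory lies outside the document root and is served
// only through a separate download script, never executed by Apache.
define("UPLOAD_PATH", dirname(__FILE__) . "/../private_uploads/");

// Allowed extensions, mapped to the MIME type the file CONTENT must have.
$whitelist = array(
    "jpg" => "image/jpeg",
    "png" => "image/png",
    "gif" => "image/gif",
);

function reject($reason) {
    http_response_code(400);
    echo "upload rejected: " . htmlspecialchars($reason);
    exit;
}

if (!is_dir(UPLOAD_PATH)) {
    mkdir(UPLOAD_PATH, 0750, true);
}

if (!empty($_POST['submit'])) {
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        reject("no file or transfer error");
    }
    $tmp  = $_FILES['file']['tmp_name'];
    $name = $_FILES['file']['name'];

    // 1. A NUL byte anywhere in the client-supplied name means tampering;
    //    never let it reach pathinfo() or the filesystem.
    if (strpos($name, "\0") !== false) {
        reject("invalid file name");
    }

    // 2. Extension check: exact, case-insensitive match against the whitelist,
    //    taken from the LAST dot, so "x.php.jpg" yields "jpg" and ".htaccess"
    //    yields "htaccess", which is not in the list.
    $ext = strtolower(pathinfo(basename($name), PATHINFO_EXTENSION));
    if ($ext === "" || !array_key_exists($ext, $whitelist)) {
        reject("extension not allowed");
    }

    // 3. Content check with finfo instead of $_FILES['file']['type'], which is
    //    only the client's Content-Type header and can be set to anything.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $realType = $finfo->file($tmp);
    if ($realType !== $whitelist[$ext]) {
        reject("content does not match extension");
    }

    // 4. The image must also decode. A PHP payload appended to a real image
    //    still passes steps 3 and 4, which is why step 5 matters: the file never
    //    gets a server-parsed extension or a path the attacker chose.
    if (@getimagesize($tmp) === false) {
        reject("not a valid image");
    }

    // 5. Server-generated name, fixed directory, whitelisted extension only.
    $des = UPLOAD_PATH . bin2hex(random_bytes(16)) . "." . $ext;
    if (!move_uploaded_file($tmp, $des)) {
        reject("could not store file");
    }
    echo "stored as " . htmlspecialchars(basename($des));
}
```

The order of the checks is deliberate: the cheap string checks run before the file is opened, and nothing derived from the client (name, directory, Content-Type) ever reaches the final path.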
Double suffix
```php
$name = basename($_FILES['file']['name']);
$blacklist = array("php", "php5", "php4", "php3", "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess", "ini");
$name = str_ireplace($blacklist, "", $name);
```
The code only replaces each blacklisted string with an empty string in a single pass, so it is enough to construct the suffix .pphphp: removing the inner php leaves .php, which bypasses the filter.
Upload the backdoor, connect with AntSword, get the flag.
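As an added example (not the challenge's code), here is the filter from this section beside two fixes: one repeats the replacement until the name stops changing, the other rejects the name outright when any extension segment is blacklisted. The second is the better design, because a filter that edits attacker input is always harder to reason about than one that refuses it. The sample name shell.pphphp is constructed for the demonstration.

```php
<?php
// Added example, not the challenge's code: a single str_ireplace() pass is a
// bypassable filter; two alternatives that are not.

$blacklist = array("php", "php5", "php4", "php3", "phtml", "pht", "htaccess", "ini");

// The write-up's filter: strip each blacklisted string once.
function filterByStripping($name, $blacklist) {
    return str_ireplace($blacklist, "", $name);
}

// Fix A: keep stripping until nothing changes, so a name that re-forms a
// blacklisted token after one pass is stripped again.
function filterUntilStable($name, $blacklist) {
    do {
        $before = $name;
        $name = str_ireplace($blacklist, "", $name);
    } while ($name !== $before);
    return $name;
}

// Fix B (preferred): do not sanitise by deletion at all. Reject the name if
// any dot-separated segment after the base name is blacklisted, so
// "shell.php.jpg" and ".htaccess" are refused instead of being "cleaned".
function rejectIfBlacklisted($name, $blacklist) {
    $parts = explode(".", strtolower($name));
    array_shift($parts);                      // drop the base name
    foreach ($parts as $segment) {
        if (in_array($segment, $blacklist, true)) {
            return false;                     // reject
        }
    }
    return true;                              // accept
}

// Demonstration with the constructed name from this section.
$name = "shell.pphphp";
echo filterByStripping($name, $blacklist), "\n";
echo filterUntilStable($name, $blacklist), "\n";
var_dump(rejectIfBlacklisted($name, $blacklist));
var_dump(rejectIfBlacklisted("shell.php.jpg", $blacklist));
var_dump(rejectIfBlacklisted(".htaccess", $blacklist));
```

Run with php: the single-pass filter turns shell.pphphp into shell.php, the stable version reduces it to shell., and the reject version returns false for all three names. The stripping filter also turns shell.php.jpg into shell..jpg, which is exactly the kind of mangled-but-accepted output that makes deletion-based filters hard to audit.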