Unsafe file upload vulnerability
1. Overview
File upload functions are common in web applications: many sites ask users to upload a profile picture, attachments and so on when they register. When the user clicks the upload button, the back end checks whether the file is of the specified type, extension, size, etc., then renames it and stores it in the directory laid down by the design. If the back end performs no check on the uploaded file, or the check is not strict enough, an attacker can upload a malicious file, such as a one-line PHP trojan, and the back-end server ends up with a webshell.
So, when designing a file upload function, be sure to apply strict security checks to the file that is passed in. For example:
- verify the file type, extension and size;
- validate the uploaded file itself (its content, not only its name);
- rename the file in a sufficiently complex, unpredictable way;
- do not expose the path after the file is uploaded;
- and so on.
Unsafe file upload vulnerability catalog (the checks demonstrated below):
- client-side check (validation in the browser)
- MIME type (Multipurpose Internet Mail Extensions) check
- getimagesize check
2. Experimental demonstration
(1) Client-side check (validation in the browser)
We find that only images may be uploaded; viewing the page source shows that the file extension is checked in the front-end code.
Because of that, we can directly change the front-end code, for example by deleting the function that checks the extension.
Then we upload a file of another type and find that the upload succeeds.
Of course, a trojan file can be uploaded in the same way to attack the server!
(2) MIME type check
A MIME (Multipurpose Internet Mail Extensions) type is a way of associating a file extension with an application: when a file with that extension is accessed, the browser automatically opens it with the specified application. MIME types are also used by some clients to specify custom file names and to open some media files.
Common MIME types are:
- HTML text: .html, text/html
- Plain text: .txt, text/plain
- RTF text: .rtf, image/gif
- JPEG graphics: .jpeg, .jpg, image/jpeg
- GIF graphics: .gif, image/gif
I uploaded an image file that is allowed and a trojan file that is not allowed, and compared the two requests.
The Content-Type header is found to differ between them, so if we change this value to the allowed one we can successfully bypass the check.
(3) getimagesize
The getimagesize(string filename) function
This function determines the size of any GIF, JPG, PNG, SWF, SWC, PSD, TIFF, BMP, IFF, JP2, JPX, JB2, JPC, XBM or WBMP image file and returns the dimensions, the file type and the height and width of the image. That is, the function reads the file header and returns the image's length, width and other information; if no valid image file header is present, the function reports an error.
As can be seen, this level's code reads the part of the file name after the last ".", that is, it takes the final suffix, intending to restrict the file type by file name; the uploaded file name must therefore be of the form "*.jpg", "*.jpeg" or "*.png". At the same time, the getimagesize function is used to require that the header of the uploaded file be that of an image.
We tried the methods from the earlier levels here.
The server may directly check the file suffix, so we first try changing the suffix to jpg:
Even with the script renamed to the jpg type, it cannot be uploaded when its content is not in an image format.
There are two ways to bypass this:
- add a picture header in front of the script:
GIF89 <?php phpinfo(); ?>
- combine a jpg with php (a jpg + php polyglot):
Use the command:
echo '<?php phpinfo(); ?>' >> 1g.jpg
This writes the one-line trojan to the end of the picture 1g.jpg.
Then upload it to bypass the detection.
But the server will parse the trojan file as an image file, so when a request for the file is sent, the server returns the "picture" and does not execute the command inside it. We need a file inclusion vulnerability so that the image-format file is parsed and executed as a php file:
http://127.0.0.1/pikachu-master/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2020/4/3/4297605e4fd433f3445241700590.jpg&submit=submit inquiry
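As an added example (not part of the original write-up and not Pikachu's own code), the following Python mirrors the server-side checks discussed above: a header-only check, which is what a getimagesize-style test amounts to, accepts both polyglots from the getimagesize level, while a validator that also enforces an extension allowlist, matches the header against the declared extension and scans the body for script tags rejects them. The allowlist, the size limit and the sample byte strings are constructed for this example.

```python
import re
import secrets
from typing import List, Optional

# Magic bytes each allowlisted extension must start with (constructed allowlist).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # constructed size limit
# Script markers that never belong in a genuine image. This is a heuristic; the
# stronger control is to re-encode the image with an image library, which drops
# everything that is not pixel data, and to store uploads outside the web root.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def header_only_type(data: bytes) -> Optional[str]:
    """What a header-only check concludes: it looks at the magic bytes and nothing else."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> List[str]:
    """Return the reasons to reject the upload; an empty list means it may be accepted."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        problems.append(f"extension {ext!r} not in allowlist")
    elif not any(data.startswith(m) for m in MAGIC[ext]):
        # A GIF header on a file named *.jpg is the first bypass above.
        problems.append("file header does not match the declared extension")
    if len(data) > MAX_BYTES:
        problems.append("file exceeds size limit")
    if SCRIPT_MARKERS.search(data):
        # Catches both "GIF89a<?php ..." and a real jpg with "<?php ..." appended.
        problems.append("script tag embedded in image body")
    return problems


def storage_name(ext: str) -> str:
    """Server-chosen random name: the client's file name is never reused or revealed."""
    return f"{secrets.token_hex(16)}.{ext}"
```

The final step of the write-up works only because fi_local.php passes a request parameter to include; a stored image can be kept harmless by never including user-supplied paths and by mounting the upload directory with script execution disabled.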