Part One: Unsafe file download
1. Concept
Overview of unsafe file download
A file download function appears on many web systems. Generally, when we click a download link, a download request is sent to the back end; this request usually carries the name of the file to be downloaded. After receiving the request, the back end runs its download code, locates the file corresponding to that name, and returns it to the browser to complete the download. If the back end, after receiving the file name, splices it straight into a path and starts the download without checking whether that path is safe, an unsafe file download vulnerability can result.
At that point, if an attacker submits not the file name the program expects but a carefully constructed path (such as ../../../etc/passwd), the specified file is likely to be downloaded directly, and sensitive back-end information (password files, source code, and so on) is exposed.
Therefore, when designing a file download function, if the file to be downloaded is passed in from the front end, the passed-in file name must be handled with security in mind. Remember: all data that interacts with the front end is untrusted and cannot be taken lightly!
You can use the test section corresponding to "Unsafe file download" to get a better understanding of this vulnerability.
2. Unsafe Filedownload
We right-click the name hyperlink and choose to open it in a new tab.
Looking at the page source, we find there is no security check at all: the file name is concatenated directly into the download path.
We construct a URL to download the file:
../../../password.txt
In fact, this is a file I created myself; I chose to download it to make the demonstration easier.
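The fix the concept section calls for, as an added example that is not Pikachu's download code: the client-supplied name is confined to one directory instead of being concatenated. The 'downloads' base directory and the request names are assumptions, and the checks run on the name the web framework has already URL-decoded.

```python
import os
from typing import Optional

# Added example, not Pikachu's own code. 'downloads' is an assumed base directory.
BASE_DIR = os.path.realpath("downloads")


def vulnerable_path(filename: str) -> str:
    """The pattern described above: the client's string is concatenated as-is."""
    return BASE_DIR + "/" + filename


def safe_path(filename: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be refused."""
    # Only a bare file name is acceptable: no separators, no '.' or '..' components.
    if not filename or os.path.basename(filename) != filename or filename in (".", ".."):
        return None
    candidate = os.path.realpath(os.path.join(BASE_DIR, filename))
    # Defence in depth: after canonicalisation (symlinks included) the target must
    # still sit below BASE_DIR, so a stray link in the directory cannot point outside.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def escapes_base(path: str) -> bool:
    """True when a path, once canonicalised, lies outside BASE_DIR."""
    return os.path.commonpath([BASE_DIR, os.path.realpath(path)]) != BASE_DIR


# Constructed requests: the lab's traversal string, an absolute path, a normal
# name and a name with a sub-directory (report.pdf is a made-up file name).
REQUESTS = ["../../../password.txt", "/etc/passwd", "report.pdf", "sub/report.pdf"]


def decisions():
    """Map each constructed request to 'serve' or 'refuse' under safe_path()."""
    return {r: ("serve" if safe_path(r) else "refuse") for r in REQUESTS}
```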
Part Two: Unsafe file upload
1. Concept
Overview of unsafe file upload vulnerability
File upload functions are common in web applications: many sites ask for a profile picture when registering, allow attachments to be uploaded, and so on. When the user clicks the upload button, the back end should check whether the uploaded file is of the specified type, extension, size and so on, then rename it and store it in the designated directory according to the designed format. If the back end performs no check on the uploaded file, or the check is not strict enough, an attacker could upload a malicious file such as a one-line webshell (Trojan), and the back-end server ends up webshelled.
So, when designing a file upload function, be sure to apply strict security checks to the uploaded file. For example:
- verify the file type, extension and size;
- verify the content of the uploaded file;
- rename the file in a sufficiently complex way;
- do not expose the path after the file is uploaded;
- and so on ...
2. Client check: bypassing the client-side check
<script>
function checkFileExt(filename) {
    var flag = false; // state
    var arr = ["jpg", "png", "gif"];
    // extract the extension of the uploaded file
    var index = filename.lastIndexOf(".");
    var ext = filename.substr(index + 1);
    // compare against the allowed list
    for (var i = 0; i < arr.length; i++) {
        if (ext == arr[i]) {
            flag = true; // once a matching extension is found, exit the loop immediately
            break;
        }
    }
    // conditional
    if (!flag) {
        alert("The uploaded file does not meet the requirements, please re-select!");
        location.reload(true);
    }
}
</script>
Here checkFileExt() determines whether the uploaded file has an image extension; if not, a dialog box pops up.
We use Inspect Element to delete this check.
Then we upload our one-line webshell file.
Then we can connect to it with the caidao (China Chopper) webshell client or by constructing the URL.
URL example:
http://127.0.0.1/pikachu-master/vul/unsafeupload/uploads/yijuhua.php/?czs=ipconfig
3. Server-side MIME type check
if (isset($_POST['submit'])) {
    // var_dump($_FILES);
    $mime = array('image/jpg', 'image/jpeg', 'image/png'); // allowed MIME types; only the MIME type is checked here
    $save_path = 'uploads'; // directory created under the current directory
    $upload = upload_sick('uploadfile', $mime, $save_path); // call the upload function
    if ($upload['return']) {
        $html .= "<p class='notice'>File uploaded successfully</p><p class='notice'>Saved file path: {$upload['new_path']}</p>";
    } else {
        $html .= "<p class=notice>{$upload['error']}</p>";
    }
}
Upload a file in the correct format and capture the request with Burp Suite.
Upload the one-line webshell.
We check the file and find that the one-line webshell has been uploaded successfully.
Then we can connect with caidao or via the URL.
http://192.168.233.138/pikachu-master/vul/unsafeupload/uploads/1.php/?czs=ipconfig
4. getimagesize
getimagesize() returns, among other things, the image's size and type. If this function is used to obtain the type and decide whether the file is an image, there will be problems.
The back end compares the first few bytes of the uploaded image in hexadecimal; for a genuine image these leading bytes are fixed, for example PNG: 8950 4e47.
We prepare a normal image and a PHP file containing malicious code.
Enter the following command in cmd:
copy /b 1.png+1.php yi.png
Once the file has been produced, it can be uploaded successfully and the saved path is returned.
http://localhost/pikachu-master/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2020/03/31/5349015e830f4b00004846209034.png&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2
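The server-side checks that sections 2 to 4 together argue for, as an added example that is not Pikachu's upload_sick(): the extension is allow-listed from the real name, the client-set Content-Type is treated only as a hint, the leading bytes must match the claimed type, and the stored name is chosen by the server. The allow-list, size limit, naming scheme and sample bytes are assumptions. The last constructed case shows the caveat: a file built like the copy /b step above passes every header check, which is why the random rename and never passing the stored path to include() matter.

```python
import os
import secrets
from typing import Optional, Tuple

# Added example, not Pikachu's code. Allow-list, limit and naming scheme are assumed.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAX_BYTES = 2 * 1024 * 1024
# Leading bytes of genuine images (the header check the getimagesize section describes)
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify an image by its leading bytes, independent of any client header."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason); all three inputs come from the client."""
    if not data or len(data) > MAX_BYTES:
        return False, "size"
    # Extension from the client name, lower-cased, allow-listed: 1.php stops here.
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return False, "extension"
    ext = "jpg" if ext == "jpeg" else ext
    # Content-Type is set by the client (the MIME bypass), so it is only a hint...
    if not content_type.lower().startswith("image/"):
        return False, "content-type"
    # ...while the bytes themselves must start like the type the extension claims.
    if sniff_type(data) != ext:
        return False, "content does not match extension"
    # Random, server-chosen name: the client never picks the stored path or extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs: a PNG header, and the same header with PHP appended the way
# the copy /b step produces it. PHP_MARKER is a harmless stand-in for the webshell.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
PHP_MARKER = b"<?php echo 'constructed marker'; ?>"


def run_constructed_cases():
    return {
        "php_ext": validate_upload("1.php", "image/png", PHP_MARKER)[1],
        "png_ext_php_body": validate_upload("1.png", "image/png", PHP_MARKER)[1],
        "octet_stream": validate_upload("a.gif", "application/octet-stream", b"GIF89a" + b"\x00" * 16)[1],
        "jpeg": validate_upload("pic.jpeg", "image/jpeg", b"\xff\xd8\xff" + b"\x00" * 16),
        "polyglot": validate_upload("yi.png", "image/png", PNG_HEADER + PHP_MARKER),
    }
```

The "polyglot" case is accepted by design of the header check; only the random .png name and a handler that never includes uploaded files keep it from running as PHP.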