Pikachu learning: file download and file upload vulnerabilities


File Download Vulnerability Overview:

Many sites offer a file download function: the user clicks a download link and receives the file that the link points to. If the download function is designed improperly, an attacker may be able to construct a file path and retrieve other sensitive files from the back-end server. (Also known as: arbitrary file download.)


Let me show you the file download vulnerability page in pikachu.

Enter the page and click on a player's image to download it.


We find that the file can be downloaded.

Its full link is http://192.168.131.246/pikachu-master/pikachu-master/vul/unsafedownload/down_nba.php?filename=ai.png

The front end passes the filename to the back end, the back end looks up ai.png and returns it to the front end, and the user downloads it there.

This should remind us of the file inclusion vulnerability: it is exploited in much the same way, by directly modifying the filename that the front end sends in the request.

For example, if we guess that the server runs Linux, we can try to obtain its user account information:

http://192.168.131.246/pikachu-master/pikachu-master/vul/unsafedownload/down_nba.php?filename=../../../../../../../etc/password


The preventive measures are like those for injection vulnerabilities:

1. Strictly filter the incoming filename.

2. Strictly restrict the directory from which files may be downloaded.
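The two measures above as an added example; this is not pikachu's own down_nba.php. The filename parameter is accepted only as a bare image file name inside a fixed download directory, and realpath() confirms the resolved path still lies in that directory. The directory name and the image-only restriction are assumptions.

```php
<?php
// Added example (not pikachu's own down_nba.php): a download handler that
// refuses to let the filename parameter escape the download directory.
// Assumptions: files live in a fixed $downloadDir under the web root and
// only image files are meant to be downloadable.

declare(strict_types=1);

const DOWNLOADABLE_EXT = ['png', 'jpg', 'jpeg', 'gif'];

function resolveDownload(string $requested, string $downloadDir): ?string
{
    // 1. Strict filter on the incoming name: a plain "name.ext" made of safe
    //    characters only, so no separators, no "..", no NUL bytes can get through.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.[A-Za-z0-9]+\z/', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, DOWNLOADABLE_EXT, true)) {
        return null; // .php source and other non-image files are not downloadable
    }
    // 2. Strict directory restriction: realpath() resolves symlinks and any "..",
    //    so the result must still start with the real download directory.
    $base = realpath($downloadDir);
    $path = realpath($downloadDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR) || !is_file($path)) {
        return null;
    }
    return $path;
}

function sendDownload(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

$downloadDir = __DIR__ . '/download';        // fixed by the application, never by the request
$requested   = (string) ($_GET['filename'] ?? '');
$path = resolveDownload($requested, $downloadDir);
if ($path === null) {
    http_response_code(404);                 // "../../../../../../../etc/password" ends here
    exit;
}
sendDownload($path);
```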


File Upload Vulnerability Overview:

File upload functions are common in web applications: many sites require users to upload a picture at registration, to upload attachments, and so on. When the user clicks the upload button, the back end checks whether the file is of the specified type, extension, size, etc., then renames it and stores it in a directory according to the format the design specifies. If the back end makes no check at all on the uploaded file, or the check is not strict enough, an attacker can upload a malicious file such as a one-line Trojan and obtain a webshell on the back-end server.

So, when designing a file upload function, be sure to apply strict security checks to the file passed in. For example:
          - Verify the file type, extension and size;
          - verify the contents of the uploaded file;
          - rename the file in a sufficiently complex way;
          - do not expose the path after the file is uploaded;
          - and so on ...


File upload vulnerability testing process:


File upload vulnerability - client check:

    We find that only pictures can be uploaded; other files are rejected.


We can open the browser's web console and look at how it judges the file we upload.


When the state of the input element changes (onchange), it calls the checkFileExt method.

 

We can look at the source code


We find that the file check is based solely on front-end JavaScript: the checkFileExt method only accepts files with the extensions "jpg, png, gif".


So we can modify the front-end source directly to remove the call to checkFileExt, and then upload a one-line PHP Trojan file.


Then we can use the file path returned by the page to access it and obtain back-end information (close the proxy before visiting):

http://192.168.131.246/pikachu-master/pikachu-master/vul/unsafeupload/uploads/a.php?x=ipconfig


File upload vulnerability - server-side validation:

Here I demonstrate the file upload vulnerability in two main forms: the MIME type check and the getimagesize check.


MIME type:

Before the demonstration we need to understand MIME and $_FILES.


Entering the page, we find that still only pictures can be submitted, so we look at the source code directly.


This time we find that the file type check is done on the back end.

Next we upload a one-line PHP Trojan file and capture the request.


Send the captured packet to the Repeater module, change the Content-Type at the bottom to image/jpg (any image format), and click Send.


We see the file path.

Then we can construct an accessible link (close the proxy before visiting):

http://192.168.131.246/pikachu-master/pikachu-master/vul/unsafeupload/uploads/a.php?x=ipconfig


Getimagesize class:

getimagesize() function overview:

    The getimagesize() function is used to obtain the size information of an image. On success it returns an array; on failure it returns FALSE and generates an E_WARNING-level error message.

Syntax:

array getimagesize(string $filename [, array &$imageinfo])

getimagesize() determines the size of any GIF, JPG, PNG, SWF, SWC, PSD, TIFF, BMP, IFF, JP2, JPX, JB2, JPC, XBM or WBMP image file and returns the dimensions together with the file type and the picture's height and width.


The result returned by getimagesize() contains the file size and file type. If this function is used to judge by type whether a file is a picture, there will be problems.


We first need to create an image Trojan.

Method 1 (direct)

Create a c.php file and a c.png file on the desktop.

Enter the command on the command line.

The Trojan file abc.png is made successfully.

Upload the image Trojan on the page and obtain the file path.

Then we can use the link to get information.
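The three checks shown above (the client-side JavaScript, the Content-Type header behind $_FILES['type'], and an image header that satisfies getimagesize()) fail for the same reason: all three are under the uploader's control. An added server-side handler, not pikachu's own code, that checks the uploaded bytes and re-encodes the image; the form field name, the upload directory and PHP 8 with GD and fileinfo are assumptions.

```php
<?php
// Added example, not pikachu's own upload code: server-side checks that do not trust
// the client's JS check, its Content-Type header ($_FILES['type']) or an image header alone.
// Assumed: form field "uploadfile", $uploadDir never executes scripts, PHP 8 with GD and fileinfo.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
// Extension whitelist, each mapped to the only MIME type its bytes may have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

function storeUploadedImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is used only to pick a whitelist entry, never as a path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // $_FILES['type'] is only the Content-Type the client sent (edited in Repeater above), so ignore it.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // getimagesize() and finfo read only the header, so data appended after a valid image passes them.
    // Decoding and re-encoding with GD writes a fresh file from the pixels alone (animated GIFs lose animation).
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name: the uploader's filename never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = match ($detected) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name; // report at most the name to the client, never the storage path
}
```

Call it as `storeUploadedImage($_FILES['uploadfile'], '/var/www/uploads')` from the form handler; because the stored file is rewritten from decoded pixels and named by the server, a renamed a.php or an abc.png with PHP appended never lands on disk as executable content.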


File upload vulnerability precautions:


Source: www.cnblogs.com/swl0221/p/12641721.html