Chapter VII: Unsafe file downloads and uploads
1. Unsafe file download: principle and demonstration
Scene demo
Clicking on a picture's name downloads it; the download opens in a new tab.
Look at the URL used for the download.
The filename ai.png is passed to the back end, which locates the file, reads it and returns its contents to the front end, where the browser downloads it.
A file download vulnerability can be tested with directory traversal: if the filename parameter contains enough ../../../../ it climbs to the root directory, and from there the relevant files can be read.
You can download this file
Look at the code behind it.
When you click on the picture, an `<a>` tag (a GET request) passes a parameter to exedownload.php.
The script takes the file name and concatenates it directly onto the download directory (the pictures live in download) without any processing.
After concatenation it calls fopen, reads the file, computes its length and puts it in the response header sent to the front end.
It then loops over the file, reads out the whole byte stream, and echoes it to the front end.
The main problem is that the file name passed from the front end is never checked: there is no test of whether the file is in the intended directory; it is read directly. The incoming value should be checked, and the permitted range defined.
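As an added example (not Pikachu's own exedownload.php), this is how the download handler looks once the file name is restricted to a defined range. It assumes the pictures live in ./download next to the script, the name arrives as ?filename=, and only image files may be served; the realpath() comparison is what defeats ../ sequences and symlinks that point out of the directory.

```php
<?php
// Hardened download handler (example, not the original exedownload.php).
// Assumptions: files live in ./download, the name arrives as ?filename=,
// and only png/jpg/gif files may be served.

declare(strict_types=1);

function resolveDownload(string $baseDir, string $requested): ?string
{
    // Reject anything that is not a plain base name: no slashes, no traversal.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Allowlist the characters and the extension instead of filtering "../".
    if (!preg_match('/^[A-Za-z0-9_-]+\.(png|jpe?g|gif)$/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() fails on missing files and resolves symlinks, so the final
    // prefix check confirms the target really sits inside the download dir.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['filename'] ?? '';
$path = resolveDownload(__DIR__ . '/download', (string) $requested);
if ($path === null) {
    // Same response for "outside the directory" and "does not exist", so the
    // handler cannot be used to probe which paths are present.
    http_response_code(404);
    exit('not found');
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A request for ai.png resolves to download/ai.png and is served; a request carrying ../ fails the basename() test before the file system is ever touched, and a symlink inside download that points elsewhere fails the realpath() prefix check. Logging rejected names from resolveDownload() gives a cheap detection signal for traversal attempts.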
2. Unsafe file upload (client-side check): principle and bypass
Scene demo
Try to upload a php file: it is refused.
The pop-up box comes straight from the front end.
Let's check whether the restriction is enforced only on the front end.
The input tag has an onchange handler, so whenever the selection changes it calls checkFileExt().
Look at the page source
This function uses JavaScript to judge the selected file, and the check is done entirely on the front end, so it is easily bypassed, just as the length limit was removed in the earlier XSS chapter.
Remove the onchange attribute and try uploading again.
success
Now we need to know the path the uploaded file was saved to.
Copy the path and visit it.
A command is passed through the x parameter.
Here we bypassed the client-side restriction and uploaded an unexpected file type: a PHP file containing a one-sentence Trojan (webshell). By accessing the uploaded file we gain control of the back-end server.
3. Upload vulnerability: MIME type validation (server-side) principle and bypass
When the browser handles a file it assigns it a type, and it sends this type in the HTTP request header (Content-Type).
From it the server can obtain information about the file.
Scene demo
Image uploaded successfully
Look at the source code
First the request submitted by the front end is received.
The key point is that the file type is obtained by a function and then compared against the defined types.
The problem is that this function takes the type from the Content-Type of the browser's HTTP request, and Content-Type is controlled by the user on the front end, so it is not reliable information.
Capture the packets: upload a picture, then upload the one-sentence Trojan file.
Pictures of:
Upload successful
Trojan file
Send this packet to the Repeater.
Change the Content-Type to image/png and see what happens.
Success: by modifying the HTTP header we bypassed the MIME type restriction. The one-sentence Trojan uploaded successfully and can be controlled through the passed parameter.
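Sections 2 and 3 fail for the same reason: every decision is based on something the client supplies (the JavaScript check, the file name, the Content-Type header). The following added example (not Pikachu's code) shows the server-side validation that closes both holes. It assumes the form field is named "uploadfile" and that files are stored under ./uploads; the real type is sniffed from the bytes with finfo, $_FILES['type'] is never consulted, and the stored file gets a random name with an extension chosen by the server.

```php
<?php
// Server-side upload validation (example, not Pikachu's code).
// Assumptions: form field "uploadfile", storage directory ./uploads,
// only png/jpg/gif images up to 2 MB are accepted.

declare(strict_types=1);

// Sniffed MIME type => extension the server will store the file under.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

/** Returns the extension to store the file under, or null to reject it. */
function validateImageUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ((int) $file['size'] > MAX_BYTES) {
        return null;
    }
    // 1. Determine the type from the file's own bytes. $_FILES['type'] is
    //    just the client's Content-Type header and is ignored on purpose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real = $finfo->file($file['tmp_name']);
    if ($real === false || !isset(ALLOWED[$real])) {
        return null;
    }
    // 2. The client's extension must agree with the sniffed type, so a
    //    .php name carrying image bytes is refused rather than renamed.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if ($ext !== ALLOWED[$real]) {
        return null;
    }
    // 3. Confirm the content actually decodes as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return ALLOWED[$real];
}

function storeUpload(array $file, string $dir): ?string
{
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return null;
    }
    // Never reuse the client's file name: random name, server-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['uploadfile'])) {
    $stored = storeUpload($_FILES['uploadfile'], __DIR__ . '/uploads');
    if ($stored === null) {
        http_response_code(400);
        exit('rejected: only png/jpg/gif images up to 2 MB are accepted');
    }
    echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}
```

The Repeater trick from section 3 no longer works because the header it edits is never read; removing onchange from section 2 changes nothing on the server. A file that is a genuine image with extra data appended can still pass finfo and getimagesize, which is why the decisive controls are the fixed image extension on the stored name and serving ./uploads from a location where the web server does not execute PHP.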