File Upload
1. Principle
The upload function does not strictly inspect uploaded files, so an attacker can upload a malicious script and have the server execute it.
2. Harm
Upload a webshell and gain control of the server.
3. Judgment and possible location
a. Judgment
The file can be uploaded, its path can be found, and it can be executed.
b. Possible location
Any upload point, database backup, edit template.
4. Basic use
Upload the file, find the upload path, then find a way to execute the script.
5. Bypass
- a. File header detection --- use an image shell (a webshell appended to a picture): use the copy command to concatenate the picture and the small shell, then upload the result.
copy 1.gif/b + shell1.php/a shell2.php
- b. Client-side JS detection --- disable JS, or upload a .jpg file and change the extension to .php in Burp.
- c. Blacklist detection --- use a suffix the blacklist does not catch, such as asp, aspx, asa, phtml, etc.
- d. MIME type detection --- modify the Content-Type in the request header to image/jpg in Burp.
- e. Null-byte (00) truncation --- upload 1.php+jpg and change the + to 00 in Burp (requires a PHP version lower than 5.2).
- f. Exploit parsing vulnerabilities:
IIS 6.0 parsing vulnerability --- 1.asp;xx.jpg
IIS 7.0/7.5 parsing vulnerability / Nginx parsing vulnerability --- www.wenjian.com/test.jpg/noexist.php (put the PHP code in test.jpg; noexist.php does not need to exist)
Apache file parsing vulnerability --- upload webshell.php.aa.bb (when Apache encounters an unknown extension it parses from right to left, which can be used to bypass a blacklist)
- g. Content detection --- use a shell without numeric characters, use commas instead of semicolons, and use `<?=` instead of `<?php`.
- h. Secondary rendering bypass --- uploaded pictures are re-rendered; download the rendered picture, compare it with the original to find the part left unmodified, and put the one-line shell in that part.
- i. Use in combination with a file inclusion vulnerability.
- j. .htaccess upload
Upload a .htaccess file, then upload the shell file; the server will parse the file as PHP ("shell" is the file name):
<FilesMatch "shell">
SetHandler application/x-httpd-php
</FilesMatch>
Use .htaccess to enable CGI and execute bash scripts: upload a .htaccess file and a solve.sh file.
.htaccess:
Options +ExecCGI
AddHandler cgi-script .sh
solve.sh:
#!/bin/bash
echo "Content-Type: text/plain"
cat /flag
exit 0
6. Defense
Verify the upload path and randomly rename uploaded files. Remove execute permission from the upload directory.
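The following is an added example, not code from the page: a whitelist-based upload validator in Python that rejects the bypass tricks listed in section 5 (double extensions, null bytes, the IIS ";" trick, .htaccess, spoofed Content-Type) and returns a server-chosen random name, plus a store function for a non-executable directory outside the web root. The function names, the ALLOWED/SUSPECT tables and the test file names are assumptions made for this example.

```python
import os
import secrets

# Added example (not from the page). Whitelisted extensions mapped to the
# magic bytes a genuine file of that type must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Tokens that must never appear anywhere in a name, even as a middle part.
SUSPECT = ("php", "phtml", "asp", "aspx", "asa", "htaccess", "sh", "cgi")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (True, random_name) or (False, reason).

    The client-supplied name and Content-Type are never trusted; only the
    real file header and the whitelist decide. content_type is accepted so
    callers can log it, but it carries no weight (it is attacker-controlled).
    """
    # Null-byte truncation (1.php\x00.jpg) and path separators: reject outright.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "bad characters in name"
    parts = filename.lower().split(".")
    # 1.asp;xx.jpg and webshell.php.aa.bb: any dangerous token anywhere in the
    # name is rejected, regardless of what the last extension says.
    tokens = [t for p in parts for t in p.split(";")]
    if any(t in SUSPECT for t in tokens):
        return False, "dangerous extension component"
    # Exactly one extension, non-empty base name; catches ".htaccess" too.
    if len(parts) != 2 or not parts[0]:
        return False, "name must be base.ext"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # Check the real header instead of the declared MIME type.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # A valid image can still carry appended script (the "image shell"), which
    # is why the storage directory must also be non-executable (see store_upload).
    return True, f"{secrets.token_hex(16)}.{ext}"


def store_upload(upload_dir: str, new_name: str, data: bytes) -> str:
    """Write the file with a fresh, non-executable (0600) inode; upload_dir is
    expected to sit outside the web root."""
    path = os.path.join(upload_dir, new_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```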