Upload-Labs pass for file upload

Table of Contents

File upload attack framework

less-1-JS restriction

less-2-MIME type detection

less-3-Blacklist restriction

less-4-.htaccess bypass

less-5-Uppercase suffix PHP bypass

less-6-space bypass

less-7-dot bypass

less-8-::$DATA bypass

less-9-Dot space dot bypass

less-10-Double write bypass

less-11-GET type 00 truncation

less-12-POST type 00 truncation

less-13-image webshell

less-14-image webshell

less-15-image webshell

less-16-image webshell

less-17-race condition

less-18-race condition with image webshell

less-19-system features


File upload attack framework

Bypass strategy

This post walks through the Upload-Labs file upload challenges and describes the bypass used for each level. Most levels can be bypassed in more than one way.

less-1-JS restriction

  Method 1

1. Upload a file named 1.php directly, containing a one-line PHP webshell (here just phpinfo()):

<?php phpinfo(); ?>

We had Burp Suite (bp) intercepting while uploading. Clicking upload popped up a dialog box, but no traffic passed through the proxy, so we guessed the restriction was enforced on the front end. Checking the page source confirmed a JavaScript function that restricts the upload.

Find this function in the browser's element inspector and delete it.

Click upload again and the upload succeeds. The uploaded file's address can be read from the page elements and visited directly.

  Method 2

Alternatively, upload a .png file first, intercept the request in Burp, and change the suffix to .php to bypass the check.

  Method 3

Configure Burp to strip front-end JavaScript automatically; the file can then be uploaded directly.

less-2-MIME type detection

  Method 1

Principle: the Content-Type (MIME type) is generated by the client from the file you upload, so the server cannot trust it.

When uploading the .php file, Burp captured the traffic, which rules out a front-end restriction.

1. The page reports that the file type is incorrect.

2. Changing the .php suffix to .png still fails. Is the content being checked? Changing the content to just 1 still fails.

3. So the check must be on the file's Content-Type. MIME type detection means the server decides whether the upload is allowed from the Content-Type header value, and rejects it otherwise. Setting Content-Type to image/png makes the upload succeed, even with a .php suffix.

4. View the source code to confirm.

  Method 2

Because the Content-Type is generated by the client from the file, upload a .png file directly; its Content-Type is already image/png and the upload succeeds.

less-3-Blacklist restriction

Upload a file whose suffix is not in the blacklist, such as .php3, .php5 or .phtml.

less-4-.htaccess bypass

  Method 1: .htaccess

This level also uses a blacklist. Reading the code shows that .htaccess is not filtered, which enables an .htaccess attack:

1. Upload an .htaccess file that makes Apache execute .png files as PHP

2. Upload a .png file whose content is PHP code

3. Access the picture

  Method 2: Apache file name parsing vulnerability

It can also be bypassed using the Apache filename parsing vulnerability (below 5.2.x; the info.php.x bypass). See: Apache filename parsing vulnerabilities.

less-5-Uppercase suffix PHP bypass

This level is also a blacklist; just change the suffix to uppercase .PHP.

less-6-space bypass

This level is also a blacklist check. The source code strips dots from the suffix but not spaces, so appending a space after the file suffix bypasses it.

less-7-dot bypass

This level is also a blacklist check. The source code strips spaces from the suffix but not dots, so appending a dot after the file suffix bypasses it.

less-8-::$DATA bypass

This level is also a blacklist check, and it does not filter ::$DATA. On Windows, if a file name is followed by ::$DATA, the data after ::$DATA is treated as an NTFS file stream: the suffix is not checked, and the file name before ::$DATA is kept. The purpose is to avoid the suffix check.

For example, for phpinfo.php::$DATA, Windows automatically strips the trailing ::$DATA and creates phpinfo.php.

less-9-Dot space dot bypass

This level is also a blacklist check. The source code strips trailing dots and spaces from the suffix, but only once each, so a suffix followed by dot, space, dot still gets through.

less-10-Double write bypass

The source code does not convert the suffix to lowercase, and it replaces a blacklisted suffix with an empty string only once, so writing the suffix twice (double writing) leaves one copy behind after the replacement and bypasses the check.
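The following is an added example, written in Python rather than the lab's PHP and not code from the Upload-Labs project. It shows why the blacklist bypasses of levels 3 to 10 work against a naive check, and how a server-side check that first normalizes the name the way the OS and web server will, and then requires a whitelisted extension, rejects all of them. The BLACKLIST and ALLOWED sets and the sample names are constructed for the example.

```python
# Added example (Python, not the lab's PHP): naive blacklist vs. normalizing whitelist.
# Standard library only; BLACKLIST/ALLOWED and the sample names are constructed.

# Level-3 style blacklist: only the literal, case-sensitive last token is compared.
BLACKLIST = {"php"}
# Hardened check: the only extensions an image upload endpoint should ever accept.
ALLOWED = {"png", "jpg", "jpeg", "gif"}


def naive_blacklist_allows(filename: str) -> bool:
    """Accept unless the text after the last dot is exactly a blacklisted word."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLACKLIST


def normalize_filename(filename: str) -> str:
    """Rewrite the name the way Windows/NTFS and the web server will effectively see it."""
    name = filename
    # Level 8: "x.php::$DATA" is NTFS stream syntax; the file is created as "x.php".
    name = name.split("::$DATA", 1)[0]
    # Levels 6, 7, 9: Windows drops *all* trailing dots and spaces when creating a file,
    # so strip the whole run, not one character as the lab's one-shot filters do.
    name = name.rstrip(". ")
    # Level 5: handler matching in Apache/PHP is case-insensitive.
    return name.lower()


def whitelist_allows(filename: str) -> bool:
    """Normalize, then require every extension in the chain to be an allowed image type.

    Checking the whole chain (not just the last token) also closes level 4's
    Apache multi-extension parsing ("x.php.png") and rejects dotfiles such as
    ".htaccess", which have no base name at all.
    """
    name = normalize_filename(filename)
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        return False
    # Level 10's double-written suffix is simply not an allowed extension;
    # a whitelist never has to guess what a mangled suffix was meant to be.
    return all(ext in ALLOWED for ext in parts[1:])


def compare(names):
    """Return {name: (naive_result, hardened_result)} for a list of upload names."""
    return {n: (naive_blacklist_allows(n), whitelist_allows(n)) for n in names}


if __name__ == "__main__":
    # Constructed names mirroring the level 3-10 bypasses described above.
    results = compare(
        ["shell.phtml", ".htaccess", "shell.php.png", "shell.PHP", "shell.php ",
         "shell.php.", "shell.php::$DATA", "shell.php. .", "shell.pphphp", "photo.PNG"]
    )
    for name, (naive, hard) in results.items():
        print(f"{name!r:22} naive={naive!s:5} hardened={hard}")
```

The point of normalize_filename is that the check must run on the name the filesystem will actually create, not on the raw string the client sent; once that is done, a whitelist of final extensions needs no knowledge of any individual trick.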

less-11-GET type 00 truncation

From this level on, the checks use a whitelist.

Although it is a whitelist check, we control the upload path, and $img_path is built by direct string concatenation, so %00 truncation can bypass it:

less-12-POST type 00 truncation

The difference from the previous level is that the 00 truncation is done in a POST parameter and must be edited in binary, because POST data is not automatically decoded the way a %00 in a GET parameter is. In Burp's hex view, change the 2e byte (the dot) to 00.
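The following is an added example in Python (not the lab's PHP code) for levels 11 and 12. It places the vulnerable pattern, a save path spliced from a client-controlled parameter that a NUL byte truncates, beside a hardened version that never takes a path from the client at all. UPLOAD_ROOT and the sample inputs are assumptions made up for the example.

```python
# Added example (Python, not the lab's PHP): client-controlled save path vs. server-built path.
# UPLOAD_ROOT and the sample inputs are assumptions made up for this example.
import posixpath
import secrets

UPLOAD_ROOT = "/var/www/uploads"
ALLOWED = {"png", "jpg", "jpeg", "gif"}


def vulnerable_path(client_save_path: str, original_name: str) -> str:
    """Level 11/12 pattern: $img_path = $_GET['save_path'] . '/' . rand() . '.' . $ext

    The client owns the prefix. In the PHP versions these levels target, the
    filesystem layer stopped reading the path at the first NUL byte, so everything
    the server appended after it (the random name and the whitelisted extension)
    was discarded. That behaviour is modelled here by cutting at the first NUL.
    """
    ext = original_name.rsplit(".", 1)[-1].lower()
    built = f"{client_save_path}/{secrets.token_hex(4)}.{ext}"
    return built.split("\x00", 1)[0]


def safe_path(original_name: str) -> str:
    """Hardened: no client path at all, NUL/control bytes rejected, name generated."""
    if any(ord(ch) < 0x20 for ch in original_name):
        raise ValueError("control byte in file name")
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    # The stored name carries nothing from the client except a validated extension.
    name = secrets.token_hex(16) + "." + ext
    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Defence in depth: the result must still sit directly under UPLOAD_ROOT.
    if posixpath.dirname(path) != UPLOAD_ROOT:
        raise ValueError("path escaped upload root")
    return path


if __name__ == "__main__":
    # Constructed inputs: a truncating save_path and an ordinary image name.
    print(vulnerable_path("../upload/x.php\x00", "pic.png"))  # whitelisted ext is gone
    print(safe_path("pic.PNG"))
```

Rejecting the NUL byte is only the first line; the real fix is that the server composes the whole path itself, so there is nothing for a truncation to cut off.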

less-13-image webshell

This level requires uploading an image webshell (a "picture horse"). An image webshell is used together with a file inclusion vulnerability, which parses an included file regardless of its file name. See: file inclusion.

See: How to generate image webshells.

less-14-image webshell

This level requires uploading a GIF image webshell.

See: How to generate image webshells.

less-15-image webshell

Same as level 13.

less-16-image webshell

This level checks the suffix and the Content-Type together, and uses imagecreatefromgif to verify that the file really is a GIF. Just upload a GIF image webshell.
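The following is an added example in Python, not code from Upload-Labs, covering both level 2 and the image webshell levels 13 to 16. It derives the file type from the bytes actually received instead of from the client-supplied Content-Type, requires extension, declared type and sniffed type to agree, and adds a trailer scan for script text, since a valid image header says nothing about what follows it. The magic numbers are the real PNG/GIF/JPEG signatures; the sample uploads are constructed inline and are not real images.

```python
# Added example (Python, not the lab's PHP): type the upload from its bytes, not its header.
# Signatures are the real PNG/GIF/JPEG magic numbers; the sample uploads are constructed.
from typing import Optional, Tuple

MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
}
MIME = {"png": "image/png", "gif": "image/gif", "jpeg": "image/jpeg"}
EXT_TO_KIND = {"png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_image(data: bytes) -> Optional[str]:
    """Return 'png', 'gif', 'jpeg' or None from the leading bytes alone."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def mime_header_only(content_type: str) -> bool:
    """Level-2 style check: believes whatever Content-Type the client sent."""
    return content_type in MIME.values()


def looks_like_script(data: bytes) -> bool:
    """Cheap scan for embedded PHP. An image webshell is a valid header followed by
    code, so a header-only check (levels 13-16) never sees the payload."""
    low = data.lower()
    return b"<?php" in low or b"<?=" in low or b"<script" in low


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Extension, declared type and sniffed type must all agree, and no script text."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = EXT_TO_KIND.get(ext)
    if kind is None:
        return False, "extension not allowed"
    sniffed = sniff_image(data)
    if sniffed != kind:
        return False, f"content is {sniffed or 'not an image'}, extension says {kind}"
    if content_type != MIME[kind]:
        return False, "Content-Type does not match content"
    if looks_like_script(data):
        return False, "script text inside image"
    return True, "ok"


# Constructed sample uploads (headers only, not real images).
PLAIN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_WITH_PNG_HEADER = b"<?php phpinfo(); ?>"                      # level 2: php body
GIF_WEBSHELL = b"GIF89a" + b"\x00" * 8 + b"<?php phpinfo(); ?>"   # levels 13-16

if __name__ == "__main__":
    print(mime_header_only("image/png"))  # True: the header alone passes level 2
    print(validate_upload("x.png", "image/png", PHP_WITH_PNG_HEADER))
    print(validate_upload("x.gif", "image/gif", GIF_WEBSHELL))
    print(validate_upload("x.png", "image/png", PLAIN_PNG))
```

The script scan is a heuristic, not a guarantee: the durable defences are to re-encode every accepted image with an image library so that only pixel data survives, and to serve the upload directory with script execution disabled so that an image file is never handed to the PHP interpreter in the first place.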

less-17-race condition

To send requests repeatedly, see: Intruder sending requests without a payload.

Then we visited the shell while repeatedly pressing F5 to refresh the browser, and found that the race condition lets us access it:

less-18-race condition with image webshell

This level requires uploading an image webshell. Reading the code shows that the file extension is checked against a whitelist, then the file size, whether the file already exists, and so on, step by step. After the file is uploaded it is renamed, and the same race condition exists. Using Burp to send the image webshell upload request continuously, the race means the program does not manage to rename the file in time; the following image webshells were uploaded successfully before being renamed.
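The following is an added example in Python, not Upload-Labs code, for the race conditions of levels 17 and 18. Both levels write the upload into the served directory first and check or rename it afterwards, which is the window the repeated requests exploit. The hardened version writes to a directory the web server does not serve, validates there, and only then moves the file atomically into the public directory under a server-generated name. The validator is a minimal PNG magic check standing in for a full one, the directories are temporary ones created by demo(), and the payload is constructed; the peek callback stands in for the concurrent request.

```python
# Added example (Python, not the lab's PHP): publish-after-validate with an atomic rename.
# The validator is a minimal PNG magic check standing in for a full one; every path
# is a temporary directory created by demo(), and the payload is constructed.
import os
import secrets
import tempfile


def is_png(data: bytes) -> bool:
    return data.startswith(b"\x89PNG\r\n\x1a\n")


def race_prone_save(public_dir: str, original_name: str, data: bytes, peek=lambda: None) -> str:
    """Level 17 pattern: write into the served directory under the client's name,
    then check and delete. `peek` stands for the concurrent request that arrives
    between the write and the unlink."""
    path = os.path.join(public_dir, original_name)
    with open(path, "wb") as fh:
        fh.write(data)
    peek()                      # the file is already reachable over HTTP here
    if not is_png(data):
        os.unlink(path)
        return ""
    return path


def quarantine_save(quarantine_dir: str, public_dir: str, data: bytes, peek=lambda: None) -> str:
    """Hardened: write to a directory the web server does not serve, validate there,
    then os.replace() the file into place under a server-generated name. The rename
    is one atomic operation on a single filesystem, so a racing request either sees
    a fully validated image or nothing."""
    fd, tmp = tempfile.mkstemp(dir=quarantine_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        peek()                  # same moment as above: public_dir is still untouched
        if not is_png(data):
            raise ValueError("not a PNG")
        final = os.path.join(public_dir, secrets.token_hex(16) + ".png")
        os.replace(tmp, final)
        return final
    finally:
        if os.path.exists(tmp):  # only true when validation failed
            os.unlink(tmp)


def demo() -> dict:
    """Run both strategies on a constructed non-image payload and record what a racing
    request would have seen in the public directory at the critical moment."""
    payload = b"<?php phpinfo(); ?>"
    seen = {}
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        quarantine = os.path.join(root, "quarantine")
        os.mkdir(public)
        os.mkdir(quarantine)
        race_prone_save(public, "shell.php", payload,
                        peek=lambda: seen.update(race_window=sorted(os.listdir(public))))
        try:
            quarantine_save(quarantine, public, payload,
                            peek=lambda: seen.update(quarantine_window=sorted(os.listdir(public))))
        except ValueError:
            pass
        seen["public_after_reject"] = sorted(os.listdir(public))
        seen["quarantine_after_reject"] = sorted(os.listdir(quarantine))
        good = quarantine_save(quarantine, public, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        seen["published"] = os.path.basename(good) in os.listdir(public) and good.endswith(".png")
    return seen


if __name__ == "__main__":
    print(demo())
```

The race window disappears because no request can ever observe a half-validated file in the served directory; combined with a directory where script execution is disabled, a rename that arrives "too late" no longer matters.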

less-19-system features

At this level, we can rename the uploaded image.

Setting the saved image's name to .php. bypasses the filter.

——If the heart has no place to live, it will be wandering everywhere.

Source: blog.csdn.net/qq_44159028/article/details/114434494