File upload bug fix

In the previous article on file upload vulnerabilities, we noted that the "file upload" function itself is not the problem. It only becomes a vulnerability when a network attacker can exploit it under certain conditions. So how can the "file upload" function be designed to be safer?

Set the file upload directory to non-executable

Judging by the attack method, as long as the web container cannot parse the files in the upload directory, the server itself is not affected in any way even if a network attacker uploads a script file. In real web applications, especially the upload functions of large-scale applications, uploaded files are placed in a separate storage area (for example, separating the site from its storage) and handled as static files. On the one hand this makes caching and acceleration convenient and reduces the performance load on the server; on the other hand it also removes the possibility of script execution.

If the uploaded file is not placed in a separate storage area and the only protection is making the upload directory non-executable, it can still be bypassed to get a shell. For the specific bypass methods, refer to the "Upload directory permission bypass" section in the previous article.

Another situation to watch is the small applications tucked into the corners of large web applications: if they have a file upload function, they still need extra attention.

Determine the file type (whitelist)

In the previous article we explained how blacklists and whitelists can be bypassed. The blacklist approach has been proven unreliable countless times; the whitelist approach is strongly recommended here.

When judging the file type, combine the MIME type, the suffix check, a file content check and other methods. In addition, to handle "image webshells" (image files with embedded script), you can use the compression or resize function while processing the picture to destroy any HTML or script code it may contain.

Use random numbers and timestamps to rewrite the file name and file path

After a script file is uploaded, the attacker must be able to access it in order to execute the code.

In some environments, users can upload files but cannot access them. If the web application rewrites the file name and path using random numbers, it raises the attacker's cost.

At the same time, for script files such as shell.php.rar.aaa, or special files such as crossdomain.xml, the attack can no longer succeed because the file name has been rewritten.
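As an added example (not the original author's code), the following Python sketch combines the whitelist checks from the previous section with the random-name rewrite from this one. The whitelist table, the magic-byte prefixes and the `upload_root` layout are assumptions; the directory is assumed to be served as static content with script execution disabled.

```python
import os
import re
import secrets
import time

# Constructed whitelist: extension -> (expected MIME type, magic-byte prefixes).
# Anything not listed is rejected; no blacklist of script suffixes is consulted.
ALLOWED = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}

# The stored name must be exactly timestamp_hextoken.ext; nothing from the
# client-supplied name survives, so tricks like shell.php.rar.aaa are moot.
SAFE_NAME = re.compile(r"^\d+_[0-9a-f]{32}\.(png|jpg|gif)$")


def validate_upload(filename, declared_mime, content):
    """Return the whitelisted extension, or None if any of the three checks fails."""
    # Only the final suffix is considered, and it must be on the whitelist.
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED:
        return None
    mime, magics = ALLOWED[ext]
    # The client-declared MIME type must agree with the extension...
    if declared_mime.lower() != mime:
        return None
    # ...and the file content must really start like that image format.
    if not any(content.startswith(m) for m in magics):
        return None
    return ext


def random_storage_name(ext):
    """Rewrite the name with a timestamp and a random token; never reuse the upload name."""
    return f"{int(time.time())}_{secrets.token_hex(16)}.{ext}"


def is_safe_storage_name(name):
    return SAFE_NAME.fullmatch(name) is not None


def storage_path_for(upload_root, filename, declared_mime, content):
    """Return the path to store a validated upload at, or raise ValueError."""
    ext = validate_upload(filename, declared_mime, content)
    if ext is None:
        raise ValueError("rejected: not a whitelisted file type")
    name = random_storage_name(ext)
    assert is_safe_storage_name(name)
    # Per-day subdirectory under the non-executable static upload root.
    return os.path.join(upload_root, time.strftime("%Y%m%d"), name)
```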

Serve the file server from a separate domain name

Because of the browser's same-origin policy, a whole series of client-side attacks then become invalid: problems such as uploading crossdomain.xml or uploading files containing JavaScript (XSS) are effectively resolved. Whether this can be set up, however, depends on the actual business deployment scenario.

Although the file upload problem looks simple, implementing a secure upload function is not easy. If, in line with the specific business, issues such as viruses, Trojan horses, pornographic images and videos, reactionary political material, terrorism and violence also have to be considered, then more targeted work is needed.

Only by continually discovering and solving problems according to actual business needs can we design the safest and most reasonable upload function for the application.

Summary

File upload is often closely tied to code execution. Therefore, every upload function used anywhere in a web application should be strictly reviewed by security engineers and penetration testers. At the same time, file uploads may carry business risks such as phishing, Trojan horses and viruses that endanger the product's users, so there will be more and more issues to consider in the file upload function.

Origin blog.csdn.net/weixin_42250835/article/details/112402258