[Upload-labs] pass-04 .htaccess bypass


1. Test process

Approach one

First try to upload a php file:

[screenshot]

As shown in the figure, the page reports that this file type is not allowed to be uploaded.

Intercept the request and change the file suffix:

Apache multi-extension parsing: Apache evaluates a file name with several suffixes, such as suibianxie.php.xxx.ccc or test.php.iii, from right to left. A suffix it does not recognize is skipped and it moves one step left; as soon as it reaches a suffix it does recognize, here .php, the file is handed to that handler and executed as PHP.

[screenshot]

The upload is successful as shown in the figure, and the file name has not been changed.

Use a browser to access the file:

[screenshot]

The file was parsed and executed as PHP.

This was a bit too easy, so I looked for a different bypass and first commented out those two lines in the Apache configuration file:

[screenshot]

After restarting Apache, access the file again in the browser:

[screenshot]

Apache no longer parses the file as PHP, good.


Approach two

A different line of thinking:

What is a .htaccess file?

The .htaccess file is a per-directory configuration file for the Apache server; it controls how the web pages in that directory are served. Through a .htaccess file you can, among other things, set up 301 redirects, define custom 404 error pages, change how file extensions are handled, allow or block access for specific users or directories, disable directory listings, and configure default documents.

The .htaccess file (or "distributed configuration file") provides a way to change the configuration per directory: you place a file containing directives in a specific directory, and those directives apply to that directory and all of its subdirectories.

It is important to note that parent directories may also contain .htaccess files. The directives take effect in search order, so directives in the .htaccess file of a specific directory may override those in a parent directory's .htaccess file; that is, directives in a subdirectory override those in the parent directory or in the main configuration file.

First create a new .htaccess file with the following content:

<FilesMatch "qianxun.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

This file tells Apache to hand the file named qianxun.jpg to the PHP handler, i.e. to execute it as PHP despite its .jpg suffix.

Next create a PHP test file, qianxun.php:

[screenshot]

and change its suffix to .jpg.

Upload the .htaccess file and qianxun.jpg file separately:

Upload qianxun.jpg:
[screenshot]

Upload the .htaccess file:
[screenshot]

[screenshot]

As shown in the figure, it has been uploaded successfully.

Visit qianxun.jpg with a browser:

[screenshot]

As shown in the figure, qianxun.jpg was successfully parsed!

Note: .htaccess is Apache's default name for the per-directory configuration file, so the uploaded file must keep exactly that name. If the back end forcibly renames uploaded files, this method no longer works.

2. Source code analysis

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");   // deny-list mechanism: filters a long list of suffixes
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                      // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');                 // keep only the last suffix
        $file_ext = strtolower($file_ext);                    // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);   // strip the string ::$DATA
        $file_ext = trim($file_ext);                          // trim leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

Vulnerability summary:

1. Apache's multi-extension handling can be used: an unrecognized rightmost suffix is skipped and Apache moves left until it finds one it knows. A name such as qianxun.php.nnn therefore passes the back-end check, which only looks at the last suffix, while Apache still parses the file as PHP.

2. When the back end does not forcibly rename uploaded files, uploading a Trojan file with a permitted suffix together with a crafted .htaccess file bypasses the check and makes Apache parse the file as PHP.
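Both summary points come down to the same design flaw: the check inspects only the last suffix against a deny list. The following is an added example, not code from upload-labs or the original post. It re-implements the page's PHP pipeline in Python (trim, deldot, strrchr, strtolower, strip ::$DATA, trim) so the two file names from the summary can be run through it, and contrasts it with an allow-list plus random-rename policy that closes both gaps. The deny list is copied from the page's source and collapsed to lowercase, since the pipeline lowercases before comparing; ALLOWED_EXT and the helper names are my own assumptions.

```python
import re
import secrets
from typing import Dict, Iterable, Optional

# Deny list from the page's PHP, collapsed to lowercase: the original pipeline
# lowercases the extension before comparing, so the mixed-case entries add nothing.
DENY_EXT = {
    ".php", ".php5", ".php4", ".php3", ".php2", "php1",
    ".html", ".htm", ".phtml",
    ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf", ".jtml",
    ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".cer",
    ".swf",
}

# Assumed allow list for an image-upload endpoint (not from the page).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def normalized_ext(file_name: str) -> str:
    """Mirror the PHP steps: trim, deldot, strrchr('.'), strtolower,
    str_ireplace('::$DATA', ''), trim."""
    name = file_name.strip()
    name = name.rstrip(".")                 # deldot(): drop trailing dots
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""   # strrchr() yields false -> '' with no dot
    ext = ext.lower()
    ext = re.sub(r"::\$data", "", ext, flags=re.IGNORECASE)
    return ext.strip()


def deny_list_allows(file_name: str) -> bool:
    """The pass-04 check: any name whose last suffix is not listed goes through.
    '.htaccess' has the suffix '.htaccess', and 'x.php.nnn' has '.nnn', so both pass."""
    return normalized_ext(file_name) not in DENY_EXT


def safe_upload_name(file_name: str, token: Optional[str] = None) -> Optional[str]:
    """Allow-list plus rename: only a permitted suffix is accepted, and the stored
    name is a random token with that suffix, so neither a chained '.php.nnn' name
    nor the fixed name '.htaccess' can reach the disk."""
    ext = normalized_ext(file_name)
    if ext not in ALLOWED_EXT:
        return None
    token = token if token is not None else secrets.token_hex(16)
    return token + ext


def evaluate(names: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Verdict of both policies for each name (True = accepted)."""
    return {
        n: {
            "deny_list": deny_list_allows(n),
            "allow_list": safe_upload_name(n, "x") is not None,
        }
        for n in names
    }


if __name__ == "__main__":
    # Constructed sample names: the two bypasses from the summary plus two controls.
    samples = [".htaccess", "qianxun.php.nnn", "qianxun.php", "qianxun.jpg"]
    for name, verdict in evaluate(samples).items():
        deny = "pass" if verdict["deny_list"] else "block"
        allow = "pass" if verdict["allow_list"] else "block"
        print(f"{name:18} deny-list: {deny:5}  allow-list: {allow}")
```

Running the block shows the deny list letting both .htaccess and qianxun.php.nnn through while the allow-list-plus-rename policy rejects them and stores qianxun.jpg under a random name, which is exactly the renaming mechanism the note above says defeats the .htaccess approach.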

Origin blog.csdn.net/qq_43665434/article/details/114992519