[Upload-labs] Detailed explanation of the principle and operation of file upload vulnerabilities
What is a file upload vulnerability?
A file upload vulnerability exists when, because the application does not sufficiently restrict or correctly process the files a user uploads, a user can upload executable dynamic script files to the server beyond their own authorization. The uploaded files can be Trojans, viruses, malicious scripts, WebShells and so on. This is one of the most direct and effective attack methods. "File upload" itself is not the problem; the problem is how the server handles and interprets the file after it has been uploaded. If the server's processing logic is not secure enough, the consequences are serious.
What is a WebShell?
A WebShell is a command execution environment that exists in the form of a web file such as asp, php, jsp or cgi; it can be described as a web page backdoor. After intruding into a website, an attacker usually mixes these asp or php backdoor files in with the normal web page files in the web directory of the server, then accesses the backdoor with a browser to obtain a command execution environment and thereby control the web server (upload, download or modify files, operate the database, execute arbitrary commands, etc.).
Causes of file upload vulnerabilities
- The suffix (extension) of uploaded files is not strictly restricted
- The MIME type (Content-Type) of the uploaded file is not checked
- The directory that uploads are written to is not set to be non-executable
- The server does not restrict upload behaviour, for example letting the client specify the target directory
The principle of file upload on the web is that the form is set to multipart/form-data and given a file field; the browser then sends the file contents to the server over HTTP, the server reads the multipart data, and extracts and saves the file contents.
Usually, when saving the file, the server reads the original file name, takes the extension from it, assigns the file a random name (to prevent duplicates), and appends the original extension before saving it on the server.
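The flow described above, as an added Python example that is not part of the original post and not code from upload-labs: a minimal parser for a constructed multipart/form-data body, followed by the "random name plus original extension" storage scheme. The boundary string, field names and file bytes are constructed sample values. The point to notice is where the file name and Content-Type that the server later checks come from: the part headers, which the client wrote.

```python
import os
import re
import secrets
from typing import Dict, List

# Constructed sample request body (not captured from upload-labs): one file
# part named upload_file plus the submit field the lab's form also sends.
BOUNDARY = b"----ExampleBoundary7MA4YWxk"
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="upload_file"; filename="avatar.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n",
    b"\r\n",
    b"\xff\xd8\xff\xe0fake-jpeg-bytes\r\n",
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="submit"\r\n',
    b"\r\n",
    b"upload\r\n",
    b"--", BOUNDARY, b"--\r\n",
])


def parse_multipart(body: bytes, boundary: bytes) -> List[Dict]:
    """Split a multipart/form-data body into its parts.

    Each part becomes a dict with name, filename, content_type and data.
    Every value is read out of the part headers, i.e. bytes the client
    chose to send; nothing here is verified.
    """
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:        # [0] is the preamble
        if chunk.startswith(b"--"):                # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):              # CRLF that ends the delimiter line
            chunk = chunk[2:]
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):                 # CRLF that belongs to the next delimiter
            data = data[:-2]
        headers = {}
        for line in raw_headers.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        disposition = headers.get("content-disposition", "")
        params = dict(re.findall(r'(\w+)="([^"]*)"', disposition))
        parts.append({
            "name": params.get("name"),
            "filename": params.get("filename"),            # client-supplied
            "content_type": headers.get("content-type"),   # client-supplied
            "data": data,
        })
    return parts


def naive_storage_name(original_name: str) -> str:
    """The storage scheme described above: a random base name to avoid
    collisions, plus the extension copied verbatim from the client's
    filename. Whatever suffix the client sent is what lands on disk."""
    _, ext = os.path.splitext(original_name)
    return secrets.token_hex(8) + ext


def handle_upload(body: bytes, boundary: bytes) -> Dict:
    """Emulate the naive server side: locate the file part and decide the
    name it would be saved under. Returns the fields a later check sees."""
    for part in parse_multipart(body, boundary):
        if part["filename"] is not None:
            return {
                "original_name": part["filename"],
                "declared_type": part["content_type"],
                "stored_as": naive_storage_name(part["filename"]),
                "size": len(part["data"]),
            }
    return {}


if __name__ == "__main__":
    print(handle_upload(SAMPLE_BODY, BOUNDARY))
```

Everything handle_upload returns, original_name and declared_type included, was typed by the client, and the naive naming scheme keeps whichever suffix it finds there. That is why the checks in the later passes have to run on these values before move_uploaded_file is ever called, and why a check that trusts either value as-is proves nothing about the bytes.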
Harm
- Upload web Trojan files to control web server files, execute remote commands, etc.
- Upload system viruses and Trojan files for mining and botnets.
- Upload system overflow programs for privilege escalation.
- Modify web pages to carry out phishing, planting malware (挂马) and hidden links (暗链).
- Intranet penetration.
- With elevated privileges, do anything on the host.
Common defences
- Front-end JS verification
- MIME type verification
- Blacklist/whitelist of suffixes
- Check the contents of the file
- Prevent local file inclusion vulnerabilities
- Use a web server without known parsing flaws (Apache: a.php.xxx; Nginx: /test.png/xxx.php; IIS parsing vulnerability: 1.php;jpg)
Bypass techniques
- Front-end JS bypass
- MIME type bypass
- Suffix case bypass / alternative suffixes such as php4, php5
- 00 (null byte) truncation
- Overwrite .htaccess
- Windows file stream (::$DATA) feature bypass
- Double-write file name bypass
- Race condition
[Pass-01] JS detection bypass
Try uploading a Behinder (冰蝎) webshell:
The result is a pop-up window saying it was intercepted. It is likely that front-end JS is doing the interception.
View the source code of the web page:
When a file is selected and submit is clicked, the checkFile() function is executed.
This is the checkFile() function:
It can be seen that this function uses whitelist filtering and only allows files with the suffixes .jpg, .png and .gif to be uploaded.
Because it is only a front-end restriction, we modify the page code directly and delete the checkFile() function.
As shown in the figure, the upload succeeds!
As shown in the picture, Behinder (冰蝎) connects successfully!
[Pass-02] File type bypass
1. Test process
Try to upload a webshell (大马):
Capture the packet and change the value of the Content-Type field to: image/png
Forward the packet, and the upload succeeds!
2. Source code analysis
<?php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}
?>
Analysis of the above code shows that the backend first uses $_FILES['upload_file']['type'] to obtain the file type (the Content-Type of the file part in the HTTP request body) and checks it against a whitelist (image/gif, image/jpeg, image/png), which is why changing it to image/jpg earlier did not work. So it is enough to capture the packet and change the Content-Type value to any one of the three to bypass it.
move_uploaded_file(file, newloc): moves the uploaded file to the new location newloc.
[Pass-03] Blacklist bypass
1. Test process
Change the suffix to php4 in the captured packet and forward it: uploaded successfully!
Visiting the file with the browser, the result is that it is not parsed.
Modify the Apache configuration file:
Add php4 to the suffixes that Apache parses as PHP.
Use a browser to access the file:
The result is a blank page, indicating that shell.php4 has been parsed successfully.
But I can't connect with Behinder (冰蝎).
I looked it up online, and it was said to be a PHP version problem: php5+ could not connect, php7 could. In the end I switched to php7, and the connection succeeded!
2. Source code analysis
<?php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']); // strip leading/trailing whitespace and other predefined characters
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.'); // find the last occurrence of '.' and return everything from there to the end of the string
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim whitespace at both ends
        if(!in_array($file_ext, $deny_ext)) {
            // blacklist filtering
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
?>
Summary
Alternative suffixes that the common script engines also parse:
ASP: asa / cer / cdx
ASPX: ashx / asmx / ascx
PHP: php4 / php5 / phtml
JSP: jspx / jspf