content
Soft link to read files arbitrarily
4.8. File Upload
4.8.1. File Type Detection Bypass
4.8.1.1. Change Request Bypass
Some sites only detect file types on the front end, and this type of detection can be bypassed by directly modifying network requests. Similarly, some sites only check the information in the HTTP header at the back end, such as , Content-Type
etc. This check can also be bypassed by modifying the network request.
4.8.1.2. Magic Detection Bypass
Some sites use file headers to detect file types, which can be bypassed by adding the corresponding bytes before the shell. The header bytes of several common file types are shown in the following table
Types of | binary value |
---|---|
JPG | FF D8 FF E0 00 10 4A 46 49 46 |
GIF | 47 49 46 38 39 61 |
PNG | 89 50 4E 47 |
TIF | 49 49 2A 00 |
BMP | 42 4D |
4.8.1.3. Suffix Bypass
Some services only determine the file type based on the suffix, upload information, or Magic Header, which can be bypassed at this time.
Due to historical reasons, some interpreters may support /ph(p[2-7]?|t(ml)?)/
regular suffixes, such as php
// php5
/ pht
/ phtml
/ shtml
/ etc. This type can be tested when uploading php files is prohibited pwml
.phtm
The jsp engine may parse jspx
/ jspf
/ jspa
/ jsw
/ jsv
/ jtml
and other suffixes, and asp supports asa
/ asax
/ cer
/ cdx
/ aspx
/ ascx
/ ashx
/ asmx
/ asp{80-90}
and other suffixes.
In addition to these bypasses, other suffixes may also cause problems, such as vbs
/ asis
/ sh
/ reg
/ cgi
/ exe
/ dll
/ com
/ bat
/ pl
/ cfc
/ cfm
/ ini
etc.
4.8.1.4. System Naming Bypass
On Windows systems, upload index.php.
is renamed to .
, which bypasses the suffix check. Also try index.php%20
, index.php:1.jpg
index.php::$DATA
etc. In Linux systems, you can try index.php/.
uploading ./aa/../index.php/.
a file named or
4.8.1.5. .user.ini
During the execution of php, in php.ini
addition directory, PHP also scans INI files in each directory, starting from the directory where the PHP file to be executed is located and rising to the web root directory (specified by $_SERVER['DOCUMENT_ROOT'] ). If the PHP file being executed is outside the web root directory, only that directory is scanned. .user.ini
You can define options for modes other than PHP_INI_SYSTEM in , so you can use a file .user.ini
with a non-php suffix to construct a shell, eg auto_prepend_file=01.gif
.
4.8.1.6. WAF Bypass
Some wafs only process a part of the data considering performance reasons during the writing process. At this time, the processing function can be bypassed by adding a large amount of garbage data.
In addition, Waf and boundary
the handle inconsistently, you can use the wrong boundary
to complete the bypass.
4.8.1.7. Competitive upload bypass
Some servers use the method of first saving and then deleting illegal files. In this kind of server, you can repeatedly upload a file that will generate a Web Shell and try to access it, and you can obtain the Shell after many times.
4.8.2. Attack techniques
4.8.2.1. Apache Override GetShell
Apache may consider uploading .htaccess based on whether redirects are allowed
Content is
AddType application/x-httpd-php .png php_flag engine 1
You can use png or other suffixed files to make php scripts
4.8.2.2. Soft link to read files arbitrarily
When the uploaded compressed package file will be decompressed, you can consider uploading a file containing symbolic links. If the server is not well protected, the effect of reading any file can be achieved.
4.8.3. Protection techniques
- Use a whitelist to limit the types of uploaded files
- Use stricter file type checking
- Restrict Web Server parsing of upload folders