Yesterday, I interviewed a security engineer and her answer was refreshing to me

Recently the company was hiring a cybersecurity engineer, and I also took part in some of the interviews. In fact, most of it is about one's own understanding of and attitude towards network security; as for the technical side, the more contact you have with the work, the more familiar you gradually become. Here I also summarize some frequently asked questions, in a new column: "Network Security Engineer Interview Collection"

https://blog.csdn.net/weixin_42350212/category_11066978.html?spm=1001.2014.3001.5482

File upload and check bypass

Contents

4.8.1. File Type Detection Bypass

4.8.1.1. Change Request Bypass

4.8.1.2. Magic Detection Bypass

4.8.1.3. Suffix Bypass

4.8.1.4. System Naming Bypass

4.8.1.5. .user.ini

4.8.1.6. WAF Bypass

4.8.1.7. Competitive upload bypass

4.8.2. Attack techniques

4.8.2.1. Apache Override GetShell

4.8.2.2. Soft link to read files arbitrarily

4.8.3. Protection techniques


4.8.1. File Type Detection Bypass

4.8.1.1. Change Request Bypass

Some sites only detect file types on the front end, and this kind of check can be bypassed by directly modifying the network request. Similarly, some sites only check information in the HTTP headers on the back end, such as Content-Type; this check can also be bypassed by modifying the network request.

4.8.1.2. Magic Detection Bypass

Some sites use the file header (magic bytes) to detect the file type, which can be bypassed by prepending the corresponding bytes to the shell. The header bytes of several common file types are shown in the following table.

Type   Header bytes (hex)
JPG    FF D8 FF E0 00 10 4A 46 49 46
GIF    47 49 46 38 39 61
PNG    89 50 4E 47
TIF    49 49 2A 00
BMP    42 4D

4.8.1.3. Suffix Bypass

Some services determine the file type only from the suffix, the upload information, or the magic header, and can be bypassed on that basis.

For historical reasons, some interpreters may support any suffix matching the regular expression /ph(p[2-7]?|t(ml)?)/, such as php / php5 / pht / phtml / shtml, so these can be tested when uploading php files is prohibited (e.g. pwml.phtm).

The JSP engine may parse jspx / jspf / jspa / jsw / jsv / jtml and other suffixes.

ASP supports suffixes such as asa / asax / cer / cdx / aspx / ascx / ashx / asmx / asp{80-90}.

In addition to these bypasses, other suffixes may also cause problems, such as vbs / asis / sh / reg / cgi / exe / dll / com / bat / pl / cfc / cfm / ini, etc.

4.8.1.4. System Naming Bypass

On Windows systems, uploading index.php. results in the trailing dot being stripped when the file is saved, which bypasses the suffix check.

Also try index.php%20, index.php:1.jpg, index.php::$DATA, etc.

On Linux systems, you can try uploading a file named index.php/. or ./aa/../index.php/.

4.8.1.5. .user.ini

During PHP execution, in addition to php.ini, PHP also scans each directory for INI files, starting from the directory containing the executed PHP file and walking up to the web root directory (specified by $_SERVER['DOCUMENT_ROOT']). If the executed PHP file is outside the web root, only that directory is scanned.

.user.ini can set options whose mode is anything other than PHP_INI_SYSTEM, so a .user.ini file can be used to turn a file with a non-php suffix into a shell,

for example auto_prepend_file=01.gif

4.8.1.6. WAF Bypass

For performance reasons, some WAFs only process part of the request data.

Their processing can then be bypassed by padding the request with a large amount of junk data.

In addition, the WAF and the web system may handle the multipart boundary inconsistently,

and the boundary can be used to achieve a bypass.

4.8.1.7. Competitive upload bypass

Some servers save the file first and only then delete illegal files.

You can repeatedly upload a file that generates a web shell while trying to access it at the same time; after enough attempts the shell can be obtained.

4.8.2. Attack techniques

4.8.2.1. Apache Override GetShell

Depending on whether Apache allows .htaccess overrides, consider uploading a .htaccess file

whose content is

AddType application/x-httpd-php .png
php_flag engine 1

after which files with .png or other suffixes are executed as PHP scripts.

4.8.2.2. Soft link to read files arbitrarily

When an uploaded archive is decompressed by the server, consider uploading an archive that contains symbolic links. If the server is not well protected, this achieves arbitrary file reads.

4.8.3. Protection techniques

  • Use a whitelist to limit the types of uploaded files
  • Use stricter file type checking
  • Restrict Web Server parsing of upload folders
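The first two protection points above, as an added Python example that is not part of the original post: a whitelist-based upload validator that rejects the naming tricks described earlier (trailing dots and spaces, ::$DATA, index.php/., .htaccess and .user.ini, double suffixes), requires the magic bytes to match the declared extension, and gives the stored file a server-chosen random name. The ALLOWED table and the FORBIDDEN_NAMES set are assumptions for the example.

```python
import re
import secrets

# Constructed whitelist: allowed extensions and the magic bytes each must start with.
# PNG is checked on its full 8-byte signature, JPEG on the 3-byte SOI marker.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Names the web server or interpreter treats specially must never be stored (assumed set).
FORBIDDEN_NAMES = {".htaccess", ".user.ini", "web.config"}


def validate_upload(filename: str, data: bytes):
    """Return (ok, stored_name_or_reason). Whitelist, not blacklist: anything not
    explicitly allowed is rejected. The stored name is random, so tricks in the
    client-supplied name never reach the filesystem even if a check were missing."""
    # Strip any path component the client sent; keep only the last segment.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower() in FORBIDDEN_NAMES or base.startswith("."):
        return False, "reserved or hidden filename"
    # Reject NTFS alternate data streams (::$DATA, :1.jpg), NUL bytes, and trailing
    # dots or spaces that Windows strips when saving (index.php. -> index.php).
    if ":" in base or "\x00" in base or base != base.rstrip(". "):
        return False, "illegal characters in filename"
    # Exactly one dot is allowed, so double suffixes such as shell.php.png (which some
    # servers resolve by the inner extension) are rejected outright.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        return False, "filename does not match allowed pattern"
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in whitelist"
    # Magic bytes must agree with the declared extension: a GIF89a header on a .png
    # file, or a script renamed to .jpg, is rejected rather than trusted.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match declared type"
    # Server-chosen name: 16 random bytes, hex-encoded, plus the validated extension.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

The third point, preventing the web server from executing anything in the upload directory, is a server configuration matter and still applies alongside this check.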

Origin blog.csdn.net/weixin_42350212/article/details/123015247