Note that before uploading files you must first find out which server-side script languages the target supports. Not every site runs PHP; it may be JSP, ASP, ASP.NET, etc.
1. Front-end (client-side) check bypass
1) Debugging with FireBug
Remove the onsubmit event handler bound to the upload form (it contains the JavaScript that checks the file type), so the JS validation never runs.
2) Locally constructed HTML upload form
Once the upload endpoint is known, write your own HTML form (set the action attribute to the endpoint URL) and submit the file without any front-end validation.
3) Burp (BP) man-in-the-middle modification
First upload a file with a legitimate extension whose content is the webshell code, then intercept the request in Burp, change the legal extension to one the server-side script engine handles, for example .jpg ----> .php, and forward the packet.
Note: if the file name asdfjkl.jpg is changed to 1.php, the Content-Length must also be reduced by 6 (7-1), otherwise the upload may fail.
4) Uploading an image horse (webshell embedded in an image)
If only JPEG files are accepted, use a tool, or a direct Windows cmd command, to write the webshell into the image, then execute it with the help of a parsing vulnerability.
2. Backend (server-side) check bypass
1) Blacklist bypass
Try different extensions: jsp, asp, php, php5, asa, aspx, cer...
In addition, if the server is confirmed to be Windows, the extension can be written as "jsp.", "jsp_" or "jsp" (trailing space).
On Apache, "phtml" and "php3" can be parsed as PHP.
Case bypass: "Php"
2) Whitelist bypass
Upload xxx.asp;1.jpg containing the Trojan and have it executed as ASP through the IIS 6.0 parsing vulnerability.
3) MIME type check bypass
When a PHP file is uploaded, the Content-Type in the request is application/php.
When the server detects this it blocks the upload, but if the value is changed to image/jpeg the upload may succeed.
4) Upload to another directory and combine with a parsing vulnerability
Modify the upload path in the front end or in the intercepted request so that the file lands in a directory named pentest.asp, then combine this with IIS 6 (files inside that directory are executed as ASP) and upload the image.
5) 00 truncation
Name the file 1.asp 1.jpg (with a space). Intercept the packet in Burp, change the hexadecimal byte 20 (the space) to 00, then send the packet and the upload succeeds.
6) Append ::$DATA to the extension
Upload the file as 1.php::$DATA; the extension may then not be detected.
7) Append \x0A to the extension
1.php\x0A appends a newline character to bypass the check.
8) Bypass single-pass filtering
If the program strips "php" from the name once, try 1.pphphp; after one pass of filtering it becomes -----> 1.php
9) Garbage data overflow (use with caution)
Add junk data between parameters such as name and filename in the Content-Disposition header of the packet.
For example: name="xxx";a lot of junk data asdfasdf;filename=""
Note: use this method with caution; in serious cases it may crash the server.
10) WAF quote-matching defect bypass
Some WAFs match on the quotes in filename=""; try leaving the quotes unclosed, or omitting them entirely.
For example: filename="1.php   or   filename=1.php
11) WAF semicolon-matching defect bypass
filename="x.jpg;1.php": in this example the WAF only checks whether the part before the semicolon is legal and does not check the following 1.php. After a successful upload the stored file has the php extension.
12) Editor vulnerabilities
Many pages with an upload function embed a third-party editor such as KindEditor or some other xxxEditor; try the historical vulnerabilities of these editors.
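As an added defensive counterpart to the bypasses in section 2 (not code from the original notes), the following Python validator shows the server-side checks that close them: an allow-list applied to the canonicalised last extension, rejection of control and separator characters, a magic-byte check instead of trusting Content-Type, and a server-generated storage name. The allow-list, magic-byte table and function names are assumptions of this example.

```python
import re
import secrets

# Allow-list for an image-only upload endpoint (an assumption of this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Script extensions named above; any of them anywhere in the name is rejected,
# so "shell.php.jpg" cannot rely on Apache multi-extension handling.
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "phtml", "jsp", "asp", "aspx", "asa", "cer"}
# Leading bytes of each permitted format (constructed table). The client's
# Content-Type header is ignored on purpose: it is attacker-controlled.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Control bytes (covers \x00 truncation and \x0A), path separators, ';' (IIS6
# "x.asp;1.jpg"), ':' (NTFS "::$DATA") and quotes that confuse header parsing.
FORBIDDEN = re.compile(rb"[\x00-\x1f\x7f/\\;:\"']")


def validate_upload(filename: bytes, head: bytes) -> str:
    """Return the canonical lower-case extension or raise ValueError.
    filename: raw value parsed from Content-Disposition; head: first bytes of body.
    """
    if FORBIDDEN.search(filename):
        raise ValueError("control, separator or quote character in file name")
    # Canonicalise as Windows does ("1.php." and "1.php " become "1.php") so the
    # check runs on the name the filesystem will actually store.
    name = filename.decode("ascii").rstrip(". ").lower()
    segments = name.split(".")
    if len(segments) < 2 or not all(segments):
        raise ValueError("missing or empty extension")
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        raise ValueError("script extension present in file name")
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    if not head.startswith(MAGIC[ext]):
        raise ValueError("content does not match declared extension")
    # Defence in depth against an image horse. This is a heuristic only:
    # storing uploads outside any script-executing directory and re-encoding
    # images is what actually neutralises embedded code.
    if b"<?" in head or b"<%" in head:
        raise ValueError("script marker inside image data")
    return ext


def storage_name(ext: str) -> str:
    """Server-chosen name: the client's base name is never reused, so name- and
    directory-based parsing tricks have nothing to latch on to."""
    return f"{secrets.token_hex(16)}.{ext}"
```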
A successful upload does not mean you are done. On some platforms merely uploading a malicious script file is not enough: you will be asked to prove that the file is parsed and executed (getshell), otherwise it is considered harmless, and phishing-only findings may not be accepted. The following therefore need to be established:
the upload path of the file, whether the file is parsed, whether it is deleted, whether it is renamed, and whether it can be accessed.