File Upload Vulnerability - Analysis from the Perspective of a Cheater

(1) File upload vulnerability

A file upload vulnerability arises in the function that lets users upload files. Many websites restrict the format of uploaded files, but an attacker who finds a loophole uploads Trojan horses and viruses and then controls the server. The uploaded file format is not unlimited but restricted, yet attackers still have special methods to bypass the restriction.

A penetration testing guru said: In our line of work, we must have perverted thinking and rigorous behavior. It is necessary to use extraordinary eyes and thinking to crack the security detection mechanism set by the programmer.

Websites are all developed by programmers. This time, from the perspective of a liar, we will deceive the detection methods that programmers develop and set up.

Without further ado, let's be a liar today and see which file upload detection methods we can cheat. Know yourself and know the enemy: be a liar, and be a liar with style. We first understand how website programmers detect the format of uploaded files, and then try to cheat each check.

The common file upload detection methods, and how we cheat them, follow.

(2) Upload restriction methods and cheating methods

1. Front-end js

Scenario: upload detection implemented with front-end js.

The js upload detection process:

  1. Bind a change event to the input element of the uploaded file
  2. Get the file selected by the user in the change event
  3. Determine the file type, suffix, size and other attributes, such as restricting the file size to not exceed a specific value, or restricting the file type to only certain types (such as pictures)
  4. If the file attributes do not meet the requirements, a prompt box will pop up to inform the user, and at the same time clear the selected file in the input element
  5. If the file attributes meet the requirements, upload the file or perform other related operations.

Deception method:

Method 1: Disable js directly in the browser.
This is a practice target (shooting range) that only allows picture uploads. We press F12 to enter developer mode and directly delete the bound method (just delete it outright, so that the check cannot even run; let's see whether it still detects anything), and the check is bypassed directly.


The effect is as follows: the text file has been uploaded successfully.


Method 2: Burp captures the packet and modifies the suffix of the uploaded file
We first upload a file that conforms to the allowed format (a png file, to fool the front-end js). After clicking upload, we use Burp Suite or another HTTP proxy tool to intercept and modify the request, change the file name suffix back to the original format (.txt), and then send the request again.


The result is also uploaded successfully.
The reason for capturing packets with Burp is that different environments and configurations may verify uploaded files in different ways, so on some simple practice targets you may be able to modify the file extension directly without a proxy tool such as Burp Suite.

However, in some real environments the verification of uploaded files may be strict, especially when the web application uses protection measures such as a WAF; directly modifying the file extension may then be blocked or cause the upload to fail. In that case it is safer to modify the request with a proxy tool.

2. MIME type detection bypass

Scenario: file detection using MIME type checks

Explanation:

MIME type refers to the multipurpose file types defined for the Internet; a file's MIME type is carried in the Content-Type field of the HTTP header. Web applications commonly use MIME types to detect and validate uploaded files.

Upload file verification can be divided into two stages. First, the client performs a preliminary check locally, for example whether the size of the uploaded file meets the requirements, and then sends the file to the server. Second, the server performs the real verification, checking whether the size, type and content of the file are as expected.

MIME type detection is a form of server-side detection. For MIME verification, the server usually judges whether the file type is legal according to the file's MIME type. If the uploaded file carries no MIME type or a wrong one, the server refuses the upload and returns an error message. Common MIME types are as follows:

text/plain (plain text)
text/html (HTML document)
text/javascript (JavaScript code)
application/xhtml+xml (XHTML document)
image/gif (GIF image)
image/jpeg (JPEG image)
image/png (PNG image)
video/mpeg (MPEG video)
application/octet-stream (binary data)
application/pdf (PDF document)

To put it simply, when we click upload, the browser adds a Content-Type field to the request header to identify the file type. When the data reaches the server, the server uses the value of the Content-Type field to decide whether the type of the uploaded file is acceptable.

Deception method: modify the value of Content-Type

Upload the disallowed file directly, then use Burp Suite or another HTTP proxy tool to intercept and modify the request. You can see that the Content-Type of the uploaded file is application/octet-stream, which describes binary data or an unknown data type: because so many data types and operating systems exist, many servers use application/octet-stream to represent an unknown or uncertain file type when sending binary data. Change the Content-Type to image/jpeg, the JPEG image format, and then resend the request.

3. getimagesize detection

Scenario: a PHP web page uses the getimagesize function to check uploaded files

Explanation:

In PHP, the getimagesize() function obtains image information, including the type, width, height and other related details of the image, and returns an array. The specific information is as follows:

  • Image width, in pixels
  • Image height, in pixels
  • Image type identifier, the constant value representing the image type, for example IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG
  • Image type description, a human-readable string representing the image type, such as "PNG", "JPEG", etc.
  • The image width used in HTML tags, in pixels
  • The image height used in HTML tags, in pixels
  • Other image information (if the $imageinfo parameter is provided)

This is server-side detection. On a site that only allows image uploads, the getimagesize function is used to obtain information about the uploaded file.

Deception method: splicing files and pictures together and uploading

Use copy to stitch a picture and a file together (this deception is like a wolf in sheep's clothing: the outward appearance of the sheepskin does the deceiving). After uploading, when the server calls the getimagesize function on it, the spliced content still contains valid image information, so the server obtains that information successfully and treats the upload as a picture.
Method:
In cmd, go to the directory containing the files and enter:
copy 1.jpg /b + 1.php /a test.jpg

The command copy 1.jpg /b + 1.php /a test.jpg merges the files 1.jpg and 1.php into a single file test.jpg, splicing the contents of the two files together in binary mode. The parts are explained as follows:

  • 1.jpg: the first input file in the output file.
  • /b: copy in binary mode.
  • +: indicates that the contents of 1.jpg and 1.php are to be spliced together.
  • 1.php: the second input file in the output file.
  • /a: treat the file as ASCII text and append its text content to the end of the output.
  • test.jpg: the merged output file, containing the contents of both 1.jpg and 1.php. Although its extension is .jpg, this file is not a true JPEG image but a merged file.

The function of this command is to merge the two files into one and stitch their contents together.

The result is as follows; you can see that the access is successful.

Because this is a file and a picture spliced together, after upload it exists in the form of a picture, so it cannot be used directly; another vulnerability is required, such as a file inclusion vulnerability, to include the file we just uploaded.
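As an added example (this is not code from the original post), here is the server-side check that closes both gaps from sections 2 and 3: it never trusts the client's Content-Type on its own, and it scans the whole body so that a picture with a PHP probe appended by copy /b + /a is refused even though its image header is valid. The image signatures and the sample payloads are constructed here for the demo.

```python
# Added example (not code from the original post): a server-side content check that
# does not trust the client's Content-Type and also catches the "image + PHP" polyglot
# that satisfies getimagesize(). All sample bytes below are constructed for the demo.
import re

# Magic bytes of the image types the upload form is meant to accept.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Script markers that have no business inside an image. Scanning raw bytes can
# false-positive on rare pixel data; re-encoding the image is the stronger fix.
SCRIPT_MARKERS = re.compile(rb"<\?php|<script\b", re.IGNORECASE)


def sniff_type(data: bytes):
    """Return the MIME type implied by the file's own leading bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def check_upload(client_content_type: str, data: bytes) -> str:
    """Return 'ok', or a rejection reason, for one uploaded blob."""
    sniffed = sniff_type(data)
    if sniffed is None:
        # A .txt or .php body with a forged image/jpeg header ends here.
        return "rejected: content is not a recognised image"
    # The header the client sent is cross-checked against the sniffed type,
    # never used as the sole evidence: a proxy can rewrite it to anything.
    if client_content_type.split(";")[0].strip().lower() != sniffed:
        return "rejected: Content-Type does not match content"
    # copy 1.jpg /b + 1.php /a test.jpg keeps a valid image header, so the
    # script appended after the image data is only found by scanning it all.
    if SCRIPT_MARKERS.search(data):
        return "rejected: script markers embedded in image data"
    return "ok"


# Constructed samples: a minimal PNG prefix, and the same prefix with a probe appended.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
POLYGLOT = PNG_SAMPLE + b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    print(check_upload("image/png", PNG_SAMPLE))                # ok
    print(check_upload("image/jpeg", b"hello, not an image"))   # rejected
    print(check_upload("image/png", POLYGLOT))                  # rejected
```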

 

4. Blacklist bypass

Scenario: When a file is uploaded to the back-end server, the server identifies the file type and matches it against a list of types that are prohibited from being uploaded. If the uploaded file type is on the list, the upload is refused. This list is the blacklist: it explicitly names the file types that are not allowed. In practice there are many such restriction rules; a few examples follow.

Deception method:

Method 1: Find the fish that slipped through the net

Some sites block only .asp, .aspx, .php, .jsp and a few other file types, which can be bypassed with other fish that slipped through the net (you don't let me pass, so I send my brother; I am not alone, I have a whole group of brothers). For example, special file-name bypasses: .php3 .php4 .php5 .phtml .phtm .phps .phpt (but there is a condition here: the other party's server configuration must also be set to parse these other php file names, otherwise, even if the upload succeeds, the file cannot be parsed).

Method 2: Case bypass

Some sites restrict only php files and place no restriction on the case of the file name, so Php, pHp, PHP and similar files are not restricted. We can try changing some letters to upper case (this deception is like: Lu Xun drinks, what does that have to do with me, Zhou Shuren). If the server does no case filtering, our upload may succeed.

Method 3: Upload a .htaccess file

On some sites the blacklist has many entries, with php3, .php4, .php5 and so on all included, so complete that we cannot start from the fish that slipped through the net. At this time we need to switch targets (there are so many vulnerability targets, we cannot just stare at one spot): let's try uploading a .htaccess file, because some sites do not prohibit uploading this file.

The htaccess file is a configuration file of the Apache server. It is responsible for the configuration of web pages in its directory and is where some rules are written. Through the htaccess file you can implement 301 redirection of pages, custom 404 error pages, changes to how file extensions are handled, allowing or blocking access for specific users or directories, prohibiting directory listing, configuring default documents, and so on.

In exploiting the file upload vulnerability, we can use the htaccess file to write a rule that makes the server parse a png image as a php file at the parsing layer; that is, although we upload image formats such as png, once the htaccess rule takes effect the server parses them as php (this deception is like putting "coloured glasses" on the server: whenever I upload a picture the server treats the picture as a php file, and when I access the picture the server also treats it as a php file and renders the result back).

The specific method is as follows:

Create a new .htaccess file with the content:
 

<FilesMatch ".png">
SetHandler application/x-httpd-php
</FilesMatch>

Function: any file whose name matches .png is handled by the php handler.

Then create a 1.txt file and store a probe in it (for testing), change the file suffix to png as camouflage, and click upload.

The result is that the upload succeeds. When we access the 1.png file, the probe file is triggered.
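As an added example (not code from the original post), here is an allow-list file name policy that closes every gap listed in this section at once: it lowercases before checking (case bypass), refuses dotfiles such as .htaccess, requires every extension segment to be on the allow list (so .php3/.phtml-style variants and double extensions never need a blacklist), and stores the file under a name the server chooses. The allow list and the sample names are assumptions made for the demo.

```python
# Added example (not code from the original post): an allow-list file name policy that
# closes the blacklist gaps described above (.php3/.phtml-style variants, case tricks,
# .htaccess) and replaces the client's name with one the server chooses. Constructed names.
import os
import re
import secrets

# Assumed allow list for a picture-only upload form.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def safe_stored_name(original_name: str):
    """Return (stored_name, reason); stored_name is None when the upload is refused."""
    # Drop any directory components the client supplied (../ or \ tricks).
    base = os.path.basename(original_name.replace("\\", "/"))
    if not base or base.startswith("."):
        # Dotfiles such as .htaccess are server configuration, never user content.
        return None, "rejected: empty name or dotfile"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None, "rejected: missing extension"
    # Every extension segment must be on the allow list after lowercasing, so
    # shell.PhP, shell.php5 and shell.php.png are all refused without a blacklist.
    # (The trade-off: an innocent my.photo.png is refused too.)
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            return None, f"rejected: extension '.{ext}' is not allowed"
    # Store under a random name with the validated extension: the client then has
    # no influence over the name Apache/PHP will use to pick a handler. Keep the
    # upload directory outside the web root or with script handlers disabled.
    return f"{secrets.token_hex(16)}.{parts[-1]}", "ok"


def is_valid_stored_name(name: str) -> bool:
    """Shape check for callers: 32 hex characters plus one allowed extension."""
    return re.fullmatch(r"[0-9a-f]{32}\.(png|jpe?g|gif)", name) is not None


if __name__ == "__main__":
    for sample in [".htaccess", "shell.PhP", "shell.php5", "shell.php.png", "../../pic.PNG"]:
        print(sample, "->", safe_stored_name(sample))
```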


Source: blog.csdn.net/weixin_49349476/article/details/131225304