"Network Security 0-100" HW1.10

How to prevent XXE vulnerabilities?

A

Disable the loading of external entities.

For example, in PHP this is done with libxml_disable_entity_loader(true);

Filter sensitive keywords such as SYSTEM so that malicious external entity declarations cannot be introduced.
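As an added example (not code from the page's author), here is how the two measures above look in Python: a pre-check that rejects any document carrying a DOCTYPE, which is the only place a SYSTEM entity can be declared, and a SAX parser configured never to load external entities. The keyword check alone is weak, since it works on raw bytes and assumes an ASCII-compatible encoding; the parser setting is the control that must not be skipped. On the PHP side, libxml_disable_entity_loader() is deprecated as of PHP 8.0 because libxml no longer loads external entities by default. The sample documents below are constructed for the self-test.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Pre-check on bytes: a DOCTYPE is where SYSTEM/PUBLIC entities are declared,
# so rejecting it covers the page's "filter SYSTEM" advice without false
# positives on element text that merely contains the word SYSTEM.
# Assumes an ASCII-compatible encoding; the parser features below are the
# real control and catch what this pattern misses.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


class XmlRejected(ValueError):
    """Raised when an XML document fails the pre-check or cannot be parsed."""


class _RootCollector(ContentHandler):
    """Minimal SAX handler: records the root element name and all text."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.text = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name

    def characters(self, content):
        self.text.append(content)


def parse_xml_safely(data: bytes):
    """Parse untrusted XML; returns (root_element_name, concatenated_text).

    Rejects any document carrying a DOCTYPE, then parses with external general
    and parameter entities disabled, so even a document that evades the
    pre-check cannot make the parser fetch a file or URL.
    """
    if DOCTYPE_RE.search(data):
        raise XmlRejected("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    handler = _RootCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))
    except xml.sax.SAXException as exc:
        raise XmlRejected(f"malformed XML: {exc}") from None
    return handler.root, "".join(handler.text).strip()


def is_accepted(data: bytes) -> bool:
    """True if parse_xml_safely() accepts the document."""
    try:
        parse_xml_safely(data)
        return True
    except XmlRejected:
        return False


# Constructed sample inputs for a self-test (not real application data).
BENIGN_XML = b"<order><id>42</id></order>"
EXTERNAL_ENTITY_XML = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<order>&ext;</order>"
)

if __name__ == "__main__":
    print(parse_xml_safely(BENIGN_XML))       # ('order', '42')
    print(is_accepted(EXTERNAL_ENTITY_XML))   # False
```

The benign document parses to its root name and text; the one with an external entity declaration is refused before the parser ever sees it, and if it somehow reached the parser the disabled features would keep the entity from being fetched.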

Q

What is the principle behind file upload vulnerabilities?

A

The upload function of a web page does not filter uploaded files reasonably and rigorously, so a user can use it to upload a file that the server will parse and execute, and through that file gain the ability to execute commands on the server.

Q

How to bypass file upload restrictions?

A

Front-end JS disable bypass

Disable JavaScript on the front-end page; this may affect the normal display of the page, but that does not matter.

Simple suffix modification bypass

If only the front-end page restricts the uploaded file suffix, then tools such as Burp Suite can be used to modify the file suffix in the request and bypass the check.

Capture the packet and modify the MIME type

Common image MIME types: image/gif, image/png, image/jpeg, image/bmp, image/webp, image/x-icon, image/vnd.microsoft.icon

The server code judges the file type by the value of Content-Type, so directly modifying the Content-Type value of the upload bypasses the check.

Suffix case bypass

If the source code does not normalize the case of the file suffix, simply changing the case of the suffix bypasses the blacklist.

Picture horse bypass

Use tools or commands such as edjpgcom to combine a picture and a WebShell into a picture horse (an image file with a script embedded in it).

GIF89a image header spoofing

For example, add GIF89a in front of the webshell; the back end will treat it as an image, and the trojan is executed after uploading. A more effective approach is to combine this with other bypass methods for a more targeted bypass.

%00, 0x00 truncation

For example, change the file name to 1.php%00.jpg. If the PHP version is below 5.3.4, %00 in the URL is ASCII code 0, and ASCII 0 marks the end of a string, so when %00 appears in the URL the string is considered to end there and the file name is finally parsed as 1.php, achieving the bypass.

.htaccess file bypass

The .htaccess file is a configuration file of the Apache server that configures the web pages in its directory. Through .htaccess you can implement 301 redirection, custom 404 error pages, changing how file extensions are handled, allowing or blocking access for specific users or directories, prohibiting directory listing, configuring default documents, and so on.

For example, if the .htaccess file contains AddType application/x-httpd-php .png, then uploading a picture with the .png suffix bypasses the restriction.

.user.ini bypass

The effect of a .user.ini file is that all PHP files automatically include the specified file. For example, if a website restricts the upload of .php files, you can upload a .user.ini and then upload a picture horse, which gets included and gives a shell. The precondition is that there must be a normal PHP file in the folder containing .user.ini, otherwise nothing includes it. Also, if you just want to hide a back door, this method is the most convenient.

Race condition bypass

The upload logic of some websites is to first allow any file to be uploaded, then check whether the uploaded file contains a webshell script, and delete the file if it does. The problem is that there is a short time gap between the file being uploaded successfully and the file being deleted (because checking the file and deleting it take time), and the attacker can use this short window to carry out a race-condition upload attack. For example, upload a php file written like this:

<?php fputs(fopen('../shell.php','w'),"...");?>

::$DATA bypass
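The following is an added example, not the page's code, showing the server-side gate that defeats each item in the list above (from the principle of the file upload vulnerability through the race condition): an extension allowlist compared case-insensitively, rejection of null bytes, ::$DATA and dotfile names, a single-extension rule so names like x.php.png are refused, a magic-byte check that ignores the client's Content-Type, and validation before any byte is written so the "upload first, delete later" race has no window. The allowed types, the scratch directory and the sample bytes are assumptions of the example.

```python
import os
import tempfile
import uuid

# Extension -> magic bytes the content must begin with (assumed allowlist for
# this example; extend it for the formats your application really accepts).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes, client_mime=None) -> str:
    """Return the canonical extension if the upload passes every check.

    client_mime is accepted only so the caller can log it; it never affects
    the decision, because Content-Type is whatever the client chose to send.
    """
    # Drop any directory part the client sent, on either separator.
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or "%00" in name:                   # %00 / 0x00 truncation
        raise UploadRejected("null byte in filename")
    if "::" in name:                                      # NTFS ::$DATA stream suffix
        raise UploadRejected("stream syntax in filename")
    if name.startswith("."):                              # .htaccess, .user.ini
        raise UploadRejected("dotfiles are not accepted")
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:  # exactly one extension
        raise UploadRejected("filename must be <name>.<ext>")
    ext = parts[1].lower()                                # case-insensitive suffix check
    if ext not in ALLOWED_TYPES:                          # allowlist, never a blacklist
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed type")
    return ext


def is_accepted(filename: str, content: bytes) -> bool:
    """True if validate_upload() accepts the file."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate, then store under a server-generated name; returns that name.

    Validation runs before any write, so the "upload, scan, delete on match"
    sequence from the page never exists here. Writing to a temp file and then
    os.replace()-ing it means the final path appears only once fully written.
    """
    ext = validate_upload(filename, content)
    final_name = f"{uuid.uuid4().hex}.{ext}"             # client's name never hits disk
    fd, tmp_path = tempfile.mkstemp(dir=upload_dir, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        os.replace(tmp_path, os.path.join(upload_dir, final_name))
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_name


def demo_store_roundtrip() -> bool:
    """Store a constructed PNG in a scratch directory and verify the outcome."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16             # constructed sample bytes
    with tempfile.TemporaryDirectory() as scratch:
        stored = store_upload("../../Photo.PNG", png, scratch)
        with open(os.path.join(scratch, stored), "rb") as fh:
            written = fh.read()
        leftovers = [f for f in os.listdir(scratch) if f != stored]
    return (stored.endswith(".png") and "Photo" not in stored
            and not leftovers and written == png)


if __name__ == "__main__":
    print(validate_upload("photo.PNG", b"\x89PNG\r\n\x1a\n"))   # png
    print(is_accepted("shell.php%00.jpg", b"\x89PNG\r\n\x1a\n"))  # False
    print(demo_store_roundtrip())                               # True
```

Note what this gate cannot do: a picture horse carries a valid image header and passes the magic-byte check, exactly as the page says. Such a file stays harmless only if the upload directory is served without script execution, which is a server-configuration matter: on Apache, AllowOverride None in the virtual host makes an uploaded .htaccess inert, mod_php can be disabled for that directory with php_admin_flag engine off (or the files served from a separate static host), and PHP stops honouring .user.ini when user_ini.filename is set to an empty string in php.ini.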


Source: blog.csdn.net/2301_77069887/article/details/131504175