Table of contents
What is a file upload vulnerability
What are the dangers of a file upload vulnerability?
File upload attack methods / steps
Arbitrary file upload vulnerability
Bypass front-end JS detection upload file
Directory controllable %00 truncation bypass
What is a file upload vulnerability
Many websites let users upload files, for example an avatar or a background image for a personal homepage.
A file upload vulnerability abuses this mechanism to upload special files (such as Trojan horse / webshell files). If the site does not filter uploads strictly, the malicious file lands on the server and the attacker can use it to carry out further operations there (privilege escalation, reverse shell, etc.), causing losses to the target site. This is the file upload vulnerability.
The file upload process
The client selects and sends the file -> the server receives it -> the web application checks it -> it is written to a temporary file -> it is moved to the target path
Upload return values (the PHP upload error codes)
0: uploaded successfully
1: the uploaded file exceeds the size limit in php.ini
2: the uploaded file exceeds the size limit set in the HTML form
3: the file was only partially uploaded
4: no file was uploaded
What are the dangers of a file upload vulnerability?
Through the uploaded file an attacker can gain control of the website and even of the server, and if the file is not cleaned up in time it becomes a persistent foothold.
Such a file is usually called a WebShell or WebShell backdoor; through it the compromised website is almost completely transparent to the attacker, which can cause very large losses.
What is a webshell?
As mentioned above, a WebShell is a web page backdoor, usually written in ASP, JSP or PHP. Common WebShell functions include executing system commands, stealing user data, deleting web pages and modifying the home page. After breaking into a website, attackers often drop these ASP or PHP Trojan horse backdoor files into the web directory of the server and mix them in with the normal web page files.
Classification of webshells
Classification | Volume | Features
--- | --- | ---
Big horse (large shell) | Large, contains many functions | Usually contains key functions that call into the system, so the code is usually encrypted to hide it.
Small horse (small shell) | Small, usually only a file upload function | 
One-word Trojan horse | Very short code (a single line) | Easy to use; works as a stand-alone file or inserted into a normal file; has many variants and is hard to detect.
In short, all kinds of "horses"...
File upload attack methods / steps
Find the upload points of the target website (avatar upload, background upload, etc.) and try to upload dynamic script files such as .php or .aspx to test whether they can be uploaded directly; if not, try to bypass the check.
Common server-side script suffixes: asp asa cdx cer php aspx ashx jsp php3 php.a shtml phtml. Some websites filter the strings asp or php by replacing them with an empty string; doubled suffixes such as aspasp, asaspp or phpphp then survive the replacement.
Arbitrary file upload vulnerability
As the name suggests, an arbitrary file upload vulnerability lets any file be uploaded directly without any filtering; it is also called a direct file upload vulnerability. An attacker can upload malicious files directly and obtain the privileges of the website or even the server.
Upload bypass
Bypass front-end JS detection upload file
Some websites check the uploaded file with front-end JavaScript. This check runs in the browser and never passes through the server, so the data is fully under the client's control. There are several ways to bypass it:
- Disable JavaScript in the browser
The browser has a settings page for this. In Firefox, for example, enter about:config in the address bar to reach the low-level settings, search for java to find the corresponding option, and change true to false to disable JavaScript. If the JS is not loaded, the front end cannot check the file suffix and the upload goes through. (Be sure to change the setting back after uploading.)
- Use F12 (developer tools) to delete the corresponding rule
- Use Burp or a similar tool to capture and modify the request
Disabling JS is generally the easiest way; the other methods are only needed when the page stops working completely without JS.
Bypass Content-Type detection
Some websites check the Content-Type in the HTTP request headers when a file is uploaded. Capturing the request with Burp or similar software and modifying the Content-Type makes the upload go through.
Take level 2 of the upload-labs range as an example:
Uploading directly prompts that the file type is incorrect and asks you to upload again. At this point, open Burp Suite to capture the request:
Change the Content-Type in the HTTP request to image/png and forward the request; the file uploads successfully:
Use the AntSword webshell management tool to connect and verify the upload:
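A server-side check that does not trust the header, as an added example (not the page's or upload-labs' code): the Content-Type the client declares is compared with the type sniffed from the file's first bytes. The signature table and the request bodies are constructed for this example.

```python
# Constructed signature table for the image types an avatar upload accepts.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def sniff_type(data: bytes):
    """Identify the content from its leading bytes, ignoring what the client said."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None

def accept_upload(declared_type: str, data: bytes) -> bool:
    """The Content-Type header is typed by the client (level 2 falls to a Burp
    edit of it), so treat it only as a claim: the bytes must independently
    sniff to an allowed type, and that type must match the claim."""
    claimed = declared_type.split(";", 1)[0].strip().lower()
    sniffed = sniff_type(data)
    return sniffed is not None and sniffed == claimed

# Constructed request bodies: a minimal PNG header, and a text file relabelled
# as image/png the way the level 2 bypass does.
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_BODY = b"this is not an image\n"

def demo() -> dict:
    """Verdicts for the three cases a reviewer would want to see."""
    return {
        "png as image/png": accept_upload("image/png", PNG_BODY),
        "text as image/png": accept_upload("image/png", TEXT_BODY),
        "png as image/jpeg": accept_upload("image/jpeg", PNG_BODY),
    }
```

A signature check only proves the first bytes look like an image; the .htaccess and .ini levels further down show image bytes still being executed as PHP, so the extension allow-list and a non-executing upload directory remain necessary.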
Blacklist bypass
Some websites take the file extension on upload and compare it with a blacklist; if the extension is on the blacklist, the upload is blocked.
Against a blacklist we only need an extension that is not on it (in a black-box test, try them one by one), such as php1, php2, php3, phtml, ashx, etc.
Take level 3 of the upload-labs range as an example:
Uploading directly says the upload failed, and the page kindly gives us some hints (laughs).
We change the file extension to phtml and click upload:
You can see the upload succeeded; connect and try:
Uploaded successfully.
Bypass using .htaccess
If the website's blacklist is comprehensive and blocks all usable suffixes (such as .phtml), we can try uploading a .htaccess file instead.
A .htaccess file can be used for folder password protection, automatic user redirection, custom error pages, changing how file extensions are handled, blocking or allowing specific IP addresses, disabling directory listings, and features such as using other files as index files. Writing SetHandler application/x-httpd-php into .htaccess makes files be handled as PHP. For the .htaccess rules to take effect the rewrite module must be enabled in Apache; since most Apache installations enable it, the rules generally take effect.
Take level 4 of the upload-labs range as an example:
Create a .htaccess file containing SetHandler application/x-httpd-php and upload it. This directive makes all files in the directory execute as PHP, so we change the suffix of the PHP file to any suffix the site allows, such as png or jpg, and the content still executes as PHP code.
After that upload succeeds, upload the .jpg file as well:
Connection test, success:
Case bypass
Some checks do not normalize case; uploading with a different case, such as PHP, Php or pHp instead of php, bypasses them.
Take level 6 of the upload-labs range as an example:
Case is not filtered strictly, so change the case and upload the file:
Upload succeeded:
Connection test, success:
Space bypass
If a website does not trim leading and trailing whitespace from the uploaded file name, capture the request in transit and append a space after the file name.
Take level 5 of the upload-labs range as an example:
Looking at the source code, I found that it trims leading and trailing whitespace and strips the dot, so use .. to bypass:
Level 5 also has a one-liner solution:
Upload a .ini file containing the line auto_prepend_file=ant5.jpg, which pulls in ant5.php; then simply request the readme.php mentioned in the prompt:
Upload ant5.jpg as well
Test success:
Level 7 is also a space bypass:
Add the space:
Test success:
Trailing dot bypass
Some websites do not strip a dot after the file suffix; capture the request and add a dot to bypass.
Take level 8 of the upload-labs range as an example:
Capture the request and add the dot:
Test success:
Use system features to bypass
Windows trailing dot: Windows automatically ignores a trailing dot in a file name, so shell.php. and shell.php are the same file to the system. Capture the upload request and append a . to the file name to bypass.
Windows stream feature: on Windows, uploading the file name ant.php:.jpg produces an empty file named ant.php in the directory.
Then, using this overlapping behaviour of PHP and Windows, the following symbols are treated as equal when file names are matched (as in a regular expression):
- a double quote " is equal to a dot .
- a greater-than sign > is equal to a question mark ?
- a less-than sign < is equal to an asterisk *
- filename.<, filename.<<<, filename.>>> or filename.>>< all give an empty file name
NTFS alternate data stream bypass
Append ::$DATA to the file name to bypass.
Take level 9 of the upload-labs range as an example:
Add the data stream:
Test success:
Double-write bypass
Some websites automatically delete the sensitive string from the suffix (for example, a.php becomes a.). In that case the suffix can be double-written, for example a.phpphp; after the deletion what remains is a .php file.
Take level 11 of the upload-labs range as an example:
Connection test, success:
. . bypass
Some websites strip spaces and dots, so you can use . . (a dot, a space and a dot) to bypass.
Take level 10 of the upload-labs range as an example:
Test success:
Whitelist bypass
The above are blacklist bypasses. The opposite of a blacklist is a whitelist. Whitelist validation is relatively safe, because only the specified extensions are allowed; but if the upload directory is a controllable parameter, there is still a risk of bypass.
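As an added example (not the page's or upload-labs' code), the raw-suffix blacklist that the levels above defeat is put beside an allow-list check on the normalized whole name, and filesystem_view() shows what a Windows web root would actually store for each trick name. The deny list, the allowed extensions and the sample names are constructed here.

```python
import os
import re

# Constructed deny list of the kind the blacklist levels compare the suffix with.
BLACKLIST = {"php", "php3", "php5", "phtml", "asp", "aspx", "jsp"}

def naive_blacklist_allows(filename: str) -> bool:
    """The weak check: take the text after the last '.' and refuse it only if
    it is on the list, case-sensitively, without asking what the OS will do."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext not in BLACKLIST

def filesystem_view(filename: str) -> str:
    """What a Windows/NTFS web root stores for this name: '::$DATA' names the
    main stream, and trailing dots and spaces are dropped by the OS."""
    name = filename.split("::", 1)[0]
    return name.rstrip(" .")

def hardened_allows(filename: str) -> bool:
    """Allow-list on the whole normalized name: one base segment, one
    extension from the allowed set, nothing else.  Spaces, extra dots,
    streams, NUL bytes, a leading '.' (.htaccess) and unexpected suffixes
    (php, phtml, phpphp) all fail the pattern, so the check and the
    filesystem cannot disagree about what the name means."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    return re.fullmatch(r"[a-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)", name) is not None

# Constructed sample names, one per trick the levels above walk through.
SAMPLES = [
    "ant.jpg",          # legitimate upload
    "ant.php",          # the only one the naive check catches
    "ant.PhP",          # case bypass
    "ant.php ",         # trailing space
    "ant.php.",         # trailing dot
    "ant.php. .",       # dot space dot
    "ant.php::$DATA",   # NTFS alternate data stream
    "ant.phpphp",       # double write (becomes ant.php after a strip-once filter)
    ".htaccess",        # handler override
]

def compare(samples=SAMPLES) -> dict:
    """Map each sample to (naive verdict, hardened verdict, name the OS stores)."""
    return {s: (naive_blacklist_allows(s), hardened_allows(s), filesystem_view(s))
            for s in samples}
```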
Directory-controllable %00 truncation bypass
When the upload directory parameter is controllable and magic_quotes_gpc is off, %00 can be used to truncate the directory or file name.
Requirement: PHP version lower than 5.3.4
GET %00 truncation: capture the upload request; everything after %00 in the path is truncated automatically.
Take level 12 of the upload-labs range as an example:
Modify the packet:
Test:
POST %00 truncation bypass
Some websites pass the parameter via POST, so editing the path directly has no effect. We need to modify the path and apply URL decode (in the right-click menu of Burp Suite) to the %00 so that the raw byte is sent.
Take level 13 of the upload-labs range as an example:
Capture and edit the packet:
URL-decode the highlighted part:
Test success:
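The GET and POST %00 sections above concern the same server-side defect, so one added example (not the page's or upload-labs' code) covers both: legacy_destination() models the vulnerable path assembly, as_seen_by_c_api() shows where a NUL-terminated call stops reading, and hardened_destination() builds the path without client input. The upload root, the parameter name client_dir and the stored base name are assumptions.

```python
import os
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/var/www/upload"     # assumed server-side upload directory
ALLOWED = {"jpg", "jpeg", "png", "gif"}

def legacy_destination(client_dir: str, ext: str, base: str = "1700000000") -> str:
    """Models the level 12/13 pattern: ext already passed the whitelist, but
    the directory comes straight from the request and is concatenated as-is.
    unquote() turns a GET %00 into the same raw NUL a POST body carries."""
    return unquote(client_dir) + "/" + base + "." + ext

def as_seen_by_c_api(path: str) -> str:
    """A NUL-terminated filesystem call (move_uploaded_file() on PHP < 5.3.4)
    stops at the first NUL byte, so the whitelisted tail is simply dropped."""
    return path.split("\x00", 1)[0]

def is_truncation_attempt(client_dir: str) -> bool:
    """Detection hook for request logging: a NUL in the decoded directory
    parameter means the visible suffix is not the effective one."""
    return "\x00" in unquote(client_dir)

def hardened_destination(ext: str, base: str) -> str:
    """The server picks the directory and the base name (the client's
    directory hint is not even a parameter), the extension must be on the
    allow-list, and the resolved path must still be inside UPLOAD_ROOT."""
    ext = ext.lower()
    if ext not in ALLOWED or not re.fullmatch(r"[a-z0-9]{1,32}", base):
        raise ValueError("rejected upload name")
    root = os.path.realpath(UPLOAD_ROOT)
    dest = os.path.realpath(os.path.join(root, f"{base}.{ext}"))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload root")
    return dest
```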
The above covers the basics of file upload vulnerabilities; I hope it gives beginners in network security some useful ideas.