File upload vulnerability bypass method

Table of contents

1. File upload principle

2. File upload detection method

3. Backend detection bypass

3.1 Type detection bypass

3.2 File header detection bypass

3.3 File content detection bypass

3.4 Blacklist detection bypass

3.4.1 Bypass when the .htaccess suffix is not filtered

3.5 Whitelist detection bypass

3.5.1 Truncation

3.5.2 File inclusion vulnerabilities

3.6 Parsing vulnerability bypass

3.6.1 Apache Parsing Vulnerabilities

3.6.2 IIS Parsing Vulnerabilities

3.6.3 Nginx Parsing Vulnerabilities

3.7 Race condition bypass

3.8 WAF detection bypass

Foreword

This is my own summary, put together with the practice range. I basically summarized all the situations I have encountered when uploading files, and I also summarized the various bypass methods. I hope it can help you. I really put my heart into summarizing it; it took me an afternoon.

1. File upload principle

Some websites provide upload functionality: setting an avatar means uploading a picture, and sites also accept documents, compressed archives and so on. Generally the site expects an image or text format. If the detection is not comprehensive, an attacker can upload malicious script code directly and have it executed, or combine the upload with other vulnerabilities to get a code file in place, and the server can be taken over. Below we look at how file uploads are checked and how those checks are bypassed.

2. File upload detection method

File upload detection is divided into front-end detection and back-end detection. Front-end detection is very easy to bypass: it means there is checking code in the web page that runs before the upload is submitted. We only need to rename the Trojan file to a normal picture name, then capture the request and change the name back. What this article focuses on is bypassing the backend detection.

3. Backend detection bypass

There are many methods for backend detection, including file type detection, file content detection, whitelist detection, and blacklist detection. Let’s look at them one by one.

3.1 Type detection bypass

The request packet has a field called Content-Type, which tells the server the type of the file being sent; the server judges from it whether the upload is a picture or a document. Take the second level of upload_labs. First we upload our code file; it prompts that the file type is incorrect. Upload it again and capture the request: we can see Content-Type: application/octet-stream in the request packet, which indicates that what was uploaded is a script file.

If we set the field to Content-Type: image/jpeg, the upload succeeds. Right-click the image and copy the image address to see that the code is executed. Modifying this field value in a captured packet easily bypasses type detection.

3.2 File header detection bypass

The server simply matches the file header to see whether you uploaded the required file type. We can bypass it by prepending a valid file header to the uploaded file; see the thirteenth level of upload_labs.

3.3 File content detection bypass

The server no longer does simple file header matching on the uploaded file; instead it detects whether the file is an image by calling functions such as getimagesize/imagecreatefromgif/imagecreatefrompng.

3.4 Blacklist detection bypass

Blacklist detection means the server has a list, and if the suffix is in that list, the file cannot be uploaded. If the blacklist is not comprehensive or the filtering is not strict, it can be bypassed: for example with a trailing dot, a space, different letter case, or other suffixes. Sometimes the code filters only once rather than repeatedly, and it can be bypassed by nesting the suffix; the tenth level of upload_labs is bypassed with a nested suffix name.

Other blacklist levels of upload_labs, which you can try yourself:

1. Level 3: alternative suffixes such as 1.php1
2. Level 5: letter case
3. Level 6: a trailing space
4. Level 7: similar to the above
5. Level 8: append ::$DATA to the suffix; this only works on Windows, and the suffix must be php
6. Level 9: a.php. (with a trailing dot and space)

3.4.1 Bypass when the .htaccess suffix is not filtered

This suffix deserves separate treatment under blacklist detection. .htaccess is not itself a dangerous script suffix, so it is often not filtered. Note the preconditions for this method: it targets Apache, with the mod_rewrite module enabled and AllowOverride All. The reason is that Apache's rewrite module is commonly used to rewrite URLs, and the rewrite rules are written in the .htaccess file. When AllowOverride is set to None, .htaccess files are completely ignored; when it is set to All, every directive whose context includes ".htaccess" is allowed to appear in the .htaccess file. If you are interested, you can look it up on Baidu. See the fourth level of upload_labs for a concrete case.

The first step is to upload a .htaccess file with the content:

AddType application/x-httpd-php .png

The second step is to upload the file 1.png with the content:

<?php
phpinfo();
?>

The third step is to access the image address; the PHP code is parsed.

Besides the above, there are other variants:

1. Upload a .htaccess file with the content

AddHandler php5-script php

and name the Trojan file 1.php.png. Access the image address and the code inside is parsed.

2. Upload a .htaccess file with the content

<FilesMatch "ajest">
SetHandler application/x-httpd-php
</FilesMatch>

and name the Trojan file ajest.png. Access the image address and the code inside is parsed.

3.5 Whitelist detection bypass

3.5.1 Truncation

Whitelist detection is harder to bypass than blacklist detection, because it only allows the listed file suffixes, and anything else cannot be uploaded. Other methods are needed; here, truncation with a 00 byte.

In level 11 of upload_labs, an uploaded picture is renamed, and the upload path can be seen in the request packet. By inserting a 00 truncation into that path, the file is saved with the name we chose when the picture is uploaded.

3.5.2 File inclusion vulnerabilities

We upload the script file and hope it will eventually be parsed, but because the upload uses whitelist verification, only image formats can be uploaded. We can still upload an image Trojan, but its code is not executed; it is only treated as an image. If the site also has a file inclusion vulnerability, the code gets parsed.

I create a new file int.php in my local website directory with the following content:

<?php
$path = $_GET['file'];
include $path;
?>

Then create a new file 1.php with the following content; to simulate the upload, rename 1.php to 1.png, which is equivalent to having uploaded an image Trojan:

<?php phpinfo();?>

Visit the following address:

http://127.0.0.1/haha/int.php?file=1.png

3.6 Parsing vulnerability bypass

Parsing vulnerabilities include Apache, IIS and Nginx parsing vulnerabilities.

3.6.1 Apache Parsing Vulnerabilities

The Apache parsing vulnerability is caused by the operations staff adding a handler so that Apache parses PHP when configuring the server. That amounts to adding a rule in which the suffix match is not the normal match but a match at any position.

Normal matching means that when the last suffix of a file is php/php1..., the file is handed to the PHP processor (php_module); after processing, the result is returned to Apache, which sends it to the browser.

Any-position matching works like this. Take 22.php.png.mp3: most operating systems treat this as an MP3 file, but Apache may not. It reads the suffixes from right to left; if it encounters a suffix it does not recognize, it moves on to the next one, and when it reaches php it carries out the steps above. Once it encounters a suffix it recognizes, it stops looking at the rest. So level 4 of upload_labs can also be passed with 1.php.xx.yy.zz.

3.6.2 IIS Parsing Vulnerabilities

IIS 5.x/6.0 parsing vulnerabilities

This version has two parsing vulnerabilities, directory parsing and file parsing. Most such servers are Windows Server 2003, the websites are relatively old, and the development language is generally ASP; these vulnerabilities only parse asp files, not aspx files.

1. Directory parsing

If a directory name ends with the string .asp, .asa, .cer or .cdx, all files in that directory are parsed as ASP. For example, test.asp/1.jpg will be parsed as ASP code.

2. File parsing

As long as the file name contains .asp;, .asa;, .cer; or .cdx;, it is parsed as ASP first. For example: 1.asp;.jpg

IIS 7.0/7.5 parsing vulnerability

For any file, as long as the string /anyname.php is appended to the URL, it is parsed as PHP. For example, I uploaded an image Trojan 22.png and accessed www.haha.com/upload/22.png directly: the picture can be viewed but the code is not parsed. Now we only need to request www.haha.com/upload/22.png/33.php to execute the code.

3.6.3 Nginx Parsing Vulnerabilities

Nginx versions 0.8.41 to 1.4.3 and 1.5.x up to 1.5.7, CVE-2013-4547. The principle is that illegal characters, spaces and the terminating character (\0) confuse the finite state machine Nginx uses to parse URIs. The impact is that an attacker can bypass the suffix restriction with an unencoded space.

Upload a file named "test.jpg " (the last character is a space) with the content

<?php phpinfo(); ?>

Accessing this file produces an error, because the browser automatically encodes the space as %20 and the file "test.jpg%20" does not exist on the server. Capture the packet and append AAphp to the file name, then in the hex view change the space after jpg to 20 (the ASCII code of the space), the first A to 00 (the terminator \0) and the second A to 2e (the ASCII code of "."). This is done so that the browser does not encode the space and the terminator. The file name sent is then "test.jpg \0.php"; Nginx thinks the extension is php and parses it.
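An added example, not code from the original post or from upload_labs: a server-side acceptance check in Python that closes the gaps from sections 3.1 to 3.6 in one place. It ignores Content-Type, normalises the name the way the filesystem would, whitelists every dotted part of the name instead of blacklisting, confirms the magic bytes, and returns a server-generated name. The extension whitelist and magic bytes are assumptions for the example.

```python
import re
import secrets

# Whitelisted extensions and the magic bytes a file of that type must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def check_upload(filename: str, content: bytes):
    """Return (True, server_side_name) or (False, reason).

    The client's Content-Type header is deliberately not an input: it is
    attacker-controlled and proves nothing about the bytes (section 3.1).
    """
    # NUL/control bytes in a name only appear in truncation tricks (3.5.1, 3.6.3).
    if any(ord(c) < 0x20 for c in filename):
        return False, "control character in filename"
    # Normalise what the filesystem would silently normalise: NTFS "::$DATA"
    # streams, trailing dots and spaces, and letter case (3.4, upload_labs 5-9).
    name = filename.split("::")[0].rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    # Apache may hand "1.php.xx.yy" to the PHP handler (3.6.1) and IIS honours
    # "1.asp;.jpg" (3.6.2), so every dotted part after the base name is checked
    # against the whitelist, and anything but [a-z0-9] inside it is rejected.
    exts = parts[1:]
    for e in exts:
        if not re.fullmatch(r"[a-z0-9]+", e):
            return False, "unexpected characters in extension: " + e
        if e not in ALLOWED:
            return False, "extension not allowed: " + e
    ext = exts[-1]
    # The bytes must actually look like the claimed image type (3.2 / 3.3).
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match ." + ext
    # Never reuse the client's name: a random name with the verified extension
    # means ".htaccess", doubled suffixes or "%00" never reach the disk (3.4.1).
    return True, secrets.token_hex(16) + "." + ext
```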

3.7 Race condition bypass

Secondary rendering: a website asks you to upload a picture and then performs a second operation on it after upload, such as cropping it to size. There may be a logic flaw here that allows a race condition to be used to upload a Trojan file.

In the seventeenth level of upload_labs, the file is first saved to the server and only then verified before the second operation. So we can keep sending packets and keep requesting the address before the second operation runs, exploiting the race: while the file is open it cannot be renamed or deleted. The concrete procedure is as follows.

The first step is to create a file 2.php with the content below. When it executes, it creates shell.php in the directory with the content <?php @eval($_POST["test"])?>, so after a while we can clearly see whether the code in 2.php executed.

<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST["test"])?>');?>

The second step is to upload 2.php, capture its request packet and send it to the Intruder module to upload 2.php repeatedly. Set the payload position on the number after the User-Agent field, which has no effect on the request content but lets the packet be sent repeatedly.

The third step is to configure the payloads.

The fourth step is to click Start attack; you can see the attack running.

Now refresh the address of 2.php continuously. My site is built locally; after refreshing for a while you can see that shell.php has been generated, and then you can connect with AntSword.
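An added example (not code from the original post or from upload_labs) showing, in Python, the ordering flaw behind this level beside the ordering that removes it: save-then-check leaves the file reachable under the web root for a moment, while check-then-publish validates in a staging directory and moves the file in with one atomic rename under a server-chosen name. The `observe` callback stands in for a concurrent request; the sample content and directory layout are constructed for the example.

```python
import os
import secrets
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def is_png(content: bytes) -> bool:
    return content.startswith(PNG_MAGIC)   # stand-in for the full content check

def store_write_then_check(webroot, filename, content, observe=None):
    """Level 17 ordering: save under webroot first, validate afterwards."""
    dest = os.path.join(webroot, filename)
    with open(dest, "wb") as f:
        f.write(content)
    if observe:
        observe(dest)              # a request arriving now already reaches the file
    if not is_png(content):
        os.remove(dest)            # the deletion comes after the window was open
        return False
    return True

def store_check_then_publish(webroot, staging, content):
    """Validate before anything touches webroot, stage outside it, then publish."""
    if not is_png(content):
        return None                # rejected bytes never existed under webroot
    fd, tmp = tempfile.mkstemp(dir=staging)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    final = os.path.join(webroot, secrets.token_hex(8) + ".png")
    os.replace(tmp, final)         # atomic when staging and webroot share a filesystem
    return final

def demo():
    """Run both flows on a constructed script-like upload and a real PNG header."""
    root = tempfile.mkdtemp()
    webroot, staging = os.path.join(root, "upload"), os.path.join(root, "staging")
    for d in (webroot, staging):
        os.makedirs(d)
    script = b"<?php echo 1; ?>"  # constructed sample, not the page's payload
    seen = []
    racy = store_write_then_check(webroot, "2.php", script,
                                  observe=lambda p: seen.append(os.path.exists(p)))
    rejected = store_check_then_publish(webroot, staging, script)
    store_check_then_publish(webroot, staging, PNG_MAGIC + b"\x00" * 8)
    return {
        "racy_rejected": racy is False,
        "racy_window_visible": seen == [True],   # the concurrent request saw 2.php
        "safe_rejected": rejected is None,
        "webroot_files": sorted(os.listdir(webroot)),  # only the published png
    }
```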

3.8 WAF detection bypass

Content-Disposition: can generally be changed

name: the form field name, cannot be changed

filename: the file name, can be changed

Content-Type: change as appropriate.

1. Data overflow: use a lot of junk data, which may bypass Safedog. For example, write a lot of useless data in front of filename.

2. Symbol variation: switch single and double quotes, leave quotes unpaired, add semicolons, and so on.

3. Data truncation, to defeat matching (; %00 newline /)

4. Multiple Content-Disposition headers

In an IIS environment, if the upload carries several Content-Disposition headers, IIS takes the value in the first one as the received parameter; if the WAF only reads the last one, it is bypassed. Win2k8 + IIS7.0 + PHP.

5. A line break (Enter) in the file name

6. Delete the Content-Type field in the entity
The first way is to delete the whole Content-Type line. The second is to delete "ontent-Type: image/jpeg" and leave only the "C". The third is to delete the spaces in the Content-Disposition field.

7. Multiple filename fields: the WAF may check the filename field only once.

8. Change POST to GET. Some WAF rules are: if the packet is a POST, verify its content. In that case, capture a POST upload packet and change POST to GET.

Origin blog.csdn.net/dreamthe/article/details/121603278