File upload vulnerability - file upload detection and bypass

File upload detection and bypass are divided into client-side detection and bypass and server-side detection and bypass (the latter being the more important).

1. Client detection and bypass

Client: also called the front-end, as opposed to the server. Since the client's defense against file upload vulnerabilities is implemented in JS, client-side detection and bypass can also be called JS/front-end detection and bypass.

1. Detection principle:

2. Bypass method

Principle (premise): since the back-end PHP code performs no detection on the file at all, a Webshell can be uploaded as long as the front-end JS check is bypassed.

(1) Delete the browser event

1. Enter the address: http://ip/upfile/1/upload.html

2. On the operating machine, prepare the file (a script file) to be uploaded, for example by creating a new info.php file

3. Click the "Select File" button and select the file to upload

4. Click the "submit" button; the file upload fails

5. According to the prompt, a "jpg" image file must be uploaded. Click "OK" to return to the upload page, right-click, and click "View Elements"

6. Navigate to the file field; you can see that the form calls the selectFile() function

7. Jump to the selectFile() function and double-click to expand the function code

8. From the code it can be seen that the form calls the selectFile() function of the JS code: it first obtains the name of the uploaded file, converts the file name to lowercase, then uses the substr function to cut out the file suffix (including the dot) and checks it. So it is enough not to call the JS code at all: delete the browser event, i.e. set onsubmit=""

9. Click the "submit" button to upload the file again; the script file is uploaded successfully


10. Visit http://ip/upfile/1/upload/info.php; the uploaded script file is parsed successfully

After that, a one-sentence Trojan script can be uploaded and used together with China Chopper, AntSword, etc.
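To make the principle concrete, here is an added example (not code from the original post): it reconstructs the kind of front-end check the post describes in selectFile() (lower-case the name, take the suffix from the last dot, compare it with the allowed suffix), and next to it the check the back end in this scenario is missing, re-made on the server against the received name and bytes. The function names, the allowlist (only "jpg" is mentioned in the post) and the sample inputs are assumptions.

```javascript
// Added illustration, not the post's own code. Names and allowlist are assumed.
const ALLOWED_SUFFIXES = [".jpg"]; // assumed: the post only mentions "jpg"

// The client-side check as the post describes it: lower-case, substr from
// the last dot (suffix including the dot), compare with the allowlist.
// It runs in the browser, so it only sees what the browser chooses to pass
// to it; removing the onsubmit handler or editing the request in a proxy
// skips it entirely. It is a usability hint, not a security control.
function clientSideSuffixCheck(fileName) {
  const lower = fileName.toLowerCase();
  const dot = lower.lastIndexOf(".");
  if (dot === -1) return false;
  const suffix = lower.substr(dot); // the post's code uses substr
  return ALLOWED_SUFFIXES.includes(suffix);
}

// A JPEG file starts with FF D8 FF (SOI marker plus the first byte of the
// next marker); used for a content check that does not trust the name.
const JPEG_MAGIC = [0xff, 0xd8, 0xff];

function looksLikeJpeg(bytes) {
  return bytes.length >= JPEG_MAGIC.length &&
    JPEG_MAGIC.every((b, i) => bytes[i] === b);
}

// What the back end in the post does not do: the same decision re-made on
// the server, on the received name and bytes. Both checks must pass; the
// server should also store the file under a name it generates itself rather
// than the client-supplied one, and outside any directory that executes
// scripts, so a renamed script is never reachable as PHP.
function serverSideValidate(fileName, bytes) {
  if (!clientSideSuffixCheck(fileName)) {
    return { ok: false, reason: "suffix not in allowlist" };
  }
  if (!looksLikeJpeg(bytes)) {
    return { ok: false, reason: "content is not a JPEG" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample inputs (not taken from the post).
const SAMPLE_JPEG = Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]);
const SAMPLE_SCRIPT = Uint8Array.from("<?php", (c) => c.charCodeAt(0));

// Walk through the scenarios the post describes and collect the outcomes.
function runScenarios() {
  return {
    // step 4: the browser check rejects info.php
    clientRejectsPhp: clientSideSuffixCheck("info.php"),
    // the browser check accepts info.jpg / INFO.JPG (lower-casing)
    clientAcceptsJpg: clientSideSuffixCheck("INFO.JPG"),
    // the name was changed back to .php after the browser check was skipped
    serverOnRenamedBack: serverSideValidate("info.php", SAMPLE_SCRIPT),
    // the name says .jpg but the bytes are a script
    serverOnDisguisedScript: serverSideValidate("info.jpg", SAMPLE_SCRIPT),
    // a real image with an allowed suffix
    serverOnRealJpeg: serverSideValidate("photo.jpg", SAMPLE_JPEG),
  };
}

console.log(runScenarios());
```

The last three results show the defensive point of the article: once the browser is out of the picture, only the check that the server performs on what it actually received decides whether a script file lands on disk.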


(2) Use Burp Suite to capture the packet and change the file extension

1. Enter the address: http://ip/upfile/1/upload.html

2. On the operating machine, prepare the file (a script file) to be uploaded, for example by creating a new info.php file

3. Click the "Select File" button to select the file to upload

4. Click the "submit" button; the file upload fails

The first four steps are the same as above, so no screenshots


5. According to the prompt, a "jpg" image file must be uploaded. Open the "Burp" folder on the desktop and double-click "BURP.cmd" to start the Burp Suite capture tool

6. Switch to "Options" in the "Proxy" module to view Burp's proxy listener

7. Switch to the browser and select a proxy in the Firefox plug-in (i.e. configure the browser's proxy) that matches Burp's listener

8. The client only accepts jpg files, so rename the script file info.php to info.jpg and then select the file

9. Click the "submit" button to upload the file again; Burp captures the packet

10. Change the suffix in the packet back to php to bypass the client-side check

11. Click "Forward" to forward the packet, switch to the browser, and the script file is uploaded successfully

12. Turn off the browser proxy

13. Visit http://ip/upfile/1/upload/info.php; the uploaded script file is parsed successfully


(3) Construct the upload form

1. Enter the address: http://ip/upfile/1/upload.html

2. On the operating machine, prepare the file (a script file) to be uploaded, for example by creating a new info.php file with the same content as above

3. Click the "Select File" button to select the file to upload

4. Click the "submit" button; the file upload fails

The steps so far are the same as above


5. Right-click and click "View Page Source"

6. It can be seen that the form calls the selectFile() function of the JS code to apply the filtering restriction, and that the form is submitted to the upload.php page. So a forged form without any filtering restriction that also submits to http://ip/upfile/1/upload.php will do: create a new 1.html file

That is, remove the selectFile() part and change the upload location (the underlined location in the figure below)

7. Double-click the 1.html file

8. Click "Browse" and select the script file info.php to upload

9. Click the "submit" button to upload the file again; the script file is uploaded successfully

10. Visit http://ip/upfile/1/upload/info.php; the uploaded script file is parsed successfully


That is all for this article!

Server-side detection and bypass will follow in the next article!


Origin blog.csdn.net/weixin_54055099/article/details/126951235