File Upload
0X00 Overview
A file upload vulnerability lets a user upload an executable script file (a webshell) and then run commands on the server through that script. The upload function itself is not the problem; the problem is what the server does with the file after a successful upload, and whether the web container will parse and execute it. If the server-side handling logic is not strict enough, the uploaded file ends up being parsed and executed by the web container, with serious consequences.
File upload appears wherever users submit content: profile pictures, photo albums, attachments, news images, background images, and so on.
File upload vulnerability categories:
Code layer: the developer lacks security awareness, or the validation performed on upload is not rigorous
Application layer: web container parsing vulnerabilities, misconfiguration, etc.
0X01 Common file upload bypasses
1. Front-end (client-side) bypass
Client-side JavaScript validation: the page only allows files with a .jpg / .png / .jpeg extension and rejects anything else before the request is sent. Because the check runs in the browser, the attacker controls it completely.
Workarounds: 1. Modify the page script and add the script extension (e.g. .php) to the list of allowed extensions
2. Remove the call to the JS validation function so the file is uploaded without being checked at all
3. Rename the file to an allowed extension, e.g. webshell.php -> webshell.jpg, click Upload, intercept the request in Burp and change the filename back to webshell.php so the server stores a file it will parse
2. Server-side bypass
MIME type check: the server validates the MIME type declared for the uploaded file, i.e. the Content-Type header of the multipart part. That header is supplied by the client, so it proves nothing about the file's contents.
Workaround: change the Content-Type in the intercepted request, e.g. Content-Type: text/php -> Content-Type: image/jpeg
Extension blacklist check
The server compares the uploaded file's extension against a list of forbidden extensions to decide whether the file may be stored.
Workarounds: 1. Case variation: the blacklist is matched case-sensitively, so webshell.PHP or webshell.pHp passes, and on a case-insensitive file system or handler mapping it still executes
2. Incomplete list: use an extension the list omits but the server still executes, such as .php3, .php5, .phtml or .phar
3. Special file names the operating system normalizes: on Windows a trailing dot or space (webshell.php. or "webshell.php ") or the NTFS stream suffix (webshell.php::$DATA) is stripped when the file is written, so the stored name is webshell.php
4. 0x00 (null byte) truncation: a check that reads the extension from the end of the name (e.g. a custom getType() helper) sees webshell.php%00.jpg as .jpg, but a file function that treats the name as a C string (PHP before 5.3.4) stops at the null byte and writes webshell.php
5. .htaccess attack: if the blacklist does not cover .htaccess and Apache honours per-directory overrides, upload an .htaccess containing AddType application/x-httpd-php .jpg; afterwards every .jpg in that directory is executed as PHP
Content-based checks: if the server only verifies that the uploaded bytes are an image (magic bytes, getimagesize()), upload a polyglot, a valid image with the webshell appended, e.g. on Windows copy /b 1.gif + 2.txt 2.php. The file passes the image check and is executed if it is stored with a script extension or served through a parsing vulnerability (see below).
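The following is an added example, not code from the original notes: a Python emulation of the blacklist check and of the normalization the storage layer applies, run over one constructed file name per bypass listed above, beside a whitelist check that rejects all of them. BLACKLIST, EXECUTABLE and WHITELIST are assumed values for a hypothetical upload handler on an Apache+PHP host; real handlers are PHP, this only reproduces their decision logic.

```python
# Added example (not from the original page): emulate the extension checks above.
# BLACKLIST / EXECUTABLE / WHITELIST are assumed values for a hypothetical handler;
# the file names in BYPASS_CASES are constructed from the bypasses in the notes.
import re
import secrets

BLACKLIST = {"php", "asp", "jsp", "aspx"}                 # the flawed blacklist
EXECUTABLE = {"php", "php3", "php5", "phtml", "phar"}      # what the container runs
WHITELIST = {"jpg", "jpeg", "png", "gif"}                  # the hardened allowlist


def naive_extension(name):
    """Extension as a simplistic check reads it: everything after the last dot."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def blacklist_allows(name):
    """Flawed check: case-sensitive compare of the last extension against the blacklist."""
    return naive_extension(name) not in BLACKLIST


def stored_name(name, windows=False, c_strings=True):
    """Name the file ends up with on disk.
    c_strings: file APIs that take C strings (PHP before 5.3.4) stop at a NUL byte.
    windows: NTFS strips trailing dots/spaces and the ::$DATA stream suffix."""
    if c_strings:
        name = name.split("\x00", 1)[0]
    if windows:
        name = name.split("::$DATA", 1)[0].rstrip(". ")
    return name


def executes(stored):
    """Would the stored file run as code (or, for .htaccess, reconfigure the directory)?
    Handler lookups are case-insensitive, so .PHP counts as .php."""
    base = stored.rsplit("/", 1)[-1]
    return base == ".htaccess" or naive_extension(base).lower() in EXECUTABLE


# (file name, stored on Windows?) pairs, one per bypass listed in the notes
BYPASS_CASES = [
    ("webshell.PHP", False),          # 1. case variation
    ("webshell.phtml", False),        # 2. extension missing from the list
    ("webshell.php.", True),          # 3. Windows strips the trailing dot
    ("webshell.php::$DATA", True),    # 3. NTFS default data stream suffix
    ("webshell.php\x00.jpg", False),  # 4. NUL truncation
    (".htaccess", False),             # 5. AddType application/x-httpd-php .jpg
]


def blacklist_bypasses():
    """Names the blacklist accepts that still execute once stored."""
    return [name for name, win in BYPASS_CASES
            if blacklist_allows(name) and executes(stored_name(name, windows=win))]


def whitelist_allows(name, windows=False):
    """Hardened check: reject NUL bytes and anything the OS would rewrite, then
    require exactly base.ext with a plain base name and an allow-listed extension."""
    if "\x00" in name or stored_name(name, windows=windows, c_strings=False) != name:
        return False
    parts = name.split(".")
    return (len(parts) == 2
            and re.fullmatch(r"[A-Za-z0-9_-]{1,64}", parts[0]) is not None
            and parts[1].lower() in WHITELIST)


def safe_store_name(name, windows=False):
    """Store under a server-chosen random name; only the validated extension survives."""
    if not whitelist_allows(name, windows=windows):
        raise ValueError(f"rejected upload name: {name!r}")
    return secrets.token_hex(8) + "." + name.rsplit(".", 1)[1].lower()


if __name__ == "__main__":
    print("blacklist lets through:", blacklist_bypasses())
    print("whitelist lets through:", [n for n, w in BYPASS_CASES if whitelist_allows(n, w)])
    print("photo.JPG stored as", safe_store_name("photo.JPG"))
```

All six constructed names pass the blacklist and still execute after storage; the whitelist rejects every one of them, and the stored name is chosen by the server rather than the client, so even a future parsing bug has no attacker-controlled name to work with.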
3. Bypass using a parsing vulnerability
Apache parsing vulnerability
Apache's mod_mime treats every dot-separated part of a file name as an extension. An extension that is not mapped to anything is simply skipped, and a part that only sets a MIME type does not clear a handler selected by another part. For example, with AddHandler application/x-httpd-php .php in effect, webshell.php.jpg is still handed to the PHP handler: the .php part selects the handler and the .jpg part only sets the content type. Mapping PHP only by the final extension (<FilesMatch "\.php$"> with SetHandler) removes the problem.
IIS parsing vulnerability
IIS 5.x-6.x: the issues below concern the .asp handler.
IIS 6.0 directory parsing: every file inside a directory whose name ends in .asp is executed as ASP, e.g. /upload.asp/1.jpg
IIS 6.0 file parsing: the server stops at a semicolon in the file name and ignores everything after it, so webshell.asp;.jpg is executed as ASP
IIS 7.0/7.5 running PHP through FastCGI has the same parsing issue as nginx: append "/anything.php" to the URL of an uploaded file and the uploaded file is parsed as PHP.
Nginx parsing vulnerability
1. (uploaded file)/(any name).php is executed as PHP: nginx passes the full request path as SCRIPT_FILENAME, and with cgi.fix_pathinfo=1 PHP walks back to the first path that actually exists, the uploaded image, and runs it
2. (uploaded file)%00.php: null-byte parsing attack, affecting old nginx versions
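The following is an added example, not the servers' code: a Python emulation of the three resolution rules above (PHP's cgi.fix_pathinfo walk-back as used by nginx and IIS 7 FastCGI, Apache mod_mime's multi-extension handler selection, and the IIS 6 semicolon and .asp-directory rules), together with the settings that close them (php-fpm's security.limit_extensions, fix_pathinfo=0, FilesMatch on the final extension). The document root, the uploaded 1.jpg and its contents are constructed inside a temporary directory.

```python
# Added example (not from the original page): emulate the parsing rules above.
# The document root and the uploaded 1.jpg are constructed in a temp directory.
import os
import tempfile


def fix_pathinfo_resolve(docroot, uri, fix_pathinfo=True, limit_extensions=()):
    """Emulate how PHP-FPM/FastCGI picks the script for a request.

    nginx and IIS pass the whole URI path as SCRIPT_FILENAME. If that file does
    not exist and cgi.fix_pathinfo=1, PHP walks back one component at a time
    until an existing file is found, runs it, and treats the rest as PATH_INFO.
    limit_extensions emulates php-fpm's security.limit_extensions, which refuses
    to run a script whose extension is not listed.
    Returns (script_path, path_info), or None if nothing would be executed.
    """
    script = os.path.join(docroot, uri.lstrip("/"))
    path_info = ""
    while not os.path.isfile(script):
        parent = os.path.dirname(script)
        if not fix_pathinfo or parent == script or script == docroot:
            return None
        path_info = "/" + os.path.basename(script) + path_info
        script = parent
    if limit_extensions and os.path.splitext(script)[1] not in limit_extensions:
        return None
    return script, path_info


APACHE_HANDLERS = {"php": "application/x-httpd-php"}  # AddHandler application/x-httpd-php .php


def apache_handler(filename, files_match=False):
    """Emulate mod_mime handler selection for a multi-extension file name.
    Every dot-separated part after the base name is an extension; a part that
    maps to nothing (or only to a MIME type) leaves the handler alone, so
    webshell.php.jpg keeps the PHP handler. files_match=True emulates
    <FilesMatch "\\.php$"> SetHandler, which looks only at the final extension."""
    exts = [e.lower() for e in filename.split(".")[1:]]
    if files_match:
        return APACHE_HANDLERS.get(exts[-1]) if exts else None
    handler = None
    for ext in exts:
        handler = APACHE_HANDLERS.get(ext, handler)
    return handler


def iis6_runs_as_asp(uri):
    """IIS 6 rules: a ';' ends the file name, and any directory named *.asp
    makes everything below it ASP, e.g. /upload.asp/1.jpg."""
    name = uri.split(";", 1)[0]
    return any(part.lower().endswith(".asp") for part in name.split("/"))


def demo():
    """Run the nginx / IIS 7 case against a constructed document root."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "uploads"))
        with open(os.path.join(docroot, "uploads", "1.jpg"), "wb") as f:
            f.write(b"GIF89a<?php echo 'not really an image'; ?>")  # constructed polyglot
        uri = "/uploads/1.jpg/anything.php"
        vuln = fix_pathinfo_resolve(docroot, uri)                                   # executed as PHP
        fixed = fix_pathinfo_resolve(docroot, uri, limit_extensions=(".php",))     # refused by php-fpm
        off = fix_pathinfo_resolve(docroot, uri, fix_pathinfo=False)               # 404, no walk-back
        return (os.path.relpath(vuln[0], docroot), vuln[1], fixed, off)


if __name__ == "__main__":
    print(demo())
    print(apache_handler("webshell.php.jpg"), apache_handler("webshell.php.jpg", files_match=True))
    print(iis6_runs_as_asp("/upload/webshell.asp;.jpg"), iis6_runs_as_asp("/upload.asp/1.jpg"))
```

With the default settings the request for /uploads/1.jpg/anything.php resolves to the uploaded image with PATH_INFO /anything.php; either fix_pathinfo=0 or security.limit_extensions = .php stops it. On the nginx side, try_files $uri =404 in the PHP location has the same effect because the literal path does not exist.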
File download
Many sites have a download function. If the download module does not restrict, or restricts incorrectly, the file types and directories that may be downloaded, a malicious user can view or download sensitive files by supplying a path parameter such as ../../etc/passwd or a path to the application's source.
An attacker who downloads the web application's source code and database configuration file obtains the database credentials, can dump the database, tamper with it, or escalate privileges directly through the database. Downloading password files, web server and application configuration files, and similar sensitive files yields further information about the database and the host.
Remediation: strictly validate the user-supplied parameter; allow only a plain file name or an identifier looked up in a table, resolve it under a fixed download directory, and reject any path that escapes that directory.
File inclusion
File inclusion functions (PHP):
require()
require_once()
include()
include_once()
If the parameter passed to one of these functions is not filtered or strictly defined and can be controlled by the user, the user can make the application include a different, malicious file, resulting in unintended code execution.
0X00 Local file inclusion (LFI): the included file is on the local server, e.g. /etc/passwd, a log file, or an uploaded image that carries PHP code
0X01 Remote file inclusion (RFI): the included file is fetched from a third-party server (requires allow_url_include=On in PHP)
Remediation: strictly check the user-supplied parameter, and where possible map it to a fixed allowlist of files instead of using it as a path.
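The following is an added example, not code from the original notes, covering the two remediation points above (file download and file inclusion): a download resolver that confines a user-supplied path to one directory, and an allowlist lookup that replaces using the include parameter as a path. PHP's include()/require() have no Python counterpart, so only the parameter checks are shown; DOWNLOAD_DIR, PAGES, the sample files and the request strings are constructed for the demo.

```python
# Added example (not from the original page): the parameter checks that the
# file-download and file-inclusion remediations call for. PAGES and the files
# created in demo() are constructed for illustration.
import os
import tempfile


def safe_download_path(base_dir, user_path):
    """Resolve a user-supplied download parameter strictly inside base_dir.

    Rejects NUL bytes, absolute paths, ../ traversal and symlinks that point
    outside base_dir (realpath follows them before the containment check).
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))   # "/etc/passwd" discards base
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes download directory: {user_path!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(user_path)
    return target


# Constructed allowlist: the include parameter selects a key, never a path.
PAGES = {"home": "pages/home.php", "about": "pages/about.php"}


def resolve_include(page):
    """Map the 'page' parameter to a fixed file; '../x', 'http://...' and
    'home%00' all fail the lookup instead of reaching the include call."""
    try:
        return PAGES[page]
    except KeyError:
        raise ValueError(f"unknown page: {page!r}") from None


def demo():
    """Exercise the download check against a constructed directory layout:
    downloads/report.pdf is the only legitimate target; config.php sits one
    level above it, like the database configuration file the notes describe."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        download_dir = os.path.join(root, "downloads")
        os.makedirs(download_dir)
        open(os.path.join(download_dir, "report.pdf"), "wb").close()
        open(os.path.join(root, "config.php"), "wb").close()
        for req in ["report.pdf", "../config.php", "/etc/passwd", "report.pdf\x00.jpg", "."]:
            try:
                safe_download_path(download_dir, req)
                results[req] = "served"
            except (ValueError, FileNotFoundError) as exc:
                results[req] = type(exc).__name__
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:24} -> {outcome}")
    print(resolve_include("home"))
```

The two checks share one principle: the request never names a file system path directly. For downloads the path is rebuilt under a fixed directory and verified after realpath(), so a symlink planted in the download directory is caught as well; for includes the parameter is only ever a dictionary key.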