File upload vulnerability (File Upload)

Brief introduction

File Upload, that is, the file upload vulnerability, usually arises because the type and content of the files a user uploads are not strictly filtered and checked. An attacker can therefore upload Trojans, viruses, malicious scripts and the like, obtain a webshell on the server, and from there attack and take control of it, so the damage from a file upload vulnerability is often devastating. Put simply, a user uploads a webshell to the server, either directly or by bypassing the checks in various ways, and then executes it. For example, in a PHP server environment, if a user uploads a one-line PHP Trojan (webshell) and connects to it with Chopper (the China Chopper webshell client), they may be able to tamper with your server's files and even execute commands.

File upload verification method

Client-side JavaScript check (usually checks only the extension)

When the user selects a file to upload, before the browser has sent anything to the server, a front-end JS script checks the file's extension to decide whether that file type may be uploaded.

Server-side checks

  • Content-Type header validation: the backend checks the MIME type of the uploaded file against a blacklist or whitelist
  • File header (magic bytes) check

Different file types have different file headers. The file header describes some important attributes of a file and tells the programs that open and process it what those attributes are. Some upload interfaces inspect the header of the uploaded file to decide whether it really is the claimed type: for example, the jpg header is JFIF, the gif header is GIF89a, and the png header is %PNG.

  • File size check

Some interfaces use a function such as getimagesize() to check whether the uploaded picture has the dimensions of a normal image, in order to stop a one-line Trojan from being uploaded.

  • Extension blacklist check
  • Extension whitelist check
  • Custom regular-expression check
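As an added example that is not code from the original post, the following Python shows how those server-side checks fit together on the receiving side. It assumes the jpg/jpeg/png whitelist and 100,000-byte limit of the DVWA level used in the experiment below, cross-checks the claimed extension against the real file header instead of the client's Content-Type, and flags PHP open tags inside an otherwise valid image, which neither the MIME check nor the header check alone can do:

```python
import os

ALLOWED_EXT = {"jpg", "jpeg", "png"}   # whitelist, as the DVWA "high" level below does
MAX_BYTES = 100_000                    # size limit, also from the DVWA "high" level
# Real magic bytes; the post's "JFIF" / "GIF89a" / "%PNG" are the printable parts.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF89a",
}
PHP_TAGS = (b"<?php", b"<?=")          # open tags PHP honours wherever they appear in a file

def detect_type(data: bytes):
    """Type implied by the first bytes of the file, independent of its name or MIME type."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def validate_upload(filename: str, content_type: str, data: bytes) -> list:
    """Return rejection reasons; an empty list means the upload is accepted.

    content_type is the client's multipart header. It is cheap to forge, so a
    declared image type earns nothing; only a non-image declaration is rejected."""
    reasons = []
    if "\x00" in filename:                        # null-byte truncation attempt
        reasons.append("null-byte")
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()  # last suffix only, case-folded
    if ext not in ALLOWED_EXT:
        reasons.append("extension")
    if not content_type.lower().startswith("image/"):
        reasons.append("content-type")
    if not data or len(data) > MAX_BYTES:
        reasons.append("size")
    expected = "jpg" if ext == "jpeg" else ext
    if detect_type(data) != expected:             # header must agree with the claimed extension
        reasons.append("header")
    if any(tag in data for tag in PHP_TAGS):      # script prefixed by a header or appended to a tail
        reasons.append("embedded-script")
    return reasons

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32     # constructed stub, not a real image
    print(validate_upload("photo.PNG", "image/png", png))                      # []
    print(validate_upload("shell.jpg", "image/jpeg", b"GIF89a<?php echo 1;"))  # header + embedded-script
```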

WAF device check

(Depends on the WAF product)

Bypass techniques

1) Client-side check

a) First give the file an extension that passes the front-end script, then capture the upload request with Burp Suite and change the extension in the packet back to the original one; this also bypasses the check

b) Disable JavaScript locally in the browser

2) Content-Type header validation

Use Burp Suite, Firebug or a similar tool to tamper with the Content-Type HTTP header, changing e.g. Content-Type: application/php to a type the web application allows, such as Content-Type: image/jpg, Content-Type: image/png or Content-Type: text/plain.

Common MIME types:

  • text/plain (plain text)
  • text/html (HTML document)
  • text/javascript (JS code)
  • application/xhtml+xml (XHTML document)
  • image/gif (GIF image)
  • image/jpeg (JPEG image)
  • image/png (PNG image)
  • video/mpeg (MPEG video)
  • application/octet-stream (binary data)
  • application/pdf (PDF file)
  • application/(programming language) (code in that language)
  • application/msword (Microsoft Word document)
  • message/rfc822 (RFC 822 message)
  • multipart/alternative (HTML e-mail carrying the same content in both HTML and plain-text form)
  • application/x-www-form-urlencoded (form submitted with POST)
  • multipart/form-data (form submitted with POST that includes a file upload)

3) File header check

a) Prepend the header bytes of the allowed file type to the script (the PHP engine treats everything before <? as HTML text and outputs it without interpreting it, so the code that follows is still executed)

Attached: a table of file headers for various formats (the table is an image and is not reproduced here)

c) Take a file of a type that the filter accepts and merge it with the script file to create an image Trojan; after uploading the new file, combine it with a file inclusion vulnerability to get a shell

4) File size check

Pad the uploaded data with junk bytes, or create an image Trojan, to bypass it.

5) Extension blacklist check

Look for file types missing from the blacklist to bypass it.

6) Other bypasses

  • Null byte (00) truncation
  • Extension case bypass
  • Race conditions
  • Parsing vulnerabilities

Summary: bypassing upload checks calls for flexibility rather than rigidly applying one method; several techniques can be combined to get the upload through.

Experiment

Environment: phpstudy2016

Target: DVWA file upload, HIGH security level

Source code

From the source it can be seen that this level filters with a whitelist: only files with the suffix jpg, jpeg or png may be uploaded, and the file size must be less than 100,000 bytes.

Use the copy command in cmd to generate an image Trojan.

Confirm that the one-line Trojan has been appended to the tail of the picture.

The upload succeeds.

The file can be seen in the C:\phpstudy\WWW\DVWA\hackable\uploads directory.

Try to connect with Chopper.

An error occurs, because the Trojan is treated as a picture and is not parsed as PHP.

The File Inclusion vulnerability can then be used.

Use DVWA's File Inclusion vulnerability to have the picture parsed as PHP.

Construct the URL:

http://169.254.16.216/DVWA/vulnerabilities/fi/?page=file:///C:\phpstudy\WWW\DVWA/hackable/uploads/shell.jpg, added to Chopper with the connection parameter qlu

A connection error occurs, because DVWA requires a login.

Right-click the shell just added in Chopper, choose "visit the website", log in to DVWA in Chopper's own browser and set the security level to high or lower.

The connection then succeeds.

Protection

1. Make the upload directory non-executable
As long as the web container cannot parse files in that directory as scripts, the server itself is unaffected even if an attacker uploads a script file, so this is crucial.

2. Check the file type
When determining the file type, the MIME type can be used together with an extension check. For the file type check a whitelist is strongly recommended; the blacklist approach has been proven unreliable many times. Further, for image processing, a compression or resize function can be used, which destroys any HTML code embedded in the picture while the image is processed.

3. Use random numbers to rewrite the file name and path
For the code in an uploaded file to run, the user must be able to access that file. In some environments users can upload but cannot access what they uploaded. If the file name and path are rewritten with random values, the cost of the attack rises greatly. Likewise, files such as shell.php.rar.rar and crossdomain.xml lose their attack value once they are renamed.

4. Serve files from a separate domain name
Because of the browser's same-origin policy, a series of client-side attacks will fail: problems such as an uploaded crossdomain.xml or an uploaded file containing a JavaScript XSS payload are resolved.
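As an added example that is not part of the original post, the following Python stands in for the re-encode step of point 2 and the random renaming of point 3: it rebuilds a PNG from its critical chunks only, so bytes appended after IEND (the tail-append used in the experiment above) are never copied and metadata chunks are dropped, and it names the stored file from the detected type rather than the client's file name. The sample PNG is constructed inline; a real deployment would re-encode with an image library rather than this chunk rewrite.

```python
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff))

def rebuild_png(data: bytes) -> bytes:
    """Re-serialize a PNG from its critical chunks only (IHDR, PLTE, IDAT, IEND).

    Everything after IEND (where a tail-appended script lives) is discarded,
    ancillary chunks (metadata that could carry text) are dropped, and a bad
    CRC or a malformed chunk raises ValueError instead of being passed through."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out = bytearray(PNG_SIG)
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4 or not ctype.isalpha():
            raise ValueError("malformed chunk at offset %d" % pos)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xffffffff:
            raise ValueError("bad CRC in %r chunk" % ctype)
        chunk = data[pos:pos + 12 + length]
        pos += 12 + length
        if ctype[0] & 0x20:          # lowercase first letter = ancillary chunk: drop it
            continue
        out += chunk
        if ctype == b"IEND":
            return bytes(out)        # trailing bytes after IEND are never copied
    raise ValueError("no IEND chunk")

def storage_name(kind: str) -> str:
    """Random file name; the extension comes from the detected type, not the client."""
    return secrets.token_hex(16) + "." + kind

# Constructed sample input: a 1x1 grayscale PNG with one text (metadata) chunk.
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"tEXt", b"Comment\x00constructed metadata")
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + png_chunk(b"IEND", b""))

if __name__ == "__main__":
    tainted = SAMPLE_PNG + b"<?php /* constructed tail marker */ ?>"
    clean = rebuild_png(tainted)
    print(len(tainted), "->", len(clean), "bytes, stored as", storage_name("png"))
```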


Source: www.cnblogs.com/r3t7rn/p/11440132.html