Upload Vulnerability
Mirror Wang Yuyang
October 28, 2019
Almost every web site has some form of file upload (pictures, documents, zip archives and so on), and wherever there is an upload function there may be an upload vulnerability. Compared with SQL injection, an upload vulnerability is usually more dangerous, because a successful exploit puts a WebShell directly on the server.
Parsing Vulnerability
Exploiting an upload vulnerability usually requires combining it with a parsing vulnerability in the web container (IIS, Nginx, Apache, Tomcat): the upload only leads to code execution if the server can be made to execute the uploaded file as a script.
IIS Parsing Vulnerability
IIS 5.x / IIS 6.0 File Parsing Vulnerability
Directory name: if a directory name contains the string `.asp` (for example `index.asp/`), every file under that directory is handed to asp.dll and executed as an ASP script, whatever its extension. Given a directory named `xx.asp`, any file requested from inside it (`/xx.asp/1.jpg`) is executed as ASP.
File name: if a file name contains `.asp;`, the file is executed as ASP even when it is a jpg. A file named `xx.asp;xx.jpg` is handed to asp.dll by IIS 6. Cause: IIS scans the file name from left to right for the first `.`, then truncates the name at the next `;` or `/`; after truncation IIS sees only `xx.asp` and picks the ASP script engine.
Default mappings: IIS 6 also maps `.asa`, `.cer` and `.cdx` to asp.dll by default, so an uploaded file with any of these three extensions executes as ASP as well.
Remediation:
- Restrict the permissions of the web application's user so it cannot create or modify folders under the web root (this removes the `xx.asp/` directory trick).
- Apply Microsoft's patches, or tighten the IIS request-filtering and script-mapping rules so that names containing `;` or an illegal suffix can neither be uploaded nor executed.
IIS 7.0 / 7.5
With Fast-CGI enabled (the default), appending `/xx.php` to the URL of an uploaded file makes IIS execute that file as PHP: a request for `xx.jpg/xx.php` runs `xx.jpg` through the PHP interpreter.
Repair: in php.ini set `cgi.fix_pathinfo = 0`. This IIS 7 "parsing vulnerability" is really a PHP misconfiguration (PATH_INFO fix-up) rather than a bug in IIS itself.
Windows file names: Windows does not allow a file name to end with a space or a `.`, and silently strips trailing spaces and dots when the file is created. An upload filter that looks at `xx.php.` or `xx.php ` sees an extension that is not `php`, but the file lands on disk as `xx.php`. This behaviour is the basis of a further file-parsing trick on Windows hosts.
Nginx Parsing Vulnerability
Nginx <= 0.8.37
Affected versions: 0.5.x, 0.6.x, < 0.7.65, < 0.8.37.
With Fast-CGI, the same problem as IIS 7 exists: appending `/xx.php` to the URL of an uploaded file makes `xx.jpg/xx.php` execute `xx.jpg` as PHP. As on IIS 7, the root cause is PHP's `cgi.fix_pathinfo` combined with an nginx configuration that forwards every `.php` URL to PHP without checking that the script actually exists on disk.
Null byte: `xx.jpg%00.php` is also executed as PHP in the affected versions (whether this works depends on the exact version).
Repair:
- In php.ini set `cgi.fix_pathinfo = 0`.
- In the nginx configuration, return 403 for URLs of the form `xx.jpg/xx.php`:
```nginx
if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
```
A more robust check is `try_files $uri =404;` inside the `location ~ \.php$` block, which refuses to run a path that does not exist as a file.
Apache Parsing Vulnerability
Apache extension parsing vulnerability
Apache evaluates a file's extensions from right to left. If the right-most extension is not one it has a handler for, it moves one extension to the left and tries again, until it finds one it recognises. For `xxx.php.owf.zip`, `.zip` and `.owf` select no handler, so Apache keeps going left, reaches `.php`, and executes the file as PHP. (Strictly, mod_mime looks at every extension and each one only sets the properties it is mapped to; since neither `.owf` nor `.zip` sets a handler, the handler chosen by `.php` survives. This requires PHP to be attached with `AddHandler`; a `SetHandler` inside `<FilesMatch "\.php$">` does not have this multiple-extension behaviour.)
Repair: forbid execution of names like `xx.php.xxx` in the Apache configuration:
```apache
<Files ~ "\.(php\.|php3\.)">
    Order Allow,Deny
    Deny from all
</Files>
```
On Apache 2.4 the access-control lines are `Require all denied` instead of `Order`/`Deny`.
Apache "%0A" bypass of an upload blacklist [CVE-2017-15715]
Suppose the application's upload handler contains the following blacklist logic (the file name is taken from a separate POST field `name`, which is what makes the trick possible):
```php
<?php
if (isset($_FILES['file'])) {
    $name = basename($_POST['name']);
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    if (in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {
        exit("bad file");
    }
    move_uploaded_file($_FILES['file']['tmp_name'], './' . $name);
}
?>
```
It reads the extension of the uploaded file name and blocks the upload if the extension is on the blacklist.
With CVE-2017-15715 (Apache httpd 2.4.0 to 2.4.29), upload a file whose name ends in a line feed. Only `\x0A` works, not `\x0D\x0A`, so in the intercepted request edit the `name` field in hex and append a single `0a` byte, giving `1.php\x0A`. The blacklist computes the extension as `php\n`, which is not in the list, and the file is saved as `1.php\n`. Apache's `<FilesMatch "\.php$">` still matches that name, because in the affected versions `$` matches just before a trailing newline.
Then request `/1.php%0A`: the file is executed as PHP and you have a shell.
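The following script is an added example, not code from the original post, that reproduces both halves of the bypass on the same file names: the blacklist from the handler above (copied as-is), a PCRE `$` match standing in for Apache's `<FilesMatch "\.php$">`, and a hardened allow-list check anchored with `\A`/`\z`. The function names are my own.

```php
<?php
// Added example (not from the original post): why the blacklist above lets
// "1.php\n" through, and why an Apache "\.php$" rule still executes it.

$blacklist = ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'];

function blocked_by_blacklist(string $name, array $blacklist): bool
{
    // Identical to the vulnerable handler: pathinfo() keeps the trailing "\n"
    // in the extension, so "php\n" !== "php" and the name is not on the list.
    $ext = pathinfo(basename($name), PATHINFO_EXTENSION);
    return in_array($ext, $blacklist, true);
}

function matched_by_apache_dollar(string $name): bool
{
    // PCRE "$" (without the D modifier) also matches just before a final
    // newline. That is the behaviour <FilesMatch "\.php$"> had in Apache
    // httpd 2.4.0-2.4.29 (CVE-2017-15715); 2.4.30 stopped "$" matching there.
    return preg_match('/\.php$/', $name) === 1;
}

function hardened_name_ok(string $name): bool
{
    // Allow-list instead of deny-list, exactly one extension, and \A / \z
    // anchors (not ^ / $) so no leading or trailing control byte slips past.
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)\z/', $name) === 1;
}

// Constructed sample names; "1.php\n" is the CVE-2017-15715 payload.
$cases = ["1.php", "1.php\n", "1.jpg", "1.jpg\n", "1.php.jpg", "1.jpg.php"];
foreach ($cases as $c) {
    printf("%-12s blacklist_blocks=%d apache_dollar_matches=%d hardened_ok=%d\n",
        json_encode($c),
        blocked_by_blacklist($c, $blacklist),
        matched_by_apache_dollar($c),
        hardened_name_ok($c));
}
```

Run it with `php` on the command line. `"1.php\n"` shows `blacklist_blocks=0` but `apache_dollar_matches=1`, which is exactly the gap the exploit uses, while `hardened_ok` is 0 for every name that carries a second extension or a trailing byte. The same `\z` anchoring (or the `D` modifier) is what you want in any PHP-side regex that gates file names.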
File upload bypass
Client-side validation
The client checks the extension of the chosen file with JavaScript:
```javascript
// Check the file extension in the browser against a whitelist
extArray = new Array('.gif', '.jpg', '.png');
function LimitAttach(form, file) {
    allowSubmit = false;
    if (!file) return;
    // strip any Windows path component in front of the file name
    while (file.indexOf('\\') != -1) file = file.slice(file.indexOf('\\') + 1);
    ext = file.slice(file.indexOf('.')).toLowerCase();
    for (var i = 0; i < extArray.length; i++) {
        if (extArray[i] == ext) { allowSubmit = true; break; }
    }
    if (allowSubmit) form.submit();
    else alert("bad Extension");
}
```
A client-side check like this is normally bypassed by intercepting the request with a proxy. The server side in this example accepts the file without any check at all:
```php
<?php
// Receive the file (no validation whatsoever)
if (isset($_POST['submit'])) {
    $name = $_FILES['file']['name'];                          // original file name
    $name = md5(date('Y-m-d H:i:s')) . strrchr($name, '.');   // rename, keeping the extension
    $size = $_FILES['file']['size'];                          // size in bytes
    $tmp  = $_FILES['file']['tmp_name'];                      // temporary path
    move_uploaded_file($tmp, $name);                          // move the file into the current directory
    echo 'Upload succeeded: ' . $name;
}
?>
```
To bypass client-side validation:
- Use FireBug or the browser's developer tools to edit the page locally so the check function is never called (or always submits), then submit the form.
- Alternatively, pick a file that passes the client check, intercept the request and change the file name (and content) in the packet. Editing the packet may change its size, so keep the `Content-Length` header consistent with the actual body length.
Server-side checks
- `Content-type` field validation (MIME type check)
- File extension detection (checking the extension) with a blacklist or whitelist
- File content detection (checking whether the content is a legitimate file or contains malicious code)
- Directory validation
MIME check: Content-type
The `Content-type` field carries the MIME type the client claims for the file; checking it gives a simple first filter:
```php
<?php
// Check the MIME type in the Content-type field
if ($_FILES['file']['type'] != 'image/jpeg') {   // MIME type as claimed by the client
    echo "Sorry! Wrong upload format";
    exit;
}
?>
```
Bypassing the MIME check: intercept the request with Burp and change the `Content-Type` of the file part to the required type (for example `image/jpeg`). `$_FILES['file']['type']` is copied from the request, not derived from the file content, so the check trusts whatever the client sends.
Extension detection
Blacklist policy: a dedicated list on the server records the extensions that may not be uploaded.
Whitelist policy: a dedicated list on the server records the extensions that may be uploaded.
```php
<?php
// Extension detection
if (isset($_POST['submit'])) {
    $name = $_FILES['file']['name'];          // file name
    $ext  = substr(strrchr($name, "."), 1);   // strrchr() finds the last "." and returns the rest; substr(..., 1) drops the dot
    $list = ['php', 'php3', 'php4', 'php5'];  // the black (or white) list
    if (in_array(strtolower($ext), $list)) {  // compare against the list; on a hit, block (blacklist) or allow (whitelist)
        exit('blocked');
    }
}
?>
```
Directory validation
Store all uploaded files in one fixed directory:
```php
<?php
// Directory validation
if (isset($_POST['submit'])) {
    $name = $_FILES['file']['name'];                              // file name
    $name = date('Y-m-d H:i:s') . strrchr($name, '.');            // rename, keeping the extension
    $dir  = "./root/";                                            // storage path: fixed by the server, or chosen by some server-side rule
    move_uploaded_file($_FILES['file']['tmp_name'], $dir . $name); // move the file into the storage directory
}
?>
```
Example of server-side validation code combining the checks above (extension whitelist plus MIME type):
```php
<?php
if (isset($_POST['submit'])) {
    $name = $_FILES['file']['name'];
    $type = $_FILES['file']['type'];
    $tmp  = $_FILES['file']['tmp_name'];
    $dir  = "./image/";
    $file_array = array('jpeg', 'png', 'jpg', 'gif');   // whitelist
    for ($i = 0; $i < count($file_array); $i++) {
        if (substr(strrchr($name, "."), 1) == $file_array[$i]) {
            if ($type == "image/gif" || $type == "image/jpeg") {
                move_uploaded_file($tmp, $dir . $name);
                echo "Image uploaded successfully ... " . $name;
                exit;
            }
        }
    }
}
?>
```
Both inputs this code trusts, the file name and the `Content-type`, are supplied by the client.
Bypass strategy
- Intercept the request with Burp and modify it to get past the check (change the file name, the `Content-Type`, or both), then combine the upload with one of the parsing vulnerabilities above to getShell.
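As an added example that is not part of the original post, here is an upload handler that closes the bypasses discussed in the MIME check, extension detection and directory validation sections, and that also defeats the IIS 6 `;`, Windows trailing-dot and Apache multiple-extension tricks by never using the client's file name at all. The storage path, size limit and accepted types are assumptions; the form field is assumed to be named `file`.

```php
<?php
// Added example, not part of the original post. Assumptions: UPLOAD_DIR lies
// outside the web root and has no script handler; MAX_BYTES and ALLOWED are
// policy choices for this example.

const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed limit

// Accepted types, keyed by the MIME type detected from the bytes, mapped to
// the extension the *server* will assign. The client's name is never reused.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function validate_upload(array $f): string
{
    // $_FILES[..]['name'], ['type'] and ['size'] are copied from the request
    // and attacker-controlled. Only 'error', 'tmp_name' and the bytes count.
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . ($f['error'] ?? 'none'));
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the type from the content (libmagic), not from Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . var_export($mime, true));
    }
    // Second opinion from the image parser: rejects a text file carrying only
    // a forged magic header, and cross-checks the two detections agree.
    $info = getimagesize($f['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // Random server-chosen name and server-chosen extension: no ";", "/", ".",
    // "\n" or second extension can come from the client, so the IIS, Nginx,
    // Apache and Windows file-name tricks have nothing to work with.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

function store_upload(array $f): string
{
    $name = validate_upload($f);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // never executable
    return $name;         // serve later through a read-only download script, not by direct URL
}

if (isset($_FILES['file'])) {
    try {
        echo 'stored as ' . htmlspecialchars(store_upload($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

A file that passes both content checks can still contain `<?php ...` inside an EXIF field or a GIF comment; that is harmless as long as the storage directory is never mapped to a script handler and the download path sets its own `Content-Type`. If the images must live inside the web root, re-encode them with GD (`imagecreatefromjpeg` followed by `imagejpeg`, and the PNG/GIF equivalents) so that embedded payloads are discarded.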
Text editor upload vulnerabilities
Common text editors: FCKEditor, Ewebeditor, UEditor, KindEditor, XHditor; the so-called "rich text editors".
I have only come across a few of these editors; here is a good reference article: https://blog.yuntest.org/jszy/stcs/91.html