File upload Parsing Vulnerability

Upload Vulnerability

Mirror Wang Yuyang

October 28, 2019

Web sites typically have file-upload functionality (pictures, documents, zip archives, etc.), and wherever there is an upload function there may be an upload vulnerability. Compared with SQL injection, an upload vulnerability is even more dangerous, because it can be used to put a WebShell on the server.

Parsing Vulnerability

Exploiting an upload vulnerability usually requires combining it with a parsing vulnerability in the web container (IIS, Nginx, Apache, Tomcat) for the uploaded file to actually be executed.

IIS Parsing Vulnerability

IIS5.x / IIS 6.0 File Parsing Vulnerability

  • Directory name containing ".asp": every file in a directory whose name contains ".asp" is parsed as ASP; for example, all files under index.asp/ are parsed as ASP

    When a directory is named xx.asp, any file accessed inside it is handed to asp.dll (executed as an ASP script)

  • File name containing ".asp;": even a file in jpg format is parsed by IIS as an ASP file

    When the file name is xx.asp;xx.jpg, IIS 6 hands the file to asp.dll (it is parsed as an ASP script);

    Reason: IIS scans the name from left to right for the ".", then on reaching ";" or "/" it truncates the name (in memory) at that point; after this, IIS sees xx.asp

  • Default mappings: .asa .cer .cdx are mapped to asp.dll by default in IIS 6, so these three extensions are also parsed as ASP

  • Remediation:

    Set permissions so that users cannot create or modify folders

    Apply Microsoft's patch, or customize IIS's detection rules to block uploads of illegal file-name suffixes

IIS7.0 / 7.5

  • Fast-CGI is enabled by default; appending /xx.php to the URL of a file on the server, e.g. xx.jpg/xx.php, causes xx.jpg to be parsed as a PHP file

  • Repair method:

    Modify the php.ini file and set cgi.fix_pathinfo to 0

    The IIS 7 parsing vulnerability is mainly due to improper PHP configuration

    On Windows, a file name cannot begin or end with a space or "."; when a file is created with such a name, Windows automatically removes the leading and trailing spaces and dots. This behaviour can lead to a "file parsing vulnerability."

Nginx Parsing Vulnerability

Nginx <= 0.8.37

Affected versions: 0.5 / 0.6 / <0.7.65 / <0.8.37

  • With Fast-CGI on, there is the same vulnerability as in IIS 7: appending /xx.php to the URL, e.g. xx.jpg/xx.php, causes the file to be parsed as PHP

    Null byte: xx.jpg%00.php (only in some versions; Fast-CGI execution of it has since been closed off)

  • Repair method:

    In php.ini, set cgi.fix_pathinfo to 0 (off)

    Then, in the Nginx configuration, return 403 when a URL of the form xx.jpg/xx.php is requested:

    if ( $fastcgi_script_name ~ \..*\/.*php ) {
        return 403;
    }

Apache Parsing Vulnerability

Apache extension Parsing Vulnerability

  • Apache's parsing rules examine the file name from right to left; if the rightmost suffix is not a recognized type, it moves left and keeps going until it finds one it can parse

    For xxx.php.owf.zip, .owf and .zip are not recognized by Apache, so it continues until it reaches .php and parses the file as PHP

  • Repair method:

    In the Apache configuration, prohibit execution of files named like xx.php.xxx

    <Files ~ "\.(php\.|php3\.)">
        Order Allow,Deny
        Deny from all
    </Files>

Apache "%0A" upload blacklist bypass [CVE-2017-15715]

  • Suppose the application's upload check is implemented as follows (custom logic):

    <?php
        if(isset($_FILES['file'])){
            $name = basename($_POST['name']);
            $ext = pathinfo($name,PATHINFO_EXTENSION);
            if(in_array($ext,['php','php3','php4','php5','phtml','pht'])){
                exit("bad file");
            }
            move_uploaded_file($_FILES['file']['tmp_name'],'./'.$name);
        }
    ?>

    It checks the uploaded file's extension against a blacklist and blocks the upload on a match.

    Using CVE-2017-15715, upload a file whose name contains a line break. Note that only \x0A works, not \x0D\x0A, so in the hex view of the request we append a \x0A after 1.php.

    Requesting /1.php%0A then executes it, i.e. a successful getShell;

File upload bypass

Client-side validation

  • The client uses JavaScript to check the extension of the uploaded file

    # JS extension check
    extArray = new Array('.gif','.jpg','.png'); // whitelist
    function LimitAttach(form,file){
        allowSubmit = false;
        if(!file)
            return;
        while(file.indexOf('\\')!=-1)
            file = file.slice(file.indexOf('\\')+1); // strip any Windows path prefix
        ext = file.slice(file.indexOf('.')).toLowerCase(); // everything from the first "."
        for(var i = 0 ; i < extArray.length ; i++){
            if(extArray[i] == ext){
                allowSubmit = true ;
                break ;
            }
        }
        if(allowSubmit)
            form.submit();
        else
            alert("bad Extension");
    }

    A client-side JS check can usually be bypassed by capturing and modifying the request, because the server side below performs no check of its own

    # PHP receives the file (no validation at all)
    <?php
        if(isset($_POST['submit'])){
            $name = $_FILES['file']['name']; // original file name
            $name = md5(date('Y-m-d H:i:s')).strrchr($name,'.'); // rename, keeping the extension
            $size = $_FILES['file']['size']; // size in bytes
            $tmp = $_FILES['file']['tmp_name']; // temporary path
            move_uploaded_file($tmp,$name); // move the file out of the temp directory
            echo 'File uploaded successfully: '.$name;
        }
    ?>
  • Bypassing client-side validation:

    Using the FireBug developer tools, the check function can be skipped locally so that the form is submitted without it being called; the check is bypassed because it never runs.

    Alternatively, capture the request after it has passed the client-side check and modify its contents. (Modifying the packet may change its size, so the Content-Length must be kept consistent with the actual body.)

Server-side checks

  • Content-type field validation (MIME type check)
  • File extension detection (detection based on the file's extension) using a blacklist or whitelist filtering mechanism
  • File content detection (detecting whether the content is legitimate or contains malicious code)
  • Directory validation

MIME check: Content-type

  • The Content-type field carries the MIME type; checking the MIME type gives a simple way of filtering files

    # Check the MIME type in the Content-type field
    <?php
        if($_FILES['file']['type'] != 'image/jpeg'){  // check the file's MIME type
            echo "Sorry! Wrong upload format Error";
            exit;
        }
    ?>
  • Bypassing the MIME check:

    Use a packet-capture tool such as Burp to change the Content-type field to the required MIME type

Extension detection

  • Blacklist policy:

    A dedicated file records the file names the server does not allow to be uploaded

  • Whitelist policy:

    A dedicated file records the file names the server allows to be uploaded

    # Extension detection
    <?php
        if(isset($_POST['submit'])){
            $name = $_FILES['file']['name']; // get the file name
            $ext = substr(strrchr($name,"."),1); // get the extension: strrchr() returns everything from the last "." to the end, substr(...,1) drops the "."
            $list = array('jpg','jpeg','png','gif'); // whitelist (or a blacklist of forbidden extensions)
            $hit = false;
            foreach($list as $item){ // compare against the black/white list in a loop
                if(strtolower($ext) == $item){ $hit = true; break; }
            }
            // on a hit, perform the corresponding allow (whitelist) / block (blacklist) action
        }
    ?>

Directory validation

  • Store uploaded files in a single unified directory

    # Directory validation
    <?php
        if(isset($_POST['submit'])){
            $name = $_FILES['file']['name']; // file name
            $name = date('Y-m-d H:i:s').strrchr($name,'.'); // rename, keeping the extension
            $dir = "./root/"; // storage path: fixed by the server, or chosen by the user or some other mechanism
            move_uploaded_file($_FILES['file']['tmp_name'], $dir.$name); // move the file from the temp directory into the storage directory
        }
    ?>

Example of server-side verification code

<?php
    if(isset($_POST['submit'])){
        $name = $_FILES['file']['name'];
        $type = $_FILES['file']['type'];
        $tmp  = $_FILES['file']['tmp_name'];
        $dir  = "./image/";

        $file_array = array('jpeg','png','jpg','gif'); // whitelist
        for ($i=0; $i < count($file_array); $i++) {
            if (substr(strrchr($name, "."),1) == $file_array[$i]) { // extension check
                if( $type == "image/gif" || $type == "image/jpeg" ){ // MIME (Content-type) check
                    move_uploaded_file($tmp, $dir.$name);
                    echo "Image uploaded successfully: ".$name;
                    exit;
                }
            }
        }
    }
?>
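The server-side example above still trusts two client-controlled values, the file name and the Content-type header, and the CVE-2017-15715 blacklist earlier trusts pathinfo() on a name that may end in "\n". The following hardened handler is an added example, not code from the original post; it assumes a form field named "file" and a storage directory /var/uploads outside the web root (both assumed).

```php
<?php
// Hardened upload handler (added example, not the original post's code).
// Assumed: the form field is named "file" and /var/uploads exists outside
// the web root, so nothing stored there can be executed by the server.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';
const ALLOWED = [              // MIME type detected from the bytes => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function handleUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Whitelist the client name, anchored with \A...\z rather than $: in PCRE, $
    // also matches before a trailing "\n", so "1.php\n" (the CVE-2017-15715 case)
    // would pass a $-anchored pattern. The character class also rejects ";", "/",
    // "\0", spaces, extra dots and second extensions such as "x.php.zip".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)\z/i', $file['name'])) {
        throw new RuntimeException('bad file name');
    }
    // Decide the type from the contents, never from Content-type or the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: '';
    if (!array_key_exists($mime, ALLOWED) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    // Server-chosen random name; the extension follows the detected type.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bit, even if the directory is ever exposed
    return $stored;     // record this name and serve it back through a download script
}

if (isset($_FILES['file'])) {
    try {
        echo 'stored as ' . htmlspecialchars(handleUpload($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

getimagesize() still accepts a valid image that carries PHP code inside a comment chunk, which is why the random name, the server-chosen extension and the non-executable directory are not optional extras here.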

Bypass strategy

  • Capture and modify the request with Burp to bypass the checking mechanism, then combine it with a parsing vulnerability to getShell

Text editor upload vulnerabilities

Common text editors: FCKEditor, eWebEditor, UEditor, KindEditor, xhEditor; collectively called "rich text editors"

I have only had limited contact with text editors; here is a good reference article: https://blog.yuntest.org/jszy/stcs/91.html


Source: www.cnblogs.com/wangyuyang1016/p/11754418.html