Foreword
Revisiting the principles behind this vulnerability class and recording the ways file upload checks are bypassed.
Client-side detection:

```javascript
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("Please select a file to upload!");
        return false;
    }
    // define the file types allowed for upload
    var allow_ext = ".jpg|.png|.gif";
    // extract the uploaded file's extension
    var ext_name = file.substring(file.lastIndexOf("."));
    // check whether this type is allowed to be uploaded
    if (allow_ext.indexOf(ext_name) == -1) {
        var errMsg = "This file is not allowed; please upload a " + allow_ext + " type of file. Current file type is: " + ext_name;
        alert(errMsg);
        return false;
    }
}
```
Principle: the upload page runs JavaScript that checks the chosen file before it is submitted, typically testing whether the extension is in a permitted list.
Bypass: 1. Disable JavaScript in the local browser.
2. Upload a file with a legal extension, then intercept the request with Burp Suite and modify the filename in the packet.
Server-side detection:
MIME type detection (Content-Type):

```php
// only the client-supplied Content-Type header is consulted
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
    if (move_uploaded_file($temp_file, $img_path)) {
        $is_upload = true;
    } else {
        $msg = '上传出错!';
    }
} else {
    $msg = 'file type is incorrect, please re-upload!';
}
```
Bypass: intercept the request and edit the Content-Type header, since the value comes from the client.
Commonly used Content-Type values:
Blacklist detection:

```php
if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",
                      ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",
                      ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
                      ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
                      ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
                      ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
                      ".sWf",".swf",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_name = deldot($file_name); // deldot() is a project helper that strips trailing dots from the name
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); // convert to lowercase
    $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the ::$DATA string
    $file_ext = trim($file_ext); // strip surrounding whitespace

    if (!in_array($file_ext, $deny_ext)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH . '/' . $file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = 'Upload error!';
        }
    } else {
        $msg = 'This file is not allowed to be uploaded!';
    }
} else {
    $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
}
```
Common blacklisted extensions:
php|php2|php3|php4|php5|asis|htaccess
|asp|asa|cer|cdx|aspx|ashx|ascx|asax|htm
|html|shtml|pwml|phtml|phtm|js|jsp|vbs|asis
|sh|reg|cgi|exe|dll|com|bat|pl|cfc|cfm|ini
Bypass: 1. Vary the case of the suffix where the blacklist comparison is case-sensitive.
2. Use Apache's multiple-extension parsing: Apache reads the file name's extensions from right to left, and if the rightmost one has no handler it keeps moving left until it finds one,
so a file such as aa.php.rar is handled as PHP.
3. Double the suffix: some filters remove a blacklisted suffix by replacing it with an empty string once, so writing pphphp yields php after the replacement and bypasses the check.
4. If uploading .htaccess is not prohibited, an uploaded .htaccess can instruct Apache to parse a specified file as PHP.
Whitelist detection:

```php
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload error!';
        }
    } else{
        $msg = "Only .jpg|.png|.gif file types may be uploaded!";
    }
}
```
Bypass: 1. %00 truncation. Conditions: PHP < 5.3.4, magic_quotes_gpc off, and save_path in the code above controllable.
Set save_path=upload/1.php%00; the code then appends the legitimate extension,
but when move_uploaded_file() moves the file, the %00 is treated as the end of the string when the path is read.
move_uploaded_file() also ignores whatever follows /. in the file name during concatenation, which can likewise be used to bypass.
2. If the target has a file inclusion vulnerability, upload an image webshell and then execute it through file inclusion.
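As an added illustration (Python, not part of the original post or of the PHP above) for both the blacklist bypasses and the whitelist save_path issue: the blacklist normalisation from the earlier PHP is mirrored so the multi-extension and .htaccess cases can be checked, beside a whitelist policy that takes only the final extension and lets the server fix the directory and stored name, which is what removes the save_path and %00 vectors. The upload directory and the extension sets are assumptions.

```python
import os
import secrets
from typing import Optional

# Abridged from the page's $deny_ext array (assumption: subset is enough to show the behaviour).
DENY_EXT = {".php", ".php5", ".php4", ".php3", ".phtml", ".pht", ".htm", ".html",
            ".jsp", ".asp", ".aspx", ".asa", ".cer", ".swf", ".ini"}

def blacklist_allows(name: str) -> bool:
    """Mirror of the PHP blacklist normalisation: trim, strip trailing dots,
    take the last extension, lowercase, drop ::$DATA, trim again."""
    name = name.strip().rstrip(".")
    ext = name[name.rfind("."):] if "." in name else ""
    ext = ext.lower().replace("::$data", "").strip()
    return ext not in DENY_EXT

ALLOW_EXT = {"jpg", "png", "gif"}

def whitelist_name(original: str, upload_dir: str) -> Optional[str]:
    """Whitelist policy: the only thing taken from the client name is its final
    extension, which must be in ALLOW_EXT. The directory is fixed by the server
    and the stored name is random, so neither a client-supplied save_path nor a
    NUL inside the name can steer where the file lands or what it is called."""
    base = os.path.basename(original)      # drop any client path components
    if "\x00" in base:                     # reject embedded NUL outright
        return None
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOW_EXT:
        return None                        # no extension, or not whitelisted
    return os.path.join(upload_dir, f"{secrets.token_hex(8)}.{parts[1]}")
```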
Bypassing file content detection:
When an image webshell is uploaded, the server checks the file's magic number (header) to decide whether it is a picture; even after this check is bypassed, exploitation still needs a file inclusion vulnerability on the target.

```php
function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    // the two bytes are concatenated as decimal strings and parsed as one integer
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}
```
Bypass: 1. Create an image webshell from the Windows command line with copy 1.jpg /b + shell.php /a shell.jpg; the crafted file begins with a genuine JPEG header.
2. Directly prepend a file header to shell.php,
e.g.: .jpg .jpeg .jpe: JPGGraphic File;
.gif: GIF89A
.ZIP: Zip Compressed
.doc .xls .xlt .ppt .apr: MS Compound Document v1 or Lotus Approach APR file
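Added example (Python, not the original post's code) that reimplements getReailFileType()'s decimal-concatenation check to show that it collides (the bytes 0x07 0xAD read as 7173, the GIF code), beside a raw-prefix comparison and the header/extension consistency check a handler should make. The sample byte strings are constructed.

```python
# Two-byte signatures the page's getReailFileType() recognises, as raw bytes.
SIGNATURES = {b"\xff\xd8": "jpg", b"\x89P": "png", b"GI": "gif"}

def page_style_type(data: bytes) -> str:
    """Mirror of the PHP check: the first two bytes become decimal strings,
    are concatenated and parsed as one integer (255216, 13780, 7173)."""
    if len(data) < 2:
        return "unknown"
    code = int(str(data[0]) + str(data[1]))
    return {255216: "jpg", 13780: "png", 7173: "gif"}.get(code, "unknown")

def prefix_type(data: bytes) -> str:
    """Same signatures compared as bytes: 0x07 0xAD no longer reads as 'gif'."""
    for sig, kind in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def header_matches_extension(data: bytes, ext: str) -> bool:
    """Consistency check: the detected header must agree with the whitelisted
    extension the file will be stored under."""
    return prefix_type(data) == ext.lower().lstrip(".")

# Constructed sample: a valid JPEG start followed by non-image bytes. Both
# checks accept it, which is why header sniffing must be paired with an
# extension whitelist, a server-chosen filename and an upload directory
# the web server does not execute scripts from.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"definitely not image data"
```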
Uploading shell.php directly may trigger detection of sensitive characters, which are then replaced; the following code replaces every ? in the uploaded content:

```php
<?php
$path = "./uploads";
$content = file_get_contents($_FILES['myfile']['tmp_name']);
$content = str_replace('?', '!', $content); // strip the ? used by the PHP open tag
$file = $path . '/' . $_FILES['myfile']['name'];

if (move_uploaded_file($_FILES['myfile']['tmp_name'], $file)) {
    file_put_contents($file, $content);
    echo 'Success!<br>';
} else {
    echo 'Error!<br>';
}
?>
```
Bypass: work out which characters are not restricted and use those to break out; for example, when the question mark is filtered, <script language='php'>system('ls');</script> may be used. (This script-tag form of the PHP open tag was removed in PHP 7.0, so it only applies to PHP 5 targets.)
Race-condition upload bypass:
Applies when the backend logic saves the file first and only then checks its content.

```php
<?php
// when this file is executed, it writes a webshell next to itself
fputs(fopen("shell.php","w"),"<?php eval(\$_POST['XXXSER']);?>");
?>
```
Bypass: write a file that generates the webshell when executed, then keep re-sending the upload request with Burp Suite while requesting the file, racing the check.
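The defensive counterpart to the race described above, as an added Python example (not from the original post): the file is written to a quarantine directory that the web server does not serve, validated there, and only then renamed into the served directory, so a request racing the check finds nothing to execute. The directory layout and the looks_like_gif check are assumptions; demo() builds its own temporary directories and constructed inputs.

```python
import os
import tempfile

def looks_like_gif(path: str) -> bool:
    """Stand-in content check for the demo; real code would run the whole
    validation pipeline (signature, extension whitelist, size limit) here."""
    with open(path, "rb") as f:
        return f.read(6) in (b"GIF87a", b"GIF89a")

def publish_upload(data: bytes, validate, quarantine_dir: str, web_dir: str,
                   final_name: str) -> bool:
    """Write to quarantine, validate there, then rename into web_dir.
    Assumes both directories sit on one filesystem so os.replace() is atomic."""
    fd, tmp_path = tempfile.mkstemp(dir=quarantine_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        if not validate(tmp_path):
            return False                     # rejected; never reached web_dir
        os.replace(tmp_path, os.path.join(web_dir, final_name))
        tmp_path = None                      # moved, nothing left to clean up
        return True
    finally:
        if tmp_path is not None and os.path.exists(tmp_path):
            os.remove(tmp_path)

def demo():
    """Constructed run: one valid GIF header, one arbitrary blob."""
    root = tempfile.mkdtemp()
    quarantine = os.path.join(root, "quarantine")
    web = os.path.join(root, "web")
    os.makedirs(quarantine)
    os.makedirs(web)
    ok_good = publish_upload(b"GIF89a" + b"\x00" * 16, looks_like_gif, quarantine, web, "a.gif")
    ok_bad = publish_upload(b"not an image", looks_like_gif, quarantine, web, "b.gif")
    return ok_good, ok_bad, sorted(os.listdir(web)), os.listdir(quarantine)
```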
The content above is a summary collected from the Internet; if anything is wrong, please correct me.
Reference Links: https://xz.aliyun.com/t/6047