Tutorial study notes (1): 14. File upload vulnerabilities explained

Later I did not read good books, did not earn money, did not end up with the person I liked, and in the end I attributed all of life's shortcomings to myself: lack of self-confidence, suspicion, fear, withdrawal...
I. File parsing vulnerabilities
1. IIS 6.0 directory parsing
As long as a folder is named xx.asp (or xx.asa), every file inside it is parsed as an ASP file.
2. IIS 6.0 semicolon parsing
a.asp;jpg is parsed as an ASP file; in addition, *.cer and *.asa files are also parsed as ASP.

3. Apache parsing vulnerability: Apache resolves the extension from right to left until it reaches an extension it recognises.
If there is a file named a.php.abc.aab.acd, Apache ends up parsing it as a.php.

4. IIS 7.0, IIS 7.5 and Nginx < 8.03 malformed parsing vulnerability
With Fast-CGI enabled by default, the attacker uploads a file named cracer.jpg whose content is <?php fputs(fopen('shell.php','w'),'<?php eval($_POST[aiyou])?>');?>, then requests cracer.jpg/.php, which creates a one-line web shell shell.php in that directory.
Affected range: all nginx versions below 0.7.65 (the 0.5.*, 0.6.*, 0.7.* and 0.8.* series) and the 0.8 series below 0.8.37.
http://ap.test.com/1.jpg/1.php
http://ap.test.com/1.php%00.jpg

5. .htaccess file parsing
If .htaccess can be executed and uploaded in Apache, write <FilesMatch "mst.jpg"> SetHandler application/x-httpd-php into .htaccess, then upload the mst.jpg web shell; mst.jpg is then parsed as a PHP file.

II. Bypassing local (client-side) upload validation
Server naming rules
Rule one: the stored filename is the same as the uploaded filename
Rule two: the stored filename differs from the uploaded filename (random)

1. Client-side JavaScript check (usually checks the file extension)
First determine whether the validation is local JS: capture with Burp; if the alert box pops up at submit time before Burp has captured any packet, the validation is local.
Bypass methods:
delete the detection function
capture the request in Burp and rename the file
use Firebug to delete the local validation JS code directly
add the extension to the JS validation whitelist, for example add php

2. Server-side MIME type check (checks the Content-Type)
Capture the POST upload request with Burp and change the Content-Type to image/png; that is enough to bypass it.

3. Server-side directory path check (checks content related to the path parameter)
The upload is allowed, but it goes to a folder with no permissions: capture the request, send it to Repeater, and change the path to the parent directory.

III. Bypassing server-side upload validation
1. Filename case bypass
Use filenames with extensions such as AsP or pHp to bypass blacklist detection.
2. Blacklist list bypass
Try extensions the blacklist does not contain; for example, asa or cer are often missing (ASP: asa, cer, 1.asp;.jpg, 1.asp/1.jpg; PHP: php3, php4, php5, php7).
3. Special filename bypass
After capturing the HTTP request, change the filename to test.asp. or test.asp_ (the underscore stands for a space). Such names are not allowed on Windows, so they must be set in Burp; once the check is passed, Windows automatically removes the trailing dot or space. Note that Unix/Linux does not have this behaviour.
4. 0x00 truncation bypass
Change the filename to 1.php%00.jpg, then URL-decode the %00.
5. Form submit button
Some upload pages have no submit button; view the source and add one.
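As an added example, not from the original post, here is one server-side upload filter (my own Python code, not the author's) that closes the bypasses listed in sections I to III: it ignores the client's Content-Type and checks the file header instead, allow-lists every suffix of the name instead of blacklisting, rejects null bytes, semicolons, leading dots and trailing dots or spaces, and stores the file under a server-chosen random name (the second naming rule). The names ALLOWED, MAGIC, reject_reason and stored_name are my own.

```python
import os
import secrets
from typing import Optional

# Allow-list: only the formats the application actually needs to serve back.
ALLOWED = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of those formats; the claimed Content-Type is never consulted.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def reject_reason(client_name: str, head: bytes) -> Optional[str]:
    """Return why an upload is rejected, or None if it passes every check."""
    # Drop any directory part the client sent (handles xx.asp/ style paths).
    name = os.path.basename(client_name.replace("\\", "/"))
    # 0x00 truncation (1.php%00.jpg after decoding) and IIS 'a.asp;jpg'.
    if "\x00" in name or ";" in name:
        return "forbidden character in filename"
    # Windows silently strips trailing dots/spaces: test.asp. -> test.asp
    if name != name.rstrip(". "):
        return "trailing dot or space"
    # .htaccess and other dotfiles are never acceptable uploads.
    if name.startswith("."):
        return "hidden filename"
    parts = name.lower().split(".")  # lower() defeats AsP / pHp case tricks
    if len(parts) < 2:
        return "missing extension"
    # Every suffix must be allowed, so a.php.abc.aab.acd (Apache reads
    # right to left) fails on 'php' even though the last suffix is harmless.
    for ext in parts[1:]:
        if ext not in ALLOWED:
            return f"extension '{ext}' not allowed"
    if not head.startswith(MAGIC[parts[-1]]):
        return "content does not match extension"
    return None


def stored_name(client_name: str, head: bytes) -> str:
    """Server-chosen random name; the client's name is used only for its extension."""
    reason = reject_reason(client_name, head)
    if reason is not None:
        raise ValueError(reason)
    ext = client_name.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"
```

The directory the file lands in should likewise be fixed by the server and outside the web root or non-executable, since the filter above only governs the name.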


Origin blog.csdn.net/weixin_41489908/article/details/104484036