AWD offensive and defensive vulnerability analysis - file upload

Outline

This vulnerability class was exploited most rampantly by hackers in the DVBBS 6.0 era: an upload vulnerability yields a WEBSHELL directly, so its hazard rating is high, and intrusion through upload vulnerabilities remains common.
The cause is that the code does not check the data submitted by visitors, or filters it loosely, so a visitor can submit modified data and bypass the extension check directly.

Upload method

1. Direct upload of a webshell
2. Bypassing client-side detection to upload a webshell
3. Bypassing server-side file extension detection to upload a webshell
4. Bypassing server-side MIME type detection to upload a webshell
5. Bypassing file content detection to upload a webshell
6. Bypassing server-side directory path detection to upload a webshell
7. Bypassing server-side vulnerabilities to upload a webshell
8. Using a .htaccess file to upload a webshell

Upload Tool

(1) Burp Suite
(2) China Chopper, Behinder (ice scorpion), AntSword (ant sword)
(3) One-line Trojan (webshell) images

Client Detection

Client-side detection is usually a JavaScript script in the page that checks the extension of the uploaded file, in either blacklist or whitelist form.
How to recognise it: load the page in the browser and click the Upload button; if a dialog box pops up immediately (for example "only .jpg / .jpeg / .png files are allowed") and no request packet has been sent, the check is client-side.

Workaround: capture the request with Burp: first upload a Trojan with a jpg extension, then change the extension to asp / php / jsp in Burp.
Alternatively, use a Firefox plug-in to turn JavaScript off.

Server detection

MIME type detection bypass:

When a user uploads a file, the server-side program reads the MIME type of the uploaded file and compares it with the expected MIME type; if they do not match, the upload is treated as illegitimate.

A server that only detects the MIME type (image/jpeg, image/png, image/gif) can be bypassed directly by changing the MIME type in Burp.


Detect File Header:

Different file types have different file headers, for example:
JPEG (JPG) file header: FFD8FF
PNG (PNG) file header: 89504E47
GIF (GIF) file header: 47494638
PHP's getimagesize() function is used to verify the file header.
File header bypass:
Because this check only looks at the header, it is enough to prepend a legitimate file header to the malicious script; the Trojan is basically some file information plus the script, with a structure like the following:
GIF89a

<?php phpinfo(); ?>

To bypass file extension

Blacklist detection: a dedicated blacklist file lists the common dangerous script extensions.
Workaround:
(1) find an extension the blacklist misses, such as asa, cer and the like
(2) there may be a case-sensitivity bypass, such as aSp and pHp

.htaccess parsing vulnerability

1. First upload a .htaccess file with the following content:
SetHandler application/x-httpd-php
2. Then upload the file; it is executed directly as a PHP file.

Using operating system file naming conventions

1. Upload 1.php (or a picture horse), capture the request and change the name to 1.php.
2. Upload 1.php (or a picture horse), capture the request and change the name to 1.php::$DATA
3. Upload 1.php (or a picture horse), capture the request and change the name to 1.php:1.jpg
4. Upload 1.php (or a picture horse), capture the request and change the name to 1.php::$DATA...
5. Upload 1.php (or a picture horse), capture the request and change the name to 1.php[space]

%00 truncation bypass

1. %00 truncation bypasses the whitelist
2. %00 is entered with the shortcut keys Ctrl+Shift+U
3. The breakthrough applies to PHP versions lower than 5.3.29 with GPC turned off:
in the php.ini file find
magic_quotes_gpc = On
and change On to Off

Upload a picture horse

Tutorial for creating a picture horse:
copy 1.jpg /b + 2.php /a 1.jpg
The /b parameter copies in binary mode and merges the files; used for image and sound files.
The /a parameter copies in ASCII mode and merges the files; used for txt and similar text files.
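The sections above describe, layer by layer, the checks an upload handler gets wrong: trusting client-side JavaScript, trusting the declared MIME type, checking only the file header (so GIF89a followed by PHP passes), blacklisting extensions without case normalisation, and keeping the client's filename so that trailing dots, ::$DATA streams and %00 truncation change where the file lands. The validator below is an added example and is not code from the original article; it is a self-contained Python function that applies every one of those checks server-side, with the file names, MIME strings and sample bytes constructed for the demonstration.

```python
"""Server-side upload validator (added example, not the article's own code).

Every layer listed in the article is checked here on the server: the declared
MIME type is treated as untrusted, the magic bytes must match the extension,
the extension is whitelisted after case normalisation, double extensions are
refused, the Windows naming tricks (trailing dot/space, ::$DATA, alternate
data streams) and null-byte truncation are rejected, and the stored name is
generated by the server rather than taken from the client.
"""
import secrets

# Whitelisted extensions and the magic bytes each must begin with
# (FFD8FF, 89504E47, 47494638 as the article lists them).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Script markers that must not appear inside an "image" (the GIF89a<?php trick).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails validation."""


def normalise_name(filename: str) -> str:
    """Reduce the client-supplied name to what the filesystem would really use."""
    if "\x00" in filename or "%00" in filename:
        raise UploadRejected("null byte in filename")
    # Drop any path component the client sent (../, C:\ and so on).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # NTFS stream syntax: 1.php::$DATA and 1.php:1.jpg both contain ':'.
    if ":" in name:
        raise UploadRejected("NTFS stream syntax in filename")
    # Windows silently strips trailing dots and spaces: "1.php." becomes "1.php".
    name = name.rstrip(". ")
    if not name:
        raise UploadRejected("empty filename")
    return name


def validate_upload(filename: str, declared_mime: str, data: bytes) -> str:
    """Return a safe, server-generated file name, or raise UploadRejected."""
    name = normalise_name(filename)
    parts = name.lower().split(".")          # lower-casing defeats pHp / aSp
    if len(parts) < 2:
        raise UploadRejected("no extension")
    if len(parts) > 2:                       # 1.php.jpg, 1.asp;.jpg, 1.jpg.php
        raise UploadRejected("multiple extensions")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not in whitelist")
    # The MIME type comes from the client; require consistency but never rely on it alone.
    if declared_mime.lower() not in ALLOWED_MIME:
        raise UploadRejected("unexpected MIME type")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("file header does not match extension")
    # A header check alone passes "GIF89a<?php ...", so inspect the body as well.
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script content inside image")
    # Never store under the client's name: random name plus the verified extension.
    return f"{secrets.token_hex(8)}.{ext}"


def check(filename: str, declared_mime: str, data: bytes) -> tuple:
    """Convenience wrapper: ('ok', stored_name) or ('rejected', reason)."""
    try:
        return ("ok", validate_upload(filename, declared_mime, data))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample inputs covering each trick from the article.
    samples = [
        ("photo.PnG", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
        ("1.php.", "image/jpeg", b"\xff\xd8\xff"),
        ("1.php::$DATA", "image/jpeg", b"\xff\xd8\xff"),
        ("1.php%00.jpg", "image/jpeg", b"\xff\xd8\xff"),
        ("shell.jpg.php", "image/jpeg", b"\xff\xd8\xff"),
        ("horse.gif", "image/gif", b"GIF89a\n<?php phpinfo(); ?>"),
    ]
    for name, mime, body in samples:
        print(name, "->", check(name, mime, body))
```

The body scan for script markers is a coarse heuristic and can false-positive on binary image data; a production handler would additionally re-encode the image with an image library and serve the upload directory with script execution disabled, which closes the picture-horse route regardless of what the scan misses.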

Apache Parsing Vulnerability

Apache httpd supports files with multiple suffixes and processes the suffixes in a definite order, so as long as the uploaded file's name contains a php suffix the file can be parsed as a PHP file; using this feature of Apache httpd, a whitelist check can be bypassed when uploading files.

IIS Parsing Vulnerability

  1. Directory parsing
    Files inside a folder named *.asp are executed as ASP files.
  2. File parsing
    For a malformed file name such as *.asp;.jpg, everything after the ";" is ignored, so the file is executed as *.asp.

Nginx Parsing Vulnerability

Nginx currently has two such vulnerabilities. One is that appending /anything.php to any file name causes it to be parsed as PHP: for example, if the original file name is test.jpg, it can be attacked as test.jpg/x.php.
The other is that low versions of Nginx parse any file name with %00.php appended.
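On the defending side in AWD, the request shapes described in the .htaccess, Apache, IIS and Nginx sections are easy to spot in web server access logs, because each one leaves a distinctive path. The scanner below is an added example, not code from the original article: it parses combined-format access log lines (the six sample lines are constructed for the demonstration) and tags each request with the parsing trick it resembles, so a defender can find which uploaded file to remove and which host to block.

```python
"""Access-log detector for parsing-vulnerability probes (added example).

Tags request paths that match the Apache multi-suffix, IIS ';' / directory,
Nginx '/x.php' and '%00.php' patterns from the article, plus requests for an
uploaded .htaccess. Log lines follow the common combined log format:
client - - [time] "METHOD path HTTP/1.1" status size
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (rule name, pattern applied to the URL-decoded path)
RULES = [
    # Nginx: an image path followed by an extra /x.php segment
    ("nginx-pathinfo", re.compile(r"\.(?:jpg|jpeg|png|gif)/[^/]*\.php$", re.I)),
    # IIS: 1.asp;.jpg (everything after ';' ignored) and /x.asp/ directory parsing
    ("iis-semicolon", re.compile(r"\.asp;", re.I)),
    ("iis-directory", re.compile(r"\.asp/", re.I)),
    # Apache: a script suffix followed by further suffixes, e.g. 1.php.jpg
    ("apache-multisuffix", re.compile(r"\.(?:php|asp|jsp)\.[a-z0-9]+$", re.I)),
    # A .htaccess reachable under the web root points at the SetHandler trick
    ("htaccess", re.compile(r"(?:^|/)\.htaccess$")),
]


def classify_path(raw_path: str) -> list:
    """Return the rule names matching one request path, after URL decoding."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)            # %00 becomes a real NUL here
    hits = []
    if "\x00" in decoded:
        hits.append("null-byte")       # the %00.php truncation pattern
    for name, pattern in RULES:
        if pattern.search(decoded):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return (ip, raw_path, hits) for every line whose path matches a rule."""
    results = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                   # not an access-log line; skip it
        hits = classify_path(match.group("path"))
        if hits:
            results.append((match.group("ip"), match.group("path"), hits))
    return results


# Constructed sample log lines: one benign image request, then one probe per trick.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2020:10:00:01 +0800] "GET /uploads/test.jpg HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2020:10:00:02 +0800] "GET /uploads/test.jpg/x.php HTTP/1.1" 200 310',
    '10.0.0.9 - - [01/Mar/2020:10:00:03 +0800] "GET /uploads/test.jpg%00.php HTTP/1.1" 404 210',
    '10.0.0.9 - - [01/Mar/2020:10:00:04 +0800] "GET /uploads/1.asp;.jpg HTTP/1.1" 200 310',
    '10.0.0.9 - - [01/Mar/2020:10:00:05 +0800] "GET /uploads/1.php.jpg HTTP/1.1" 200 310',
    '10.0.0.9 - - [01/Mar/2020:10:00:06 +0800] "GET /uploads/.htaccess HTTP/1.1" 403 150',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

A 200 status on a tagged line means the server actually served the request and the parsing quirk or the uploaded file is live; a 403 or 404 still records the attempt and the source address.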

This article ends here. Due to my limited level there are certainly shortcomings in many places; if you find any flaws or mistakes, please correct me and I will improve. Writing articles is not easy; everyone's comments and likes are my greatest motivation. Thank you for your support!


Origin blog.csdn.net/gd_9988/article/details/104728871