Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

Example Analysis of File Upload vulnerabilities

2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Share

Shulou(Shulou.com)06/01 Report--

The content of this article mainly focuses on the example analysis of File Upload vulnerabilities. The content of the article is clear and well-organized. It is very suitable for beginners to learn and is worth reading. Interested friends can follow the editor to read together. I hope you can get something through this article!

Front

Words

As testers, we often hear the word "security test", but few people actually do it. From the perspective of our duty to "ensure quality", it is not too much to say that it is a kind of "dereliction of duty". So what is the security test and how to conduct the security test? I hope this article can play a role in attracting jade.

What is the loophole in file upload?

There are all kinds of loopholes in an unverified system. By the same token, there should be a variety of vulnerability monitoring methods. Today we talk about one of the most common: the detection of file upload vulnerabilities.

In today's web applications, supporting file uploads is a common requirement because it helps to improve business efficiency. But it also brings a lot of risks. If there is a vulnerability in the interface for file upload, an attacker can use this vulnerability to upload an executable file to the server and execute it, then gain a specific permission, or perform a behavior that endangers the server.

The files uploaded here can be Trojans, viruses, malicious scripts or WebShell.

Why is there a file upload vulnerability?

The File Upload (file upload) vulnerability is due to lack of control or processing defects in the part of user file upload by programmers, which allows users to upload executable dynamic script files to the server beyond their own permissions. For example, if you use a windows server and use asp as a server-side dynamic website environment, then the upload function of the website does not allow users to upload files of asp type, otherwise the user uploads a webshell and the files on the server can be changed by him at will. Therefore, the harm caused by file upload vulnerabilities is often devastating. Apache, Tomcat, Nginx and so on have exposed file upload vulnerabilities.

Example

1. Prepare the open source tool: DVWA

2. Prepare the PHP script file FI_GET_INI.php, which contains one line of script.

3. Prepare the jpeg file. Desert.jpeg originally comes with pictures for windows. Execute the CMD command copy Desert.jpeg+FI_GET_INI.php Desert.jpeg, which will be appended to the end of the image Desert.jpeg.

4. The following is the actual scenario experiment, which opens the target machine page:

5. The fi _ GET_INI.php was uploaded successfully, which means that the system did not check the file type and accepted the PHP script file upload:

6. Upload the Desert.jpeg successfully. Open the server to receive the Desert.jpeg in the uploaded file directory using a text editor. It is found in the image file that the system does not check the file content and accepts the upload of the file containing malicious scripts:

7. The files uploaded in steps 5 and 6 can be easily executed on the server with the file containing vulnerabilities (File Inclusion).

8. Main preventive measures for File Upload loopholes:

(1) limit the types of uploaded files (for the PHP files uploaded in step 5),

(2) limit the size of uploaded files,

(3) hide the file path (in the screenshot above, you can easily get the location of the uploaded file on the server side to facilitate file inclusion attacks),

(4) check whether the uploaded file contains malicious information (such as checking whether the image file is encoded properly at the beginning and end, so as to avoid the image file uploaded in step 6 contains malicious scripts).

Thank you for your reading. I believe you have some understanding of the "sample Analysis of File Upload vulnerabilities". Go ahead and practice it. If you want to know more about it, you can follow the website! The editor will continue to bring you better articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Internet Technology

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report