Shulou(Shulou.com)05/31 Report--

Today I will introduce to you an example analysis of web file upload vulnerabilities. The content of the article is good. Now I would like to share it with you. Friends who feel in need can understand it. I hope it will be helpful to you. Let's read it along with the editor's ideas.

File upload function module

File upload function is a necessary function of most WEB applications. Websites allow users to upload avatars, some social websites allow users to upload photos, some service websites require users to upload electronic files of proof materials, e-commerce websites allow users to upload pictures to show products, and so on. However, if the seemingly inconspicuous file upload function does not take good security measures, there is a huge security risk.

Principle of file upload vulnerability

When a user uploads a file at the functional module of file upload, if the WEB application does not effectively verify the security of the file during the file upload process, the attacker can attack the server by uploading malicious files such as WEBshell. In this case, it is considered that there is a file upload vulnerability in the system.

File upload vulnerability-webshell

The most common method of file upload vulnerability is to upload website Trojan (webshell) files, WEBSHELL also known as web Trojan files, according to the different development language is divided into ASP Trojan, PHP Trojan, JSP Trojan, etc., this kind of Trojan makes use of the script language in the system command execution, file reading and writing and other functions, once uploaded to the server is parsed by the script engine, the attacker can achieve control of the server.

Website Trojan horse (webshell) files are divided into big horse and pony (in a word, Trojan horse), picture horse and so on.

Malaysia: the function is relatively good, and it is used with the browser; the amount of code is usually large; the concealment is relatively weak, and the amount of code is large, so features usually need to be hidden by means of encryption.

Pony: the function is simple and needs to be used with the client; the amount of code is usually small; the concealment is relatively strong, and it is easy to hide features through deformation, bypass filtering, and is usually used with cknife tools.

Picture horse: when the website is restricted to uploading image-related formats, attackers can not bypass the restrictions and try to use picture horses to achieve webshell operations.

File upload vulnerability bypasses restrictions

In a word, the Trojan is similar to uploading the Trojan file to the server through the file upload module. The parameter v in $_ POST ['v'] is our available parameter, and we pass the instructions we want to execute to the server through the parameter v, or use the cknife tool to operate the target server.

(1) the upload form of the web page is restricted and needs to be in accordance with the formats of jpg, jpeg, JPG and JPEG, so change the original format to 1.jpg format (server verification)

Open the burp suite software to intercept the package and change the file name to 1.php, so that you can run the php script, otherwise the file with the jpg suffix can be uploaded, but the function of running is useless.

Define v=phpinfo () in the hackbar plug-in; you can view a great deal of information about the current status of php

(2) this page limits the upload format (MIME). You need to change the file format to JPEG or PNG (server verification).

Use burp suite to intercept information and change content-Type to image/png

Use the hackbar tool to define the parameter v=phoinfo (); view php status information

(3) this page filters file suffixes and does not accept files of php type (server check)

Open the burp suite software intercept message, change the file name to 1.PHp, and bypass the identification of the web server.

Define v=system (ipconfig) with hackbar

(4) truncate the jpg by truncation. 1.php.jpg, compiled with ctrl+shift+u.

1.php.jpg, compiled with ctrl+shift+u

Use the hackbar tool to define the parameter v=phoinfo (); view the php status information (5) this web page is only allowed to upload pictures, and the suffix is invalid.

Upload b374k.jpg picture horse, login password is b374k

Using the browser, you can use the picture horse for webshell operation.

(6) the type of upload allowed on this web page is jpg,jpeg,png,gif,7z. You can use apach to recognize the extension from back to front when the suffix name is not recognized, and change the 1.jpg to 1.php.7z through burp, then it becomes a compressed file.

Change 1.jpg to 1.php.7z through burp through burp software grab package, and then become a compressed file.

Use the hackbar tool to define the parameter v=phoinfo (); view php status information

File upload vulnerabilities are common and harmful in web security. Site builders can increase their prevention efforts in this regard, such as strengthening the scope of the blacklist of file suffixes; randomly modifying the names of uploaded files; temporary directories and saved directories of uploaded files are not allowed to execute permissions, and so on.

The above is the full content of the example analysis of web file upload vulnerabilities, and more content related to the example analysis of web file upload vulnerabilities can be searched for previous articles or browse the following articles to learn ha! I believe the editor will add more knowledge to you. I hope you can support it!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.