2025-01-16 Update. From: SLTechnology News&Howtos (shulou), Network Security
Shulou (Shulou.com) 06/01 Report
File Upload Vulnerabilities and Web Server Security [199cloud-Ina]
Web applications commonly let users upload files: pictures on a BBS, Zip packages on personal websites, resumes in DOC format on job sites. Wherever a Web application accepts file uploads, a file upload vulnerability may exist.
1. Parsing vulnerabilities
When exploiting an upload vulnerability, attackers usually combine it with a parsing vulnerability in the Web container (IIS, Nginx, Apache, Tomcat, etc.).
IIS parsing vulnerability: when a folder is named in the form *.asa or *.asp, IIS parses every file under that directory as an ASP file. A plain text file opened in the browser simply shows its content, but if an uploaded file contains a dangerous script, that script is executed, which is what the attacker is after.
For example: http://127.0.0.1/parsing.asp/test.txt
Apache parsing vulnerability
PHP CGI parsing vulnerability
2. Bypassing upload checks
Programmers who defend against upload vulnerabilities generally fall into the following two categories:
Client-side detection: the client uses JavaScript to validate the file before it is uploaded.
Accordingly, there are two ways to bypass client-side detection:
(1) Use FireBug: locate the form in the HTML source and delete its onsubmit event, which disables the JavaScript upload validation.
(2) Man-in-the-middle tampering: with Burp Suite, pass the JavaScript validation through the normal flow and then modify the request at the HTTP layer in transit. (By intercepting the upload data with Burp Suite and changing the file extension during upload, the client-side check is bypassed.)
Note: client-side validation is never a security control. Its purpose is to catch user input errors and reduce server load; only server-side validation can actually defend against an attacker.
Server-side detection: server-side scripts generally check the file's MIME type, check whether the file extension is allowed, and some programmers even scan the file for embedded malicious code.
The main server-side checks are the following, each of which can still be flawed:
(1) Whitelist and blacklist verification
Most programmers check the file extension when a file is uploaded, and there are two usual ways to do it: a whitelist or a blacklist.
Blacklist filtering is an unsafe approach. The blacklist defines a set of extensions that may not be uploaded; after receiving a file, the server compares its extension with the list, and if it matches, the file is treated as illegal. For example:
$BlackList = array('asp', 'php', 'jsp', 'php5', 'asa', 'aspx'); // blacklist
However, this does not defend well: a .cer file is not on the blacklist, so it passes the check, and the upload vulnerability remains.
Whitelist filtering is the opposite: it defines the set of extensions that are allowed to be uploaded, which is a better defense than a blacklist. For example:
$WhiteList = array('rar', 'jpg', 'png', 'bmp', 'gif', 'doc'); // whitelist
However, even this is not enough on its own. For example, when the Web container is IIS 6.0, an attacker uploads a Trojan file named pentest.asp;1.jpg. Its extension is jpg, so it passes the check, but IIS 6.0 executes pentest.asp;1.jpg as an ASP script, so the attacker bypasses the whitelist and runs the Trojan. A whitelist is only the first step in defending against upload vulnerabilities.
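To put the two failures side by side, here is an added Python example (not the article's code) that ports the PHP blacklist and whitelist checks above and contrasts them with a hardened variant that ignores the client's basename entirely. The names BLACKLIST, WHITELIST, SAFE_NAME and hardened_name are this example's own; the NUL-byte rejection is an assumption about the truncation case, not something the article spells out.

```python
import re
import secrets
from typing import Optional

# The article's two PHP lists, ported to Python for the demonstration.
BLACKLIST = {"asp", "php", "jsp", "php5", "asa", "aspx"}
WHITELIST = {"rar", "jpg", "png", "bmp", "gif", "doc"}


def extension(filename: str) -> str:
    """Extension the way the naive checks see it: text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def blacklist_allows(filename: str) -> bool:
    """Naive blacklist: anything not listed passes, so shell.cer gets through."""
    return extension(filename) not in BLACKLIST


def whitelist_allows(filename: str) -> bool:
    """Naive whitelist: only the last extension is checked, so
    pentest.asp;1.jpg passes although IIS 6.0 executes it as ASP."""
    return extension(filename) in WHITELIST


# Exactly one dot, a short alphanumeric basename and a short extension.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}$")


def hardened_name(filename: str) -> Optional[str]:
    """Return a server-chosen filename, or None if the upload is rejected.

    Rejects NUL bytes (truncation attacks, an assumption of this example),
    semicolons (IIS 6.0 parsing), extra dots and directory components,
    requires a whitelisted extension, and never reuses the client's basename.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "\x00" in base or ";" in base or not SAFE_NAME.match(base):
        return None
    ext = extension(base)
    if ext not in WHITELIST:
        return None
    # Random server-side name: the client never controls what lands on disk.
    return f"{secrets.token_hex(8)}.{ext}"
```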
(2) MIME verification
A MIME type tells the client how a file with a given extension should be opened; when such a file is accessed, the browser automatically opens it with the associated application. For example, the MIME type of a GIF image is image/gif, and that of a CSS file is text/css.
Developers often verify the file's MIME type. In PHP the code looks like this:
if ($_FILES['file']['type'] == 'image/jpg') { // check whether the file is a jpg
    // ...
}
So if you upload a PHP file and inspect the request with Burp Suite, you will see that the MIME type sent for the PHP file is application/php, while the code above only accepts image/jpg; obviously the check fails.
However, during interception the Content-Type in the HTTP request can be changed to image/jpg, and the program then accepts the file, achieving the attack.
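A defender-side check for the Content-Type tampering described above, as an added Python example that is not part of the article: it parses a constructed multipart request whose part header claims image/jpg but whose bytes are a PHP file, then compares the declared type with the file's leading magic bytes instead of trusting the header. BOUNDARY, TAMPERED_BODY and the MAGIC table are constructed here, and image/jpg is mapped to the registered name image/jpeg.

```python
from email.parser import BytesParser
from email.policy import default
from typing import Tuple

# Constructed upload body, as a proxy would forward it after the part's
# Content-Type was changed from application/php to image/jpg.
BOUNDARY = b"----constructedboundary"
TAMPERED_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.jpg"\r\n'
    b"Content-Type: image/jpg\r\n\r\n"
    b"<?php /* constructed sample file */ ?>\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

# Leading-byte signatures for the image types the article's whitelist accepts.
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif", b"BM": "image/bmp"}
ALIASES = {"image/jpg": "image/jpeg"}  # image/jpeg is the registered name


def parse_upload(body: bytes, boundary: bytes) -> Tuple[str, bytes]:
    """Return (declared Content-Type, raw bytes) of the 'file' form part."""
    raw = b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") == "file":
            return part.get_content_type(), part.get_payload(decode=True)
    raise ValueError("no file part in request")


def check_upload(declared: str, data: bytes) -> str:
    """'ok' when the declared type matches the file's magic bytes, else the reason.
    Trusting only the header is exactly the check the article shows being bypassed."""
    declared = ALIASES.get(declared.lower(), declared.lower())
    if declared not in MAGIC.values():
        return "rejected: Content-Type is not an accepted image type"
    actual = next((m for sig, m in MAGIC.items() if data.startswith(sig)), None)
    if actual is None:
        return "rejected: no image signature in file bytes"
    if actual != declared:
        return f"rejected: declared {declared} but bytes look like {actual}"
    return "ok"


def check_request(body: bytes, boundary: bytes) -> str:
    """Parse the multipart body and validate its file part."""
    return check_upload(*parse_upload(body, boundary))
```

A file that begins with a genuine image header but carries script after it still passes a magic-byte check, so for images the safest store is a server-side re-encode rather than keeping the uploaded bytes.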
(3) Directory verification
When uploading files, programmers usually let the user place the file in a specified directory, and many Web developers add a step to make the code more "robust": if the specified directory exists, the file is written into it; if it does not exist, the directory is created first and then the file is written.
Attack: the attacker uses a tool to change an ordinary folder name into a .asp directory (a so-called malformed folder) and then submits a one-line picture Trojan file. Once the upload succeeds, the Web Trojan is parsed and executed, which enables the next stage of the attack.
(4) Truncated upload attack
This also relies on intercepting and modifying the request with a tool.
Truncated upload attacks are most common in ASP programs, but they also exist in PHP and JSP.
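For the directory check above, an added Python example (not the article's code) that validates the client-requested sub-directory before creating it: every path segment must be a plain name with no dot, which rules out both a malformed folder such as pentest.asp and ".." traversal, and the resolved path must stay under the upload root. The helper names are this example's own, and demo() writes into a fresh temporary directory rather than any real upload root.

```python
import os
import posixpath
import re
import tempfile
from typing import Optional

# One path segment: no dots, so 'pentest.asp' and '..' are both rejected.
SEGMENT = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def safe_target_dir(root: str, requested: str) -> Optional[str]:
    """Resolve the client-requested sub-directory under root, or None if unsafe."""
    parts = [p for p in requested.replace("\\", "/").split("/") if p]
    if not parts or not all(SEGMENT.match(p) for p in parts):
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, *parts))
    # Second, independent guard: the resolved path must remain inside root.
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


def store_upload(root: str, requested_dir: str, server_name: str, data: bytes) -> Optional[str]:
    """Create the directory only after it has been validated, then write the file.
    server_name is expected to be a server-chosen filename, not the client's."""
    target_dir = safe_target_dir(root, requested_dir)
    if target_dir is None:
        return None
    os.makedirs(target_dir, exist_ok=True)
    path = posixpath.join(target_dir, server_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run three cases (normal, malformed folder, traversal) against a temp root."""
    root = tempfile.mkdtemp()
    return {
        "normal": store_upload(root, "images/2024", "photo.jpg", b"\xff\xd8\xff"),
        "malformed_dir": store_upload(root, "images.asp", "photo.jpg", b"x"),
        "traversal": store_upload(root, "../outside", "photo.jpg", b"x"),
    }
```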
3. Text editor upload vulnerabilities
Common text editors include CKEditor, Ewebeditor, UEditor, KindEditor, XHeditor and so on. Their functions are very similar: picture upload, video upload, remote download and the like. This kind of editor is also called a rich text editor.
Using such editors shortens development time but adds many security risks. For example, if 100000 websites use CKEditor and a GetShell vulnerability is disclosed in CKEditor, all 100000 websites are affected. The main vulnerabilities are as follows:
(1) Exposure of sensitive information.
(2) Wrong blacklist strategy: extensions missing from the blacklist.
(3) Using Burp Suite to intercept and modify the request so that any file can be uploaded.