2025-02-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In practice, when we find a place where files can be uploaded, we try every possible way to upload a webshell. As long as we can upload a webshell, this *** is at least half successful, and the next operation depends on the permissions the webshell obtains.

Protections against file upload vulnerabilities fall mainly into two categories: whitelist restrictions and blacklist restrictions. For blacklist restrictions, we only need to find some remote executable suffixes, mixed-case spellings, or related operating system features (for example, Windows automatically filters spaces and `.` from file name suffixes). For whitelist restrictions, the bypass is generally a combination of parsing vulnerabilities, code function vulnerabilities (iconv (80-EF truncation) and related functions that cause 00 truncation) and related operating system features (for example, a file name length, including the suffix, of 223 on windows10, 237 on win2012 and 252 on linux ubuntu0.16.04.1). Below we use the ubuntu 0.16.04.1 operating system as a demo.

A simple check of what the restrictions are

First we upload a file with the php suffix as a test and find that it is rejected as a wrong file suffix, as shown in the following figure:

Then we test with a file suffix that does not exist and find that it is still rejected as a wrong suffix, as shown in the following figure. From this we can conclude that the upload point uses a whitelist restriction and only allows files with specific suffixes to be uploaded.
Try according to the restriction type

From the above we know that it is a whitelist restriction, and the earlier information gathering showed that the web server is Nginx and the operating system is linux (ubuntu). The Nginx parsing vulnerability does not get a file uploaded here, so we construct a long file name to bypass the whitelist restriction.

Since we often do not know the specific operating system, we can only test with a very long file name. If there is an error message, we can construct the name step by step; if there is no error message, we can only try slowly (you can build some common systems [win03 win08 win12 ubuntu redhat, etc.] and test the file name length on each one).

First we try an overlong name, and the prompt says the file name is too long, as shown in the following figure. Then we shorten it one character at a time until we reach the length that can just be uploaded successfully.

In the end we find that the maximum length is 252, as shown in the following figure:

Next, we change the end of the file name, just before the jpg suffix, to .php and upload the file. The file uploads successfully, as shown in the following figure:

Finally, we verify whether the file is parsed normally by accessing it, so as to obtain the webshell. Accessing it shows that the webshell was successfully obtained, as shown in the following figure:
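The defensive lesson of the demo above, as an added example that is not part of the original article: a whitelist check is only meaningful if it is applied to the name that actually ends up on disk. The sketch assumes the weak application checks the suffix and then lets the name be cut at the 252-byte limit measured above; the function names, the allowlist and the 100-byte application limit are hypothetical.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allowlist
FS_NAME_LIMIT = 252    # limit measured in the article's demo
MAX_NAME_BYTES = 100   # assumed application limit, far below any filesystem limit

# Constructed sample: passes a suffix check, but is longer than FS_NAME_LIMIT.
CRAFTED = "a" * (FS_NAME_LIMIT - 4) + ".php" + ".jpg"


def naive_stored_name(client_name: str, limit: int = FS_NAME_LIMIT) -> str:
    """Assumed model of the weak pattern: the suffix is checked first, the
    name is cut to the storage limit afterwards and never checked again."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return client_name.encode("utf-8")[:limit].decode("utf-8", "ignore")


def hardened_stored_name(client_name: str) -> str:
    """Validate the client-supplied name, then discard it. The stored name
    is generated server-side, so no truncation can change its suffix."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    # Keep only the last path component, whatever separator the client used.
    base = os.path.basename(client_name.replace("\\", "/"))
    # Reject overlong names outright instead of letting anything truncate them.
    if not base or len(base.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("empty or overlong file name")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    # 32 hex characters plus the validated extension.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("naive stores   :", naive_stored_name(CRAFTED)[-8:])
    try:
        hardened_stored_name(CRAFTED)
    except ValueError as err:
        print("hardened raises:", err)
    print("hardened stores:", hardened_stored_name("holiday photo.JPG"))
```

Storing uploads outside any directory where the web server executes scripts remains necessary alongside this check.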
For other file parsing and upload techniques, refer here.