
PHP Security Attack and Defense Course: File Upload Vulnerabilities and Bypass Techniques

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article introduces the file upload vulnerability chapter of the PHP security attack and defense course and the bypass techniques that go with it. Many people have questions about this topic in daily work, so the editor consulted a range of materials and organised them into simple, practical methods. Hopefully this tutorial on PHP file upload vulnerabilities and bypass techniques will be helpful; please follow along below.

Preface

File upload vulnerabilities mostly appear wherever files can be uploaded, such as user profile photos or document uploads. The vulnerability is very harmful: through file upload an attacker can upload a webshell and getshell, obtaining a system shell that can execute arbitrary commands. It also provides a good foothold for subsequently uploading a larger Trojan and escalating privileges.

Some scenarios of file upload vulnerabilities

Next, several WAF filtering scenarios for file upload vulnerabilities are described, together with how each is bypassed and exploited.

Scenario 1: front-end JS code whitelists the .jpg | .png | .gif suffixes

In this scenario, the defensive posture is to check the uploaded file's suffix in JS code. Files whose suffix is not one of .jpg | .png | .gif are not sent to the backend.

Bypass method:

Rename the file containing the one-line Trojan (webshell) to xxx.jpg | png | gif, intercept the upload request with BurpSuite, and change the file suffix inside the request to php | jsp or another script extension. After a successful upload, accessing the file's path gives a shell.

Scenario 2: the backend PHP code checks the Content-Type field

In this scenario, the defensive posture is to check the Content-Type field of the file upload request. If it is not image/jpeg, the upload is rejected.

Bypass method:

Intercept the request that uploads the one-line Trojan file and add or modify the Content-Type field to image/jpeg.

Scenario 3: the backend code blacklists the .asp | .aspx | .php | .jsp suffixes

In this scenario, the defensive posture is to check the uploaded file's suffix in backend code. If the suffix is .asp | .aspx | .php | .jsp, the upload is rejected.

Bypass method:

When the Apache configuration file httpd.conf contains the following directive:

AddType application/x-httpd-php .php .phtml .phps .php5 .pht

Explanation: files with suffixes such as .phtml | .phps | .php5 | .pht can be uploaded, and Apache parses all of them as PHP, exactly like a .php file. So you can try uploading a file such as xxx.php5 to bypass the blacklist.

About the AddType directive:

Purpose: establish a mapping between a given file extension and a specific content type.

Syntax: AddType MIME-type extension [extension]...

The AddType directive maps one or more file extensions to a MIME type; MIME-type is the media type assigned to files that carry one of the listed extensions. AddType works with the type table and describes the relationship between an extension and a file type.

Scenario 4: backend extension blacklist

In this scenario, the defensive posture is to check the uploaded file's suffix in backend code against a long blacklist, for example .php | .php5 | .php4 | .php2 | .php1 | .html | .pht | .PHp5 | .pHp4 | .pHp3 | .pHp2 | .Html | .Htm | .pHtml | .jspa | .jspx | .jsw | .jsv | .jspf | .jSp | .jspx | .jSpa | .jSw | .jSv | .jspf | .asp | .aspx | .asa | .asax | .ascx | .ashx | .asmx | .swf and similar variants.

Bypass method (.htaccess):

Use a .htaccess file to bypass the blacklist.

Purpose of the .htaccess file:

The .htaccess file is a per-directory configuration file on the Apache server that configures the web pages in that directory and its subdirectories. Through .htaccess you can implement 301 redirects, custom error pages, changed file extension handling, allowing or blocking access for specific users or directories, disabling directory listings, configuring default documents, and other functions that do not exist on the IIS platform; it lets you enable or override settings from httpd.conf without editing httpd.conf itself.

Conditions for using a .htaccess file:

The mod_rewrite module is enabled, and AllowOverride All is set.

Construct the .htaccess file with the following contents:

AddType application/x-httpd-php .jpg

This directive makes files whose name ends in .jpg be parsed as PHP, which makes them executable. So we can change the suffix of the PHP file to be uploaded to .jpg to bypass the blacklist.

Bypass method (case):

If the blacklist comparison is case-sensitive, it can be bypassed by changing the .php suffix to .PhP | .PHP.

Scenario 5: some compound checks

In this scenario, besides the basic blacklist / whitelist, the defensive posture also restricts specific characters; such cases are found by fuzzing or by code audit.

Space and dot bypass (Windows)

When the backend code does not strip leading and trailing spaces and dots from the file name (for example when it splits off the extension), the naming rules of Windows can be used to bypass it: change the file suffix to xxx.php[space], xxx.php., or xxx.php. .

Under Windows, file names such as xx.jpg[space] or xx.jpg. are not allowed; if a file is named that way, Windows removes the trailing spaces or dots by default.

For example, if the code removes a trailing dot only once and strips leading and trailing spaces only once, xxx.php. . can be used to bypass it in a Windows environment.

::$DATA bypass (Windows)

The ::$DATA bypass also takes advantage of a Windows feature.

The NTFS file system supports alternate data streams. This is not a well-known feature; it mainly exists to provide compatibility with files from the Macintosh file system. Alternate data streams allow a file to contain multiple data streams; every file has at least one data stream, and in Windows this default data stream is called ::$DATA.

That is, in a PHP + Windows environment, if ::$DATA is appended to the uploaded file name, the part after ::$DATA is treated as a stream name, the suffix check does not see it, and the file is stored under the name that precedes ::$DATA.

Double write bypass

When the defensive code replaces certain suffixes with the empty string (for example, str_ireplace is used to replace suffixes such as .php | .jsp with nothing), you can double-write the suffix, that is, change php to pphphp: after the inner php is removed, the remaining characters still spell php.

Truncation

The 00 truncation bypass needs to meet the following conditions:

PHP version lower than 5.3.4, magic_quotes_gpc set to OFF in php.ini, and the move_uploaded_file function used with parameters controlled by the user.

Under these conditions, the move_uploaded_file function truncates the path when it encounters 0x00.

You can change the uploaded file name to xx.php followed by a 0x00 byte to bypass the check.

0a Bypass

The %0a bypass needs to meet the following conditions:

Apache httpd 2.4.0 to 2.4.29, with a FilesMatch regular expression matching suffixes such as .php | .php5.

These Apache versions match the suffix with $, and $ in a regular expression matches at the end of the string or before a trailing newline character, so php[newline] is matched as php.

You can change the suffix of the uploaded file to xx.php%0a to bypass the check.
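As an added defensive example (not code from the article), the following PHP function replaces the blacklist with an allowlist and rejects each of the name tricks described above (case variants, trailing dots and spaces, ::$DATA, double-written suffixes, 0x00 and %0a); ALLOWED_EXT and the sample names are assumptions constructed here.

```php
<?php
// Added defensive example, not code from the article. ALLOWED_EXT and the
// sample names below are assumptions constructed for this demonstration.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Allowlist check of a client-supplied file name.
// Returns ['ok' => bool, 'reason' => string, 'ext' => ?string].
function check_upload_name(string $name): array
{
    $reject = fn(string $why) => ['ok' => false, 'reason' => $why, 'ext' => null];
    // 0x00 (00 truncation) and \n (%0a) are control characters: reject up front.
    // This must come before the regex below, because PCRE's $ also matches
    // just before a final newline, exactly the behaviour the %0a trick abuses.
    if (preg_match('/[\x00-\x1f]/', $name)) {
        return $reject('control character in name');
    }
    // Must be a bare file name, not a path.
    if (strpbrk($name, "/\\") !== false) {
        return $reject('path separator in name');
    }
    // NTFS alternate data stream syntax such as shell.php::$DATA.
    if (strpos($name, ':') !== false) {
        return $reject('colon / ::$DATA syntax in name');
    }
    // rtrim strips every trailing dot and space, so "x.php. ." cannot survive
    // the way it does when a check removes only one of them.
    if (rtrim($name, " .") !== $name) {
        return $reject('trailing dot or space');
    }
    // Exactly one dot: rules out shell.php.jpg (multi-extension parsing) and
    // dotfiles such as .htaccess. Extension is lower-cased, so .PhP cannot pass.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,6})$/', $name, $m)) {
        return $reject('name is not base.ext');
    }
    $ext = strtolower($m[1]);
    // Allowlist, not blacklist: .php5, .phtml, .pht and pphphp are simply absent.
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return $reject("extension .$ext not allowed");
    }
    return ['ok' => true, 'reason' => '', 'ext' => $ext];
}

// Constructed sample names, one per trick discussed in the article.
foreach (["avatar.jpg", "shell.PhP", "shell.php. .", "shell.php::\$DATA",
          "shell.php\0.jpg", "shell.php\n", "shell.php.jpg", ".htaccess",
          "shell.pphphp"] as $n) {
    $r = check_upload_name($n);
    printf("%-20s %s %s\n", addcslashes($n, "\0..\37"), $r['ok'] ? 'OK' : 'REJECT', $r['reason']);
}
```

Only avatar.jpg is accepted; the server should then store the file under a random name it generates itself rather than under the client's name.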

Image horse bypass

Windows cmd command to make an image horse:

copy 1.jpg /b + shell.php /a shell.jpg

Or use another image horse generator.

Secondary rendering bypass

After checking the image format, the server re-renders the image with an image library (secondary rendering).

Bypass method:

Compare the uploaded image with the re-rendered one, find the region that the secondary rendering leaves unchanged, and insert the one-line Trojan there. The .jpg | .png | .gif formats differ, so the way the horse is constructed differs too.

Note: gif files are the simplest and can be edited directly with a hex editor such as UE, but jpg and png require specially constructed scripts.

First upload a normal jpg image, then save the image as re-rendered by the server.

Use the server-rendered jpg image as input to the construction script to generate payload.jpg.

Then upload payload.jpg.

Race condition

When the upload logic is: first move_uploaded_file saves the uploaded file, then the check is made, and if the file is not in the whitelist it is deleted with unlink, otherwise it is renamed with rename, there is a race condition between the save and the deletion.

Bypass method:

Open two Intruder modules in Burp, one that uploads repeatedly and one that requests the uploaded path repeatedly. Some request will return the execution result.

/. bypass

When the parameters of the move_uploaded_file function are controllable, you can try the /. bypass, because the function ignores a trailing /. in the destination path. You can construct save_path=1.php/., so that the extracted file_ext value is empty and passes the blacklist, while move_uploaded_file drops the trailing /. and saves the file as a .php file.
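As an added defensive counterpart to the race-condition, /. and image-content sections above (not code from the article), here is an upload handler that validates and re-encodes the file in PHP's temporary location and moves nothing until it passes; PHP 8 with the GD and fileinfo extensions, and the UPLOAD_DIR path, are assumptions.

```php
<?php
// Added defensive example, not code from the article. Assumes PHP 8 with the
// GD and fileinfo extensions, and that UPLOAD_DIR (assumed path) is outside
// the web root, so nothing stored there is ever parsed by Apache.

const UPLOAD_DIR = '/var/app/uploads';

/**
 * $file is one $_FILES entry; $ext is the extension returned by an allowlist
 * check of the name (jpg, jpeg, png or gif). Returns the stored path or null.
 * All checks run on PHP's temp copy; nothing is moved before it passes, so
 * there is no unlink() window to race, and the destination path contains no
 * client input, so a save_path=1.php/. style trick has nothing to reach.
 */
function store_image(array $file, string $ext): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Magic bytes via fileinfo must agree with the extension; the client's
    //    Content-Type header is never consulted, since it is attacker-controlled.
    $mimeByExt = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                  'png' => 'image/png', 'gif' => 'image/gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (!isset($mimeByExt[$ext]) || $finfo->file($file['tmp_name']) !== $mimeByExt[$ext]) {
        return null;
    }
    // 2. Decode and re-encode with GD (the "secondary rendering" the article
    //    describes): a copy /b image horse loses its appended PHP because only
    //    pixel data survives the round trip.
    $img = match ($ext) {
        'jpg', 'jpeg' => @imagecreatefromjpeg($file['tmp_name']),
        'png'         => @imagecreatefrompng($file['tmp_name']),
        'gif'         => @imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        return null;
    }
    // 3. Random server-side name; the client name is never used for the path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($img, $dest, 85),
        'png'         => imagepng($img, $dest),
        'gif'         => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $dest : null;
}
```

If the upload directory must be web-served, giving it AllowOverride None and no PHP handler in httpd.conf makes the .htaccess and AddType tricks inert even when a name check is later bypassed.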

This concludes the study of the PHP security attack and defense file upload vulnerabilities and bypass techniques tutorial. Hopefully it has resolved your doubts; combining theory with practice is the best way to learn, so go and try it! To keep learning related knowledge, please continue to follow the website; the editor will keep working to bring you more practical articles.
