2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many customer websites and apps undergo penetration testing before going live, to find out in advance whether the site has vulnerabilities and security risks and to avoid the serious financial losses a vulnerability can cause. When a customer engages our SINE Security penetration testing service, we run a comprehensive security test of the file upload function: whether the file-format check can be bypassed to upload script files such as php, jsp, war or aspx, whether the upload directory can be bypassed so that the file lands directly in the web root, and so on.
So what is a file upload vulnerability? SINE Security explains: put simply, file upload lets users send files to a website or app. Most sites only allow image and document formats. The point of the penetration test is to check whether the upload function has a vulnerability: whether the program source code securely validates the data POSTed to it and checks the file suffix. Some customer sites perform no security validation at all, so a webshell (a website Trojan, also called a backdoor) can be uploaded straight to the site.
When the file upload function is vulnerable, the uploaded website Trojan file can be executed directly. The webshell can then read and modify the site's code, upload, download and edit files, operate on the database, and execute malicious remote code on the server, which amounts to administrator authority over the site. The harm is considerable: it can lead to disclosure of user data and tampering with the database.
Based on our years of penetration testing experience at SINE Security, the places where file upload vulnerabilities appear in customer websites are summarized as follows:
1. Member profile picture upload
2. Document upload
3. Feedback submission with screenshot upload
4. Image upload when adding articles
5. Image upload in the message function
Types of upload vulnerabilities: file extension bypass, file parsing vulnerabilities, Content-Type bypass, file name case bypass, file header bypass, and JS front-end bypass. Among the many customers in our SINE Security penetration tests, JS front-end bypass is the most frequent: many programmers only perform security verification in the front-end JS when designing the code, and there is no security validation on the back end, so the suffix can simply be changed and a script file uploaded. Let's take an example:
First, the upload function is open in the public-facing part of the site, and any registered member can use it; here a user can choose any picture to upload. By capturing the POST request (see the packet screenshot), modifying the filename value in the captured data, and changing the extension to jsp or php, the file can be uploaded straight to the website.
The way to fix a file upload vulnerability found in penetration testing is to set a whitelist of upload formats, allowing jpg, png, gif and so on; if the suffix is not one of those three, return an upload failure immediately. Then perform security verification in the file-handling code, not only in JS but also on the back end, and lock down the upload directory: specify the upload directory address, remove script execution permission from the image folder, and prevent webshell files from running as JSP, PHP or ASP scripts. If you want to know whether your website's upload function has vulnerabilities, you can engage a professional penetration testing company; domestically, SINE Security, Qiming Star and Green Alliance are all good security companies. Before launching a website, be sure to do penetration testing to find and repair its vulnerabilities in advance, so that the platform can develop in an orderly way later and the business is not shut down because of a vulnerability.
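The back-end checks described above (whitelist of jpg/png/gif, case-insensitive suffix, Content-Type and file-header verification, a fixed non-executable upload directory), written out as an added Python example; this is not code from the article or from SINE Security, and the magic-byte table, the random storage name and the `save_upload` helper are assumptions of this example.

```python
import os
import secrets

# Whitelist from the article, mapped to the signature each format starts with
# (assumed file-header check) and the Content-Type a browser sends for it.
ALLOWED = {
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}


class UploadRejected(ValueError):
    """Raised for any upload that fails a server-side check."""


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Server-side validation of an image upload; returns a safe storage name.

    Runs regardless of what the front-end JS or the client-supplied
    Content-Type header claims, since both are under the uploader's control.
    """
    # Drop any client-supplied path and reject null bytes / stray whitespace.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or base != base.strip():
        raise UploadRejected("bad filename")
    # Only the last suffix counts, compared in lower case so JPG/Jpg/.PhP
    # tricks cannot get past the whitelist.
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not in whitelist")
    signatures, expected_ct = ALLOWED[ext]
    if content_type.lower() != expected_ct:
        raise UploadRejected("content-type does not match extension")
    # File-header check: the bytes must begin with a signature of the format.
    if not any(data.startswith(sig) for sig in signatures):
        raise UploadRejected("file header does not match extension")
    # Never reuse the user's name: random stem plus the whitelisted extension.
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(upload_dir: str, name: str, data: bytes) -> str:
    """Write into the fixed upload directory, which the web server should
    serve without script execution (or keep outside the web root)."""
    path = os.path.join(upload_dir, name)
    # O_EXCL: never overwrite; 0o644: the stored file is not executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```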