2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through several cases of bypassing file upload restrictions during penetration tests of network security vulnerabilities. Many people run into exactly this kind of dilemma in real engagements, so the editor will lead you through how these situations were handled. Read carefully and you should get something out of it.
Case one
During a penetration test on a project, the upload point was found to use a whitelist: appending an arbitrary character to the png suffix makes the upload fail. Normally this cannot be bypassed.
Looking at the API, its name is UploadImg, which suggests it exists only for image upload. Following common development habits there may be other upload endpoints (temp, test and the like), and fuzzing turned up an existing upload API named file. Uploads through the file API are still restricted, though, so that restriction has to be bypassed as well.
Because its blacklist is not strict enough, after several pseudo-suffix attempts the .cer suffix was found to pass the filter and be parsed by the server.
From there a shell was obtained and the intranet was reached; the later steps are not covered here.
Many people see a whitelisted upload and assume the upload point is secure enough that it cannot be bypassed, but that is not the case. Where there are multiple upload interfaces, some may be unrestricted or only loosely restricted. The key is how to find those interfaces, and how to bypass them when they are restricted. Here is another example of interface bypass.
Case two
The Upload_2018.php API uses whitelist upload. Normally, changing the suffix makes the upload fail, as shown below:
On further testing it turned out there were multiple upload interfaces. Removing _2018 and uploading through the upload interface allows arbitrary file upload.
When a shell was then uploaded, a WAF (a certain cloud vendor's) was found to be in the way and needed to be bypassed too.
By finding the real IP behind the domain name and uploading the file to the real IP directly, the WAF restriction was bypassed. The IP is covered in the screenshot to avoid handing anything to those who might misuse it.
Very often, for convenience, developers deploy upload interfaces with lax restrictions or none at all, so once the restrictions are bypassed and a shell is uploaded the consequences are very serious. Interfaces named temp, test and the like are worth looking for, because most of them are used for testing during development and place almost no limit on uploaded file types. Likewise, API documentation can reveal upload interfaces, and what you find there may be a pleasant surprise or an unpleasant one.
Case three
This is an upload type where the image is converted to base64. The details are as follows:
Capturing the request shows that the image is sent as base64. After examining the next packet, it turns out that any file can be uploaded by changing the content of the upload_0 field.
Visiting the HTML page shows it is parsed successfully, so a shell can then be uploaded to gain access.
In short, after uploading the shell it was found that commands could not be executed; uploading phpinfo revealed disable_functions, and a certain bypass tool was used to get around the limit and get a shell.
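The three cases above share one root cause: the server decides by file name (a blacklist with a gap, a second endpoint with no check, or a base64 field whose bytes are never inspected). The example below is added here and is not code from the article; it shows a blacklist of the kind case one bypassed next to a hardened check that requires both an allow-listed extension and matching magic bytes, and applies the same check to a base64 field like upload_0 from case three. The allow-list, blacklist and sample inputs are constructed for the example.

```python
import base64
import secrets
from typing import Optional

# Constructed allow-list for an image endpoint such as UploadImg: canonical extension -> magic bytes.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# The kind of blacklist from case one: it names the usual script suffixes but not legacy
# handler extensions such as .cer, so those slip through.
BLACKLIST = {"php", "php5", "phtml", "asp", "aspx", "jsp"}

def _ext(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def blacklist_check(filename: str) -> bool:
    """Weak check (what case one bypassed): anything not in BLACKLIST is accepted."""
    return _ext(filename) not in BLACKLIST

def whitelist_check(filename: str, data: bytes) -> Optional[str]:
    """Hardened check: the extension must be allow-listed AND the first bytes must match
    that type's signature. Returns a server-generated stored name, or None when rejected."""
    ext = _ext(filename)
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    # Never keep the client's name: random stem plus the canonical extension.
    return f"{secrets.token_hex(16)}.{ext}"

def check_base64_upload(field: str, declared_ext: str) -> Optional[str]:
    """Case three: the client sends the file as base64 in a form field (upload_0 in the article).
    Decode it and validate the bytes exactly like a multipart upload; never trust the declared type."""
    payload = field.split(",", 1)[-1]          # strip an optional data:image/...;base64, prefix
    try:
        data = base64.b64decode(payload, validate=True)
    except ValueError:                         # binascii.Error is a ValueError subclass
        return None
    return whitelist_check("upload." + declared_ext, data)

# Constructed samples: a minimal PNG header and a PHP snippet, both base64-encoded.
SAMPLE_B64_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()
SAMPLE_B64_PHP = base64.b64encode(b"<?php echo 'not an image'; ?>").decode()
```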
Case four
An nginx parsing vulnerability that was exploited a long time ago. This flaw should no longer exist, and a WAF alone can catch it; it is mentioned here only to extend the train of thought:
During a public network engagement a core system of the target was found, and reconnaissance turned up an upload function, but the upload interface is whitelist limited and there are no other upload interfaces. Since a shell on this site was important, it had to be obtained. Vulnerability mining found that the target had an nginx parsing vulnerability, which combined with the image upload point gave an intranet foothold.
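From the defender's side, the traces of cases one, two and four look alike in the web server access log: script suffixes requested under the upload directory, an image name followed by /something.php (the nginx parsing pattern), or traversal in the path. The detection below is an added example, not code from the article; it parses constructed nginx combined-format log lines and flags those patterns. The /uploads/ location and the log lines are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed nginx "combined"-format access-log lines (not from the original article).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "POST /UploadImg HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2024:10:00:09 +0000] "GET /uploads/2024/a1b2.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2024:10:00:15 +0000] "GET /uploads/2024/a1b2.png/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2024:10:01:02 +0000] "GET /uploads/2024/c3d4.cer HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [01/Jun/2024:10:01:20 +0000] "GET /uploads/../config.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/uploads/"              # assumed location of stored uploads
# Suffixes a web server must never execute from an upload directory. The legacy handler
# extensions (.cer, .asa, .cdx) are the gap the blacklist in case one left open.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|asa|cer|cdx|jsp)$", re.I)
# The nginx parsing pattern from case four: an image name followed by /anything.php.
NGINX_PATHINFO = re.compile(r"\.(png|jpe?g|gif)/[^/]*\.php$", re.I)

def suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return requests touching the upload directory that look like shell access attempts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string before matching
        if UPLOAD_DIR not in path:
            continue
        if "/../" in path or path.endswith("/.."):
            reason = "directory traversal in upload path"
        elif NGINX_PATHINFO.search(path):
            reason = "nginx pathinfo parsing pattern (image name followed by /x.php)"
        elif SCRIPT_EXT.search(path):
            reason = "executable suffix requested from upload directory"
        else:
            continue
        hits.append({"ip": m.group("ip"), "path": path,
                     "status": m.group("status"), "reason": reason})
    return hits

if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} {h["path"]}: {h["reason"]}')
```

A 200 on the pathinfo or script-suffix pattern means the server actually executed something from the upload directory and deserves an immediate look; a 403 on traversal is still worth alerting on as reconnaissance.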
Other scenarios & Summary
Sometimes when a file uploads successfully the backend does not return a path, only an id number. If the target also has an injection point, we can search for the returned id with the --search parameter of sqlmap, or with SQLShell, which may reveal the shell's address; this was covered earlier in penetration practice 23 under Swagger-UI, for those who are interested. There are also cases where the upload succeeds but only a file name is shown; not long ago we met this in an attack-and-defense exercise, and later found the full shell path by fuzzing. At other times files can be uploaded across directories, so we can use ../ to traverse; with luck, a few ../ may land the shell in the web root of the domain. If the current upload folder has no execute permission, uploading the shell across directories is also worth trying. And if the upload directory is controllable and files can be written to any directory, on Linux we can upload an SSH key for remote login; in extreme cases overwriting the passwd and shadow files to plant a system user is conceivable, but only if the permissions are high enough.
If directory traversal is not possible and the site has no injection, we can try to find website log files, such as the logs of Pan Micro E-COLOGY. Log files like this follow predictable naming rules; you can brute-force the log name with Burp, and may find the shell path inside the log file.
File inclusion and file read also help: with a file read you can find the shell address by reading logs and configuration files, though the success rate is low. As for file inclusion, apart from practice ranges and CTFs, I have not met it in real engagements.
There is also a Burp trick I have actually used: no path was echoed after uploading the shell, but the full shell path was found by searching for the shell's name in HTTP history. Uploaded files such as images are usually displayed somewhere, so first click around the web application to load more packets, then search HTTP history for the shell's name. There may be surprises.
Sometimes an upload blacklist is not strict, so pseudo-suffixes can bypass it; there is little more to say about that. This is roughly the train of thought. Bypassing the restrictions and getting a shell is always fun, and maybe that is why I like penetration testing.
That concludes "Case Analysis of File Upload Bypass Thinking in Network Security Vulnerability Penetration Testing". Thank you for reading. To learn more about the industry, follow the website; the editor will keep publishing practical articles.
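The cross-directory cases above all come from letting the client influence where the file lands. The function below is an added example, not code from the article; it resolves a client-supplied subdirectory against a fixed upload root, rejects any path that walks outside it (including backslash and NUL variants), and allows only a single allow-listed extension in the stored name so double-suffix names are refused. The upload root and allow-list are assumptions for the example.

```python
import posixpath
import re
from typing import Optional

# Constructed upload root for the example; on a real host this directory should be served
# without script execution and, where possible, kept outside the web root.
UPLOAD_ROOT = "/var/www/uploads"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]+")   # only plain names as directory segments

def safe_upload_path(client_subdir: str, stored_name: str) -> Optional[str]:
    """Return the absolute path an upload may be written to, or None if the client-supplied
    directory would escape UPLOAD_ROOT or the name carries an unexpected suffix."""
    # Treat Windows separators as separators too, and refuse NUL bytes, which truncate
    # paths in C-based runtimes and can hide a trailing suffix from the check.
    subdir = client_subdir.replace("\\", "/")
    if "\x00" in subdir or "\x00" in stored_name:
        return None
    if "/" in stored_name or stored_name in ("", ".", ".."):
        return None
    parts = stored_name.split(".")
    # Exactly one extension, allow-listed: "a.png.php" and "a.php.png" are both rejected.
    if len(parts) != 2 or not parts[0] or parts[1].lower() not in ALLOWED_EXT:
        return None
    # A leading "/" would make join() discard the root, so strip it before joining.
    joined = posixpath.normpath(posixpath.join(UPLOAD_ROOT, subdir.lstrip("/"), stored_name))
    if not joined.startswith(UPLOAD_ROOT + "/"):
        return None   # "../" sequences walked out of the upload root
    # Every directory segment below the root must be a plain name (no dots, no odd characters).
    for seg in joined[len(UPLOAD_ROOT) + 1:].split("/")[:-1]:
        if not SEGMENT_RE.fullmatch(seg):
            return None
    return joined
```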