Shulou(Shulou.com)06/01 Report--

0x00 what is file upload

In order for users to upload files to the site, it is like opening another door for malicious users of the crisis server. Even so, in today's modern Internet Web applications, it is a common requirement because it helps to improve business efficiency. The enterprise support portal provides users with effective file sharing among employees in the enterprise. Allows users to upload pictures, videos, avatars and many other types of files. The more functions provided to users, the greater the risk and chance of Web applications being exposed to *. The possibility that this feature will be exploited by malicious users to gain access to a particular website or compromise the server is very high.

Why is there a loophole in file upload in 0x01?

When uploading files, if the server scripting language does not strictly verify and filter the uploaded files, it is easy to upload arbitrary files, including upload script files.

If it is a normal PHP file, it does not do any harm to the server.

Like other programming languages, PHP can view the files in the directory, check the contents of the files, execute system commands, and so on.

When uploading files, if the server-side scripting language does not strictly verify and filter the uploaded files, it is possible to upload malicious PHP files, thus controlling the entire website, or even the server. This malicious PHP file, also known as WebShell.

Where are the file upload vulnerabilities in 0x02?

Improper server configuration

Upload vulnerability of open source editor

Local file upload restrictions are bypassed

Lax filtering or bypassing

File parsing vulnerability causes file execution

File path truncation

0x03 file upload instance (local test)

Hey, hey, hey? One

File information upload file:

Set the local agent to grab packets with Burp Suite. By comparison, we can see that the and in PHP correspond to packet neutralization, respectively.

Hey, two.

File information upload file:

In this code, we detect the type of file uploaded. Through the comparison in the first figure, we know that the type of file uploaded in the Http packet request header. Can we try to bypass .ok by modifying the content of the packet? now let's upload a PHP sentence *.

Looking at the returned page, we know that we have successfully bypassed the detection of the file type, and the kitchen knife is connected successfully.

Hey, hey, hey? Three (a hexadecimal truncated ctf)

Url: http://ctf4.shiyanbar.com/web/upload/

First of all, we make the above changes to the crawled data packets.

Through hexadecimal, we know that hexadecimal inserts a byte in the output, which is inserted in the right-click menu.

Ok, now we have successfully obtained flag.

Now let's talk about the implementation principle of this experiment:

1. Why add the modified file name after the file and after the packet? PHP judges the last one when judging the file suffix. In this way, our modified file name, PHP will determine that it is a .jpg file so that we can bypass the detection of the file name. two。 Why do we need to add truncation after changing the file name? Although we know that we are uploading a PHP file, if we do not truncate it, the file we upload will be saved in a format on the server, that is to say, it is an image file, and PHP will not parse the file. When we truncate, the server will truncate the later, this is our file will be saved on the server, and our sentence * * will be uploaded successfully.

Part Four

File information upload file:

Upload a normal picture.

Upload a sentence * * for bypass detection

Why can't we bypass it this time? After we truncate the file name, when the packet arrives at Apache, Apache will truncate the file name to find the suffix of the file when PHP judges, and then we failed to upload. (the above is just my understanding of upload failure, welcome to correct. Technical discussion is welcome. Students who can bypass the above methods are welcome to give advice. Thank you.)

Defense of 0x04 upload loophole

Check the suffix of the opposite file

Detect the file type

Detect the contents of the file

Set up the upload whitelist

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.