In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-05 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
0x00 what is file upload
In order for users to upload files to the site, it is like opening another door for malicious users of the crisis server. Even so, in today's modern Internet Web applications, it is a common requirement because it helps to improve business efficiency. The enterprise support portal provides users with effective file sharing among employees in the enterprise. Allows users to upload pictures, videos, avatars and many other types of files. The more functions provided to users, the greater the risk and chance of Web applications being exposed to *. The possibility that this feature will be exploited by malicious users to gain access to a particular website or compromise the server is very high.
Why is there a loophole in file upload in 0x01?
When uploading files, if the server scripting language does not strictly verify and filter the uploaded files, it is easy to upload arbitrary files, including upload script files.
If it is a normal PHP file, it does not do any harm to the server.
Like other programming languages, PHP can view the files in the directory, check the contents of the files, execute system commands, and so on.
When uploading files, if the server-side scripting language does not strictly verify and filter the uploaded files, it is possible to upload malicious PHP files, thus controlling the entire website, or even the server. This malicious PHP file, also known as WebShell.
Where are the file upload vulnerabilities in 0x02?
Improper server configuration
Upload vulnerability of open source editor
Local file upload restrictions are bypassed
Lax filtering or bypassing
File parsing vulnerability causes file execution
File path truncation
0x03 file upload instance (local test)
Hey, hey, hey? One
File information upload file:
Set the local agent to grab packets with Burp Suite. By comparison, we can see that the and in PHP correspond to packet neutralization, respectively.
Hey, two.
File information upload file:
In this code, we detect the type of file uploaded. Through the comparison in the first figure, we know that the type of file uploaded in the Http packet request header. Can we try to bypass .ok by modifying the content of the packet? now let's upload a PHP sentence *.
Looking at the returned page, we know that we have successfully bypassed the detection of the file type, and the kitchen knife is connected successfully.
Hey, hey, hey? Three (a hexadecimal truncated ctf)
Url: http://ctf4.shiyanbar.com/web/upload/
First of all, we make the above changes to the crawled data packets.
Through hexadecimal, we know that hexadecimal inserts a byte in the output, which is inserted in the right-click menu.
Ok, now we have successfully obtained flag.
Now let's talk about the implementation principle of this experiment:
1. Why add the modified file name after the file and after the packet? PHP judges the last one when judging the file suffix. In this way, our modified file name, PHP will determine that it is a .jpg file so that we can bypass the detection of the file name. two。 Why do we need to add truncation after changing the file name? Although we know that we are uploading a PHP file, if we do not truncate it, the file we upload will be saved in a format on the server, that is to say, it is an image file, and PHP will not parse the file. When we truncate, the server will truncate the later, this is our file will be saved on the server, and our sentence * * will be uploaded successfully.
Part Four
File information upload file:
Upload a normal picture.
Upload a sentence * * for bypass detection
Why can't we bypass it this time? After we truncate the file name, when the packet arrives at Apache, Apache will truncate the file name to find the suffix of the file when PHP judges, and then we failed to upload. (the above is just my understanding of upload failure, welcome to correct. Technical discussion is welcome. Students who can bypass the above methods are welcome to give advice. Thank you.)
Defense of 0x04 upload loophole
Check the suffix of the opposite file
Detect the file type
Detect the contents of the file
Set up the upload whitelist
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.