File upload vulnerabilities are among the most frequently used in day-to-day penetration testing, because they are the fastest and most direct route to code execution on the server. Exploiting one reliably, however, is not that easy: there are many techniques and a lot of background to master. As the saying goes, know yourself and know your enemy; if you want to study how to defend against this class of flaw, you must understand how it is exploited. This article has three parts: a summary of the common ways upload validation is done, the various ways of bypassing each of them, and finally some protection suggestions. (Based on personal experience; corrections and additions are welcome.)
- Client-side verification (a JavaScript check in the browser)
- Server-side verification
  - Content-Type header field check (e.g. image/gif)
  - File content header (magic bytes) check (e.g. GIF89a)
  - Suffix (extension) blacklist check
  - Suffix (extension) whitelist check
  - Custom regular-expression check
  - WAF device check (depends on the WAF product)
How to recognise client-side verification: after you pick the file but before the upload button is clicked, a dialog pops up such as "only files with the .jpg/.jpeg/.png suffix may be uploaded", and no request has been sent to the server at that point, so the check is running in the browser.
The original post illustrated the server-side checks with a PHP snippet simulating the validation code. That code looked at the type of the uploaded file (the Content-Type reported for the file part) and returned an error if it was not an image type.
The file content header check instead reads the first bytes of the file and compares them against known signatures, usually with a regular-expression match; a GIF, for example, begins with the bytes GIF89a (or GIF87a).
- Client-side bypass (intercept and modify the request)
- Server-side bypass
  - File type (Content-Type)
  - File header
  - File suffix
  - Combined with a file inclusion vulnerability
  - Combined with a server parsing vulnerability
  - CMS and editor vulnerabilities
  - Operating system file naming rules
  - Other rules
- WAF bypass
Use Burp to intercept the request: first select a webshell saved with a .gif suffix so that the browser-side check passes, then change the suffix to asp/php/jsp in the intercepted request before forwarding it.
For the Content-Type check, intercept the request and change the Content-Type field of the file part to image/gif.
For the file header check, prefix the webshell with a valid image header so that the first bytes look like an image, roughly like this:
GIF89a<?php phpinfo(); ?>
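The following is an added example and not code from the original post: a server-side file header check of the kind described above, the GIF89a polyglot that satisfies it, and one extra check a defender can bolt on. The magic-byte table and the two sample file bodies are constructed for the demo.

```python
# Added example, not code from the original post: a server-side "file header"
# check of the kind described above, the GIF89a<?php ... ?> polyglot that
# satisfies it, and one extra check a defender can add. The magic-byte table
# and the sample file contents are constructed for this demo.

MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

# Constructed samples: a real 1x1 GIF and the polyglot from the text.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89a<?php phpinfo(); ?>"


def sniff_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def header_check(data: bytes) -> bool:
    """The check the post describes: only the first bytes are compared,
    so anything that starts with an image signature is accepted."""
    return sniff_type(data) is not None


def has_php_open_tag(data: bytes) -> bool:
    """A second check: reject the PHP open tag anywhere in the body.
    This catches the GIF89a polyglot; it does not make the header
    check itself any stronger."""
    return b"<?" in data


def accept(data: bytes) -> bool:
    """Hardened decision: both checks must pass."""
    return header_check(data) and not has_php_open_tag(data)
```

Both `REAL_GIF` and `POLYGLOT` pass `header_check`, which is exactly the weakness the bypass relies on; only `accept` tells them apart. In a real deployment the better fix is to decode and re-encode the image with an image library, which discards any trailing script, rather than to grep for tags.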
Prerequisite: blacklist verification.
Blacklist detection usually relies on a dedicated list of well-known dangerous script extensions.
(1) Look for extensions the blacklist misses, such as asa and cer.
(2) Check whether the comparison is case-sensitive, and try variants such as aSp and pHp.
Extensions that the common containers will execute:
- jsp jspx jspf
- asp asa cer aspx
- php php3 php4
Prerequisite: the content check is applied only to files whose suffix is asp/php/jsp.
Bypass (PHP example; this mainly applies to PHP):
(1) First upload a file with a .txt suffix containing the webshell; because of its suffix, its content is not inspected.
(2) Then upload a .php file containing <?php include("uploaded txt file path"); ?>
The .php file now pulls in the contents of the .txt file at runtime, so the content check is bypassed. The other include-family constructs (include_once, require, require_once) behave the same way.
Details: [File inclusion vulnerabilities (bypass techniques)](http://thief.one/2017/04/10/2/)
(1) Upload a filename that violates the Windows naming rules.
Windows strips the trailing characters that break the rules (trailing dots and spaces) when the file is created, so a name such as shell.php. passes a blacklist that compares the raw name but is stored as shell.php.
(2) Suffix case under Linux.
Under Linux, if a .php upload is rejected, try a mixed-case suffix such as .pHp: the blacklist comparison may be case-sensitive while Apache's extension-to-handler mapping (mod_mime) is not, so the file is still executed.
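As an added example (not code from the original post), here is a suffix blacklist of the kind discussed in the blacklist section, the three ways it is beaten (an extension the list misses, mixed case, and the Windows name normalisation described just above), and a whitelist check that normalises the name before deciding. The lists and test filenames are constructed for the demo.

```python
# Added example, not code from the original post: a suffix blacklist of the
# kind described above, the three ways it is beaten (an extension the list
# misses, mixed case, and Windows stripping trailing dots/spaces or the
# ::$DATA stream suffix before the file is stored), and a whitelist check
# that normalises the name first. Lists and filenames are constructed here.

BLACKLIST = {".asp", ".aspx", ".php", ".jsp"}        # an incomplete, case-sensitive list
PARSEABLE = {".jsp", ".jspx", ".jspf", ".asp", ".asa", ".cer", ".aspx",
             ".php", ".php3", ".php4"}                # the extensions listed in the text
WHITELIST = {".jpg", ".jpeg", ".png", ".gif"}


def ext_of(name: str) -> str:
    """Naive suffix extraction: everything after the last dot, case kept."""
    return name[name.rfind("."):] if "." in name else ""


def blacklist_check(name: str) -> bool:
    """Weak check: reject only exact, case-sensitive matches on the raw name."""
    return ext_of(name) not in BLACKLIST


def windows_normalize(name: str) -> str:
    """What Win32/NTFS actually stores: 'name::$DATA' is the default stream of
    'name', and trailing spaces and dots are dropped when the file is created."""
    if name.endswith("::$DATA"):
        name = name[:-len("::$DATA")]
    return name.rstrip(". ")


def whitelist_check(name: str) -> bool:
    """Hardened check: normalise as the OS will, lower-case, then allow-list."""
    return ext_of(windows_normalize(name)).lower() in WHITELIST


def beats_blacklist(name: str) -> bool:
    """True when the blacklist accepts the name but the stored file is executable."""
    stored_ext = ext_of(windows_normalize(name)).lower()
    return blacklist_check(name) and stored_ext in PARSEABLE


# Constructed test names: one per bypass from the text, plus a legitimate image.
SAMPLES = ["shell.asa", "shell.pHp", "shell.php.", "shell.php::$DATA", "cat.jpg"]
```

Every name in `SAMPLES` except `cat.jpg` gets through `blacklist_check` and ends up stored with an executable extension; the same names all fail `whitelist_check`, because it compares the name the operating system will actually write, lower-cased, against an allow-list.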
(1) CMS vulnerabilities: upload flaws in specific CMS products, JCMS for example, can be used to bypass the checks.
(2) Editor vulnerabilities: flaws in rich-text editors such as FCKeditor and eWebEditor can likewise be used.
Both of these are documented separately and are only summarised here.
(1) 0x00 truncation: a flaw in how the upload path is assembled; it usually appears when a user-controlled directory is concatenated with the uploaded filename.
Path /upload/1.php(0x00), filename 1.jpg; concatenated: /upload/1.php(0x00)/1.jpg. The extension check sees 1.jpg, but the C-level file API stops at the NUL byte, so the file is written to /upload/1.php. (The original post illustrated this with a pseudocode demo.)
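The following added example (not the original post's pseudocode) simulates the truncation in Python. The toy server builds the save path from a client-controlled directory plus the uploaded filename and hands it to a C-style API that stops at the first NUL byte, as PHP before 5.3.4 did; the directory and filename are the values from the text, and the hardened variant's upload root is a constructed path.

```python
# Added example, not code from the original post: the 0x00 truncation
# described above, simulated in Python. The "server" below builds the save
# path from a client-controlled directory plus the uploaded filename and then
# hands it to a C-style API that stops at the first NUL byte (as PHP before
# 5.3.4 did). The directory and filename values are the ones from the text;
# UPLOAD_ROOT is a constructed path for the hardened version.
import posixpath

NUL = "\x00"
ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")
UPLOAD_ROOT = "/var/www/html/upload"       # fixed root used by the hardened version


def c_string(s: str) -> str:
    """What a C filesystem call sees: the characters up to the first NUL."""
    return s.split(NUL, 1)[0]


def vulnerable_save(upload_dir: str, filename: str) -> str:
    """Checks the extension of the *filename*, joins it to the client-chosen
    directory, and returns the path the C layer would actually create."""
    if not filename.lower().endswith(ALLOWED_EXT):
        raise ValueError("only images are allowed")
    full_path = upload_dir.rstrip("/") + "/" + filename
    return c_string(full_path)


def hardened_save(upload_dir: str, filename: str) -> str:
    """Rejects NUL bytes, ignores the client directory, keeps only the base
    name, and checks the extension of the path that will really be written."""
    if NUL in upload_dir or NUL in filename:
        raise ValueError("NUL byte in path")
    base = posixpath.basename(filename)        # drops any ../ the client sent
    full_path = posixpath.join(UPLOAD_ROOT, base)
    if not full_path.lower().endswith(ALLOWED_EXT):
        raise ValueError("only images are allowed")
    return full_path


def hardened_rejects(upload_dir: str, filename: str) -> bool:
    """Helper for checking the hardened version: True if it refuses the input."""
    try:
        hardened_save(upload_dir, filename)
    except ValueError:
        return True
    return False
```

With the inputs from the text, `vulnerable_save` reports that the extension check passed and then returns `/upload/1.php`, which is where the webshell would land. The hardened version fails closed on the NUL byte, never lets the client pick the directory, and checks the extension of the final path rather than of the submitted filename.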
To avoid hurting web server performance, some host-based WAF products cap the amount of request data they inspect, for example at 1 MB. In that case construct a large upload: the first 1 MB of the file is junk, and the real webshell follows it, so the WAF never reaches the content it would block.
The junk can also be placed at the very start of the request body, so that the filename itself falls outside the inspected window and the filename check is bypassed as well.
Junk data can also be appended after a Content-Disposition parameter; an over-long parameter value may make the WAF's detection fail.
For earlier versions of the Safedog WAF, adding a second filename parameter works,
as does moving the filename parameter to a different position; under IIS 6.0 the part headers can be rewritten with the filename placed elsewhere.
Some WAF rules only inspect the body when the request method is POST.
In that case capture the upload request and change POST to GET.
Against a WAF, the server parsing vulnerabilities and file inclusion vulnerabilities described above can also be tried.
2017.2.6 update
Two more tricks against the Content-Type line of the file part: the first is to delete the whole Content-Type line; the second is to delete the characters after the C, i.e. remove "ontent-Type: image/jpeg" so that only C remains, and append .php to that C. Mind the quoting: the closing double quote must follow C.php.
Content-Type: multipart/form-data; boundary=---------------------------4714631421141173021852555099
Try adding a space, or another character the container tolerates, after the boundary value:
The boundary in the Content-Type header and the boundary in the body are normally identical for every upload.
If the container is not strict when parsing, a mismatch between the two boundaries can make the WAF treat the body as meaningless data while the container still processes the file:
(Environment: Win2k3 + IIS 6.0 + ASP)
When a part carries several Content-Disposition headers, IIS takes the first one as the receiving parameter; if the WAF takes the last one, the check is bypassed. (Environment: Win2k8 + IIS 7.0 + PHP)
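The inspection-size cap from the WAF section and the first-versus-last Content-Disposition discrepancy just described are both parser-differential problems. The following added example (not code from the original post) simulates them with a toy WAF and a toy container: the WAF regex-scans only the first `INSPECT_LIMIT` bytes and keeps the last filename match, while the container splits on the declared boundary and keeps the first Content-Disposition of each part. `INSPECT_LIMIT`, the boundary value and the request bodies are constructed for the demo; a real cap would be far larger than 1 KB.

```python
# Added example, not code from the original post: the multipart-parsing gaps
# described above (an inspection size cap, and a WAF that reads the last
# Content-Disposition while the container reads the first), simulated with a
# toy WAF and a toy container. INSPECT_LIMIT, the boundary value and the
# request bodies are constructed for this demo.
import re

CRLF = b"\r\n"
INSPECT_LIMIT = 1024          # constructed stand-in for a real WAF's much larger cap
BOUNDARY = "---------------------------4714631421141173021852555099"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
FILENAME_RE = re.compile(rb'filename="([^"]*)"')

FILE_PART = (['Content-Disposition: form-data; name="file"; filename="shell.php"',
              'Content-Type: image/jpeg'],
             b"<?php phpinfo(); ?>")


def build_body(boundary: str, parts) -> bytes:
    """Assemble a multipart/form-data body from (header_lines, data) pairs."""
    out = b""
    for headers, data in parts:
        out += b"--" + boundary.encode() + CRLF
        for line in headers:
            out += line.encode() + CRLF
        out += CRLF + data + CRLF
    return out + b"--" + boundary.encode() + b"--" + CRLF


def waf_filename(body: bytes):
    """Toy WAF: regex over only the first INSPECT_LIMIT bytes, last match wins."""
    found = FILENAME_RE.findall(body[:INSPECT_LIMIT])
    return found[-1].decode() if found else None


def container_parts(content_type: str, body: bytes):
    """Toy container: split on the boundary declared in the Content-Type header."""
    delim = b"--" + content_type.split("boundary=", 1)[1].encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, data = chunk.partition(CRLF + CRLF)
        headers = [h for h in head.split(CRLF) if h]
        parts.append((headers, data[:-len(CRLF)] if data.endswith(CRLF) else data))
    return parts


def container_filename(content_type: str, body: bytes):
    """IIS-style behaviour from the text: the FIRST Content-Disposition of the
    first file part decides the name under which the file is stored."""
    for headers, _ in container_parts(content_type, body):
        for line in headers:
            if line.lower().startswith(b"content-disposition"):
                match = FILENAME_RE.search(line)
                if match:
                    return match.group(1).decode()
                break                        # a plain form field, not a file
    return None


def normal_request() -> bytes:
    return build_body(BOUNDARY, [FILE_PART])


def padded_request() -> bytes:
    """Junk form field first, so the file part lies beyond the WAF's window."""
    junk = (['Content-Disposition: form-data; name="junk"'], b"A" * (2 * INSPECT_LIMIT))
    return build_body(BOUNDARY, [junk, FILE_PART])


def duplicate_disposition_request() -> bytes:
    """Two Content-Disposition lines in one part: the container keeps the
    first (shell.php), a last-match WAF sees only safe.jpg."""
    headers = [FILE_PART[0][0],
               'Content-Disposition: form-data; name="file"; filename="safe.jpg"',
               'Content-Type: image/jpeg']
    return build_body(BOUNDARY, [(headers, FILE_PART[1])])
```

On the plain request both sides agree on `shell.php`. On the padded request the WAF finds no filename at all inside its window, and on the duplicate-header request it reports `safe.jpg`, while the container stores `shell.php` in both cases. The fix on the WAF side is to parse the body with the same rules as the container (full body, declared boundary, first header wins), not to pattern-match a prefix.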
ADS (alternate data streams) is a feature of the NTFS file system. If the WAF does not match the filename in the request body correctly, uploading a name that addresses a stream, such as shell.php::$DATA, can bypass it, and NTFS writes that data to shell.php.
If the web application renames the uploaded file but keeps the extension, try constructing names with extra dots, symbols, and so on.
Use non-alphanumeric characters in the filename, such as Chinese characters, and make the name as long as possible; if that alone does not work, combine it with the other tricks, for example:
Shell.asp; followed by a long run of repeated Chinese characters (the original used the character 王 several dozen times) and then .jpg
For JCMS, change file1 in the request to file4 and the uploaded file is no longer deleted (JCMS vulnerability).
- Server-side whitelist check of the file extension.
- Server-side check of the file content.
- Rename the uploaded file.
- Do not disclose the path of the uploaded file.
These measures stop most upload vulnerabilities, but the server container must be considered as well: if a parsing vulnerability still exists, there is no absolute security.
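As an added example (not code from the original post), here is a small upload handler that applies the four suggestions above together: the allowed extension is tied to the detected content, the stored name is random, the file lives in a directory that is not under the web root, and the client only ever receives an opaque id. Paths, the allow-list and the sample image are constructed for the demo.

```python
# Added example, not code from the original post: an upload handler that
# applies the four suggestions above together. Paths, the allow-list and the
# sample files are constructed for the demo; the magic-byte table is the
# usual GIF/PNG/JPEG signature set.
import os
import secrets
import tempfile

# Detected content type -> the only extensions a client may claim, and the
# extension the stored copy gets (derived from the content, not the client).
SIGNATURES = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
CLAIMABLE = {"gif": {".gif"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"}}
STORED_EXT = {"gif": ".gif", "png": ".png", "jpeg": ".jpg"}

# Constructed sample: a real 1x1 GIF.
GOOD_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def detect(data: bytes):
    """Content type from the leading bytes, or None if it is not an allowed image."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


class UploadStore:
    """Stores files under a directory outside the web root and hands the
    client an opaque id instead of a path."""

    def __init__(self, root: str):
        self.root = root
        self._index = {}          # id -> path on disk; never sent to the client

    def save(self, client_name: str, data: bytes) -> str:
        kind = detect(data)
        if kind is None:
            raise ValueError("content is not an allowed image type")
        claimed = os.path.splitext(os.path.basename(client_name))[1].lower()
        if claimed not in CLAIMABLE[kind]:         # whitelist, tied to the content
            raise ValueError("extension does not match content")
        if b"<?" in data:                          # GIF89a<?php ... ?> polyglots
            raise ValueError("script marker in image data")
        file_id = secrets.token_hex(16)            # rename: nothing of the client name survives
        path = os.path.join(self.root, file_id + STORED_EXT[kind])
        with open(path, "wb") as fh:
            fh.write(data)
        self._index[file_id] = path
        return file_id

    def save_or_none(self, client_name: str, data: bytes):
        """Same as save(), returning None instead of raising on rejection."""
        try:
            return self.save(client_name, data)
        except ValueError:
            return None

    def stored_path(self, file_id: str):
        """Server-side lookup; the web layer streams the file from here by id."""
        return self._index.get(file_id)

    def stored_name(self, file_id: str):
        path = self._index.get(file_id)
        return os.path.basename(path) if path else None


def new_store() -> UploadStore:
    """Fresh store in a temporary directory (stand-in for a dir outside the web root)."""
    return UploadStore(tempfile.mkdtemp(prefix="uploads-"))
```

A webshell with a .php name, a GIF89a polyglot with a .gif name, and a genuine GIF uploaded under a .php or .jpg name are all refused; a genuine GIF under a .gif name is stored as `<32 hex chars>.gif` and the caller gets back only the id. Serving the file by id through the application, rather than exposing the upload directory, is what makes the last suggestion (hiding the path) hold even if a container parsing flaw exists.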
- There is also an article by an expert covering the tooling side of this; the URL is not available at the moment.
- [File inclusion vulnerabilities (bypass techniques)](http://thief.one/2017/04/10/2/)