Brief introduction
A file upload vulnerability is exactly what the name says, and it can appear at any function point that allows files to be uploaded.
It means the programmer does not strictly verify and filter uploaded files, so a user can upload executable dynamic script files to the server beyond their own permissions. The uploaded file may be a Trojan, a virus, a malicious script, a WebShell and so on. This kind of attack is the most direct and effective. There is nothing wrong with "uploading files" as such; the problem is what the server does with the file after it is uploaded and how it interprets it. If the server's processing logic is not secure enough, the consequences are serious.
Practice lab recommendations
•upload-labs
•upload-labs-writeup
Vulnerability impact
1. Allows uploading script-language files that get parsed ==> getshell
2. Allows uploading html ==> XSS, CSRF, login hijacking ...
3. Allows uploading compressed archives ==> archive DoS, getshell via the extracted files
4. Allows uploading pdf ==> PDF XSS
5. Allows uploading swf ==> SWF XSS
6. Allows uploading excel, docx ==> XXE
7. ...
https://twitter.com/Eyhuss1/s...
asp, aspx, php: webshell, rce
svg: stored xss, ssrf, xxe
gif: stored xss, ssrf
csv: csv injection
xml: xxe
avi: lfi, ssrf
html, js: html injection, xss, open redirect
png: pixel flood attack, dos
zip: rce via lfi, dos
pdf: ssrf, blind xxe, stored xss
Discovery and assessment
The main process is to upload a normal image and capture the request, then work out what the back-end filtering rules are, and then analyse how those rules can be bypassed:
1. Blacklist or whitelist
2. Whether the file content is checked
3. Whether the image is rendered a second time
4. Whether parsing vulnerabilities exist
Figure source: https://github.com/c0ny1/uplo...
Bypass methods
Figure source: https://github.com/c0ny1/uplo...
Parseable suffixes
Language: parseable suffixes
asp/aspx: asp, aspx, asa, asax, ascx, ashx, asmx, cer, aSp, aSpx, aSa, aSax, aScx, aShx, aSmx, cEr
php: php, php5, php4, php3, php2, pHp, pHp5, pHp4, pHp3, pHp2, html, htm, phtml, pht, Html, Htm, pHtml
jsp: jsp, jspa, jspx, jsw, jsv, jspf, jtml, jSp, jSpx, jSpa, jSw, jSv, jSpf, jHtml
Content-Type
Common types are listed below:
File type (extensions) ==> Content-Type
Hypertext markup language (.htm, .html) ==> text/html
Plain text (.txt) ==> text/plain
RTF text (.rtf) ==> application/rtf
GIF graphics (.gif) ==> image/gif
JPEG graphics (.jpeg, .jpg) ==> image/jpeg
AU sound files (.au) ==> audio/basic
MIDI music files (.mid, .midi) ==> audio/midi, audio/x-midi
RealAudio music files (.ra, .ram) ==> audio/x-pn-realaudio
MPEG files (.mpg, .mpeg) ==> video/mpeg
AVI files (.avi) ==> video/x-msvideo
GZIP files (.gz) ==> application/x-gzip
TAR files (.tar) ==> application/x-tar
•fuzz dictionary download
File header
File magic numbers are a sequence of (hexadecimal) bytes used to identify a file type; this is what we usually call the file header. When a whitelist checks the file's magic number, we need to give our file a header that passes the check:
.jpg Value = FF D8 FF E0
.gif Value = 47 49 46 38 ==> GIF89a
.png Value = 89 50 4E 47
.html Value = 68 74 6D 6C 3E 10
.xml Value = 3C 3F 78 6D 6C
Image webshell ("picture horse")
If the suffix can be jsp, php etc. but the content must be an image, you can use an image to getshell.
Alternatively, the server parses the image as the corresponding code.
•Windows
copy 1.jpg/b+1.php/a 2.jpg
•*nix (this did not work for me)
cat file1.txt >> file2.jpg
cat file1.txt file2.jpg >> file3.jsp
Race condition
If the site's upload flow is: server receives the file -> saves it as a temporary file -> renames and moves the temporary file, you can upload and request the file continuously, so that in the window before the server has renamed and moved the temporary file, the file is opened and the malicious code executes.
Specific method: send requests concurrently, e.g. with Burp, ffuf, etc.
Secondary rendering
1. The tools used for secondary rendering may themselves have RCE and similar issues, such as ImageMagick
2. Use a hex editor to find the part of the content that is unchanged after the second rendering, then insert the code there
Double upload
As the title says: construct two uploads in the same request; the server may only verify the first upload and save the second directly.
Remediation suggestions
1. Suffix whitelist: only allow jpg, jpeg, png, gif
2. Content integrity checks
3. WAF
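One way to implement the first two suggestions on the server side, together with a safe storage name; this is an added Python example, not code from the original post. The magic-byte prefixes come from the file header section above (the JPEG prefix is generalised to FF D8 FF so Exif JPEGs also pass), and the script-marker scan is an assumed heuristic.

```python
import os
import secrets

# Whitelisted extensions (the page's list: jpg, jpeg, png, gif) mapped to the
# magic bytes a genuine file must start with. Taken from the file header list
# above; the JPEG prefix is shortened to FF D8 FF so Exif JPEGs (FF D8 FF E1)
# pass as well.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}
# Assumed heuristic: byte sequences that have no business inside a real image.
# This is a cheap tripwire only; re-encoding the image server-side is the robust fix.
SCRIPT_MARKERS = (b"<?php", b"<script", b"<%")


def validate_upload(filename, content_type, data):
    """Validate an upload and return a randomised storage name, or raise ValueError."""
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    # Only the LAST suffix counts, lower-cased, so a.jpg.pHp and a.pHp are both
    # judged on 'php' and rejected; the whitelist cannot be case-confused.
    _, dot, ext = os.path.basename(filename).rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    # Content-Type is client-controlled, so it is checked but never trusted on
    # its own; the magic bytes below must also agree with the extension.
    if content_type.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        raise ValueError(f"content type not allowed: {content_type!r}")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("magic bytes do not match extension")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise ValueError("script marker embedded in image")
    # Never store under the client-supplied name: a random name removes path
    # tricks and leaves nothing predictable to race before the rename step.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, content_type, data):
    """Convenience wrapper: True if the upload passes all checks."""
    try:
        validate_upload(filename, content_type, data)
        return True
    except ValueError:
        return False
```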
File upload fuzzing
•upload-fuzz-dic-builder
•Build high-quality fuzz dictionaries for upload vulnerabilities