File upload vulnerability ——upload-labs（1~2）

The user uploaded a pointing script file , And through this script, you get the ability to execute server-side commands

In everyday life , We often upload various files , But if there is no restriction on the upload type or the restriction is not strict , An attacker may upload an executable file or web script （ Cause file upload vulnerability ）, Cause the website to be controlled or even fall

Harm caused by file upload vulnerability ：

• Make hackers hang black chains on your website
• Hang a malicious Trojan （ Automatically pop up advertisements , Brush Click ） Or mining
• Cause file data leakage

The premise of file upload vulnerability

1. The website upload function can be used normally
2. File types allow uploading such as ：php asp In a word, the Trojan horse can enter the interior
3. The upload path can be determined
4. Files can be accessed , Can be executed or included

Therefore, we can start from the following three points to prevent loopholes

such as ：

According to the second point, we can prohibit users from uploading php asp that will do ,

for instance , If users want to upload avatars , We can only let users upload jpg png gif jpeg The format of （ White list ） Filter at the front , Check the format of user's Avatar

We should try to check in advance , The workload of the back-end can be greatly reduced

Upload vulnerability basic process ：

1. Whether the pictures can be uploaded normally
2. Whether the uploaded content of the picture is infected （ Content substitution ）
3. Whether the uploaded domain name is the target server （ If not , Judge whether the image server parses php、asp、aspx、jsp、cfm、shtml etc. ）
4. Whether the uploaded directory supports parsing php、asp、aspx、jsp、pht、phtml etc.
5. Judge black and white list verification

With upload-labs-1 For example

To upload pictures , Found upload successful

Upload shell Find out ：

Found a white list , So from the front we know , It is very likely that there is a filter at the front end , Let's check ：

Find out checkFile() It has the effect of checking and filtering , We delete it and submit Find out ：

Then use Chinese ant sword Link Find success

Find success

At the same time, we find that just filtering at the front end is not enough , We can easily delete , So apart from the front end , The backend must also be verified

upload-labs-2（MIME verification ）

Let's take a look at its source code first ：

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    
    if (file_exists($UPLOAD_ADDR)) {
    
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
    
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
    
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
    
            $msg = ' Incorrect file type , Please upload again ！';
        }
    } else {
    
        $msg = $UPLOAD_ADDR.' Folder does not exist , Please create... By hand ！';
    }
}

Find out ：

  if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
    
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
    
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
    
            $msg = ' Incorrect file type , Please upload again ！';

At this time, we will have questions ： How does the browser get the type of file we upload

This is about MIME type （ Multipurpose Internet mail extension type ）

MIME(Multipurpose Internet Mail Extensions) Multipurpose Internet mail extension type . Is to set some kind of Extension Of file Use one kind Applications To open the way type , When the extension file is accessed , browser Will automatically use the specified application to open . Mostly used to specify some client-side customized file names , And some ways to open media files .

It's an Internet standard , Extended e-mail standards , To enable it to support ：

Not ASCII Character text ; Non text attachments （ Binary system 、 voice 、 Image, etc ）; By many parts （multiple parts） The body of the message ; Include non ASCII Character header information （Header information）.

Common types ：

MIME usage ：

Client usage ：

1. Tell the server , The type of file I uploaded
2. Tell the server , The types of documents I can accept

Server use ：

• Tell the client , The data type I respond to

So when doing this problem, we should think of a reform Put it content-type Get rid of

So we use burp suite Carry out bag grabbing and package changing

Find will content-type Change it

Change it to image/jpeg;

Click Send ,

Find success