File upload vulnerability - upload labs (1~2)
2022-07-07 12:24:00 【hcjtn】
An attacker uploads an executable script file and, through that script, gains the ability to execute commands on the server.
In daily use we upload all kinds of files. If the upload type is not restricted, or the restriction is weak, an attacker can upload an executable file or a web script (a file upload vulnerability), and the website can be taken over or compromised outright.
Harm caused by file upload vulnerabilities:
- Attackers can plant hidden black-hat SEO links (黑链) on your website
- They can plant malware (automatic pop-up ads, click fraud) or cryptomining code
- They can cause file and data leakage
Preconditions for a file upload vulnerability:
- The website's upload function works normally
- The allowed file types include executable ones such as .php or .asp, so a one-line webshell (一句话木马) can get inside
- The upload path can be determined
- The uploaded file can be accessed, and can be executed or included
Therefore, prevention can start from the following three points. For example:
Based on the second point, we can simply forbid users from uploading .php or .asp files.
For instance, if users upload an avatar, we can allow only the jpg, png, gif and jpeg formats (a white list), filter on the front end, and check the format of the user's avatar.
Checks should be done as early as possible; this greatly reduces the workload on the back end.
Basic process for testing an upload vulnerability:
- Can a picture be uploaded normally?
- Can the content of the uploaded picture be tampered with (content substitution)?
- Is the upload domain the target server? (If not, determine whether the image server parses php, asp, aspx, jsp, cfm, shtml, etc.)
- Does the upload directory support parsing php, asp, aspx, jsp, pht, phtml, etc.?
- Determine whether validation uses a black list or a white list
Take upload-labs-1 as an example.
Uploading a picture: the upload succeeds.
Uploading a shell, we find:
There is a white list. From the front end we can tell that the filter is very likely in the front-end code; let's check:
We find that checkFile() does the checking and filtering. We delete it and submit, and find:
Then we connect with AntSword (中国蚁剑) and find that it succeeds.
At the same time we find that filtering only on the front end is not enough, since the check can easily be removed; so besides the front end, the back end must also verify.
upload-labs-2 (MIME verification)
Let's look at its source code first:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // Only the client-supplied Content-Type is checked; the file's name and bytes are not.
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            // The file is stored under the original client-supplied name.
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = 'Incorrect file type, please upload again!';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
    }
}
The key part is this excerpt:
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
    if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
        $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
        $is_upload = true;
    }
} else {
    $msg = 'Incorrect file type, please upload again!';
At this point a question arises: how does the browser get the type of the file we upload?
This involves the MIME type (Multipurpose Internet Mail Extensions type).
MIME (Multipurpose Internet Mail Extensions) is a standard that associates a file of a given extension with a media type, so that an application knows how to open it; when a file with that extension is accessed, the browser automatically opens it with the designated application. It is mostly used to specify how client-side custom file names and media files are opened.
It is an Internet standard that extends the e-mail standard so that it supports:
non-ASCII text; non-text attachments (binary, audio, images, etc.); message bodies made up of multiple parts; and header information containing non-ASCII characters.
Common types:

Content | MIME type
---|---
File upload (form) | multipart/form-data
Hypertext markup language text | text/html
XML file .xml | text/xml
XHTML file .xhtml | application/xhtml+xml
jpg image format | image/jpeg
RTF text .rtf | application/rtf
PDF file .pdf | application/pdf
Microsoft Word file .word | application/msword
Uses of MIME:
Client side:
- Tells the server the type of the file being uploaded
- Tells the server the types of content it can accept
Server side:
- Tells the client the type of the data in the response
So for this level, the idea is to change the Content-Type.
We use Burp Suite to capture and modify the request.
Find the Content-Type and change it
to image/jpeg;
click Send,
and find that it succeeds.
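The two levels above show the same thing from the server's point of view: the front-end JavaScript check can be deleted, and the Content-Type header is chosen by the client, so neither is evidence of anything. The following hardened replacement for the level 2 handler is an added example and is not upload-labs code; it keeps the original $UPLOAD_ADDR variable and assumes a 2 MiB size limit and an upload directory in which script execution is disabled. It decides from server-side evidence only: the extension against an allow list, the real content via finfo (libmagic) and getimagesize, and a random stored filename so the client's name never reaches the web root.

```php
<?php
// Added example (not upload-labs code): a hardened replacement for the
// Pass-02 handler. $UPLOAD_ADDR is assumed to be the upload directory, as
// in the original; the 2 MiB limit and the allow list are illustrative.

// Server-side allow list: extension -> MIME type that libmagic must detect
// from the file's own bytes. $_FILES[...]['type'] is never consulted.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate an uploaded file purely from server-side evidence.
 * Returns the canonical extension to store it under, or null to reject.
 */
function validate_image_upload(array $file): ?string
{
    // Reject anything PHP itself flagged, and anything that did not arrive
    // through a real HTTP upload (is_uploaded_file defeats tmp_name tampering).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Size cap so the content checks below never read an oversized file.
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }

    // Extension check on the last extension only, lower-cased, against the allow list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;
    }

    // Content check: libmagic sniffs the bytes; the browser's Content-Type
    // header (what Pass-02 trusted) plays no part in the decision.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $sniffed = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($sniffed !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // It must also decode as an image, not merely start with an image header.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext === 'jpeg' ? 'jpg' : $ext;
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (!is_dir($UPLOAD_ADDR)) {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it manually!';
    } elseif (($ext = validate_image_upload($_FILES['upload_file'] ?? [])) === null) {
        $msg = 'Incorrect file type, please upload again!';
    } else {
        // Never reuse the client's filename: a random name means no
        // .php/.phtml or double-extension name can ever be written, and the
        // directory itself should have script execution disabled in the web
        // server (for example php_admin_flag engine off in the Apache vhost).
        $stored = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest = rtrim($UPLOAD_ADDR, '/') . '/' . $stored;
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $dest)) {
            $img_path = $dest;
            $is_upload = true;
        } else {
            $msg = 'Upload failed, please try again!';
        }
    }
}
```

The decision rests on finfo_file() and getimagesize(), not on $_FILES['upload_file']['type'], so changing the Content-Type in a proxy has no effect. The random stored name is the second layer: even if an allow-list check regresses later, the client's filename (including any pht/phtml or double-extension variant mentioned earlier) is never written to disk. A file that decodes as a valid image can still carry text in its metadata, which is why the upload directory should not execute scripts at all.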