
[File upload vulnerability 06] Server-side file content detection and bypass experiment + how to make an image horse (picture webshell) (based on the upload-labs-14 practice range)

2022-06-11 11:31:00 Fighting_hawk

1 Overview

1.1 Purpose

For security, the server must also check the content of an uploaded file, not only its name and MIME type.

1.2 Detection methods

  1. For picture files, PHP provides the function getimagesize(). It is meant to return the dimensions of a picture, but before doing so it first determines whether the target file is an image at all, so it can be used to check whether the file content is recognised as an image type.
  2. Because files of the same type share the same header bytes, the server often also judges the file type from the file header.

2 How to make an image horse

Purpose: when the server checks the content of the file, have the file judged to be a picture.

2.1 Method 1: Direct editing

Create a new file named info.gif with the contents below. When checked with getimagesize() the file is identified as a GIF picture. The file cannot, however, execute code on the server by itself; another vulnerability (such as file inclusion or a parsing flaw) is needed to execute it.

GIF89a
<?php
phpinfo();
?>

2.2 Method 2: Merging files

  1. Prepare a picture; the file used here is named fighting_hawk.png.
  2. Prepare a one-line PHP Trojan file, here named info.php, with the content <?php phpinfo(); ?>.
  3. Merge the files. On Windows, open cmd, cd to the directory containing the two files, and run copy fighting_hawk.png/b+info.php/a muma.jpg (the picture is copied in binary mode, the PHP file is appended in text mode).
  4. Open the generated file in Notepad; the PHP code is visible at the end of the file.

2.3 Method 3: Using a hex editor

  1. What needs to be known first is that the file headers of pictures in the same format are identical; for example, all jpg files start with the same header, while pictures in different formats have different headers.
  2. getimagesize() cannot tell a file forged in this way from a real picture.
  3. The headers of common picture formats are as follows. Only the leading signature is fixed (47 49 46 38 39 61, i.e. GIF89a, for gif; FF D8 FF for jpg; the 8 bytes 89 50 4E 47 0D 0A 1A 0A for png); the remaining bytes shown come from the sample files and vary from picture to picture:

     File format   Header
     .gif          47 49 46 38 39 61 F1 00 2C 01 F7 00 00 64 32 33
     .jpg          FF D8 FF E0 00 10 4A 46 69 46 00 01 01 01 01 2C
     .png          89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52

  4. Create a new file named 16.png with the contents below. The first line must be entered as raw bytes in a hex editor, not typed in as ASCII text.

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
<?php phpinfo(); ?>
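The following Python script is an added example, not code from the original post, that puts the two checks described in section 1.2 side by side: a header-only check (the behaviour the text attributes to getimagesize() and to header comparison) and the same check extended with a scan for PHP opening tags. The three sample byte strings are constructed here to reproduce info.gif, 16.png and info.php from the text; the function names and the tag pattern are my own.

```python
import re

# Fixed signatures only: of the header table above, just the first 6 (gif),
# 3 (jpg) and 8 (png) bytes are constant; the rest depend on the picture.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# PHP opening tags. Constructed pattern; it is not an exhaustive list.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def sniff_type(data: bytes):
    """Type that a header-only check reports for the file, or None."""
    for kind, sigs in MAGIC.items():
        if data.startswith(sigs):
            return kind
    return None


def header_only_check(data: bytes) -> bool:
    """The weak server-side check: accept anything with a known picture header."""
    return sniff_type(data) is not None


def header_and_content_check(data: bytes) -> bool:
    """Stronger check: known header AND no PHP opening tag anywhere in the body."""
    return sniff_type(data) is not None and PHP_TAG.search(data) is None


# Constructed samples reproducing the three files named in the text.
INFO_GIF = b"GIF89a\n<?php\nphpinfo();\n?>\n"                                    # method 1
PNG_16 = bytes.fromhex("89504E470D0A1A0A0000000D49484452") + b"<?php phpinfo(); ?>"  # method 3
PLAIN_PHP = b"<?php phpinfo(); ?>"                                                # info.php alone


if __name__ == "__main__":
    for name, blob in [("info.gif", INFO_GIF), ("16.png", PNG_16), ("info.php", PLAIN_PHP)]:
        print(f"{name:9} type={sniff_type(blob)!s:5} header_only={header_only_check(blob)!s:5} "
              f"header_and_content={header_and_content_check(blob)}")
```

The header-only check accepts info.gif and 16.png and rejects only the bare info.php, which is the gap the text exploits. The tag scan closes it for these samples but is not a complete defence on its own: the durable fixes are re-encoding every uploaded picture and serving uploads from a location where the web server never executes PHP.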

3 Experiment introduction

3.1 Purpose of the experiment

Master the methods of bypassing content detection and verify the existence of a file upload vulnerability.

3.2 Experimental environment

  1. Practice range: the upload-labs range on a WAMP environment; for the setup process see the article 《Construction process of the upload-labs vulnerability test platform on a WAMP environment》.
  2. Attack side: install the BurpSuite software.

3.3 Preparation before the experiment

  1. Prepare an image horse. The file can be a Trojan horse or any other file; in this experiment a PHP probe (phpinfo) is used as the test file, to verify whether a file upload vulnerability exists and whether its content check can be bypassed.
  2. The file generated by method 1 above, info.gif, is used for the test.

4 Experimental procedure

  1. Test order: front-end JS → MIME type → file extension → file content. Because the file content itself has to be modified, this stage involves the most work.
  2. Select the prepared image horse and upload it.
  3. The file is uploaded successfully. Because its content is not really a picture, no picture is displayed here.
  4. To make the file actually execute, file inclusion vulnerabilities, server parsing vulnerabilities and the like must be studied later. For now, go directly to the server, find the uploaded image horse and open it in Notepad: the malicious code inside has not been removed, which shows the file was uploaded successfully.
  5. Conclusion: although the server cannot run the code in the file (execution requires combining this with a server parsing vulnerability, a file inclusion vulnerability or similar, for example getting the file saved in php format), this should still be recorded in the penetration test report as an arbitrary file upload vulnerability.
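A header comparison stops at the first bytes, so every one of the three methods above passes it. As an added example (not part of the original post or of upload-labs), the Python script below parses a PNG upload chunk by chunk, checks each CRC and rejects anything that follows the IEND chunk, which is exactly where the copy /b merge of method 2 leaves the PHP code. make_minimal_png() builds a constructed 1x1 picture standing in for fighting_hawk.png; the function names are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG, a stand-in for fighting_hawk.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")                  # filter byte 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def validate_png(data: bytes):
    """Return (ok, reason). Walk every chunk, verify CRCs, require IEND to end the file."""
    if not data.startswith(PNG_SIG):
        return False, "bad signature"
    pos = len(PNG_SIG)
    first = True
    while pos < len(data):
        if len(data) - pos < 12:                      # length + type + CRC minimum
            return False, "truncated chunk at offset %d" % pos
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            return False, "chunk %r runs past end of file" % ctype
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            return False, "bad CRC on chunk %r" % ctype
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        pos = end + 4
        if ctype == b"IEND":
            if pos != len(data):                       # the copy /b merge lands here
                return False, "%d trailing bytes after IEND" % (len(data) - pos)
            return True, "ok"
    return False, "missing IEND"


# Constructed samples: a clean picture, the method-2 merge result, the method-3 file.
CLEAN = make_minimal_png()
MUMA = CLEAN + b"<?php phpinfo(); ?>"
PNG_16 = bytes.fromhex("89504E470D0A1A0A0000000D49484452") + b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN), ("muma.jpg", MUMA), ("16.png", PNG_16)]:
        print(name, validate_png(blob))
```

Rejecting trailing data catches the appended payload of method 2, and a CRC or length failure catches the bare header of method 3. It does not catch a payload hidden inside a legitimate ancillary chunk such as tEXt, which is why re-encoding uploaded pictures and storing them where the web server never executes PHP remain the mitigations to rely on.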

5 Summary

  1. Understand the content of file headers and how the server checks file content and type;
  2. Master the method of making an image horse;
  3. Master the method of bypassing server-side content detection.

Copyright notice
This article was written by [Fighting_hawk]; please include the original link when reposting, thank you.
https://yzsam.com/2022/03/202203012157367358.html