File upload Labs
2022-07-02 08:27:00 【Defeat of Fujiwara Qianhua】
Preface
upload-labs is a target range written in PHP that collects the various upload vulnerabilities encountered in penetration tests and CTFs. It aims to give you a comprehensive understanding of upload vulnerabilities. At present it has 20 levels in total, and each level uses a different upload check.
1. What is a file upload vulnerability?
In web applications, file upload is a common functional requirement, for example users uploading a member avatar.
If the uploaded file is not validated and filtered, an attacker can upload a malicious script to carry out an attack.
2. Common upload detection rules
- Client-side JS checks
- Server-side file extension checks (blacklist and whitelist)
- Server-side MIME type check (the Content-Type field in the HTTP request header)
- Server-side directory path check (checks the path parameter for sensitive keywords)
- Server-side file content check (inspects the file contents)
3. Bypass
Vulnerability type classification in the target range

How to identify the type of upload vulnerability

4. Level 1
- Upload a 1.php file; the page responds with:

- Even if you cannot judge from how quickly the response comes back, you can also try capturing the request; nothing is captured. Checking the page source you will find:
```javascript
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("Please select the file to upload!");
        return false;
    }
    // Define the types of files allowed to be uploaded
    var allow_ext = ".jpg|.png|.gif";
    // Extract the extension of the uploaded file
    var ext_name = file.substring(file.lastIndexOf("."));
    // Determine whether the uploaded file type is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "The file is not allowed to be uploaded, please upload a " + allow_ext + " type file. The current file type is: " + ext_name;
        alert(errMsg);
        return false;
    }
}
```
- Just disable the script in the browser and you can bypass the check.
5. Level 2
- Upload a disallowed file; the page responds with:

- The request can be captured, which shows the validation is done on the back end. Renaming the earlier 1.php to 1.png uploads successfully. There are many ways to validate on the back end; without the source code, you can only black-box test from experience.

Modifying the MIME type, i.e. the Content-Type header, the upload succeeds and the file is parsed successfully.
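The Level 2 check fails because it trusts a header the client controls. As an added example (not upload-labs code; the Upload class, check_mime_only and check_hardened are names assumed here), the following contrasts a Content-Type-only check with one that combines the extension whitelist, file content check and server-chosen file name from section 2, run against constructed requests modelled on the Level 1 and Level 2 bypasses:

```python
import os
import secrets
from dataclasses import dataclass

# Assumed names for this example; not part of upload-labs.
@dataclass
class Upload:
    filename: str      # client-supplied name, e.g. "1.php"
    content_type: str  # client-supplied Content-Type, fully attacker-controlled
    data: bytes        # file body

ALLOWED_EXT = {".jpg", ".png", ".gif"}
# File signatures (magic bytes) of the allowed image formats.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

def check_mime_only(up: Upload) -> bool:
    """Level 2 style check: trusts nothing but the Content-Type header."""
    return up.content_type in {"image/jpeg", "image/png", "image/gif"}

def check_hardened(up: Upload) -> tuple:
    """Extension whitelist + file content check; returns (accepted, stored_name)."""
    # Only the last extension counts, lower-cased so "1.PhP" is not special.
    ext = os.path.splitext(os.path.basename(up.filename))[1].lower()
    if ext not in ALLOWED_EXT:
        return False, ""
    # The body must start with the signature of the claimed image format;
    # the Content-Type header is never consulted.
    if not any(up.data.startswith(sig) for sig in MAGIC[ext]):
        return False, ""
    # Never reuse the client's name: store under a random, server-chosen name.
    return True, secrets.token_hex(16) + ext

# Constructed sample requests (not captured traffic).
PHP_AS_PNG = Upload("1.php", "image/png", b"<?php echo 'x'; ?>")   # Level 2 bypass
REAL_PNG = Upload("avatar.png", "image/png", MAGIC[".png"][0] + b"\x00" * 16)
PNG_NAMED_PHP = Upload("1.php", "image/png", MAGIC[".png"][0] + b"\x00" * 16)
```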
