Preface

upload-labs It's a use php language-written , Specifically collect penetration tests and CTF Various upload vulnerabilities encountered in the shooting range . It aims to help you have a comprehensive understanding of the upload vulnerability . At present, a total of 20 Turn off , Each level contains different upload methods

One 、 What is the file upload vulnerability ？

Web In the application , File uploading is a common functional requirement , For example, users upload member avatars
If the uploaded files are not verified and filtered , Attackers can upload malicious scripts , To achieve the purpose of an attack .

Two 、 Common upload detection rules

• client JS testing
• Server file extension detection （ Black and white list ）
• Server side MIME Type detection （HTTP First line content-type Field ）
• Server directory path detection （ testing path Sensitive keywords in parameters ）
• Server file content detection （ Check file content ）

3、 ... and 、 Bypass

The target contains vulnerability type classification

How to determine the type of upload vulnerability

Four 、 The first 1 Turn off

1. Upload a 1.php file , Page echo
   
2. Even if you can't pass the above “ Echo... Soon ” To judge , You can also try grabbing , You can't catch it , Check the source code of the page and you will find

function checkFile() {
    
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
    
        alert(" Please select the file to upload !");
        return false;
    }
    // Define the types of files allowed to be uploaded 
    var allow_ext = ".jpg|.png|.gif";
    // Extract the type of uploaded file 
    var ext_name = file.substring(file.lastIndexOf("."));
    // Determine whether the type of uploaded file is allowed to be uploaded 
    if (allow_ext.indexOf(ext_name + "|") == -1) {
    
        var errMsg = " The file is not allowed to upload , Please upload " + allow_ext + " Files of type , The current file type is ：" + ext_name;
        alert(errMsg);
        return false;
    }
}

3. Just disable the script , You can bypass the detection

5、 ... and 、 The first 2 Turn off

1. Upload an illegal file , The echo
   
2. Can catch packets , The description is backend authentication . Ahead of 1.php Renamed 1.png Upload successful . There are many ways of back-end verification , Without source code , Only by experience black box test .
   
   Revised MIME type , namely conten-type, Upload successful , And successfully resolved