upload-labs
2022-07-02 19:44:00 【Young seed_】
To be honest, I put off this upload-labs for a long time. I did not understand what it was or what kind of files I was supposed to upload, and I kept holding out, very stubbornly. I read many online write-ups; most of them upload files with a php suffix, so you can go with the php suffix as well. From what I understand now, there should be more than one way to upload files, but I lack the talent and knowledge for that, so I can't!
The file in question is just a file. Looking at other write-ups, it is described in a word as a Trojan horse or the like, and you get the figure below!
I also tried using one for the exercises, but the computer's interception was far too diligent: it would not let me upload it and deleted my file as well. (This went on for more than a month: open the software and the computer could not go online; a few times, open the website and it was reported as not secure; a full scan warned me about the software I had recently launched.) Antivirus software... I'd better leave it alone. Scared, scared. Don't try things on the edge of danger. I gave up.
The title of the paper is "Pretend to be a virus", so several questions come up:
What are Trojan horses, viruses and worms?
A Trojan attack needs the client program to run on the user's machine. Once it does, it can set up a back door, regularly send the user's private data to the address specified by the Trojan program, generally open a port at the same time through which the user's computer can be entered, and control the computer at will: deleting files, copying, changing passwords and other illegal operations.
A Trojan (Trojan) is a subcategory of computer virus; besides Trojans there are "backdoor viruses", "worm-type viruses" and so on. Security software detects the virus class and displays the corresponding virus type (see the picture below); generally, anything marked "Trojan" is a Trojan horse.
Viruses: what we usually call a virus refers to an infectious virus, that is, code that a programmer inserts into a computer program to destroy computer functions or data. It can affect the use of the computer and is a set of computer instructions or program code that can copy itself. It is contagious, concealed, infectious, latent, triggerable, and expressive or destructive. The general life cycle of a virus: development period → infection period → incubation period → attack period → discovery period → digestion period → extinction period. It has many similarities with biological viruses, for example self-reproduction, mutual infection, activation and regeneration, and other characteristics of biological viruses.
Worm-type viruses: what essentially distinguishes them from Trojans is that a worm is a malicious program that can exploit system vulnerabilities to spread itself over the network. It does not need to attach itself to another program; it is independent. When its scale grows and it spreads too fast, it consumes network resources heavily, causing widespread network congestion or even paralysis. This is far more frightening than a Trojan.
Differences between Trojan horses and viruses (you may spot an error in the file naming):
1. A virus can infect, while a Trojan does not infect;
2. After a virus invades the computer you will notice it, while you will not notice a Trojan, mainly so that it can carry on with its follow-up "work";
3. A virus is mainly known for "damage", while a Trojan is mainly used to steal user information.
The effect of file names containing Chinese characters in Burpsuite
Perhaps because my version is in English, or perhaps because of the program's own settings, files named with Chinese characters (later I found it was the Chinese input method) are displayed as □. For operators unfamiliar with the software this causes unnecessary trouble; it is simply hard to spot. The same goes for other software!
Pass-01
First, upload a PHP file directly and see whether there is any hint (what is the interception method? Front-end js verification).
Client-side JavaScript check (it usually checks the file's extension).
How to tell: browse and load the file; before you click the upload button a dialog box pops up saying that only files with the .jpg / .jpeg / .png suffix may be uploaded. At this point no packet has been sent.
Ways around it:
1. Use a proxy tool such as BurpSuite to capture the packet.
2. Change the webshell's suffix to a type that is allowed to upload.
3. Capture the packet, intercept it, and change the suffix to one the corresponding server can parse.
There is another way, modifying this function; I looked for half a day and could not find the function, and now I can't even find the website!
Since the front-end js intercepts it, change the php file's suffix to a legal format (.gif), upload the file, and capture the packet with burpsuite.
Change it back to the .php suffix, then click the button below the pencil icon (my English is useless...).
From here you can check whether the upload succeeded!
Pass-02
Try uploading the file! Upload failed!
Back-end MIME verification
Server-side MIME check: that is, it checks the content of Content-Type (the Content-Type entity header indicates the MIME media type; in a response, the Content-Type header tells the client what type of content is actually returned).
Bypass method: change the type to one that is allowed to upload.
There is no prompt, so click "view source code" in the interface and look for ideas. This level only judges content-type; in burp suite, change content-type to an allowed type.
It uploads successfully!
Some online tutorials first change the .php file suffix to .jpg and then, when the packet is captured, change the suffix back at the same time. Um... that seems unnecessary.
I found by trying: click capture and upload the file; although the page displays that the file cannot be uploaded, the file still shows up in the code of the captured packet.
Pass-03
Try uploading a php file; it turns out this level has a file-suffix blacklist.
Blacklist-based detection: a blacklist is much less secure than a whitelist, so naturally there are more attacks against it than against a whitelist. Usually it is a dedicated blacklist that contains the common dangerous script file extensions.
Ways around it:
1. Case bypass of the file suffix (Php, PhP, pHp, etc.)
2. Bypass with suffixes missing from the blacklist (php, php2, php3, php5, phtml, asp, aspx, ascx, ashx, cer, asa, jsp, jspx, cdx, \x00hh\x46php)
3. Special file name bypass
1) Change the file name in the packet to test.php. or test.asp_ (the underscore stands for a space). Because this naming format is not allowed on Windows, once the upload gets past the check Windows automatically removes the trailing dot and space. Linux and Unix do not have this feature.
2) ::$DATA (on Windows, if "::$DATA" is appended to a php file name, the data after ::$DATA is treated as a file stream, so the suffix is not checked and the file name before "::$DATA" is kept; the purpose is to avoid the suffix check).
4. 0x00 truncation bypass (in 5.2, C treats \0 as the end of the string)
5. .htaccess file attack (combined with the blacklist)
6. Parsing bypass
Case bypass
This part was copied from online; to be more rigorous, just change it; if it doesn't work, go on to the next one.
Note: both methods change the file name.
Double-writing bypass
Unlike the previous one, this file's suffix does not change; only the file name changes.
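As an added example that is not part of upload-labs or of this post, here is what a server-side handler that does not rely on any of the three checks from Pass-01 to Pass-03 (front-end js, Content-Type, suffix blacklist) could look like: it ignores the client's Content-Type, whitelists extensions instead of blacklisting them, normalises the name tricks listed under Pass-03 (case, trailing dot or space, ::$DATA, 0x00, .htaccess) and stores the file under a random name. The form field name `upload_file`, the `uploads` directory and the sample names are assumptions.

```php
<?php
// Added example, not upload-labs code. Assumes the form field is named
// upload_file and that the uploads directory is writable and outside the web root.

// Whitelist: anything not listed is rejected, so php3/phtml/.htaccess never need a blacklist entry.
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

// Normalise a client-supplied name and return its whitelisted extension, or null to reject.
function safeExtension(string $name): ?string {
    if (strpos($name, "\0") !== false) {             // 0x00 truncation: reject outright
        return null;
    }
    $name = basename($name);                          // drop any path component
    $name = preg_replace('/::\$DATA$/i', '', $name);  // NTFS stream suffix ("test.php::$DATA")
    $name = rtrim($name, ". ");                       // what Windows strips ("test.php." / "test.php ")
    if ($name === '' || $name[0] === '.') {           // empty, or dotfiles such as .htaccess
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION)); // Php / PhP / pHp -> php
    return array_key_exists($ext, ALLOWED_EXT) ? $ext : null;
}

// Validate the upload and store it under a random name; returns the stored path or null.
function handleUpload(array $file, string $uploadDir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = safeExtension($file['name']);
    if ($ext === null) {
        return null;
    }
    // The client's Content-Type (Pass-02) is ignored; sniff the bytes that actually arrived.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_EXT[$ext]) {
        return null;
    }
    // Never reuse the original name: random name plus the validated extension.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample names taken from the tricks above; every one except photo.jpg is rejected.
foreach (['test.php', 'test.PhP', 'test.php.', 'test.php ', 'test.php::$DATA',
          "test.php\0.jpg", '.htaccess', 'photo.jpg'] as $n) {
    printf("%-20s => %s\n", addcslashes($n, "\0"), safeExtension($n) ?? 'rejected');
}
if (isset($_FILES['upload_file'])) {
    handleUpload($_FILES['upload_file'], __DIR__ . '/uploads');
}
```

Whether a stored file is ever executed still depends on the web server configuration, so the uploads directory should additionally be served without script handlers.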