
[file upload vulnerability 04] server side mime detection and bypass experiment (based on upload-labs-2 shooting range)

2022-06-11 20:34:00 Fighting_ hawk

1 MIME summary

1.1 summary

  1. Definition: MIME (Multipurpose Internet Mail Extensions) is the Internet standard for describing the content type of a message. A MIME message can carry text, images, audio, video and other application-specific data.
  2. Significance: MIME was originally designed so that multimedia data could be attached to e-mail and handled by the mail client according to its type. Once the HTTP protocol adopted it, it became even more significant: HTTP could then carry not only plain text but every kind of content.

1.2 File format

Every MIME type consists of two parts: the major category of the data comes first (video, image, application, text, audio, multipart, message, etc.) and the specific subtype follows. Common MIME types are listed in the table below; search Baidu for more.

File type                         Extension          MIME type
Hypertext markup language text    .html              text/html
XML file                          .xml               text/xml
Plain text                        .txt               text/plain
PDF file                          .pdf               application/pdf
Microsoft Word file               .word              application/msword
PNG image                         .png               image/png
GIF image                         .gif               image/gif
JPEG image                        .jpeg, .jpg        image/jpeg
AU sound file                     .au                audio/basic
MIDI music file                   .mid, .midi        audio/midi, audio/x-midi
RealAudio music file              .ra, .ram          audio/x-pn-realaudio
MPEG file                         .mpg, .mpeg        video/mpeg
AVI file                          .avi               video/x-msvideo
GZIP file                         .gz                application/x-gzip
TAR file                          .tar               application/x-tar

1.3 Detection and bypass

If the server-side code determines the file type from the Content-Type header, it can be bypassed, because the Content-Type value is supplied by the client and can be modified at will.

2 Introduction to the experiment

2.1 The experiment purpose

Master the method of bypassing MIME detection and verify the existence of a file upload vulnerability.

2.2 Experimental environment

  1. Target range: the upload-labs range built on a WAMP environment; for the setup process refer to the article "Building the upload-labs vulnerability test platform on a WAMP environment".
  2. Attacker: install the BurpSuite software.

2.3 Preparation before experiment

  1. Prepare a file. It may be a Trojan or any other file; in this experiment a PHP probe is used as the test file, to verify whether a file upload vulnerability exists and whether its detection can be bypassed.
  2. The file is named info.php and its content is: <?php phpinfo();?>.

3 Experimental process

  1. Open BurpSuite and launch its built-in browser from the Proxy module.
  2. In the browser, visit the target and open the second level (Pass-02). Click the file selector, choose the prepared info.php and click Upload; the error message below appears.
  3. View the page source to judge whether a JS check exists. At lines 52~56 you can see the event handler on the form, but the corresponding function cannot be found, so there should be no JS check.

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
	<link rel="icon" type="image/x-icon" href="/upload-labs/img/favicon.png" />  
	<title>upload-labs</title>
</head>
<link rel="stylesheet" type="text/css" href="/upload-labs/css/index.css">
<link rel="stylesheet" type="text/css" href="/upload-labs/css/prism.css">
<body>
	<div id="head">
		<a href="/upload-labs/"><img src="/upload-labs/img/logo.png"/></a>
		<div id="head_menu">
			<a id="handle_code" href="javascript:show_code()"> Show source </a>
			<a href="javascript:get_prompt()"> View tips </a>
			<a href="javascript:clean_upload_file()"> Empty uploaded files </a>
		</div>
	</div>
	<div id="main"><div id="menu">     
	<ul id="menulist">         
		<li><a id="Pass-01" href="/upload-labs/Pass-01/index.php">Pass-01</a></li> 
		<li><a id="Pass-02" href="/upload-labs/Pass-02/index.php">Pass-02</a></li> 
		<li><a id="Pass-03" href="/upload-labs/Pass-03/index.php">Pass-03</a></li> 
		<li><a id="Pass-04" href="/upload-labs/Pass-04/index.php">Pass-04</a></li> 
		<li><a id="Pass-05" href="/upload-labs/Pass-05/index.php">Pass-05</a></li> 
		<li><a id="Pass-06" href="/upload-labs/Pass-06/index.php">Pass-06</a></li> 
		<li><a id="Pass-07" href="/upload-labs/Pass-07/index.php">Pass-07</a></li> 
		<li><a id="Pass-08" href="/upload-labs/Pass-08/index.php">Pass-08</a></li> 
		<li><a id="Pass-09" href="/upload-labs/Pass-09/index.php">Pass-09</a></li> 
		<li><a id="Pass-10" href="/upload-labs/Pass-10/index.php">Pass-10</a></li> 
		<li><a id="Pass-11" href="/upload-labs/Pass-11/index.php">Pass-11</a></li> 
		<li><a id="Pass-12" href="/upload-labs/Pass-12/index.php">Pass-12</a></li> 
		<li><a id="Pass-13" href="/upload-labs/Pass-13/index.php">Pass-13</a></li> 
		<li><a id="Pass-14" href="/upload-labs/Pass-14/index.php">Pass-14</a></li> 
		<li><a id="Pass-15" href="/upload-labs/Pass-15/index.php">Pass-15</a></li> 
		<li><a id="Pass-16" href="/upload-labs/Pass-16/index.php">Pass-16</a></li> 
		<li><a id="Pass-17" href="/upload-labs/Pass-17/index.php">Pass-17</a></li> 
		<li><a id="Pass-18" href="/upload-labs/Pass-18/index.php">Pass-18</a></li> 
		<li><a id="Pass-19" href="/upload-labs/Pass-19/index.php">Pass-19</a></li>
		<li><a id="Pass-20" href="/upload-labs/Pass-20/index.php">Pass-20</a></li>
        <li><a id="Pass-21" href="/upload-labs/Pass-21/index.php">Pass-21</a></li>
	</ul> 
</div>

<div id="upload_panel">
    <ol>
        <li>
            <h3> Mission </h3>
            <p> Upload a <code>webshell</code> To the server .</p>
        </li>
        <li>
            <h3> Upload area </h3>
            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
                <p> Please select the image to upload :<p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value=" Upload "/>
            </form>
            <div id="msg">
                 Tips : Incorrect file type , Please upload again !            </div>
            <div id="img">
                            </div>
        </li>
            </ol>
</div>

</div>
		<div id="footer">
			<center>Copyright&nbsp;@&nbsp;<span id="copyright_time"></span>&nbsp;by&nbsp;<a href="http://gv7.me" target="_bank">c0ny1</a></center>
		</div>
		<div class="mask"></div>
		<div class="dialog">
		    <div class="dialog-title"> Tip <a href="javascript:void(0)" class="close" title=" close "> close </a></div>
		    <div class="dialog-content"></div>
		</div>		
</body>
<script type="text/javascript" src="/upload-labs/js/jquery.min.js"></script>
<script type="text/javascript" src="/upload-labs/js/prism.js"></script>
<script type="text/javascript" src="/upload-labs/js/prism-line-numbers.min.js"></script>
<script type="text/javascript" src="/upload-labs/js/prism-php.min.js"></script>
<script type="text/javascript" src="/upload-labs/js/index.js"></script>
</html>
  4. Turn on BurpSuite's proxy interception, select the info.php file on the web page and click Upload. BurpSuite intercepts the request successfully, which means the page's JS did not check the file suffix. In the intercepted request, change Content-Type to image/png and click Forward; forward the subsequent requests without modification.
  5. The request is sent successfully and the response from the back end is shown below. Because the file is not a real image, it fails to display.
  6. Right-click the red box in the figure above (where the image should be displayed) and click "Open in new tab". The file executes successfully on the new page and returns the probe information. Any other PHP statement in the file would execute just as well.
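The check described in section 1.3 and bypassed in the experiment above, next to a hardened version, as an added example that is not the upload-labs source code. It assumes a PHP build with the fileinfo extension; the function names and the constructed sample upload are my own.

```php
<?php
// Weak pattern: $_FILES[...]['type'] is copied from the multipart part's
// Content-Type header, which the client controls, so a spoofed header passes.
function weakCheck(array $file): bool {
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    return in_array($file['type'], $allowed, true);
}

// Hardened pattern: ignore the declared type entirely. Sniff the stored bytes
// with libmagic on the server, then require that the extension agrees with the
// sniffed type according to a fixed allow-list. The saved file should also be
// given a server-generated name and stored outside the web root.
function strongCheck(array $file): bool {
    $allowed = [
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],
        'image/gif'  => ['gif'],
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real = $finfo->file($file['tmp_name']);
    if ($real === false || !isset($allowed[$real])) {
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return in_array($ext, $allowed[$real], true);
}

// Constructed sample: the info.php probe from the experiment, uploaded with
// Content-Type rewritten to image/png exactly as done in BurpSuite.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, '<?php phpinfo();?>');
$probe = ['name' => 'info.php', 'type' => 'image/png', 'tmp_name' => $tmp];

echo 'weakCheck   accepts probe: ' . var_export(weakCheck($probe), true) . PHP_EOL;
echo 'strongCheck accepts probe: ' . var_export(strongCheck($probe), true) . PHP_EOL;

unlink($tmp);
```

The weak check accepts the probe solely because of the spoofed header, while the hardened check rejects it since neither the bytes nor the .php extension match an allowed image type.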

4 summary

  1. Test approach: front-end JS check → server-side MIME type check.
  2. Mastered the MIME bypass method.
Original site

Copyright notice
This article was written by [Fighting_ hawk]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/03/202203011745470197.html