
Principle of file upload vulnerability

2022-07-23 11:25:00 GSflyy

File upload vulnerability introduction

File upload is a common feature of modern web applications:

it lets users upload images, videos and other kinds of files. The more functionality a site exposes to users, the larger its attack surface.

If uploaded files are not strictly validated and filtered, an attacker can easily upload arbitrary files, including server-side script files (asp, aspx, php, jsp and so on).

A malicious upload can lead to the website, or even the whole server, being taken over. Such a malicious script file is called a WebShell. A WebShell is powerful: it can list server directories, read files on the server, execute system commands, and more.

JS detection bypass (front-end detection)

Detection principle

A JavaScript function (selectFile() in the lab) runs in the browser before the form is submitted and checks the file suffix. Nothing is checked on the server.

Bypass methods:

1. Disable JavaScript in the browser (or remove the check with the browser's developer tools) so the function never runs.

2. Rename the file to an allowed suffix (for example shell.jpg), submit it, intercept the request with a proxy and change the filename back to shell.php; the server never re-checks it.

File suffix bypass

Detection principle

The server gets the suffix with pathinfo(), lowercases it with strtolower() and rejects the upload if it equals php. This is a blacklist: only the exact string "php" is blocked.

Bypass method

Some middleware hands other suffixes to the PHP interpreter as well. If httpd.conf is configured so that php, php3 and phtml are all parsed as PHP, then uploading a file with the suffix php3 or phtml is enough: it passes the blacklist and still executes.

Bypass method 2

Combine this with Apache's file parsing mechanism. Apache's mod_mime examines every extension of a file name and simply ignores the ones it does not recognise, so a name like 123.php.360 is handled as PHP: .360 is unknown and .php is the last recognised extension, so Apache parses and executes the file as a PHP script. The blacklist only looked at .360 and let it through.

Caveat: this applies to configurations that tie PHP to an extension with AddHandler or AddType. Modern php-fpm setups usually wire PHP through SetHandler inside a <FilesMatch "\.php$"> block, and there only a name that actually ends in .php is executed.

ps: php files are not allowed? Then just upload php.360 (laugh).
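An added example (not code from the original post or from the lab it describes) that models both checks discussed above in Python: the pathinfo()/strtolower() blacklist, and Apache mod_mime's treatment of multiple extensions. The extension map stands in for a hypothetical httpd.conf that maps php, php3 and phtml to the PHP handler; the hardened function at the end shows the fix, an allow-list on the final extension plus a server-generated file name.

```python
import posixpath
from typing import Dict, Optional

# Model of the PHP check: pathinfo($name, PATHINFO_EXTENSION) -> strtolower -> == "php".
def blacklist_rejects(filename: str, blocked=("php",)) -> bool:
    """True when the blacklist blocks the file. It only sees the LAST extension."""
    ext = posixpath.splitext(filename)[1].lstrip(".").lower()
    return ext in blocked

# Hypothetical httpd.conf, written as a dict instead of AddHandler/AddType lines
# (assumed configuration for the example; adjust to the real server).
PHP_HANDLER = "application/x-httpd-php"
APACHE_EXT: Dict[str, Dict[str, str]] = {
    "php":   {"handler": PHP_HANDLER},
    "php3":  {"handler": PHP_HANDLER},
    "phtml": {"handler": PHP_HANDLER},
    "jpg":   {"type": "image/jpeg"},
    "gif":   {"type": "image/gif"},
    "html":  {"type": "text/html"},
}

def apache_resolve(filename: str, ext_map=APACHE_EXT) -> Dict[str, str]:
    """Model of mod_mime multiple-extension handling.

    Every dotted part after the base name is examined; a part mod_mime does not
    know is ignored, and for each property (handler, type) the last recognised
    extension wins. For 123.php.360 the only known extension is .php, so the
    PHP handler is chosen even though the blacklist saw ".360".
    """
    result: Dict[str, str] = {}
    for part in posixpath.basename(filename).split(".")[1:]:
        result.update(ext_map.get(part.lower(), {}))
    return result

def served_as_php(filename: str, ext_map=APACHE_EXT) -> bool:
    return apache_resolve(filename, ext_map).get("handler") == PHP_HANDLER

# Hardened form: allow-list the final extension and build the stored name
# yourself (one extension, random base), never from the uploaded name.
ALLOWED = {"jpg", "jpeg", "png", "gif"}

def safe_stored_name(filename: str, random_token: str) -> Optional[str]:
    ext = posixpath.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED:
        return None
    return f"{random_token}.{ext}"

if __name__ == "__main__":
    for name in ["shell.php", "shell.php3", "shell.phtml", "123.php.360", "pic.jpg"]:
        print(f"{name:14} blacklist_blocks={blacklist_rejects(name)!s:5} "
              f"apache_runs_as_php={served_as_php(name)}")
```

The interesting rows are shell.php3 and 123.php.360: both pass the blacklist and both reach the PHP handler in this model. safe_stored_name() rejects them because the final extension is not an image extension, and a name like shell.php.jpg becomes token.jpg, which has no .php component left for Apache to find.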

File type bypass (whitelist bypass)

MIME Bypass :

Detection principle

The server reads $_FILES['files']['type'] and only allows the upload if it is image/gif, image/jpeg or image/pjpeg.

Bypass method

$_FILES['files']['type'] is nothing more than the Content-Type header of the file part in the multipart/form-data request, and the client controls that header. Intercept the request with Burp Suite and change the value to image/jpeg to bypass the check.

When a browser uploads a .php file it typically sends Content-Type: application/octet-stream; when it uploads a .jpg it sends Content-Type: image/jpeg.

File magic number detection bypass:

Detection principle

The server calls getimagesize() on the uploaded file. If it cannot extract image information (it returns false, meaning the file is not a valid image) the upload is refused.

Bypass method

Prepend the header bytes of a real image format to the script file, for example the ASCII text GIF89a for a GIF, or the PNG signature

89 50 4E 47 0D 0A 1A 0A (PNG header).

Note that the PNG signature is eight raw bytes and must be written as such (with a hex editor or printf), not as the sixteen ASCII characters "89504E470D0A1A0A". A more reliable variant is to take a real small image and append the PHP code after the image data, since getimagesize() then has a fully valid header to parse.
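An added example (not code from the original post) that models the two checks above in Python: the Content-Type check behind $_FILES['files']['type'], and a minimal stand-in for getimagesize() that decides by leading bytes. It builds a constructed multipart file part to show where the client-controlled Content-Type lives, builds the GIF89a/PNG polyglot, and shows the hex-versus-ASCII pitfall. The hardened function at the end is an assumption about a sensible fix, not the lab's own code.

```python
from typing import Dict, Optional

# Check 1 (vulnerable): trusts the Content-Type of the multipart part,
# which is exactly what $_FILES['files']['type'] holds.
ALLOWED_MIME = {"image/gif", "image/jpeg", "image/pjpeg"}

def mime_check_passes(content_type: str) -> bool:
    return content_type in ALLOWED_MIME

def multipart_file_part(field: str, filename: str, content_type: str, data: bytes) -> bytes:
    """Constructed file part of a multipart/form-data body. The Content-Type
    line here is the value the server later sees in $_FILES[field]['type']."""
    return (
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + data + b"\r\n"

def part_content_type(part: bytes) -> str:
    """What the server extracts from the part: the client's Content-Type."""
    headers = part.split(b"\r\n\r\n", 1)[0].decode()
    for line in headers.split("\r\n"):
        if line.lower().startswith("content-type:"):
            return line.split(":", 1)[1].strip()
    return ""

# Check 2 (vulnerable): a minimal stand-in for getimagesize(), which looks at
# the leading bytes of the file. The PNG signature is raw bytes, so it is
# built with bytes.fromhex(); the ASCII text "89504E47..." would NOT match.
PNG_SIG = bytes.fromhex("89504E470D0A1A0A")
MAGIC: Dict[bytes, str] = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    PNG_SIG: "png",
    b"\xff\xd8\xff": "jpeg",
}

def detect_image_kind(data: bytes) -> Optional[str]:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def make_polyglot(kind: str, php_payload: bytes = b"<?php phpinfo(); ?>") -> bytes:
    """The bypass from the post: image signature first, PHP code after it."""
    sig = {"gif": b"GIF89a", "png": PNG_SIG}[kind]
    return sig + php_payload

# Hardened (assumed fix): ignore the client's name and type entirely and derive
# the extension from the detected content. A polyglot still passes this, so the
# real defence is to re-encode the image with an image library and to store
# uploads where the web server never executes scripts.
EXT_FOR = {"gif": "gif", "png": "png", "jpeg": "jpg"}

def stored_name_from_content(data: bytes, token: str) -> Optional[str]:
    kind = detect_image_kind(data)
    if kind is None:
        return None
    return f"{token}.{EXT_FOR[kind]}"

if __name__ == "__main__":
    part = multipart_file_part("files", "shell.php", "image/jpeg", b"<?php phpinfo(); ?>")
    print("MIME check passes:", mime_check_passes(part_content_type(part)))
    print("plain PHP detected as:", detect_image_kind(b"<?php phpinfo(); ?>"))
    print("GIF89a polyglot detected as:", detect_image_kind(make_polyglot("gif")))
    print("ASCII hex text detected as:", detect_image_kind(b"89504E470D0A1A0A<?php ?>"))
```

Both checks pass for a file whose part carries Content-Type: image/jpeg and whose content starts with GIF89a; neither check ever looks at the PHP code that follows, which is why the stored name and location, not the header, have to carry the security.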

File truncation bypass

Detection principle :

The byte 00 is the string terminator in C. Older PHP passed file paths to C library functions as C strings, so everything after a 00 byte in the path was silently dropped.

Truncation conditions: PHP older than 5.3.4 (later versions reject paths containing a NUL byte), and magic_quotes_gpc (magic quotes) switched off, because with it on the NUL byte in request data is escaped to the two characters \0 and the truncation point disappears.

Application :

The server renames the uploaded file (so you cannot find the file you uploaded), but the save path is taken from a request parameter and concatenated with the generated name.

Bypass method :

GET: append %00 to the path parameter in the URL, e.g. ../upload/shell.php%00; PHP URL-decodes it into a real NUL byte, and the generated "/random.jpg" suffix is cut off.

POST: the multipart body is not URL-decoded, so %00 typed literally stays as three characters. Type %00 in Burp and URL-decode the selection so that an actual 0x00 byte is sent.

ps: truncation therefore gives you control over the final upload path and name, not just the extension.
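An added Python model (not code from the original post) of why the truncation works and when it does not. c_string_truncate() hands the path to C through ctypes and reads it back as a C string, which is what PHP's file functions did before 5.3.4; addslashes() models magic_quotes_gpc; final_path() assumes the typical vulnerable pattern $save_path . "/" . $random_name . ".jpg" followed by move_uploaded_file(), and raises for the PHP >= 5.3.4 behaviour of refusing paths that contain a NUL byte. The "4f3a" random name and the save_path values are constructed inputs.

```python
import ctypes
from urllib.parse import unquote_to_bytes

def c_string_truncate(path: bytes) -> bytes:
    """What a C-string based file API sees: everything up to the first NUL."""
    return ctypes.c_char_p(path).value

def addslashes(data: bytes) -> bytes:
    """Model of PHP's magic_quotes_gpc (addslashes): NUL becomes backslash-zero,
    and ' " \\ get a backslash in front, so no real 0x00 byte survives."""
    out = bytearray()
    for b in data:
        if b == 0:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):  # ' " \
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)

def final_path(save_path_param: bytes, generated_name: str,
               php_lt_534: bool, magic_quotes: bool) -> bytes:
    """Model of: $img_path = $_GET['save_path'] . "/" . $random . ".jpg"
    and the path move_uploaded_file() then actually writes to."""
    param = unquote_to_bytes(save_path_param)   # %00 -> 0x00, like PHP's GET decoding
    if magic_quotes:
        param = addslashes(param)
    full = param + b"/" + generated_name.encode() + b".jpg"
    if b"\x00" in full and not php_lt_534:
        # Modelled behaviour of PHP >= 5.3.4: the file function refuses the path.
        raise ValueError("path must not contain NUL bytes")
    return c_string_truncate(full) if php_lt_534 else full

if __name__ == "__main__":
    p = b"../upload/shell.php%00"
    print("old PHP, no magic quotes :", final_path(p, "4f3a", True, False))
    print("old PHP, magic quotes on :", final_path(p, "4f3a", True, True))
    try:
        final_path(p, "4f3a", False, False)
    except ValueError as e:
        print("PHP >= 5.3.4              : rejected,", e)
```

The first case is the attack: the written path ends in shell.php, with the random name and .jpg gone. With magic quotes on, the path becomes ../upload/shell.php\0/4f3a.jpg, a harmless directory name, which is why the post lists magic_quotes_gpc=off as a precondition. A raw 0x00 byte in a POST body takes the same route through unquote_to_bytes() unchanged.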

File content bypass

Detection principle :

Some sites accept the upload first and only afterwards check whether the file contains executable script, deleting it if it does. The lab uses sleep() to simulate the time the check takes. The uploaded file contains a script that creates a second file when it runs:

<?php

fputs(fopen('./shell.php', 'w'), '<?php phpinfo();?>');  // writes a new PHP file next to this one

?>

Bypass method :

Exploit the window between the file landing on disk and the server deleting it: upload the .php file above and request it repeatedly (for example with Burp Intruder or a small script running in parallel with the upload) until one request hits the file before it is removed. When it runs it writes shell.php, and the check never looks at that new file, so it survives.
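An added Python simulation (not code from the original post) of the race described above, made deterministic so the result is reproducible: the upload function calls an attacker callback inside the window the lab models with sleep(), and the callback stands in for the web server executing the uploaded script and running the fputs() payload. The hardened variant checks before anything reaches the web root and stores the file under a server-generated name. File names, the payload's effect and the temporary web root are constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, List

# The script from the post: when executed it drops a second PHP file.
PAYLOAD = "<?php fputs(fopen('./shell.php', 'w'), '<?php phpinfo();?>'); ?>"
IMAGE_EXTS = (".jpg", ".png", ".gif")

def simulate_php_request(webroot: Path, name: str) -> None:
    """Stand-in for the attacker's GET to the uploaded script. If a .php file is
    on disk at that moment the server would execute it, and PAYLOAD then
    writes shell.php next to it."""
    if name.endswith(".php") and (webroot / name).exists():
        (webroot / "shell.php").write_text("<?php phpinfo();?>")

def vulnerable_upload(webroot: Path, name: str, content: str,
                      attacker: Callable[[], None]) -> List[str]:
    """Upload first, check afterwards (the pattern the post describes).
    `attacker` runs inside the window the lab models with sleep()."""
    target = webroot / name
    target.write_text(content)                   # move_uploaded_file()
    attacker()                                   # the race window
    if not name.lower().endswith(IMAGE_EXTS):    # the check, done too late
        target.unlink()
    return sorted(p.name for p in webroot.iterdir())

def hardened_upload(webroot: Path, name: str, content: str,
                    attacker: Callable[[], None]) -> List[str]:
    """Check before anything is written under the web root, and store under a
    server-generated name so the client never chooses a path."""
    attacker()                                   # nothing on disk to hit yet
    if not name.lower().endswith(IMAGE_EXTS) or "<?php" in content:
        return sorted(p.name for p in webroot.iterdir())
    stored = webroot / (os.urandom(8).hex() + Path(name).suffix.lower())
    stored.write_text(content)
    return sorted(p.name for p in webroot.iterdir())

def run_upload(upload_fn, name: str, content: str) -> List[str]:
    """Run one upload in a throw-away web root and return what survived."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return upload_fn(root, name, content,
                         lambda: simulate_php_request(root, name))

if __name__ == "__main__":
    print("vulnerable, after cleanup:", run_upload(vulnerable_upload, "race.php", PAYLOAD))
    print("hardened,   after check  :", run_upload(hardened_upload, "race.php", PAYLOAD))
    print("hardened,   real image   :", run_upload(hardened_upload, "pic.jpg", "GIF89a..."))
```

In the vulnerable flow race.php is deleted as the post says, but shell.php, created while race.php was briefly on disk, remains. Against a real target the callback becomes a loop of GET requests fired in parallel with repeated uploads, and winning the race may take many attempts.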

Copyright notice
This article was written by [GSflyy]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/204/202207230538087184.html