Red Team Chapter 8: Blind-guessing the request packet in a hard-to-exploit upload vulnerability
2022-07-01 16:19:00 【User 6293454】
Part1 Preface
Hello everyone. In the last issue I shared a real-world case of using IIS short-file-name guessing to gain access. This issue covers a special case of an upload vulnerability. Often, once a vulnerability exists, as long as there is a glimmer of hope I don't want to give up easily. Before testing a website I usually scan directories and sensitive files, and sometimes the scan turns up the back-end page of an upload function. At that point there is no way to know how the request packet is constructed or which parameters the upload expects, so the request packet has to be guessed blindly. I have succeeded in several similar cases; below is the specific method and the detailed process.
Part2 Technical research process
- Scanning directories
First, the target website is a blank page. For this kind of site the only option is directory scanning against the URL. The last level of the directory scan produced a URL similar to the following (the screenshot below is from a virtual machine environment):
http://www.xxx.com/Temp/servlet/UploadFile, and opening the page shows the following:
Anyone who has done Java web development can see at a glance that this is a typical error page of a Java site. Judging from the routing address UploadFile, this may be a back-end page with an upload function. Because there is no front-end user interaction page, the specific parameters that need to be submitted cannot be obtained. Next I explain how to make use of this function page.
- Building a local environment
Take a local website as an example first. The page we usually see that may have an upload vulnerability is a front-end page like the one below:
Looking at the browser's page source, it can be learned that the URL that actually handles the data uploaded by the user is the following address:
Opening it directly in the browser gives the page below; many such pages are blank:
Upload a file and capture the request with Burp Suite. In the resulting packet, filepath and FileName are common parameters submitted by the user to the back-end upload handler. filepath is the location where the web application saves the uploaded file, and FileName is the name of the file.
That led me to think: can the request packet of an upload function be guessed blindly? The parameters commonly used in the POST body of an upload function are just those few. If guessed correctly, a webshell could be uploaded directly.
- Blind-guessing the request packet
So, using Burp Suite, I manually tried parameter names such as filename, FileName, fileName, name, Name, FilePath and filePath, repeatedly constructing and transforming upload packets. When the following packet was constructed, the page responded "File upload succeeded", which also shows that this upload page allows unauthenticated access. This case was many years ago and I don't remember the exact parameters; it was roughly similar to the screenshot below.
When the packet shown in the figure above was constructed, the page responded "File upload succeeded!". The name field in the packet above should be useless, but it does not affect the normal use of the upload function.
- Finding the webshell path
Then comes the difficult part. Although the web application responds "File upload succeeded", it does not give the upload path, so where did this webshell go? Next I had to guess the directory and file address.
Suppose the following sensitive directories were scanned (the screenshot below is from the virtual machine environment; the real project's will not be released); /images/ and /files/ are the important ones.
So I visited /images/test123.txt, /files/test123.txt and so on; all of them returned 404, page not found. That's the trouble: where on earth did the webshell go?
- Thinking like the developer
Later my thinking changed. Since it is a Java site, and there is also a /temp/ directory, the programmer presumably renamed uploaded files with a timestamp for testing.
So I opened the IDE, found an article on Java timestamps, wrote a few lines of code and generated a timestamp:
As shown in the figure below, a timestamp was generated locally:
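As an added illustration (not code from the original post, and not the target's code), the Python below puts the naming scheme the post infers, a millisecond timestamp as the file name, next to the two properties a hardened upload handler needs: an unpredictable stored name and an extension allowlist. The allowlist, the directory layout and all function names are assumptions.

```python
# Added example, not from the original post. Contrasts the inferred
# timestamp-based file naming with an unpredictable name plus an extension
# allowlist. ALLOWED_EXTENSIONS and the function names are assumptions.
import os
import secrets
import tempfile
import time
from typing import Optional, Tuple, List

# Assumed allowlist: only types the application actually needs to serve.
# Server-executable types (jsp, jspx, php, ...) are deliberately absent.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def timestamp_name(ext: str, now_ms: Optional[int] = None) -> str:
    """The predictable scheme the post guesses the developer used:
    the file name is the upload time in milliseconds plus an extension."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return f"{now_ms}.{ext}"


def candidate_count(window_seconds: int) -> int:
    """Number of distinct timestamp names within +/- window_seconds of a
    guess at millisecond resolution. A few seconds of clock skew already
    means tens of thousands of names, and the window grows with every
    second between the upload and the guess."""
    return 2 * window_seconds * 1000 + 1


def random_name(ext: str) -> str:
    """Unpredictable stored name: 128 bits from the OS CSPRNG, so the name
    cannot be narrowed down from the upload time at all."""
    return f"{secrets.token_hex(16)}.{ext}"


def safe_extension(original_name: str) -> Optional[str]:
    """Lower-cased extension of the client-supplied name if it is on the
    allowlist, otherwise None. Path components are stripped first."""
    base = os.path.basename(original_name)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def save_upload(data: bytes, original_name: str, upload_dir: str) -> Optional[str]:
    """Hardened save: allowlisted extension, random stored name, and a
    directory that the web server does not serve directly (the caller maps
    the returned name through a download handler). Returns None on reject."""
    ext = safe_extension(original_name)
    if ext is None:
        return None
    name = random_name(ext)
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


def demo() -> Tuple[Optional[str], Optional[str], List[str]]:
    """Save one allowed and one rejected upload into a temporary directory
    (constructed inputs) and report what actually landed on disk."""
    with tempfile.TemporaryDirectory() as d:
        accepted = save_upload(b"\x89PNG constructed sample", "avatar.png", d)
        rejected = save_upload(b"not-an-image", "cmd.jsp", d)
        stored = sorted(os.listdir(d))
    return accepted, rejected, stored


if __name__ == "__main__":
    print("timestamp scheme :", timestamp_name("txt"))
    print("names in +/-10 s :", candidate_count(10))
    print("random scheme    :", random_name("txt"))
    print("demo result      :", demo())
```

The contrast is the point of the section: with the timestamp scheme the search space is bounded by the clock skew between upload and guess, whereas a name drawn from the CSPRNG has no such bound, and the allowlist stops a server-executable file from being stored under a served path in the first place.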
Because the time of a local run is certainly not exactly the same as the time the file landed on the server, there must be a difference, so the current timestamp has to be taken as the baseline, a certain time range before and after it taken, and a dictionary of tens of thousands of lines generated to enumerate with Burp Suite:
The result was not so simple: only 404 response codes were found, no record with response code 200, that is, the webshell address was not found. The reason might be a wrong timestamp, or the directory where uploaded files are stored was not found, or the server has no file named after this timestamp at all. Later I reorganized my thinking: the timestamp dictionary was generated locally, the upload packet was then sent with Burp Suite, and Burp Suite was then used to enumerate timestamp file names; between these steps there is probably an interval of a few seconds or even 10 seconds. Don't underestimate this interval: a dictionary covering it needs millions of lines or more.
To speed up the scan, and also to reduce the load on the server, I converted the GET requests to HEAD requests. After brute-forcing a dictionary of millions of lines, the webshell address was found and the shell was finally obtained.
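Seen from the server side, the enumeration just described leaves a distinctive trace in the access log: a single client producing a burst of 404 responses for file names that are 13-digit millisecond timestamps, often via HEAD, followed at most by one 200. The Python below is an added example (not from the original post) that flags that pattern over constructed log lines; the sample lines, the threshold, the window and the function names are all assumptions.

```python
# Added example, not from the original post: detect timestamp-file-name
# enumeration in web server access logs (combined/common log format).
# SAMPLE_LOG is constructed; thresholds and names are assumptions.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# A path whose last component is a 13-digit (millisecond) timestamp plus extension.
TIMESTAMP_FILE = re.compile(r"/\d{13}\.[A-Za-z0-9]+$")

# Constructed sample: one client sprays HEAD requests at timestamp names under
# /temp/ (six 404s, then one hit); another client requests one such name by chance.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2022:16:19:00 +0800] "POST /Temp/servlet/UploadFile HTTP/1.1" 200 57
203.0.113.7 - - [01/Jul/2022:16:19:03 +0800] "HEAD /temp/1656663541000.jsp HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2022:16:19:03 +0800] "HEAD /temp/1656663541001.jsp HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2022:16:19:03 +0800] "HEAD /temp/1656663541002.jsp HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2022:16:19:04 +0800] "HEAD /temp/1656663541003.jsp HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2022:16:19:04 +0800] "HEAD /temp/1656663541004.jsp HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2022:16:19:04 +0800] "HEAD /temp/1656663541005.jsp HTTP/1.1" 404 0
203.0.113.7 - - [01/Jul/2022:16:19:05 +0800] "HEAD /temp/1656663541006.jsp HTTP/1.1" 200 0
198.51.100.2 - - [01/Jul/2022:16:19:10 +0800] "GET /images/logo.png HTTP/1.1" 200 3410
198.51.100.2 - - [01/Jul/2022:16:19:12 +0800] "GET /images/1656663500000.png HTTP/1.1" 404 0
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_timestamp_enumeration(lines: Iterable[str], threshold: int = 5,
                                 window_seconds: int = 60) -> Dict[str, dict]:
    """Flag clients with more than `threshold` 404s for timestamp-shaped file
    names inside any `window_seconds` window. The value records the total
    number of such 404s and the HTTP methods the client used (a HEAD-only
    burst is itself unusual for a browser)."""
    events = defaultdict(list)
    methods = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not TIMESTAMP_FILE.search(rec["path"]):
            continue
        if rec["status"] == 404:
            events[rec["ip"]].append(rec["time"])
            methods[rec["ip"]].add(rec["method"])
    flagged: Dict[str, dict] = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {"hits": len(times), "methods": sorted(methods[ip])}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_timestamp_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['hits']} timestamp-name 404s via {','.join(info['methods'])}")
```

The 200 that ends the burst from the flagged client is the response worth alerting on first: a newly created file under a temporary directory being found by a client that had just guessed hundreds of neighbouring names. The HEAD-to-GET switch the post mentions for speed is what makes the method set a useful secondary signal.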
- A new idea for finding the accurate timestamp
Following a reminder from Magic_Zero, who gave a better idea: first check the time in the Date response header returned by the server, then build the timestamp dictionary from it, which is more accurate. I really had not thought of this; thanks for the suggestion.
Part3 Summary
1. To understand a technical problem, understand its essence.
2. Approaching a site the way the programmer or developer thinks yields twice the result with half the effort.
3. When scanning directories or files in large quantities, remember to replace GET requests with HEAD requests; some websites may not support HEAD requests, which needs to be checked manually in advance.