File Upload Vulnerability

Source: Internet
Author: User

1. JS Bypass

When the client selects a file and clicks Upload, no request has yet been sent to the server: a local script inspects the file and decides whether its type may be uploaded. This is called front-end (client-side) script extension detection.

JS (JavaScript) validates the data before it is submitted to the server. Because JS validation runs locally on the client, selecting a file of a disallowed format produces an immediate "wrong file type" message, before any request leaves the browser; that tells you the site relies on JS validation.

Bypass method:

Upload a file, capture the request, and modify the suffix name to

2. Content-Type file type detection bypass (server-side detection bypass, MIME type detection)

Bypass method:

1. Upload a valid file, capture the request, and note its Content-Type.

2. Upload your own file, capture the request, and change the header to Content-Type: image/jpeg.

3. File suffix case confusion when uploading PHP files

Bypass method:

1. Capture the request and change the case of the letters in the uploaded file's suffix.

2. Mixed combination:

Source:

Bypass method:

1. Change the suffix to XX.PHP5, following what the source code accepts.

2. Change Content-Type to image/jpeg.

3. Modify Content-Type: multipart/form-data to Content-Type: multipart/form-data.

4. %00 truncation

Bypass method:

1. Change the suffix of the uploaded file to jsp, a type that is allowed to be uploaded.

2. Change Content-Type to image/jpeg.

3. Change the upload path to upload/1.php followed by a space, then in the hex view change that space byte to 00 so the path is truncated at that point.

5. Server-side detection bypass (file name extension detection)

(1) Blacklist detection

1. Filename case bypass

Bypass blacklist detection by varying the letter case of suffixes such as asp, php.

2. Unlisted-extension bypass

Attack with extensions that are not present in the blacklist, for example when the blacklist omits ASA or CER.

3. Special filename bypass

For example, modify the HTTP request so that the filename becomes test.asp. (trailing dot) or TEST.ASP_ (where the underscore stands for a space). Such names are not allowed on Windows, so they have to be set in Burp; once the check has been bypassed, Windows automatically removes the trailing dot and space. Be aware that Unix/Linux systems do not have this behaviour.

4. 0x00 truncation bypass

In extension detection I have so far only encountered this vulnerability in ASP programs. A simple pseudo-code sketch:

    name = GetName(HttpRequest)      // suppose the filename is test.asp.jpg with a 0x00 byte right after "asp"
    type = GetType(name)             // GetType() scans the extension from the end backwards, so it sees jpg
    if (type == jpg)
        SaveFileToPath(UploadPath + name, name)   // but the 0x00 truncates the filename here, so test.asp ends up on disk

5. .htaccess file attack

Combined with the unlisted-extension bypass, uploading a custom .htaccess easily bypasses the various detections.

6. Parsing call/vulnerability bypass

This kind of vulnerability is matched directly with uploading a non-blacklisted file containing injected code, and then using the parsing call/vulnerability.

(2) Whitelist detection

1. 0x00 truncation bypass

Truncation works the same way: Test.asp%00.jpg passes as a whitelisted file, and the logic flaw in the server-side detection code is then exploited.

2. Parsing call/vulnerability bypass

This kind of vulnerability is matched directly with uploading a whitelisted file containing injected code, and then using the parsing call/vulnerability.

6. Server-side detection bypass (file content detection)

1. File magic number detection

2. File-related information detection

Bypass method:

Image-related information detection commonly uses the getimagesize() function; only the file header part needs to be correct. On top of the magic number it also checks some file information, a bit like the structure below:

GIF89a (some binary data for image ...) <?php phpinfo(); ?> (...) skipping the rest of binary data

3. File load detection

7. Exploiting server parsing vulnerabilities
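As an added defensive example (not code from the original page), the server-side validator below is written to close the bypasses listed in sections 2 to 7 together: it ignores the client's Content-Type, rejects null bytes, normalises case and Windows trailing dots/spaces before checking, allow-lists a single extension, verifies the magic number against that extension, refuses image bodies carrying script markers, and stores the file under a content-hash name so the original filename never reaches the filesystem. The allowlist and marker list are constructed for this example.

```python
import hashlib
import re

# Allowed extension -> magic-byte prefixes the content must start with.
# Constructed allowlist for this example; extend to the types you actually accept.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")      # no dots: exactly one extension
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")  # constructed heuristic list

def validate_upload(filename, content, client_content_type=None):
    """Return (stored_name, None) on success or (None, reason) on rejection.

    client_content_type is accepted only to document that it is ignored: the
    header is attacker-controlled (section 2), so the type is derived from the
    bytes and the extension instead.
    """
    if "\x00" in filename:                     # %00 / 0x00 truncation (sections 4, 5)
        return None, "null byte in filename"
    # Windows drops trailing dots and spaces after the check ran (section 5.3);
    # normalise first so the name that is checked is the name that is stored.
    name = filename.strip(" .").lower()        # lower() defeats .PhP / .AsP case games
    if not name or "/" in name or "\\" in name:
        return None, "empty name or path separator"
    stem, sep, ext = name.rpartition(".")
    if not sep or not SAFE_STEM.match(stem):   # also rejects x.php.jpg double extensions
        return None, "missing extension or unsafe stem"
    if ext not in ALLOWED:                     # allow-list, so php5/phtml/asa/cer never pass
        return None, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED[ext]):   # magic number must agree with the extension
        return None, "magic number does not match extension"
    # getimagesize() only looks at the header (section 6.2); refuse bodies that
    # carry script markers as a cheap extra layer before re-encoding the image.
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        return None, "script marker inside image data"
    # Content-hash name: the attacker's chosen name never touches disk, which also
    # removes the input that .htaccess and parsing tricks (sections 5.5, 7) rely on.
    stored = hashlib.sha256(content).hexdigest()[:32] + "." + ext
    return stored, None
```

Pair this with a storage directory that is not served with script execution enabled; the validator reduces the attack surface but does not replace that configuration.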
