Pkav: a universal upload flaw when PHP meets Windows

Source: Internet
Author: User
Tags: upload, php

$pkav->publish{when PHP meets Windows}
Jianxin @xsser has abandoned me, but I cannot abandon WooYun.
When PHP meets Windows, as when a man meets a woman, sooner or later there will be trouble.
Thank you, brother @gainover.
Tip: This article describes a new kind of file upload bypass (a vulnerability caused by a few Windows file system characteristics) and gives a corresponding example.

Detailed Description:

#1 Introduction to the example

The example used here is the U-mail mail system.

The U-mail file upload code looks like this:

Code Area
<?php
if (ACTION == "attach-upload") {
    if ($_FILES) {
        $file_name   = $_FILES['Filedata']['name'];
        $file_type   = $_FILES['Filedata']['type'];
        $file_size   = $_FILES['Filedata']['size'];
        $file_source = $_FILES['Filedata']['tmp_name'];
        $file_suffix = getFileNameSuffix($file_name);
        $not_allow_ext = array("php", "phps", "php3", "exe", "bat");
        if (in_array($file_suffix, $not_allow_ext)) {
            dump_json(array("status" => 0, "message" => el("不支持该扩展名文件上传", "")));
        }
        $path_target = getUserCachePath();
        do {
            $file_id     = makeRandomName();
            $file_target = $path_target . $file_id . "." . $file_suffix;
        } while (file_exists($file_target));
        if (!move_uploaded_file($file_source, $file_target)) {
            dump_json(array("status" => 0, "message" => el("Error writing file, please contact administrator!", "")));
        }
        $_SESSION[SESSION_ID]['attach_cache'][] = array("id" => $file_id, "name" => $file_name, "type" => "1", "path" => $file_target, "size" => $file_size);
        dump_json(array("status" => "1", "filename" => $file_name, "filesize" => $file_size, "file_id" => $file_id));
    } else {
        dump_json(array("status" => "0", "message" => el("Unable to find the file to upload!", "")));
    }
}



Note the following code:

Code Area
$not_allow_ext = array("php", "phps", "php3", "exe", "bat");
if (in_array($file_suffix, $not_allow_ext)) {
    dump_json(array("status" => 0, "message" => el("不支持该扩展名文件上传", "")));
}



Obviously this is blacklist validation. Although a suffix such as BYPASS.PHPX (where X stands for a space, %20, or other special characters in the range %80-%99) can bypass the program's check, that is not what I want to talk about today.

Today I will use this example to explain a new way to upload files; hear me out.

#2 PoC code

To make local testing easier, the code above has been simplified as follows:

Code Area
<?php
// U-mail demo ...
if (isset($_POST['submit'])) {
    $filename = $_POST['filename'];
    $filename = preg_replace("/[^\w]/i", "", $filename);
    $upfile   = $_FILES['file']['name'];
    $upfile   = str_replace(';', "", $upfile);
    $upfile   = preg_replace("/[^(\w|\:|\$|\.|\<|\>)]/i", "", $upfile);
    $tempfile = $_FILES['file']['tmp_name'];

    $ext = trim(get_extension($upfile)); // null

    if (in_array($ext, array('php', 'php3', 'php5'))) {
        die('Warning! File type error: ');
    }

    if ($ext == 'asp' or $ext == 'asa' or $ext == 'cer' or $ext == 'cdx' or $ext == 'aspx' or $ext == 'htaccess') $ext = 'file';

    $savefile = 'upload/' . $upfile;
    $savefile = 'upload/' . $filename . "." . $ext;

    if (move_uploaded_file($tempfile, $savefile)) {
        die('Success upload. Path: ' . $savefile);
    } else {
        die('Upload failed.');
    }
}
function get_extension($file) {
    return strtolower(substr($file, strrpos($file, '.') + 1));
}
?>
<body>
<form method="POST" action="upfile.php" enctype="multipart/form-data">
<input type="file" name="file" value=""/>
<input type="hidden" name="filename" value="file"/>
<input type="submit" name="submit" value="Upload"/>
</form>
</body>



Although the code above checks the file name against a blacklist, none of the currently known upload techniques can get a PHP file past it (program bugs aside), so the upload code can be called "safe".

But then, looking back suddenly, there where the lights are dim, PHP meets Windows and a beautiful love story begins.

#3 The story

One day a couple of senior members in the group posted a URL. I took a quick look: it was about using operating system characteristics for file upload. My interest was immediately piqued, I studied it carefully, and this article is the result.



Those lines of English mean roughly that, in a PHP + Windows + IIS environment:

Double quote ('"') <==> dot (".")

Greater-than sign (">") <==> question mark ("?")

Less-than sign ("<") <==> asterisk ("*")

Sounds like fun; surely you can do a lot with this? Not quite: a series of tests showed that, for file upload, this feature can only be used to overwrite a file whose name is already known, so on its own it is of little use.

There are two reasons:

1) We generally do not control the upload directory;

2) At the same time, the upload directory generally does not contain any PHP file we would want to overwrite, so there is nothing to overwrite.

Later, after much thought, I finally found a perfect way to use it.

The idea is as follows:

First we use a special method to create a PHP file, and then use this feature to overwrite that file.

But then again, how do you create the PHP file? If you could create a PHP file directly, why would you need this feature at all?

Don't worry, there is always a way.

We all know that when uploading files we tend to think about file name truncation, such as %00.

Right! Some people may also use a colon (":") to truncate, for example: bypass.php:jpg

But did you know? The file produced by colon truncation is blank; it has no content. (On NTFS the part after the colon names an alternate data stream, so the uploaded bytes go into that stream and the file's default stream stays empty.) Hehe, do you see where this is going? Although the generated PHP file is empty, a PHP file is nevertheless created, so we can combine this with the feature described above for a perfect exploit.

#4 Colon + feature: successful exploitation

Following the idea given in #3:

Local test address: http://www.secmap.cn/upfile.php; environment: Windows + IIS 7.5

1) First use a colon to create the PHP file we are going to overwrite, here bypass.php:



After clicking Forward, you can see that a blank bypass.php file was created.



2) Overwrite the file using the system feature above

From the above we already know that "<" is equivalent to "*", and "*" matches any characters, so:

We can modify the uploaded file name as follows:

Code Area
------WebKitFormBoundaryaaRARrn2LBvpvcwK
Content-Disposition: form-data; name="file"; filename="bypass.<<<"
Content-Type: image/jpeg
// Note! The file name is: bypass.<<<



Click Go, and bypass.php is successfully overwritten.



Comparing the two screenshots above, content was successfully written into bypass.php.



#5 Feature two

First take a look at a paragraph from Microsoft's MSDN:



Pay attention to the English text circled in red:

Code Area
The default data stream has no name. That is, the fully qualified name for the default stream for a file called "sample.txt" is "sample.txt::$DATA" since "sample.txt" is the name of the file and "$DATA" is the stream type.



Looks promising; let's try it.

Similarly, we can modify the uploaded file name as follows:

Code Area
------WebKitFormBoundaryaaRARrn2LBvpvcwK
Content-Disposition: form-data; name="file"; filename="DataStreamTest.php::$DATA"
Content-Type: image/jpeg
// Note! The file name is: DataStreamTest.php::$DATA



Click Go, and the miracle appears.



Visit the ...

Proof of vulnerability:

#6 Proof of vulnerability

For U-mail the exploitation method is the same as above; to keep it simple and quick, you can just intercept the request and modify the file name:

shell.php::$DATA uploads successfully; the shell screenshot is not shown here.
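As an added hardening example (not U-mail's code and not the post's demo), here is how an upload handler like the ones above can validate names so that the colon truncation, the wildcard-character overwrite and the ::$DATA trick from #3 to #6 are all rejected up front; the helper names and the allow-list are assumptions made here.

```php
<?php
// Added hardening example for the handlers above (not U-mail's code, not the post's demo).
// Assumption: is_safe_upload_name() and storage_name() are helper names chosen here.

// Return true only when a client-supplied name is acceptable for a file that
// will be written to a Windows/NTFS volume and served by PHP.
function is_safe_upload_name(string $name, array $allowed_ext): bool
{
    // Reject any ':' instead of stripping it: on NTFS the part after a colon names an
    // alternate data stream, so "bypass.php:jpg" creates an empty bypass.php and
    // "x.php::$DATA" writes the default stream of x.php.
    if (strpos($name, ':') !== false) {
        return false;
    }
    // Reject characters Windows reserves or treats as wildcards in names; the
    // '"' -> '.', '>' -> '?' and '<' -> '*' mapping is what lets "bypass.<<<"
    // match and overwrite bypass.php.
    if (preg_match('/[<>"\/\\\\|?*\x00-\x1f]/', $name)) {
        return false;
    }
    // Windows drops trailing dots and spaces, so "BYPASS.PHP " becomes BYPASS.PHP.
    if (rtrim($name, ". ") !== $name) {
        return false;
    }
    // Allow-list the extension (case-folded, since NTFS is case-insensitive)
    // rather than blacklisting php/php3/php5.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed_ext, true);
}

// Never reuse the client name on disk: random name plus the allow-listed extension.
function storage_name(string $ext): string
{
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed test vectors, using the names that appear in this write-up.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$cases = [
    'photo.jpg'                 => true,
    'bypass.php:jpg'            => false, // colon truncation: empty bypass.php
    'bypass.<<<'                => false, // '<' acts as '*', overwrites bypass.php
    'DataStreamTest.php::$DATA' => false, // default-stream name
    'BYPASS.PHP '               => false, // trailing space dropped by Windows
    'shell.php'                 => false, // the plain blacklist case
];
foreach ($cases as $name => $expected) {
    $verdict = is_safe_upload_name($name, $allowed) === $expected ? 'as expected' : 'MISMATCH';
    printf("%-28s %s\n", $name, $verdict);
}
```

Even with this check in place, storing the file under storage_name() and serving the upload directory without script execution is what actually removes the risk, because the name check only covers the tricks this write-up describes.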
