0x00 Overview
0x01 Client-side detection bypass (JS detection)
On the client side, the following JavaScript code is used to check whether the file chosen by the user is legitimate before the form is submitted:
    <script type="text/javascript">
    // This check runs entirely in the user's browser, so the user controls it.
    function checkFile() {
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("Please select a file to upload!");
            return false;
        }
        // define which file types are allowed to be uploaded
        var allow_ext = ".jpg|.png|.gif";
        // extract the type (extension) of the upload file
        var ext_name = file.substring(file.lastIndexOf("."));
        // determine whether the upload file type is allowed
        if (allow_ext.indexOf(ext_name) == -1) {
            var errMsg = "The file is not allowed to upload, please upload " + allow_ext +
                         " type of file, the current file type is: " + ext_name;
            alert(errMsg);
            return false;
        }
        return true;
    }
    </script>
- How to determine whether the check is client-side JS detection
- Bypass method
Because the JS program that verifies the legality of the file runs in our own client, this verification is under our control and can be bypassed easily. The specific ways to bypass it are as follows:
1. Add the file type you want to upload to the list of allowed types (allow_ext), so that the type you want to upload is treated as legal.
(Figure: a simple upload page)
2. Delete the call to the JS verification script, so that the file type is never checked and the upload goes through.
3. Use Burp Suite to capture the request and modify the file type in it to bypass the check.
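Because every one of the three methods above leaves the server with nothing but the request the client chose to send, the allowlist has to be re-checked on the server. The following is an added example, not code from the original post: the same extension allowlist as a pure function that a Node.js upload handler can call on the received filename; the names ALLOWED_EXT, extensionOf, checkUploadName and the sample filenames are assumptions made up for this example.

```javascript
// Added example: server-side counterpart of the client-side checkFile().
// Names and sample data are assumptions, not from the original post.
const ALLOWED_EXT = [".jpg", ".png", ".gif"];

// Extract the extension the way the client script does (text after the last
// dot), but strip any path component first and normalise case so the
// comparison below is an exact match, not a substring match on ".jpg|.png|.gif".
function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop();          // drop directory part
  const dot = base.lastIndexOf(".");
  if (dot === -1 || dot === base.length - 1) return ""; // no usable extension
  return base.slice(dot).toLowerCase();
}

// Returns {ok, reason}; call this on the filename taken from the multipart
// request, regardless of whatever JavaScript ran (or was skipped) in the browser.
function checkUploadName(filename) {
  if (typeof filename !== "string" || filename === "") {
    return { ok: false, reason: "no file selected" };
  }
  const ext = extensionOf(filename);
  if (!ALLOWED_EXT.includes(ext)) {
    return {
      ok: false,
      reason: 'extension "' + ext + '" is not in the allowlist ' + ALLOWED_EXT.join("|"),
    };
  }
  return { ok: true, reason: "" };
}

// Constructed sample filenames, as a server might see them in the
// Content-Disposition header after the client-side check was edited or removed.
const SAMPLE_NAMES = ["avatar.jpg", "photo.PNG", "upload.php", "noext", "trailing.", ".jp"];

// Returns [[name, accepted], ...] for the constructed samples.
function runSamples() {
  return SAMPLE_NAMES.map((name) => [name, checkUploadName(name).ok]);
}

console.log(runSamples());
```

An extension allowlist is only the first server-side gate; storing the file under a server-generated name and inspecting its content belong next to it, but that is beyond what the client-side check above attempts.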
Summary of the principles and methods of file upload restriction bypass