File Upload is a common feature of WEB applications. It is a normal business requirement and has no problems. However, if the file is not correctly processed during uploads, security problems may occur. This article analyzes the File Upload detection methods and how to bypass the corresponding detection methods in detail, and provides a security protection method for file upload attacks.
The file upload attack means that attackers can use WEB applications to filter uploaded files out of the scope defined by the application to the Web server. For example, you can upload a webpage Trojan. If the directory where the uploaded files are stored has the right to execute the script, attackers can directly obtain a WebShell.
Principles of File Upload attacks
Because the server does not properly process the files uploaded by the user, attackers can upload malicious files to a directory that can be accessed through the Web, and the files can be parsed and executed by the Web server.
An attacker must meet the following three conditions for successful file upload:
1. Any script file can be uploaded, And the uploaded file can be parsed and executed by the Web server. Specifically, the directory for storing the uploaded file must have the permission to execute the script.
2. Users can access this file through the Web. If a file cannot be accessed through the Web after being uploaded, the attack cannot be carried out successfully.
3. you need to know the storage path and file name after the file is uploaded to the server. Because many Web applications modify the file name of the uploaded file, you need to obtain the information based on other vulnerabilities. If you do not know the path and name of the uploaded file, you cannot access it even if you have uploaded the file.
Overview of mainstream File Upload Detection Methods
Mainstream File Upload detection methods include:
1. Client javascript Detection
Client-side detection usually contains javascript code that specifically detects file uploads on the upload page. It detects the file before it is uploaded. The most common is to check whether the file type and size of the uploaded file are valid.
2. Server MIME type detection
This Type of detection method checks the value in the Content-Type field of the http packet to determine whether the uploaded file is valid.
3. Server File Extension Detection
This type of detection method checks the extension of the uploaded file on the server to determine whether the file is valid.
4. server directory path Detection
This type of detection is generally determined by checking whether the path is valid.
5. Server File Content Detection
This type of detection method is the most rigorous for the above four detection methods. It checks the file content to determine whether the uploaded file is legal. There are two methods to detect the file content. A. Check the header of the uploaded file. Generally, the True Type of a file can be determined by determining the first 10 bytes. B. file loading check. Generally, an API or function is called to load files for testing. It is common to perform image rendering tests and perform strict or even secondary rendering.
How to bypass File Upload Detection
We have analyzed the mainstream File Upload detection methods above. Next we will look at how to bypass the File Upload detection methods mentioned above. This article only discusses how to bypass the first three detection methods.
1. Bypass client javascript Detection
This detection method is the least secure and the most vulnerable to attackers. Web applications should not only use this method to detect uploaded files, but can be used as an auxiliary means. Because client-side javascript detection can enhance the user friendliness of applications. Javascript detection is implemented on the client, so we can control it completely. You can disable js scripts on the browser side. For example, you can install the FireBug plug-in on FireFox to implement this function. The other method is implemented using a proxy tool. The following describes how to use Burp Suite to bypass client javascript detection. Burp Suite is not only a proxy tool, but also a powerful network penetration tool. For more information about Burp Suite, Baidu.
This site http://www.bkjia.com (Note: Because the site is a real site, for the security of the target site, so use target to replace the real domain name) file upload function only uses the client javascript detection, so it is easy to bypass. Next, let's take a look at the operation method.
First, let's take a look at how the application responds when a. asp file is uploaded normally.
A. When we access this URL (http://www.target.com/AdvHTML_Popups/upload.asp), a page for uploading files will appear
B. Select a. asp file first, and the system will prompt that this type of file cannot be uploaded. Note: At this time, we have not clicked the "parts" button, and a prompt message will appear. We can determine the validity of the uploaded file type on the client. 1:
Figure 1
The above situation proves that the. asp file cannot be successfully uploaded under normal circumstances, so let's take a look at how to bypass this kind of detection.
C. Open the Burp Suite proxy tool and configure the browser to use the proxy. 2:
Figure 2
D. First, change the new. aspfile extension name to .gif, and then click "OK. At this time, the HTTP packet submitted by the browser will be intercepted in the Burp Suite. Modify the value of the filenamefield webshell.gif to webshell. asp, and click "ell". The file is successfully uploaded to the server. 3:
Figure 3
2. Bypass server MIME type detection
The server MIME Type check checks the value in the Content-Type field of the http package to determine whether the uploaded file is valid. Visit http: // 193.168.20.235/upload.html. This is an upload page. When you select to upload a file and click "Upload", the page will jump to uploadf. php for processing. Let's take a look at the uploadf. php code, 4:
Figure 4
So how can we bypass this detection method? Next, let's take a look at the specific operation. We should use Burp Suite to complete it.
I am going to upload webshell. php to the server. This is a one-sentence Trojan. Select a file and click "Upload". At this time, Burp Suite intercepts the HTTP request sent to the server. In Burp Suite, modify the content in the HTTP packet, and then click "data packet content, then, send the data packet to the server. 5:
Figure 5
At this time, a message is displayed, indicating that the file is successfully uploaded and the file storage path is displayed, indicating that we have successfully bypassed the MIME file type detection on the server side, 6.
Figure 6
Now we can connect it with a Chinese kitchen knife and access it successfully. effect 7:
Figure 7
3. Bypass Server File Extension Detection
Now let's take a look at how to bypass the server's file extension detection. Let's take a look at these two sections of code, 8:
Figure 8
The above code is an upload form. When you select to upload a file, click the "Upload" button and it will jump to uploadfiles. asp for processing. Let's take a look at the code in the uploadfiles. asp file for detecting the file extension, 9:
Figure 9
The code above means to get the extension of the uploaded file first, and then compare it with the file type that can be uploaded. If it does not meet the definition, the message "the format of the uploaded file is incorrect!" is displayed !".
Next, let's take a look at how to bypass this detection method. First, we will directly upload a. asp Trojan, And we will prompt that the format of the uploaded file is incorrect, which is consistent with our expectation. 10:
Figure 10
Now we will change webshell.aspto webshell.asp;test.jpg. Upload again and we will find that our webshell has been successfully uploaded to the server, 11.
Figure 11
Now let's access the address http: // 192.168.1.105/bookpic/webshell.asp;test.jpg, which can be accessed normally, 12.
Figure 12
Note: iiss' loopholes are used here. When the file name is 1.asp00001.jpg, IIS will resolve the file to 1.asp. the file name is truncated, causing the script to be executed. You must have the script execution permission on the directory where the uploaded files are stored. Otherwise, the script cannot be executed successfully.
Design Secure File Upload Functions
The above describes mainstream File Upload detection and bypass detection methods. How can we design a secure file upload function? The following is a summary.
1. Set the directory for saving the uploaded files to be unexecutable.
As long as the Web server cannot parse the files in this directory, even if the attacker uploads the script file, the server itself will not be affected. This is critical.
2. Determine the file type
When determining the file Type, you can use MIME Type, suffix check, and other methods. In the file type check, we strongly recommend that you use the whitelist method. In addition, the compression or resize function can be used for image processing to destroy the malicious code that may be contained in the image while processing the image.
3. Use a random number to rewrite the file name and file path
To upload a file and execute code, you must be able to access the file. In some environments, users can upload files but cannot access them. If a random number is used to rewrite the file name and path, the attack cost will be greatly increased. In the same time, files such as webshell.asp;1.jpg cannot be successfully attacked because the file name is rewritten.