Author: nuanfan
The author of the original article did not include the images, so this repost contains no images either.
Technical points: breaking through iGuard, and FCKeditor upload techniques
1. Preface
Following the spread of SQL injection, many websites have had their home pages maliciously tampered with, and site owners urgently need a way to prevent web page tampering. Many companies have released hardware and software products for this purpose, such as the iGuard tamper-proofing system discussed in this article. Tamper-proofing is generally based on one of three techniques: plug-in polling, core embedding, and event triggering. Plug-in polling uses a detection program that reads the monitored web pages in a polling loop and compares them with the genuine copies to judge whether their content is intact, raising an alert and restoring any page that has been tampered with. Core embedding places the tamper detection module inside the web server software itself; it checks the integrity of every page as it is served, blocks access to tampered pages in real time, raises an alert and restores the page. Event triggering uses the operating system's file system interface to check the legitimacy of a web page file at the moment it is modified, raising an alarm and reverting illegal operations. The table below gives a rough technical comparison of the three.
Comparison of the three technologies (columns of the original table: plug-in polling, event triggering, core embedded)
- Whether a tampered web page can still be accessed
- Server load (low)
- Bandwidth usage (none)
- Detection time: minute-level, second-level and real-time respectively
- Whether the detection mechanism can be bypassed
- Whether continuous tampering can be prevented
- Whether all web pages can be protected
- Whether dynamic web scripts are supported
- Applicable operating systems (all vs. limited)
- Whether files can be checked at upload time
- Whether intermittent protection is possible
As the table shows, core embedding is the best of the three anti-tampering approaches. But with new attack techniques appearing all the time, the real question is whether even an optimally configured system amounts to protection of the whole web application layer.
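As an added illustration of the plug-in polling approach described in the preface (this is example code written for this page, not code from the original article or from the iGuard product), the script below keeps a trusted copy of the site, hashes the live web root on each polling round, reports modified, deleted and newly dropped files, and puts the trusted version back. The directory layout and file contents are constructed for the demonstration; a real deployment would run poll_once on a timer and send the returned report to an alerting channel.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (relative path, '/' separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def poll_once(trusted_root, live_root, restore=True):
    """One polling round: compare the live web root with the trusted copy.

    Returns {'modified': [...], 'removed': [...], 'added': [...]} so the caller
    can alert on it; with restore=True the trusted version is put back and
    files that were never part of the site (e.g. an uploaded script) are deleted.
    """
    trusted = snapshot(trusted_root)
    live = snapshot(live_root)
    modified = sorted(p for p in trusted if p in live and live[p] != trusted[p])
    removed = sorted(p for p in trusted if p not in live)
    added = sorted(p for p in live if p not in trusted)
    if restore:
        for rel in modified + removed:
            src = os.path.join(trusted_root, rel)
            dst = os.path.join(live_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
        for rel in added:
            os.remove(os.path.join(live_root, rel))
    return {"modified": modified, "removed": removed, "added": added}


def demo():
    """Constructed scenario: a trusted copy, a live copy with a defaced home
    page and a dropped file in a new folder, then two polling rounds."""
    base = tempfile.mkdtemp(prefix="polling_demo_")
    trusted = os.path.join(base, "trusted")
    live = os.path.join(base, "live")
    for root in (trusted, live):
        os.makedirs(os.path.join(root, "admin"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>home</html>")
        with open(os.path.join(root, "admin", "login.aspx"), "w") as f:
            f.write("<%@ Page %>")
    # Simulated tampering (constructed): a defacement plus an unexpected file
    with open(os.path.join(live, "index.html"), "w") as f:
        f.write("<html>defaced</html>")
    dropped_dir = os.path.join(live, "admin", "UploadFile", "media", "z.cdx")
    os.makedirs(dropped_dir)
    with open(os.path.join(dropped_dir, "1.jpg"), "w") as f:
        f.write("GIF89a constructed-non-image-content")
    first = poll_once(trusted, live)   # detects the changes and restores
    second = poll_once(trusted, live)  # nothing left to report
    shutil.rmtree(base)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The weakness the table attributes to polling is visible in the code: between two rounds the defaced page is served as-is, which is why minute-level detection is the best this approach can offer.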
2. Tampering prevention
We have the following URL:
http://www.test.com.cn/admin/fckeditor/editor/filemanager/connectors/test.html
This is the FCKeditor upload test page. FCKeditor supports several resource types, and administrators may enable different ones as needed, so select each file type in turn on the test page and click "Get Folders and Files" to list the folders. If a blank page or an error message is returned, uploads for that type are not enabled.
Testing shows that the administrator has configured the asp.net connector and that directories can be created and listed under the resource type "Media". This idea has already been discussed online: the usual approach is to create a folder with an asp extension and then upload an image Trojan into it. What was never explained is how to create a folder such as x.asp, because FCKeditor converts the "." in folder names: entering "x.asp" actually creates a folder named "x_asp".
A request like the following can be submitted:
http://www.test.com.cn/admin/FckEditor/editor/filemanager/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Media&CurrentFolder=c.cdx&NewFolderName=z&uuid=1244789975684
This creates a "c.cdx" folder; the uuid parameter is required when submitting the request. The principle is the same as with an asp folder: IIS parses an image file placed in this folder as an asp file. On FCKeditor's default test page the administrator has disabled uploading, so only directories can be created, and an upload point has to be found elsewhere in the back end. Its URL:
http://www.testcom.cn/admin/adminimg.aspx?Simage=images2&bimage=images&path=%2fadmin%2fUploadFile%2fmedia%2fz.cdx&returnpath=admin/pic&wsize=270&hsize=190
The returnpath parameter directs the upload to the "/admin/pic" directory; point it at the z.cdx folder created earlier instead, i.e. admin%2fUploadFile%2fmedia%2fz.cdx:
http://www.testcom.cn/imgresize/imgresize.aspx?Simage=images2&bimage=images&path=%2fadmin%2fUploadFile%2fmedia%2fz.cdx&returnpath=%2fadmin%2fUploadFile%2fmedia%2fz.cdx&wsize=270&hsize=190
Files and image Trojans can then be uploaded directly from the back end. However, iGuard on the server prevents them from being executed.
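A defender's counterpart to the folder trick above, added here as an example and not taken from FCKeditor's own connector code: the checks an upload connector should apply to CurrentFolder, NewFolderName and returnpath-style parameters, so that no path segment can carry a script-mapped extension (x.asp, c.cdx) and no client-supplied value can escape the upload root. The SCRIPT_EXTENSIONS list and the UPLOAD_ROOT value are assumptions for the demonstration; a real deployment would take them from the server's script-map settings and the connector's configuration. Unlike FCKeditor's "." to "_" conversion mentioned above, the new-folder check here simply rejects any name that is not a single plain segment.

```python
import posixpath
import re
from urllib.parse import unquote

# Extensions that IIS 5/6 maps to a script engine (assumed list for the demo;
# take the real one from the server's script-map settings). A *folder* whose
# name ends in one of these makes files under it executable on affected IIS.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".ashx", ".asmx", ".php"}

# Upload root of the "Media" resource type (assumed value for the demo).
UPLOAD_ROOT = "/admin/UploadFile/media"

# A new folder name is one plain segment: letters, digits, '_' and '-' only,
# so it can carry neither a dot (x.asp) nor ';' nor NUL.
FOLDER_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_safe_folder_name(name):
    return bool(FOLDER_NAME_RE.match(name))


def has_script_segment(path):
    """True if any '/'-separated segment ends in a script-mapped extension."""
    for segment in path.split("/"):
        _stem, ext = posixpath.splitext(segment)
        if ext.lower() in SCRIPT_EXTENSIONS:
            return True
    return False


def resolve_upload_path(client_path):
    """Decode a client-supplied folder value (CurrentFolder, returnpath, ...),
    normalise it and confine it to UPLOAD_ROOT.

    Returns the normalised absolute path, or None if the value must be rejected.
    """
    decoded = unquote(client_path)
    if "\x00" in decoded or ";" in decoded or "\\" in decoded:
        return None
    joined = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded.lstrip("/")))
    if joined != UPLOAD_ROOT and not joined.startswith(UPLOAD_ROOT + "/"):
        return None  # '..' escaped the upload root
    if has_script_segment(joined[len(UPLOAD_ROOT):]):
        return None  # e.g. CurrentFolder=c.cdx or returnpath=...%2fz.cdx
    return joined


def create_folder_request(current_folder, new_folder_name):
    """Validate a CreateFolder command; return the path to create, or None."""
    parent = resolve_upload_path(current_folder)
    if parent is None or not is_safe_folder_name(new_folder_name):
        return None
    return posixpath.join(parent, new_folder_name)


if __name__ == "__main__":
    for cur, new in [("/", "z"), ("c.cdx", "z"), ("/", "x.asp"), ("../../pic", "z")]:
        print(cur, new, "->", create_folder_request(cur, new))
```

Decoding happens exactly once and the extension check runs on every segment of the already-normalised path, so both "c.cdx" as a parent and "%2fz.cdx" (or its double-encoded form) as a target are refused, and a "returnpath" that tries to leave the upload root is refused as well.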
3. Upload breakthrough
Breaking through iGuard relies on the image Trojan principle. First, merge a normal picture with a typical diy.asp file so that the result is a picture with the Trojan inside; the command is as follows (the file names are placeholders: the first operand is the normal picture, the second is the Trojan, the last is the merged output):
C:\> copy /B picture.jpg + diy.asp picture_trojan.jpg
This essentially fools iGuard's file check, telling it, in effect, "this is not a Trojan, this is just an image".
Upload and execute the file.
There is also another method, which saves the step of creating a special folder. Its principle is the same as the "Nday" that recently made the rounds and has in fact existed for a long time: the Microsoft IIS 5.x/6.0 file name parsing vulnerability. Vulnerability description: when a file is named x.asp;x.jpg, Microsoft IIS automatically parses it as asp; when a file is named x.php0000x.jpg, Microsoft IIS automatically parses it as php. Upload an image Trojan with a name in this format and iGuard lets it through as well. It is fair to say that iGuard's file detection is too simplistic, and the IIS defect is the other main cause.
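Added example (not from the original article): a pre-storage check that covers both bypasses in this section, namely the copy /B image Trojan, by verifying the image signature and looking for script tags or data appended after the format's end marker, and the IIS file name parsing issue, by accepting only a single plain base name with an image extension. The magic bytes and end markers are the documented ones for JPEG, PNG and GIF; the sample GIF bytes and the appended marker are constructed and are not a real picture. Re-encoding the image with an image library is the stronger mitigation that this check complements rather than replaces.

```python
import re

# Leading bytes that identify the raster formats the upload form accepts.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Byte sequence that closes a well-formed file of each format.
END_MARKER = {"jpg": b"\xff\xd9", "png": b"IEND\xae\x42\x60\x82", "gif": b";"}
# Server-side script tags; compared against the lower-cased file content.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")
# One plain base name plus an image extension: no second dot, no ';', no NUL,
# so names like x.asp;x.jpg or x.php0000x.jpg never get through.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$")


def is_safe_filename(name):
    return bool(SAFE_NAME_RE.match(name))


def sniff_image(data):
    """Return 'jpg', 'png' or 'gif' from the magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def contains_script(data):
    """True if a script tag appears anywhere, including after the image data."""
    lowered = data.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def trailing_bytes(data, kind):
    """Bytes after the format's end marker; copy /B appends its payload here."""
    end = END_MARKER[kind]
    idx = data.rfind(end)
    if idx < 0:
        return data  # no end marker at all: treat the whole file as suspect
    return data[idx + len(end):].strip(b"\x00\r\n\t ")


def check_upload(name, data):
    """Return (accepted, reason) for a candidate upload."""
    if not is_safe_filename(name):
        return False, "unsafe file name"
    kind = sniff_image(data)
    if kind is None:
        return False, "not a recognised image"
    ext = name.rsplit(".", 1)[1].lower()
    if ("jpg" if ext == "jpeg" else ext) != kind:
        return False, "extension does not match image content"
    if contains_script(data):
        return False, "script tag inside image"
    if trailing_bytes(data, kind):
        return False, "data appended after image end"
    return True, "ok"


# Constructed sample inputs: a minimal GIF header and trailer (not a real
# picture) and a harmless marker standing in for an appended script.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = CLEAN_GIF + b"<% constructed placeholder, not real script %>"
APPENDED_GIF = CLEAN_GIF + b"\x00\x00constructed-trailer"

if __name__ == "__main__":
    for name, data in [("photo.gif", CLEAN_GIF), ("photo.gif", POLYGLOT_GIF),
                       ("photo.gif", APPENDED_GIF), ("x.asp;x.jpg", CLEAN_GIF)]:
        print(name, check_upload(name, data))
```

The trailer check is what a signature-only scanner such as the one the article criticises lacks: a file that starts with valid image bytes still fails if anything follows the end marker, which is exactly the shape copy /B produces.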