Change the custom upload path to a custom upload file name
One common way upload vulnerabilities are exploited is through a filepath that the client can customize, that is, the path under which uploaded files are saved.
However, when the custom filepath does not exist on the server, there are two scenarios:
1. The program automatically creates missing directories and has permission to create them.
2. The program does not automatically create directories, or has no permission to create them.
The first case needs little explanation: as long as the directory can be created automatically, the upload will certainly succeed.
The second case is a little more troublesome. If the directory does not exist and is not created automatically, or the program has no permission to create it, the upload will certainly fail. After all, the directory does not exist, so the file cannot be saved there.
In the second case, I have encountered some cases and successfully broken through the restrictions. Here is a case demonstration.
First, let's take a look at the upload point. The whitelist restricts the upload of script files. Only image files can be uploaded:
Upload an image file and get the address http://www.bkjia.com/20125262195331685.gif
Check the front-end source code of the upload module:
As you can see, although the upload is successful, the file actually returns 404; that is, the f4ck.asp directory, which did not originally exist, is not created automatically.
The method is as follows:
<input type="hidden" name="filepath" value="/f4ck.asp;">
The upload succeeds, and the returned address is http://www.bkjia.com/f4ck.asp;201252621193918566.gif
So the question is, why does this upload succeed? If you set the value of filepath to "/f4ck.asp/", you are telling the program to save the file into a directory named f4ck.asp. That directory does not exist, and the program either has no automatic creation function or has no permission to create a directory, so the upload fails. However, if you set the value of filepath to a file name such as "/delimiter. The difference between the two is that one customizes the upload path, while the other changes the custom upload path into a custom upload file name.
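The difference between the two filepath values can be seen by composing the save path the way the page describes, next to a server-side check that rejects both. This is an added example, not code from the original article or the application it tested; the function names, the directory allowlist and the file name pattern are assumptions, and the sample values are constructed from the page's URLs.

```python
import posixpath
import re

# Constructed sample values modelled on the page's URLs; all names are hypothetical.
GENERATED = "201252621193918566.gif"       # server-generated name, whitelisted type
ALLOWED_DIRS = {"/", "/upload/images/"}    # assumed server-side allowlist
SAFE_NAME = re.compile(r"[0-9]+\.(gif|jpg|png)")


def naive_target(filepath, generated):
    """The pattern the page describes: client 'filepath' + generated name."""
    return filepath + generated


def split_target(target):
    """Return (directory, file name) as the file system will see them."""
    return posixpath.split(target)


def hardened_target(filepath, generated):
    """Accept only allowlisted directories, then re-check the final name."""
    if filepath not in ALLOWED_DIRS:
        raise ValueError("filepath not allowed: %r" % filepath)
    target = posixpath.join(filepath, generated)
    _, name = split_target(target)
    # The saved name must be exactly the generated one: no client-chosen prefix.
    if name != generated or not SAFE_NAME.fullmatch(name):
        raise ValueError("unexpected final file name: %r" % name)
    return target


if __name__ == "__main__":
    for fp in ("/", "/f4ck.asp/", "/f4ck.asp;"):
        print("naive   ", fp, "->", split_target(naive_target(fp, GENERATED)))
        try:
            print("hardened", fp, "->", hardened_target(fp, GENERATED))
        except ValueError as exc:
            print("hardened", fp, "-> rejected:", exc)
```

With the trailing slash the client value stays in the directory part, so the save depends on that directory existing; without it the client value becomes the start of the file name in an existing directory, which is why the extension whitelist on the uploaded file alone does not cover the name that is finally written.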