Vulnerability Introduction
File upload vulnerability can be said to be very harmful, because this vulnerability can be directly Getshell. The reason for the vulnerability is simply that because of a developer or website operator's mistakes, the user uploads files can be interpreted by the server as a script (executable file) execution. But to successfully exploit this vulnerability requires at least three conditions to be met:
A. Valid upload point
B. Upload files can be parsed and executed
C. The uploaded file can be accessed to low
Because I was built in the WAMP environment, so I try to upload a php word trojan.
Can see our words successfully uploaded, we try to connect with a kitchen knife
Successful connection, it appears that the background did not do any filtering. Let's look at the source code:
<?php
if (isset ($_post[' Upload ')) {
//Where is we going to is writing to?
$target _path = dvwa_web_page_to_root. "Hackable/uploads/";
$target _path = basename ($_files[' uploaded ' [' name ']);
Can we move the file to the upload folder?
if (!move_uploaded_file ($_files[' uploaded ' [' Tmp_name '], $target _path)) {
//No
$html. = ' <pre>your Image is not uploaded.</pre> ';
}
else {
//yes!
$html. = "<pre>{$target _path} succesfully uploaded!</pre>";
}
? >
I did not do any filtering, the file path is dvwa_web_page_to_root. "hackable/uploads/" plus the file name. Medium
Let's try uploading the script directly:
When prompted, you can see only images that are allowed to upload jpeg or PNG. To get around this limit, let's start by thinking about where the developers are restricting our uploading of PHP files:
1. Front end: Use JS to judge
2. Back end:
A. Judging the filename suffix
B. Judging MIME types
C. Judging the contents of a document
Now we have a little bit of groping, first of all to see whether it is the front-end JS judgment, because I am using Chrome browser, so I set a disable JS, so that the page JS is not in effect, but I upload the file is not successful, this means that it is not JS limit my operation.
Note: Chrome disables the JS method:
Set-–> advanced ——-> Privacy settings and Security-–> content Settings-Disable JS
If the background is to use the file name to judge, we really do not have a good way to let the server directly parse our script, because now my PHP version is 5.4, so the previously rumored file name of the 00 phase is not available (for example: The file name is 1.php%00.jpg, Can bypass the background of the file suffix check, but the server resolution is resolved to 1.php, because%00 truncation of the following characters, but this method I use the other 5.3.29 version of PHP is not reproduced, you may need a lower version of PHP, you can try, welcome to communicate with me. Let's try to get around and see if the MIME type is in the background, this time we need to grab the magic Burpsuite, grab the packet result:
Let's change this MIME type manually:
Successful bypass:
Chopper Connection:
Now let's look at the source code:
<?php if (isset ($_post[' Upload ')) {//Where is we going to is writing to? $target _path = Dvwa_web_page_to_root.
"Hackable/uploads/";
$target _path = basename ($_files[' uploaded ' [' name ']);
File information $uploaded _name = $_files[' uploaded ' [' Name '];
$uploaded _type = $_files[' uploaded ' [' type '];
$uploaded _size = $_files[' uploaded ' [' Size '];
Is it an image? if ($uploaded _type = = "Image/jpeg" | | $uploaded _type = = "Image/png") && ($uploaded _size < 100000)
) {//Can we move the file to the upload folder? if (!move_uploaded_file ($_files[' uploaded ' [' Tmp_name '], $target _path)) {//No $html. = ' &
Lt;pre>your image is not uploaded.</pre> ';
} else {//yes!
$html. = "<pre>{$target _path} succesfully uploaded!</pre>"; }} else {//Invalid file $html. = ' <p Re>your image is not uploaded.
We can only accept JPEG or PNG images.</pre> ';
}}?>
The red box is the key to the circle, first get the file type, save and then $uploaded_type inside, and then determine whether the variable matches the condition, this variable is actually stored MIME type high
Similarly, the third question, we also a little to test it. Upload the script directly first
As expected, cannot be uploaded. Come on, try the medium method, grab the MIME type, or burst the same error, stating that this is not the MIME type of the judgment, or not just the MIME type, I guess the contents of the file may be judged. may have to be content is also a picture, the general background to determine whether a file is not a picture is a file to determine the first few data, as if this thing is called BOM head, the specific point of the reader to Baidu a bit, I here to say the use of methods, Windows comes with a tool to merge files. We open the command line and type the following command:
Copy file 1.jpg/b+ file 2.php/a new file. jpg
This will generate a new file based on the two specified files. Let's look at the contents of the resulting file:
Can see a sentence is added to the end of our file, now, I have just generated the image suffix to PHP, so that you can bypass the back end of the file header check, and now we try to upload
Or was intercepted, it seems that there is really more than the content of the document to judge. It seems that with the suffix name of the verification, now also to change the suffix name to jpg or PNG, so that a change can be uploaded, but we do not visit the time to be parsed into PHP ah, plus said before the%00 truncation can not be used, I really did not think of any good use of methods. Other people's approach is to implement Getshell with file inclusions. I have also tried it for a moment:
How to say that PHP is still executed, but my kitchen knife connection is not successful, very strange, want to know the small partners to share
Next look at the source code, what the backend did:
<?php if (isset ($_post[' Upload ')) {//Where is we going to is writing to? $target _path = Dvwa_web_page_to_root.
"Hackable/uploads/";
$target _path = basename ($_files[' uploaded ' [' name ']);
File information $uploaded _name = $_files[' uploaded ' [' Name '];
$uploaded _ext = substr ($uploaded _name, Strrpos ($uploaded _name, '. ') + 1);
$uploaded _size = $_files[' uploaded ' [' Size '];
$uploaded _tmp = $_files[' uploaded ' [' Tmp_name '];
Is it an image? if (Strtolower ($uploaded _ext) = = "JPG" | | strtolower ($uploaded _ext) = = "JPEG" | | strtolower ($uploaded _ext) = = "png ") && ($uploaded _size < 100000) && getimagesize ($uploaded _tmp)) {//Can
We move the file to the upload folder? if (!move_uploaded_file ($uploaded _tmp, $target _path)) {//No $html. = ' <pre>your image W
as not uploaded.</pre> ';
} else { yes!
$html. = "<pre>{$target _path} succesfully uploaded!</pre>"; }} else {//Invalid file $html. = ' <pre>your image is not uploaded.
We can only accept JPEG or PNG images.</pre> ';
}}?>
The
is sure of the filename suffix and the contents of the file, but which function is judged by the contents of the file. It seems that there is no way to see, actually getimagesize () This function is judged.
Subsequent additions may be made progress a little bit every day