Easy file upload with filetype

Source: Internet
Author: User

Everyone is familiar with file upload; after all, it is one of the main ways to obtain a webshell. For the theory, see my other summary article, "Talking about file parsing and upload vulnerabilities"; this post supplements the theory with a practical case: the filetype vulnerability!

The filetype vulnerability mainly concerns the Content-Type field, and there are two main ways to exploit it:

1. First upload an image, then change content-type: image/jpeg to content-type: text/asp, apply 00 truncation to the filename, and replace the image content with a one-line trojan.

2. Use Burp to intercept the POST upload data directly and change content-type: text/plain to content-type: image/gif.

Here I add a simple case in which the filetype field can be controlled to upload arbitrary files. I had met it before in a CTF but thought it would never appear in a real environment; unfortunately, I ran into it!

Experimental environment: ASP, IIS 7.5, Windows R2

When we find an upload point, we upload an ASP one-line trojan; the corresponding HTTP request packet is shown in Figure 1:

Figure 1 Upload failed

At this point the upload failed with a message that the extension is illegal (there should be a whitelist restriction), and the filetype field in the HTTP request packet shows *, which presumably means it is not supported. We then tried all kinds of upload tricks: directory parsing (through experimentation the upload directory name could be created arbitrarily), 00 truncation, left-to-right parsing ... All of them failed!

Originally I thought there was no way in, because after downloading the configuration file Web.config I found that a whitelist restriction was indeed in place (Figure 2), so it seemed hopeless!

Figure 2 Web.config

In the end I found (by sheer dumb luck) that directly changing filetype from * to asp made the upload succeed, as Figure 3 shows.

Figure 3 Modifying filetype upload success

Then we visited the directory to check whether the upload had really succeeded and whether the file had been removed by any protection (Figure 4): the one-line trojan was indeed uploaded successfully.
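As an added example (not code from the original post), this is the kind of server-side check that would have closed this hole: the stored extension is derived only from the uploaded filename and validated against a fixed server-side whitelist, the client-supplied filetype and Content-Type fields are never consulted when choosing the extension, and filenames containing a NUL (00 truncation) are rejected outright. The function names, the whitelist and the field layout are assumptions made for the example.

```python
import re
from typing import Optional

# Server-side whitelist of storable extensions. Constructed for this example;
# the client never gets to extend it.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def safe_storage_name(filename: str,
                      client_filetype: Optional[str] = None,
                      content_type: Optional[str] = None) -> str:
    """Return the name under which the upload may be stored.

    client_filetype and content_type mirror the request fields seen in the
    post. They are accepted so the call site looks like the real handler,
    but deliberately ignored: both are attacker-controlled.
    """
    # 00 truncation: a NUL or any other control character is a hard reject.
    if any(ord(c) < 32 for c in filename):
        raise UploadRejected("control character in filename")
    # Drop any directory component the client sent (../, C:\, ...).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base in {".", ".."}:
        raise UploadRejected("empty filename")
    # The extension is the text after the LAST dot, compared case-insensitively.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise UploadRejected("missing extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # Keep only a conservative character set in the stem so nothing the web
    # server might parse specially (dots, separators, spaces) survives.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return f"{stem}.{ext}"


def is_accepted(filename: str, client_filetype: Optional[str] = None,
                content_type: Optional[str] = None) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        safe_storage_name(filename, client_filetype, content_type)
        return True
    except UploadRejected:
        return False
```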

Figure 4 The one-line trojan can be accessed normally

Finally, we connected with Chopper and successfully obtained a webshell, as shown in Figure 5.

Figure 5 Webshell obtained successfully

Summary:

This article mainly records some everyday experience and tricks; because one's thinking is always limited, in the end it often comes down to luck!

This article is from the "eth10" blog; please keep this source: http://eth10.blog.51cto.com/13143704/1958799
