File Upload + Bypass method + basic usage of chopper

Source: Internet
Author: User

I won't repeat the underlying principle here; it is easy to Google, and I wrote it up ages ago. In short: upload a script (JSP, ASP, PHP) and use it to get a shell on the machine (yes, that sounds crude).

Several common bypass techniques for file upload vulnerabilities:

1. JS front-end check
2. MIME check
3. Extension check
4. Letter-case variation (the same idea as the first one: try PHP in several capitalizations, and possibly phtml)
5. 00 (null-byte) truncation
6. Upload a picture containing a one-line trojan

The simplest case: upload a PHP file directly and see whether it goes through.


1. JS front-end check:

Usually a JavaScript script on the web page verifies the extension of the file being uploaded; it can be whitelist-based or blacklist-based.
How to recognize it: when you browse to a file but have not yet clicked the Upload button, a dialog pops up, e.g. "only .jpg/.jpeg/.png files are allowed", and no request has been sent at that point.

Workaround:
1) Intercept the request and modify the file extension: for example, rename the file to .jpg so it passes the front-end check, intercept the upload request, change the extension to .php and see whether it goes through.
2) Press F9 and, in the HTML, change filename="xxser.jpg" to filename="1.php".
Note for the second method: adjust the length as well; if Content-Length was 200 before, it becomes 196 here.

2. MIME check:
The MIME type tells the client how a file with a given extension should be opened; when such a file is accessed, the browser opens it with the associated application.

1) Content-Type field check:

MIME types, for example:
GIF image: image/gif
CSS: text/css
JPG: image/jpg

For example: upload a PHP file and capture the request; the MIME type of the PHP file is application/php.

upload.php checks whether the file type is image/jpeg, so the request does not pass validation.

Workaround: change Content-Type to image/jpeg in the request, which passes the check.

2) File header check

You can write your own regular expression to check whether the file header content meets the requirements. A few common file header correspondences:
(1) .JPEG; .JPE; .JPG: "JPGGraphic File"
(2) .gif: "GIF 89A"
(3) .zip: "Zip Compressed"
(4) .doc; .XLS; .XLT; .ppt; .apr: "MS Compound Document v1 or Lotus Approach APRfile"

Solution: prepend some file header information to the trojan content, roughly like this:
gif89a<?php phpinfo ();?>


3. Extension check (00 truncation). Null-byte truncation in file upload and file include is described here: http://www.2cto.com/article/201502/377462.html
How the server side handles the upload: the uploaded file is first cached, then checked; if it meets the requirements it is moved to the upload directory, otherwise the cached file is deleted.

Method: capture the request and change the uploaded filename from 1.jpg to "2.php 1.jpg" (with a space), then click Hex to open the hexadecimal editor,
change the hex 20 of the space to 00 (locate it by searching for the filename), and click "Go".
The upload succeeds as 2.php; everything after 2.php has been truncated (this can be seen in Raw).
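Each bypass above defeats one isolated check (a client-side script, a client-sent Content-Type, a case-sensitive blacklist, a name parsed after a NUL byte). As an added example, not code from the original post, here is a server-side validator in Python that applies the checks together: an allowlist on the lowercased final extension, a NUL/path-separator check before the name is parsed, magic bytes instead of Content-Type, a scan for PHP open tags inside the image body, and a random stored filename. The filenames and byte strings used with it are constructed samples.

```python
import re
import secrets

# Extension allowlist (lowercase). Only the LAST extension is compared,
# so "shell.jpg.php" is judged as .php and rejected.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Magic bytes the file must start with. The client's Content-Type header
# is never consulted because the uploader controls it.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# PHP open tags inside an otherwise valid image (the "gif89a<?php" trick).
PHP_TAG = re.compile(rb"<\?php\b|<\?=")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload."""
    # Reject NUL bytes and path separators before parsing the extension:
    # a NUL lets "2.php\x001.jpg" be stored as "2.php" by C-backed code.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal character in filename"
    name = filename.strip()
    if "." not in name or name.startswith("."):
        return False, "missing extension"
    # Lower-case before comparing, so .PhP, .PHP and .phtml all hit the
    # same allowlist instead of a case-sensitive blacklist.
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    expected = "jpg" if ext == "jpeg" else ext
    if kind != expected:
        return False, "file content does not match extension"
    if PHP_TAG.search(data):
        return False, "script tag embedded in image"
    return True, "ok"


def stored_name(validated_filename: str) -> str:
    """Never store under the user-supplied name: random name, vetted extension."""
    ext = validated_filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Serving the upload directory with script execution disabled is still needed; the validator only keeps the obvious payloads out.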


6. Upload a picture containing a one-line trojan

Upload the picture containing the one-liner, open the chopper, right-click Add, and enter the upload address in the address bar.


About using the Chinese kitchen knife (chopper):
After a successful upload (for PHP this is usually your own one-line trojan), get the file's URL from the address bar, open the chopper,
right-click Add, select UTF-8 as the encoding and PHP as the script type, then connect. You have the shell and can start working,
or you have the flag.
