In a real engagement, when we find a file upload function we try every way to upload a Webshell, because as long as a Webshell can be uploaded the engagement has at least broadly succeeded; the follow-up steps then depend on the access the Webshell provides. Protections against file upload vulnerabilities fall mainly into two categories: whitelist restrictions and blacklist restrictions. For a blacklist, we only need to find some less common executable suffix, exploit case-insensitivity, or rely on operating system behaviour (for example, Windows automatically strips trailing spaces and dots from file names) to bypass it. For a whitelist, a bypass generally combines a parsing vulnerability, a code-level flaw (iconv 80-EF truncation, functions that cause 00 (null-byte) truncation) and operating system behaviour (for example, the total file name length including the suffix is 223 on Windows 10, 237 on Windows 2012 and 252 on Linux Ubuntu (ubuntu0.16.04.1), etc.). Below we use ubuntu0.16.04.1 as the demonstration environment.
Check what kind of restriction is in place
First we upload a file with the .php suffix and receive an error saying the file suffix is wrong, as shown:
Then we try a suffix that does not exist at all and still get the wrong-suffix error, as shown. From this we can reasonably conclude that this upload point uses a whitelist: only files with specific suffixes are allowed.
Attempt a bypass based on the restriction type
From the above we know the restriction is a whitelist. Earlier information gathering showed that the web server is Nginx and the operating system is Linux (Ubuntu); since the Nginx parsing vulnerability cannot be used to upload here, we construct a long file name to bypass the whitelist.
Because we often do not know the exact operating system, we can only test with a very long file name. If there is an error message we can narrow the length down step by step; if there is none we can only try slowly (for example, set up a few common systems such as Windows 2003, 2008, 2012, Ubuntu and Red Hat and test the file name length on each individually).
First we try a long name and get the error that the file name is too long, as shown. Then we shorten it one character at a time until we reach the point where the upload just succeeds.
From the last attempt we learn that the maximum length is 252, as shown:
Finally, we place .php in the file name just before the .jpg suffix, so that the name that survives the 252-character cut ends in .php; the upload succeeds, as shown:
Finally, we verify by requesting the file that it is parsed, which gives us the Webshell, as shown:
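The bypass above works because the whitelist is evaluated on the name the client submits while the file is stored under a shorter name. As an added example that is not code from the original post, the Python below models that mismatch (a storage layer that cuts names at the post's 252-character figure, plus the null-byte and trailing dot/space behaviour mentioned in the opening paragraph, all as assumptions, since real filesystems may reject over-long names instead of truncating them) and contrasts the naive check with a hardened one that validates the exact name that will be stored and then discards the client name entirely. ALLOWED_EXT, STORAGE_NAME_LIMIT and MAX_CLIENT_NAME are constructed values for this example.

```python
import os
import secrets

# Constructed whitelist of extensions the upload form is meant to accept.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Name length at which the storage layer is modelled to cut the name.
# The post reports 252 on ubuntu0.16.04.1; this constant is an assumption
# used only to model that behaviour (real filesystems may reject instead).
STORAGE_NAME_LIMIT = 252

# Conservative cap the hardened handler enforces on client names (assumption).
MAX_CLIENT_NAME = 100


def extension_of(name: str) -> str:
    """Return the lower-cased suffix after the last dot, or '' if none."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def naive_is_allowed(name: str) -> bool:
    """The weak pattern: whitelist evaluated on the name the client sent."""
    return extension_of(name) in ALLOWED_EXT


def storage_name(name: str) -> str:
    """Model of what actually lands on disk: null-byte cut, trailing
    dot/space removal (Windows-style) and length truncation."""
    name = name.split("\x00", 1)[0]      # 00 truncation described in the post
    name = name.rstrip(". ")             # Windows drops trailing dots/spaces
    return name[:STORAGE_NAME_LIMIT]     # modelled OS name-length cut


def hardened_is_allowed(name: str) -> bool:
    """Check the name that will be stored, not the one that was submitted."""
    if "\x00" in name or os.path.basename(name) != name:
        return False                      # control bytes or path components
    if len(name.encode("utf-8")) > MAX_CLIENT_NAME:
        return False                      # far below any OS limit, so no cut
    final = storage_name(name)
    # The stored name must be byte-identical to the checked name, and its
    # effective extension must be on the whitelist.
    return final == name and extension_of(final) in ALLOWED_EXT


def server_side_name(name: str) -> str:
    """Never persist the client name: random stem plus the validated suffix."""
    if not hardened_is_allowed(name):
        raise ValueError("upload rejected")
    return f"{secrets.token_hex(16)}.{extension_of(name)}"
```

The two design choices that matter are the order of operations (canonicalise to the name that will really be stored, then check it) and never persisting the client-supplied name at all; a short length cap on top makes the exact truncation limit irrelevant whichever operating system the server runs.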
For more on file parsing and upload bypasses, see the reference here.
File upload: file name length bypass of a whitelist restriction