JS verification of File Upload Vulnerability demo script
Anyone who plays with web security has presumably run into file upload vulnerabilities. This site previously published an article introducing the various ways a file upload check can be bypassed, but it was only a write-up with no demo code. Recently, while running a training for one of the company's customers, I wrote the corresponding code for each bypass in that article, which makes it convenient for me and for beginners to study. Over the next few days I will keep posting about how the bypasses work; it is all popular science and very simple, and I hope you like it.
Related articles about file upload vulnerabilities:
Bypass File Upload Verification
Why file upload forms are the primary security threat
JS Validation Bypass Demo code
```php
<?php
/**
 * File upload vulnerability demo script: JS validation example
 * 独自等待博客:http://www.waitalone.cn/
 */
$uploaddir = 'uploads/';
if (isset($_POST['submit'])) {
    if (file_exists($uploaddir)) {
        // Deliberately no server-side check: the file is saved under the name the client sent
        if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
            // Echo the path the file was stored at
            echo $uploaddir . $_FILES['upfile']['name'];
        }
    } else {
        exit($uploaddir . '文件夹不存在,请手工创建!');
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=gbk" />
<meta http-equiv="content-language" content="zh-CN" />
<title>文件上传漏洞演示脚本--JS验证实例</title>
<script type="text/javascript">
// Runs in the browser only, from the form's onsubmit handler
function checkFile() {
    var file = document.getElementsByName('upfile')[0].value;
    if (file == null || file == "") {
        alert("你还没有选择任何文件,不能上传!");
        return false;
    }
    // Whitelist of allowed extensions; each entry ends with '|' so the lookup matches whole tokens
    var allow_ext = ".jpg|.jpeg|.png|.gif|.bmp|";
    // Extension of the chosen file, taken from the last '.' in the path (case-sensitive)
    var ext_name = file.substring(file.lastIndexOf("."));
    //alert(ext_name + "|");
    // Reject when the extension (plus '|') does not occur in the whitelist string
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
    return true;
}
</script>
</head>
<body>
<form action="" method="post" enctype="multipart/form-data" name="upload" onsubmit="return checkFile()">
<input type="hidden" name="MAX_FILE_SIZE" value="204800" />
请选择要上传的文件:<input type="file" name="upfile" />
<input type="submit" name="submit" value="上传" />
</form>
</body>
</html>
```
JS Validation Bypass Methods
JS validation is the easiest kind to bypass; as the saying goes, validation done on the client is never secure. Here we have several workarounds.
How do you tell whether a file upload is validated by client-side JS?
There are several ways: view the site's page source directly, or use a packet-capture tool to see whether the client actually submits a request to the server; if there is no JS validation, upload an arbitrary file and look at the returned result.
As shown, the JS validation pops up a prompt immediately after you submit the upload form and stops the file from ever being sent to the server. The bypass methods are as follows:
A. Delete the file-validation code from the onSubmit event of the upload form.
B. Change the list of allowed extensions in the upload JS code to include the extension of the file you want to upload.
C. Use a locally saved copy of the submission form and make the corresponding changes there.
D. Use a proxy tool such as Burp Suite or Fiddler: rename the local file to .jpg, intercept the upload, then change the extension back to .asp.
Any of these four methods can bypass local JS validation.
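All four bypasses work for the same reason the demo script above is vulnerable: the only check runs in the browser, and the PHP side saves whatever arrives under the client-supplied name. As an added example (not code from the original post or from the 独自等待 blog), here is a server-side counterpart that validates the same 'upfile' field after it reaches PHP. The $uploaddir path, the whitelist contents and the function name validate_upload are assumptions made for this example.

```php
<?php
// Added example: server-side validation for the 'upfile' form field.
// $uploaddir, the whitelists and validate_upload() are assumptions, not the demo's own code.
$uploaddir  = __DIR__ . '/uploads/';   // ideally a directory the web server never executes scripts from
$allow_ext  = ['jpg', 'jpeg', 'png', 'gif', 'bmp'];
$allow_mime = ['image/jpeg', 'image/png', 'image/gif', 'image/bmp', 'image/x-ms-bmp'];

/**
 * Checks one entry of $_FILES and returns [ok (bool), message (string), validated extension (string)].
 */
function validate_upload(array $file, array $allow_ext, array $allow_mime): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error', ''];
    }
    // Only accept files PHP itself received in this request's multipart body
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file', ''];
    }
    // Extension check: lowercase, exact match against the whitelist (no substring lookup)
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allow_ext, true)) {
        return [false, 'extension not allowed: ' . $ext, ''];
    }
    // Content check: sniff the MIME type from the bytes, not from $file['type'], which the client sets
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, $allow_mime, true)) {
        return [false, 'content is not an allowed image: ' . $mime, ''];
    }
    // The image header must actually parse, otherwise refuse it
    if (getimagesize($file['tmp_name']) === false) {
        return [false, 'not a parsable image', ''];
    }
    return [true, 'ok', $ext];
}

if (isset($_POST['submit']) && isset($_FILES['upfile'])) {
    if (!is_dir($uploaddir)) {
        exit('upload directory missing');
    }
    [$ok, $msg, $ext] = validate_upload($_FILES['upfile'], $allow_ext, $allow_mime);
    if (!$ok) {
        http_response_code(400);
        exit('rejected: ' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
    }
    // The server picks the stored name: random, with only the validated extension appended
    $dest = $uploaddir . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['upfile']['tmp_name'], $dest)) {
        exit('save failed');
    }
    echo 'saved as ' . htmlspecialchars(basename($dest), ENT_QUOTES, 'UTF-8');
}
```

The JS check from the demo can stay as a usability aid, but every decision that matters (extension, content, stored file name, storage location) is repeated here on the server, where methods A through D cannot reach it. Storing uploads in a directory with script execution disabled is a separate, equally important control that this snippet assumes rather than configures.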