JS verification of File Upload Vulnerability demo script

JS verification of File Upload Vulnerability demo script00716

About the file upload vulnerability, presumably play web security students have contact, before this site also published an article to introduce the various methods of file upload vulnerability, but there is only a document but no demo code, recently to the company a customer training, according to the document in the bypass to write the corresponding code, convenient for me to study the side dishes, This article I will continue to send a few days is about how to bypass, all is popular science, very simple, I hope the small friends like.

Article about file Upload Vulnerability

Bypass File Upload Verification

Why file upload forms are the primary security threat

JS Validation Bypass Demo code

01

<?php

02

/**

03	* Created by 独自等待

04	* Date: 14-1-22

05	* Time: 下午7:19

06	* Name: upload1.php

07	* 独自等待博客：http://www.waitalone.cn/

08

*/

09	//文件上传漏洞演示脚本之js验证

10	$uploaddir= ‘uploads/‘;

11	if(isset($_POST[‘submit‘])) {

[	& nbsp;   if   ( file_exists ( $ Uploaddir

"	& nbsp;       if   (Move_uploaded_file ( $_files [ ' upfile ' ][ ' tmp_name ' ],  $uploaddir  .  '/'  .  $_files [ ' upfile ' ][ ' name '

+	& nbsp;           echo    .  Code class= "Brush variable" > $uploaddir  .  $_files [ ' upfile ' ][ ' name '

15

}

16

} else{

17	exit($uploaddir. ‘文件夹不存在,请手工创建！‘);

18

}

19	//print_r($_FILES);

20

}

21

?>

22	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

23	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

24	"http://www.w3.org/1999/xhtml">

25

26	<meta http-equiv="Content-Type"content="text/html;charset=gbk"/>

27	<meta http-equiv="content-language"content="zh-CN"/>

28	<title>文件上传漏洞演示脚本--JS验证实例</title>

29	<script type="text/javascript">

30	functioncheckFile() {

31	varfile = document.getElementsByName(‘upfile‘)[0].value;

32	if(file == null || file == "") {

33	alert("你还没有选择任何文件，不能上传!");

34	returnfalse;

35

}

36	//定义允许上传的文件类型

37	varallow_ext = ".jpg|.jpeg|.png|.gif|.bmp|";

38	//提取上传文件的类型

39	varext_name = file.substring(file.lastIndexOf("."));

40	//alert(ext_name);

41	//alert(ext_name + "|");

42	//判断上传文件类型是否允许上传

43	if(allow_ext.indexOf(ext_name + "|") == -1) {

44	varerrMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为："+ ext_name;

45	alert(errMsg);

46	returnfalse;

47

}

48

}

49

</script>

50

<body>

51

52

53	<form action=""method="post" enctype="multipart/form-data" name="upload"onsubmit="return checkFile()">

54	<input type="hidden"name="MAX_FILE_SIZE"value="204800"/>

55	请选择要上传的文件：<input type="file"name="upfile"/>

56	<input type="submit"name="submit"value="上传"/>

57

</form>

58

</body>

59

JS Authentication Bypass Method

JS authentication is best bypassed, as if there is a statement that client-based authentication is not secure, here we have a number of workarounds.

How to tell if File upload is based on client JS authentication?

Methods are also more, such as direct view of the Web site source files, using the Capture tool to see if the client submitted a packet to the server, if there is no JS authentication, random upload a file, see return results.

As shown, the JS verification will be after you submit the upload file, directly pop up a prompt, and terminate the file submitted to the server. The bypass method is as follows:

A, we directly delete the code in the OnSubmit event about the file upload to verify the upload file of the relevant code.

B, directly change the file upload JS code to allow the upload of file extensions you want to upload the file name extension.

C. Use the local submission form, for example, to make the appropriate changes.

D, the use of burpsuite or fiddle proxy tools to submit, local files are changed to JPG, upload interception, and then change the file name extension to ASP.

The above 4 methods, everyone is free to use, can bypass the local JS authentication.