New driver--File upload

Source: Internet
Author: User

I. File upload vulnerability overview

A file upload vulnerability exists when a user can upload an executable script file to the server and then use that file to run commands on the server side.

In most cases a file upload vulnerability means "a web script is uploaded and the server parses it"; the uploaded script is commonly called a webshell. For the attack to succeed, all of the following conditions must hold:

(1) The uploaded file can be interpreted and executed by the web container, so the upload directory must lie within a path that the web container serves and is configured to execute scripts from.

(2) The user can reach the file over the web. If a file is uploaded but cannot be requested through the web, or the web container cannot be made to interpret it as a script, there is no vulnerability.

(3) The uploaded content survives processing. If security checks, format conversion, image compression or similar functions alter the file content, the attack may fail.

II. Uploading and using a webshell

  1. Uploading a webshell directly

   Once an upload point has been found, if the server side does not filter the user-submitted parameters or files, or filters them improperly, a webshell can be uploaded directly.

  2. Bypassing client-side checks

Client-side detection uses JavaScript in the response page to check the user's input. The check runs in the browser, and its telltale sign is that the file is rejected with an error message before anything is sent to the server. Because the check runs on the attacker's own machine, it is bypassed by renaming the file to an allowed extension, submitting it, and then changing the extension back inside the HTTP request with an intercepting proxy such as Burp Suite (or simply by disabling the script).

  3. Bypassing server-side file extension checks

Server-side extension detection is the application checking the suffix of the uploaded file name and allowing or blocking the file accordingly. It takes two forms, blacklist and whitelist:

    • Blacklist detection: a dedicated list enumerating the suffixes considered dangerous; anything not on the list is accepted.
    • Whitelist detection: a list of the suffixes the user is permitted to upload; anything not on the list is rejected.

Bypassing blacklist detection:
(1) Case variation: suffixes such as .Asp or .ASPX are not matched by a case-sensitive blacklist, yet IIS treats them exactly like .asp and .aspx.
(2) Incomplete blacklist: attack with a suffix the list omits. IIS by default hands .asp, .asa, .cer and .cdx to the ASP engine, but blacklists often stop at .asp and .aspx. A .asa or .cer file executes exactly like a .asp file, so these suffixes bypass the list.

(3) Special file names: modify the HTTP request so that the file name becomes test.asp. or test.asp_ (where _ stands for a space). Windows does not allow file names ending in a dot or a space, so the name must be inserted with a proxy tool such as Burp Suite. After the blacklist check has passed on the modified name, Windows silently strips the trailing dot or space when the file is created, leaving test.asp. Note that Unix/Linux systems do not do this.
(4) 0x00 truncation: in the string-handling functions of many languages a 0x00 byte is treated as the string terminator. If the application only allows .jpg images, a file name such as 2.asp%00.jpg passes the type check because the check sees the trailing .jpg, but when the server creates the file the name is truncated at the %00 and the file is stored at the 2.asp path.

Bypassing whitelist detection:
(1) 0x00 truncation: a whitelist check is bypassed mainly with the same 0x00 truncation used against blacklists. The whitelist sees the trailing .jpg and accepts the name, but back-end functions such as CreateTextFile() truncate the name at the %00, so the file ends up stored at the 2.asp path.
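
The following is an added example, not code from the original article, that models the blacklist weaknesses above. The blacklist contents are a constructed example of the kind of list the text describes, and the storage model encodes two behaviours of a Windows/IIS host: C-style string functions stop at the first 0x00 byte, and the Win32 API strips trailing dots and spaces from file names instead of failing. Each sample file name is run through the filter and then through the storage model so the gap between "what was checked" and "what was created" is visible.

```python
"""
Model of a blacklist extension filter and of how a Windows/IIS host stores
the submitted name (added example, not from the original article).
"""

# Hypothetical blacklist of the kind the article describes: it enumerates
# "dangerous" suffixes but is case sensitive and incomplete.
BLACKLIST = {".asp", ".aspx", ".php", ".jsp"}


def blacklist_allows(filename: str) -> bool:
    """Vulnerable check: compares the final extension of the *submitted*
    name, exactly as typed, against the blacklist."""
    dot = filename.rfind(".")
    ext = filename[dot:] if dot != -1 else ""
    return ext not in BLACKLIST


def windows_stored_name(filename: str) -> str:
    """Name that ends up on disk on a Windows/IIS host.

    * C string functions stop at the first 0x00 byte, so '2.asp\\x00.jpg'
      is created as '2.asp'.
    * NTFS names may not end in '.' or ' ', and the Win32 API silently
      strips trailing dots and spaces rather than rejecting the name.
    Linux keeps trailing dots and spaces; only the 0x00 rule applies there.
    """
    nul = filename.find("\x00")
    if nul != -1:
        filename = filename[:nul]
    return filename.rstrip(". ")


def executable_on_iis(stored_name: str) -> bool:
    """IIS 6 maps .asp, .asa, .cer and .cdx to the ASP engine by default."""
    return stored_name.lower().endswith((".asp", ".asa", ".cer", ".cdx"))


def evaluate(filename: str) -> dict:
    """Run one submitted name through the filter and the storage model."""
    stored = windows_stored_name(filename)
    return {
        "submitted": filename,
        "passes_blacklist": blacklist_allows(filename),
        "stored_as": stored,
        "executes": executable_on_iis(stored),
    }


# Constructed attacker inputs, one per bypass technique in the text.
SAMPLES = [
    "shell.asp",       # blocked: exact blacklist match
    "shell.ASP",       # case bypass
    "shell.cer",       # alternate extension missing from the blacklist
    "shell.asp.",      # trailing dot, stripped by Windows
    "shell.asp ",      # trailing space, stripped by Windows
    "2.asp\x00.jpg",   # 0x00 truncation
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = evaluate(name)
        print(f"{r['submitted']!r:20} passes={r['passes_blacklist']!s:5} "
              f"stored={r['stored_as']!r:13} executes={r['executes']}")
```

Only the first sample is stopped; every other name passes the check and is created as an ASP-executable file. The fix is not a longer blacklist but a whitelist applied to the name the server actually stores (normalised, lower-cased, with the 0x00 byte rejected outright).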

  4. Bypassing server-side MIME type checks

Checking the file name suffix alone does not reliably block malicious uploads (for example, a server that only allows .jpg and forbids .php can, in some circumstances, still execute a PHP file whose suffix was changed to .jpg). So the file format is checked as well. Server-side MIME type detection does this by examining the Content-Type field of the HTTP request to decide whether the upload is legitimate. That field is set by the client, however, so it is just as easy to forge with a proxy as the file name is.

   A MIME type is a label for a file format (for example text/html) that tells a browser or other client which handler to use for the content; on the web it is carried in the Content-Type header.
Common MIME types (generic):

    • .html   text/html               Hypertext Markup Language text
    • .xml    text/xml                XML document
    • .xhtml  application/xhtml+xml   XHTML document
    • .txt    text/plain              Plain text
    • .rtf    application/rtf         RTF text
    • .pdf    application/pdf         PDF document

  5. Bypassing file content checks

  File content detection decides whether a file may be uploaded by inspecting particular marker bytes. A .jpg image, for example, begins with FF D8 FF E0 and, in JFIF files, carries the bytes 4A 46 49 46 ("JFIF") a few bytes later. Such sequences are called the file's magic number, and the server verifies the type by examining the header of the uploaded file.
  Checking the magic number inspects only the beginning of the content; some checks also examine file metadata or load and render the image. Against all of these, a one-line webshell (the "one-word Trojan" of the original) can be appended to the tail of a valid image file: the image structure stays intact, so the check passes, while the code is still present. The steps are: inject the code into an image, upload it, get the server to treat the resulting file as a script (for instance through a file inclusion or one of the parsing flaws described below), and connect to the webshell with a client.
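
The following is an added example, not code from the original article, covering the MIME type check of section 4 and the content check of section 5 together. It builds a constructed multipart/form-data request body, parses it the way a naive upload handler would, and applies the two checks in turn: the Content-Type header check is satisfied by whatever the client declares, and the magic-number check is satisfied by a constructed JPEG header with PHP appended after it. The multipart layout, the boundary string and the image bytes are all constructed inline.

```python
"""
Content-Type and magic-number checks for an image upload, and a constructed
image/PHP polyglot that satisfies both (added example, not from the article).
"""
import re
from typing import Optional

# Constructed multipart/form-data body. Every byte of the part header,
# including Content-Type, is chosen by the client.
BOUNDARY = b"----WebKitFormBoundaryExample"


def build_multipart(field_filename: bytes, declared_type: bytes, content: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + field_filename + b'"\r\n'
            b"Content-Type: " + declared_type + b"\r\n\r\n"
            + content + b"\r\n"
            b"--" + BOUNDARY + b"--\r\n")


def parse_single_part(body: bytes) -> dict:
    """Extract filename, declared Content-Type and raw content of the only part."""
    head, _, rest = body.partition(b"\r\n\r\n")
    content = rest.rsplit(b"\r\n--" + BOUNDARY + b"--", 1)[0]
    filename = re.search(rb'filename="([^"]*)"', head).group(1)
    ctype = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1)
    return {"filename": filename.decode(), "content_type": ctype.decode(), "content": content}


# Magic numbers for the image formats the hypothetical policy allows.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",        # SOI marker followed by an APPn marker
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def check_content_type_header(part: dict) -> bool:
    """Weak server check: trusts the client-declared Content-Type."""
    return part["content_type"] in {"image/jpeg", "image/png", "image/gif"}


def sniff_magic(data: bytes) -> Optional[str]:
    """Stronger check: identify the format from the leading bytes."""
    for prefix, mime in MAGIC.items():
        if data.startswith(prefix):
            return mime
    return None


PHP_TAG = re.compile(rb"<\?(?:php\b|=)")   # "<?php" or the short echo tag "<?="


def contains_php_code(data: bytes) -> bool:
    return PHP_TAG.search(data) is not None


# Constructed JFIF header (FF D8 FF E0, length, "JFIF\0", version, units, density)
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
# Constructed polyglot: valid header, some image-ish filler, PHP, then the EOI marker.
POLYGLOT = JPEG_HEADER + b"\x00" * 32 + b"<?php echo 'payload ran'; ?>" + b"\xff\xd9"


def evaluate_upload(body: bytes) -> dict:
    part = parse_single_part(body)
    return {
        "filename": part["filename"],
        "header_check_passes": check_content_type_header(part),
        "sniffed_type": sniff_magic(part["content"]),
        "contains_php": contains_php_code(part["content"]),
    }


if __name__ == "__main__":
    # Case 1: a plain PHP file with a forged Content-Type passes the header check only.
    print(evaluate_upload(build_multipart(b"shell.php", b"image/jpeg", b"<?php echo 1; ?>")))
    # Case 2: the polyglot passes both checks and still carries PHP.
    print(evaluate_upload(build_multipart(b"cat.jpg", b"image/jpeg", POLYGLOT)))
```

The sniff correctly rejects case 1, which is why it is worth doing, but case 2 shows its limit: a magic-number check only proves the file starts like an image. Scanning for PHP tags, as contains_php_code does, is a useful detection signal but is itself bypassable by encoding, so the robust answers are the ones in part III: re-encode the image (resize or recompress, which discards the trailing bytes) and store it where nothing will ever execute it.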


  6. Bypassing server-side directory path checks

  Some applications let the user submit a directory path parameter along with the upload. When the check on that parameter is not rigorous, a %00 truncation attack is possible. The nature of the flaw is the same as %00 truncation against a blacklist, but it requires the server-side application to process a user-supplied directory path, so it is not universally applicable.

  7. Uploading a webshell via server parsing vulnerabilities

  Web server parsing vulnerabilities stem from flaws in the design of the web server's own features; all of the major servers have had file parsing issues disclosed, as follows:

- IIS 6.0 parsing vulnerability 1
- IIS 6.0 parsing vulnerability 2
- IIS 7.0/7.5 parsing vulnerability
- Apache file parsing vulnerability
- Nginx parsing vulnerability

  
(1) IIS 6.0 parsing vulnerability 1
This flaw lies in how IIS 6.0 handles file extensions: every file under a directory whose name ends in .asp (for example /test.asp/) is parsed as ASP regardless of the file's own extension. The same applies to directories named *.cer, *.asa and *.cdx, and to names such as *.cer\, *.asa\ and *.cdx\ (these cannot be typed directly into a browser and must be sent with a tool such as Burp Suite). The /*.asp/ form is the usual example.

(2) IIS 6.0 parsing vulnerability 2
IIS 6.0 does not handle file names containing a semicolon (;) correctly: everything from the semicolon onward is ignored, so a file such as 2.asp;xx.jpg is treated as 2.asp and the script executes. The same holds for 2.cer;xx.jpg, 2.asa;xx.jpg and 2.cdx;xx.jpg.

(3) IIS 7.0/7.5 parsing vulnerability
On IIS 7.0/7.5 running PHP through php-cgi (FastCGI), appending "/anyname.php" to the URL of any file makes PHP process that file as a script. The root cause is the path-info handling of php-cgi (the same cgi.fix_pathinfo issue described for Nginx below), not IIS itself. Example:
Server-side test.jpg contains: <?php echo "Hello World"; ?>
Requesting http://[ip]/test.jpg/noexist.php parses test.jpg as PHP. noexist.php does not exist on the server, but the suffix must be .php.

(4) Apache file parsing vulnerability
Apache's mod_mime examines every extension in a file name, not only the last one, and simply ignores extensions it does not know. With PHP enabled via AddHandler or AddType, a name such as phpshell.php.rar.rar has no known type for .rar, but .php still maps to the PHP handler, so the file is executed as PHP. An attacker can therefore upload a one-line webshell named phpshell.php.rar.rar and have it executed when requested (shell.php.jpg behaves the same way: .jpg supplies the media type, .php supplies the handler). The original lists Apache 2.2.11, 2.2.17, 2.2.6, 2.0.59 and 2.2.8 as affected, but this is configuration behaviour rather than a bug in a particular release: any Apache where PHP is bound with AddHandler/AddType instead of a FilesMatch on \.php$ behaves this way.

(5) Nginx parsing vulnerability
Appending "/anyname.php" to the URL of an arbitrary file, for example requesting nginx.jpg as nginx.jpg/x.php, makes Nginx forward the request to the FastCGI back end, and PHP then parses nginx.jpg as a PHP file. The issue is not really in Nginx, which only proxies the request to the FastCGI server; PHP does the processing. The cause is the way PHP in FastCGI mode resolves the script path from PATH_INFO when cgi.fix_pathinfo is enabled. PHP did not issue a patch, regarding the behaviour as intended, and the official recommendation for preventing the attack is to set cgi.fix_pathinfo = 0 in php.ini.

Nginx also had a vulnerability of its own in which any file name followed by %00.php was parsed as PHP. It affects older versions: Nginx 0.5.*, 0.6.*, 0.7 <= 0.7.65 and 0.8 <= 0.8.37.

  

8. Uploading a webshell via SQL injection

  Using a SQL injection to write to the server's file system is fairly common. In essence it uses the database's file-writing capability (for example MySQL's SELECT ... INTO OUTFILE) to write the webshell into a directory the web server serves.

9. Uploading a webshell via WebDAV

 WebDAV greatly extends HTTP beyond GET, POST and HEAD. With the PUT and MOVE methods an attacker can upload a file and then rename it, obtaining a webshell. The steps are:
- Probe the server's supported methods with OPTIONS
- Upload the file with PUT, under an extension the server permits
- Rename it to a script extension with MOVE
- Request the renamed file to execute it

10. Uploading a webshell via .htaccess files

A .htaccess file changes Apache's configuration for a single directory without access to the main configuration file. If the server does not filter the .htaccess name on upload, an attacker can upload one that alters how files in that directory are handled, for example directing that every file whose name contains the string "haha" be parsed as PHP. The attacker then uploads a one-line webshell whose file name contains "haha", and it is executed as PHP. The steps are:
- Create the .htaccess file
- Create the one-line webshell file
- Upload both files and connect to the webshell with a client such as China Chopper (the "chopper" of the original)
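
The following is an added example, not code from the original article, that serves both the Apache parsing flaw in section 7 (4) and the .htaccess attack in section 10. It models mod_mime's documented rule for names with several extensions (every extension is examined, unknown ones are skipped, and the rightmost match wins for each kind of metadata), then applies the one .htaccess construct the attack needs. The AddType/AddHandler tables are a constructed subset of a typical httpd configuration, not a real server's, and the .htaccess content is reconstructed from the article's "haha" description.

```python
"""
Model of how Apache's mod_mime resolves a media type and a handler from a
multi-extension file name, what an uploaded .htaccess changes, and how the
FilesMatch-based configuration closes both holes (added example).
"""
import re

# AddType mappings (extension -> media type). Unknown extensions are ignored.
TYPES = {"html": "text/html", "jpg": "image/jpeg", "png": "image/png",
         "gif": "image/gif", "txt": "text/plain"}

# AddHandler mappings (extension -> handler). This is the common but unsafe
# way of enabling PHP: "AddHandler application/x-httpd-php .php".
HANDLERS = {"php": "application/x-httpd-php"}

PHP_HANDLER = "application/x-httpd-php"


def resolve(filename: str, types: dict = TYPES, handlers: dict = HANDLERS) -> dict:
    """mod_mime rule: walk every extension after the base name; for each kind
    of metadata the rightmost known extension wins; unknown ones are skipped.
    Extension comparison is case-insensitive."""
    media_type = handler = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in types:
            media_type = types[ext]
        if ext in handlers:
            handler = handlers[ext]
    return {"type": media_type, "handler": handler, "executes": handler == PHP_HANDLER}


# Attacker's .htaccess, reconstructed from the article: any file whose name
# contains "haha" is handed to the PHP handler.
HTACCESS = """\
<FilesMatch "haha">
SetHandler application/x-httpd-php
</FilesMatch>
"""

_FILESMATCH = re.compile(
    r'<FilesMatch\s+"([^"]+)">\s*SetHandler\s+(\S+)\s*</FilesMatch>', re.S)


def parse_filesmatch_sethandler(htaccess: str) -> list:
    """Tiny parser for FilesMatch blocks containing a single SetHandler."""
    return [(re.compile(rx), h) for rx, h in _FILESMATCH.findall(htaccess)]


def resolve_with_htaccess(filename: str, htaccess: str) -> dict:
    """Per-directory override: SetHandler in a matching FilesMatch replaces
    whatever the per-extension tables decided. Requires AllowOverride to
    permit FileInfo directives, which is the case on many shared hosts."""
    result = resolve(filename)
    for rx, handler in parse_filesmatch_sethandler(htaccess):
        if rx.search(filename):
            result["handler"] = handler
    result["executes"] = result["handler"] == PHP_HANDLER
    return result


def resolve_hardened(filename: str) -> dict:
    """Hardened configuration: PHP is bound with
        <FilesMatch "\\.php$"> SetHandler application/x-httpd-php </FilesMatch>
    so only a *terminal* .php executes, and AllowOverride None makes an
    uploaded .htaccess inert. Types still come from AddType."""
    result = resolve(filename, handlers={})
    if re.search(r"\.php$", filename, re.I):
        result["handler"] = PHP_HANDLER
    result["executes"] = result["handler"] == PHP_HANDLER
    return result


if __name__ == "__main__":
    for name in ["phpshell.php.rar.rar", "shell.php.jpg", "haha.jpg", "index.php"]:
        print(f"{name:22} AddHandler={resolve(name)['executes']!s:5} "
              f"+.htaccess={resolve_with_htaccess(name, HTACCESS)['executes']!s:5} "
              f"hardened={resolve_hardened(name)['executes']}")
```

Under the AddHandler configuration both phpshell.php.rar.rar and shell.php.jpg run as PHP, and the uploaded .htaccess turns an otherwise harmless haha.jpg into a script. Under the FilesMatch configuration with overrides disabled, only index.php executes. The model deliberately omits the many other directives an .htaccess can carry; the point is that any directory an attacker can write to must not be one Apache reads configuration from.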

III. Designing a secure file upload function

1. Make the upload directory non-executable

In practice, many large websites place uploaded files on separate storage and serve them as static files. On one hand this makes caching easier and reduces the load on the application servers; on the other hand it eliminates any possibility of an uploaded script being executed.

2. Determine the file type

MIME type checks and suffix checks can both be used to determine the file type. The suffix check must be a whitelist: blacklists have been shown to be unreliable countless times. For images, additionally run the picture through a compression or resize function; re-encoding the image destroys any HTML or script code that may have been embedded in it.

3. Replace file names and paths with random values

For uploaded code to execute, the user must be able to reach the file. In some environments users can upload but cannot access what they uploaded. If the application replaces the file name and path with random values, the attacker's cost rises sharply, and attacks that depend on a specific name, such as shell.php.rar.rar or crossdomain.xml, fail because the name is not preserved.

4. Serve uploaded files from a separate domain

Because of the browser's same-origin policy, a whole class of client-side attacks then fails: uploading a crossdomain.xml, or uploading a file that contains JavaScript for use as XSS, no longer affects the application's origin. Whether this can be set up depends on the specific business environment.

