"Upload topic" only front-end filtering


In forums and on other platforms, uploading attachments is an essential function, and it is also a place that attackers frequently target. This upload topic shares some ways in which upload restrictions get broken and how to defend against them; by playing both sides, it shows the subtleties of attack and defense around attachment uploads.

1. Overview

This article describes filtering the extension of an uploaded attachment in the front end only, and how Burp Suite can be used to bypass that front-end filtering and upload a disallowed file.


2. Pre-conditions

1) The Burp Suite tool;

2) The Apache Commons FileUpload jar and its related packages;


3. Front-End code example

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

4. Background upload processing code example

package com.fileupload.servlets;

import java.io.File;
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * File upload
 * @author wangzp
 */
public class UploadServlet extends HttpServlet {

    /** Memory capacity threshold: items larger than this are spooled to disk **/
    private final int sizeThreshold = 1024 * 1024 * 2;

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Judge whether it is a multipart/form-data request
        boolean isMultipartRequest = ServletFileUpload.isMultipartContent(request);
        if (!isMultipartRequest) {
            response.getWriter().print("Invalid request");
            return;
        }
        String tmpPath = this.getServletContext().getRealPath("/images");
        DiskFileItemFactory factory = new DiskFileItemFactory(sizeThreshold, new File(tmpPath));
        ServletFileUpload fileUpload = new ServletFileUpload(factory);
        fileUpload.setFileSizeMax(1024 * 1024 * 5); // The maximum size of a single uploaded file
        fileUpload.setSizeMax(1024 * 1024 * 5);     // The maximum request byte size
        fileUpload.setHeaderEncoding("UTF-8");      // Set request header encoding
        try {
            // Parse the request; returns a FileItem list for the form fields.
            // Each form field corresponds to one FileItem instance.
            List<FileItem> fileItems = fileUpload.parseRequest(request);
            for (FileItem fileItem : fileItems) {
                // Get the form field name attribute
                String fieldName = fileItem.getFieldName();
                // Get the file name of the uploaded file; for a non-upload field the value is null
                String name = fileItem.getName();
                // Get the value of the field
                String value = fileItem.getString();
                // For an upload field the content type is obtained; a non-upload field returns null
                System.out.println(fileItem.getContentType());
                if (fileItem.isFormField()) { // true: non-upload field
                    response.getWriter().println(fieldName + " : " + value);
                } else { // a file upload field
                    System.out.println("fieldName : " + fieldName);
                    System.out.println("name : " + name);
                    // Note: no server-side extension check here; the file is written
                    // under the client-supplied name, which is the point of this example
                    File file = new File(tmpPath + "/" + name);
                    if (!file.getParentFile().exists()) {
                        file.getParentFile().mkdir();
                    }
                    fileItem.write(file);
                }
            }
        } catch (FileUploadException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

5. Results analysis and how to bypass front-end filtering

When a .jpg image is selected, the file uploads successfully; when any other file is selected, the front end reports that the file type is wrong. So how can the front-end check be bypassed? For anyone with some familiarity with an intercepting proxy it is a very simple matter; either of the following approaches works:

1) Rename the file so that it carries an allowed extension: for example, if the original file is test.png, rename it to test.png.jpg. The front-end check then passes and the form can be submitted;

2) Use Burp Suite to intercept the file upload request and modify it, for example:

[Figure: Burp.png, the intercepted upload request (Http://s3.51cto.com/wyfs02/M02/4C/EA/wKiom1RHYV_Aeiz1AAOk1S0IUVk810.jpg)]

After modifying the request you can forward it to the server, and you will find that the server has successfully stored the redis.png picture.


6. Summary

This is only a simple example; sites developed today are not so easy to bypass. More complex cases will be covered one by one in later articles.

As a back-end developer, you should never rely on front-end controls, because code that runs on the user's machine cannot be trusted; front-end checks are mostly a matter of user experience. In this situation the back end must also do its homework and filter the information of the uploaded file, so that illegal files are blocked as far as possible. If an illegal file can be uploaded, the other party is very likely to obtain a webshell or carry out some other malicious action. This series of articles focuses on how to use upload components and how to defend against illegal uploads. The next article covers extension filtering in back-end code and the issues that come with it.
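As an added illustration of the server-side filtering this summary calls for (example code written for this edit, not the blog's code and not part of Apache Commons FileUpload), the helper below checks the extension after the last dot against an image allow-list, confirms that the first bytes of the content actually look like an image, and stores the file under a server-generated name instead of the client-supplied one. The allow-list, the class and method names, and the sample inputs in main are assumptions; a servlet would call it with FileItem.getName() and the first bytes of FileItem.getInputStream().

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Server-side upload validation helper (added example; names and policy are assumed). */
public final class UploadValidator {

    // Assumed policy: only these image extensions are accepted.
    private static final Set<String> ALLOWED_EXTENSIONS =
            new HashSet<>(Arrays.asList("jpg", "jpeg", "png", "gif"));

    private UploadValidator() {}

    /** Returns the lower-cased extension after the LAST dot, or "" if there is none. */
    static String extensionOf(String clientName) {
        // Strip any directory part the client may have sent (some browsers send a full path).
        int sep = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return "";
        }
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Allow-list check on the final extension: "test.png.jpg" passes, "photo.jpg.jsp" does not. */
    static boolean hasAllowedExtension(String clientName) {
        if (clientName == null || clientName.indexOf('\0') >= 0) {
            return false; // reject missing names and embedded NUL bytes outright
        }
        return ALLOWED_EXTENSIONS.contains(extensionOf(clientName));
    }

    /** Magic-byte check on the first bytes, so the extension alone does not decide. */
    static boolean looksLikeImage(byte[] head) {
        if (head.length >= 8 && (head[0] & 0xFF) == 0x89
                && head[1] == 'P' && head[2] == 'N' && head[3] == 'G') {
            return true; // PNG signature
        }
        if (head.length >= 3 && (head[0] & 0xFF) == 0xFF
                && (head[1] & 0xFF) == 0xD8 && (head[2] & 0xFF) == 0xFF) {
            return true; // JPEG SOI marker
        }
        if (head.length >= 6 && head[0] == 'G' && head[1] == 'I'
                && head[2] == 'F' && head[3] == '8') {
            return true; // GIF87a / GIF89a
        }
        return false;
    }

    /** Full decision: both the name and the content must pass. */
    static boolean isAcceptable(String clientName, byte[] head) {
        return hasAllowedExtension(clientName) && looksLikeImage(head);
    }

    /** Never store under the client-chosen name: generate a server-side name with the validated extension. */
    static String storageName(String clientName) {
        return UUID.randomUUID().toString() + "." + extensionOf(clientName);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: client-supplied names and the first bytes of the content.
        byte[] pngHead = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        byte[] textHead = "<%@ page".getBytes();
        System.out.println("redis.png  + PNG bytes : " + isAcceptable("redis.png", pngHead));
        System.out.println("test.png.jpg + PNG bytes : " + isAcceptable("test.png.jpg", pngHead));
        System.out.println("notes.jsp  + PNG bytes : " + isAcceptable("notes.jsp", pngHead));
        System.out.println("photo.jpg + text bytes : " + isAcceptable("photo.jpg", textHead));
        System.out.println("stored as: " + storageName("..\\..\\Photo.PNG"));
    }
}
```

The renamed file from section 5 (test.png.jpg) still passes the extension check, which is fine as long as the stored file is an image and is written under a name the server chose; the checks that matter are the last-extension allow-list, the content sniff, and refusing to reuse the client's path or name.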


This article is from the "Java Program Ghost" blog, please be sure to keep this source http://793404905.blog.51cto.com/6179428/1566743
