JavaScript checks the file extension
This vulnerability exists in the Jieqi novel system. First, register a user and go to space management. Note that the avatar upload judges the file type only in local JavaScript. A check like this is easy to get past: you can use Firefox to modify the file type in the JS, and the file is submitted successfully. These days the Burp tool is commonly used to modify the file type.
Attackers can bypass server-side file extension checks
For some uploads, it is enough to change the case of the file name, or to change an asp file extension to asa or cer. The server does not detect these, yet it executes them directly: by default, IIS executes files such as asa and cer. Sometimes the check can be bypassed with %00. %00 is a null byte, so a file such as aa.asp.jpg is truncated after upload and becomes aa.asp.
In fact, if you can upload a .htaccess file, you can change the configuration as needed. When you encounter the nginx parsing vulnerability or IIS 7.5, you can try it with a one-line webshell. For the IIS 6.0 asp parsing vulnerability, check whether a folder ending in asp, such as aa.asp, can be created. Any file under this folder, whatever its name, is processed as asp.
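Every bypass above works because the server trusts the browser's check or the file name the client sent. As an added example (not code from the original post or from any system it names), this Python sketch shows a server-side name check that rejects each of those cases; the function names and the image-only allow-list are assumptions.

```python
import re
import uuid

# Assumption: the feature is an avatar upload, so only image types are allowed.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# One name component: letters, digits, '_' or '-', then one or more extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def validate_upload_name(client_name):
    """Return (ok, reason) for a client-supplied upload file name."""
    # Raw or URL-encoded null bytes: the %00 truncation case.
    if "\x00" in client_name or "%00" in client_name.lower():
        return False, "null byte in name"
    # No directory parts: a folder such as aa.asp/ can never be addressed.
    if "/" in client_name or "\\" in client_name:
        return False, "path separator in name"
    # Rejects dotfiles such as .htaccess and names without an extension.
    if not SAFE_NAME.fullmatch(client_name):
        return False, "unexpected characters or no extension"
    # Check every extension, lower-cased, against the allow-list, so that
    # aa.ASP, aa.asa, aa.cer and aa.asp.jpg are all refused.
    for ext in client_name.lower().split(".")[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            return False, "extension not allowed: " + ext
    return True, "ok"


def storage_name(client_name):
    """Choose the on-disk name on the server; the client's name is not reused."""
    ok, reason = validate_upload_name(client_name)
    if not ok:
        raise ValueError(reason)
    ext = client_name.lower().rsplit(".", 1)[1]
    return uuid.uuid4().hex + "." + ext
```

The name check does not replace a content check: a file with an acceptable name still needs its contents handled on the server, for example by the re-rendering described in the next paragraph.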
You will often find that an uploaded .gif file has been converted to jpg after a successful upload. If the file contained a one-line webshell, it cannot be executed. The server may be checking the content of the file: after secondary rendering, any code that does not conform to the image format is stripped, or malicious code is detected.
Some servers also check the MIME type, but I have never met them. I hope readers can help supplement this part.
From http://www.92hack.net/post-62.html