Upload verification Bypass Full resolution

Source: Internet
Author: User
Tags javascript extension

Directory

0X01 Client Authentication Bypass (JavaScript extension detection)
0x02 server-side authentication bypass (HTTP request packet detection)

    • -Content-type (Mime type) detection

0X03 server-side authentication bypass (extension detection)

    • -blacklist detection
    • -White list detection
    • -. htaccess file attack

0x04 server-side validation bypass (file integrity detection)

    • -File Header detection
    • -Image size and related information detection
    • -File Load Detection

0x05 detection Bypass analysis in various situations
0x06 An analysis of the image code injection after the simple answer

Objective
In today's increasingly secure system, the vulnerability of SQL injection has been difficult to appear at high security sites, such as some good. NET or JAVA frameworks are basically parameterized pass-through user input, directly blocking the injection attack. In the non-PHP web security of the most powerful attacks there are two main, the first is SQL injection, the second is the upload bypass vulnerability. (There are also remote file inclusions or code injection vulnerabilities in PHP)

Generally as long as can register ordinary users, often can find upload avatar or accessories such places, these places is a good breakthrough, as long as there is a way to bypass upload verification, and find a word trojan Web path basically can get this site.

This paper is not perfect, but in the classification framework is still relatively comprehensive, because personal experience is limited, so can cover the situation is not comprehensive, there are many places have not had the opportunity to practice and map out, I hope we have similar experience of the proposed, so that I can improve this paper, but also let everyone's communication to generate greater value.

0X01 Client Authentication Bypass (JavaScript extension detection)

Open the HTTP reverse proxy tool burp
Just click Upload a 2012.asa



And then I don't have a Upload.
And there's nothing in burp that pops up a warning box and knows it's a client-side verification JavaScript.
You just have to disable it or change the proxy through burp.


Here, I use burp for proxy modification. Change the file name extension to JPG first

Then Upload
Now the file name is 2012.jpg

Change jpg to ASP in Burp


and continue uploading.
Finally, you can see the ASP successfully uploaded


0x02 server-side authentication bypass (HTTP request packet detection)

Content-type (mime-type) detection

If the upload.php code on the server is as follows

1<?PHP2 if($_files[' UserFile '] [' type ']! = "Image/gif") {//Detection Content-type3 Echo"Sorry, we only allow uploading GIF images";4 Exit;5 }6 $uploaddir= ' uploads/';7 $uploadfile=$uploaddir.basename($_files[' UserFile '] [' Name ']);8 if(Move_uploaded_file($_files[' UserFile '] [' Tmp_name '],$uploadfile)) {9 Echo"File is valid, and was successfully uploaded.\n";Ten}Else { One Echo"File Uploading failed.\n"; A } -?>

Then we can modify the Content-type of the request package post/upload.php http/1.1

Te:deflate,gzip;q=0.3connection:te, closehost:localhostuser-agent:libwww-perl/5.803content-type:multipart/ Form-data; Boundary=xyzzy Content-length:155--xyzzycontent-disposition:form-data; Name= "UserFile"; Filename= "shell.php" Content-type:image/gif (formerly Content-type:text/plain)
 
    --xyzzy--
http/1.1, Okdate:thu, 14:02:11 GMT Server:apachex-powered-by:php/4.4.4-pl6-gentoocontent-length:59conne Ction:closecontent-type:text/html
File is valid, and was successfully uploaded.

Content-type, like this server-side detection HTTP packet, can use this similar approach to bypass detection

0X03 server-side authentication bypass (extension detection)
blacklist detection

Blacklist security is not yet a whitelist of security high, at least attack it in a way more than the white list
Typically there is a dedicated blacklist file that contains common dangerous script files such as FCKeditor 2.4.3 or previous versions of the Blacklist

1. Find the blacklist extension of the slip-up-for example, the above is missing the ASA and CER, etc.

2. There may be case bypass vulnerabilities -such as ASp and pHp

3. Special filename constructs -such as sending the HTTP packet to change the file name to help.asp. Or HELP.ASP_ (the underscore is a space), this naming method is not allowed in the Windows system, so you need to modify in the burp, and then bypass the validation, the Windows system will automatically remove the following points and spaces.

4. IIS or Nginx filename Parsing Vulnerability -such as help.asp;. JPG or http://www.xx.com/help.jpg/2.php
Notice here online so-called Nginx filename Parsing vulnerability is actually PHP-FPM file name Parsing vulnerability See http://www.cnbeta.com/articles/111752.htm

5.0x00 truncation bypasses -  This is caused by a combinatorial logic vulnerability
to a simple pseudo-code
Name = getname (HTTP request)//If the file name obtained at this time is help.asp. jpg (ASP followed by 0x00)
Type = GetType (name)//And in the GetType () function is processed from the back to the forward scan extension, so it is judged as a jpg if (type = = jpg)
SaveFile Topath (uploadpath.name, name)///But here it is with 0x00 as the file name truncated
//Last help.asp into the path

6. Double Extension resolution bypass attack (1) -  parsing logic based on Web services for example, there is a description in Apache manual
"Files can has more than one ex Tension, and the order of the extensions is normally irrelevant. for  example, if the file welcome.html.fr maps onto content type text/html and language French then the  FILE&NB Sp welcome.fr.html  will  map  onto exactly  the  same  information.  If more  than One extension is given which maps onto the same type of meta-information and then the one to the right will  be  us ed,  except for languages  and content  encodings.  For example, if  .gif  maps to the mime- Type image/gif and. HTML maps to the Mime-type text/html, then the file welcome.gif.html would be a associated with the mime- Type text/html. "

If you upload a file named help.asp.123
First extension 123 is not in extension blacklist, then extension 123 is not in Apache resolvable extension
List, this time it will search forward to the next resolvable extension, or search for. PHP, and will be executed in PHP at the end.
7. Dual Extension resolution bypass attack (2) -Web service-based parsing if you have such a line configuration in Apache Conf
AddHandler php5-script. php
As long as the file name contains the. php
Even if the file name is test2.php.jpg, it will be executed in PHP.

8. Hazard resolution Bypass Attack -Web service-based parsing if you have such a line configuration in Apache Conf
AddType application/x-httpd-php. jpg
Even if the extension is JPG, it can be executed in PHP mode


White list detection

The whitelist is relatively safer than the blacklist, but it's not necessarily safe.

1. Special File name Construction (same as blacklist attack 3rd)
2. IIS or Nginx file name Parsing Vulnerability (same as blacklist attack 4th)
3.0x00 truncation bypass (same as blacklist attack 5th)

. htaccess file attacks

Whether it's a blacklist or a white list, it's a direct attack. htaccess file in PHP manual mentions the following passage
Move_uploaded_file section, there is a warning which states
' If the destination file already exists, it'll be overwritten. ' If PHP security is not configured properly
You can use the Move_uploaded_file function to write your own. htaccess file overwrite the service
So you can define the list arbitrarily.
0x04 server-side validation bypass (file integrity detection)

File Header Detection

The most important is to set the magic number of the picture file at the beginning of the file content

To bypass the JPG file to detect the value to be written at the beginning of the file

To bypass the GIF file to detect the value to be written at the beginning of the file

To bypass PNG file detection, write the following value at the beginning of the file

Then add your own words to the end of the file, the Trojan.

Image size and related information detection

The getimagesize () function is commonly used
Only need to put the first part of the file to forge OK, is the magic number on the basis of the addition of some file information
A little bit like the structure below
gif89a (... some binary data ...) <?php phpinfo ();?> (... skipping the rest of binary data ...)
File load Detection

This is the most perverted detection, generally called the API or function to carry out the file load test common is the image rendering test, and then the abnormal point of even two times rendering (mentioned later) attacks on it generally two ways, one is the rendering test bypass, and the other is to attack the file loader itself

Render Test Bypass
First use GIMP to inject code into a picture
Using Winhex to see the data can analyze the principle of this kind of tool is not to destroy the file itself in the rendering of a blank area to fill the code is generally the annotation area of the picture
For rendering testing, you can basically bypass


However, if you encounter the abnormal two times the rendering is basically impossible to bypass, it is estimated that the file loader can only attack.
For example, before uploading a file, the file's data is as follows

and upload this jpg, but download it back to the local area and find the strange place.

The image was rendered two times after uploading.
The new JPG image contains this content.
Creator:gd-jpeg v1.0 (using IJG JPEG v62)
It seems to be called GD PHP's GD library
Test the GIF file as well
The original file content is (although the file name is 2.jpg, the actual file format is gif ha)

Download back after upload the comparison can be found that the file has been re-rendered a sentence code is missing


Then there is the error trigger to see what the API or function is used for two times rendering

Upload file data incomplete GIF file after triggering an error, know that the background is imagecreatefromgif () this function


Upload file Data incomplete PNG file after triggering an error, know that the background is imagecreatefrompng () this function


Two renderings in general it's almost impossible to bypass personal experience. It is equivalent to the part of the image data is captured, and then re-rendered with their own API or function in the process of non-image data part of the directly separated from the

If you want to attack the file loader, the common is overflow attack, upload their own malicious files, the service on the file loader load test, is triggered attack execution shellcode such as Access/mdb overflow
We can refer to the following http://lcx.cc/?FoxNews=1542.html
0x05 detection Bypass analysis in various situations

A Client Side authentication bypass (JavaScript extension detection)
Bypass client-side validation with the Reverse proxy tool (BURP, etc.) or by disabling JS

B server-side authentication bypass (HTTP request packet detection)
-Content-type (Mime type) detection with Reverse proxy tool (BURP, etc.) for Content-type forgery

C server-side authentication bypass (extension detection)
-blacklist detection

    • looking for a blacklist extension -for example, it misses the possibility of casing bypass vulnerabilities such as ASA and CER-such as aSp and pHp
    • Special file name constructs -such as sending the HTTP packet to change the file name to help.asp. Or HELP.ASP_ (the underscore is a space)
    • IIS or Nginx filename Parsing Vulnerability -such as help.asp;. JPG or http://www.xx.com/help.jpg/2.php
    • 0x00 Truncation Bypass -This is a two-extension resolution bypass attack based on a combinatorial Logic Vulnerability (1)-parsing logic based on Web services
    • Dual Extension resolution bypass attack (2) -parsing mode based on Web services Hazard resolution bypass attack-Web service-based parsing

-White list detection

    • Special file name constructs (Same as blacklist attack 3rd)
    • IIS or Nginx file name Parsing Vulnerability (Same as blacklist attack 4th)
    • 0x00 truncation Bypass (Same as blacklist attack 5th)

-. htaccess file attack
If PHP security is not configured properly, use your own. htaccess to overwrite the original file on the service

D server-side authentication bypass (file integrity detection)

    • -The file header detects the magic number at the beginning of the file to disguise the file
    • -Image resolution Detection
    • To disguise image size data at file start
    • -File load detection tool for code injection bypass for file blank data area or annotation area (image can only bypass rendering test, not bypass two render) use malicious files to attack the loader itself

E. Relationship and combination situation

First, the client-side authentication and service-side verification are independent, so the main difficulty is to bypass the server side of the combination of authentication file integrity detection already contains the file header detection and image size and related information detection, but does not include file extension detection it is loaded as a detection method, For example, the image rendering function to render a picture file extension detection and file header detection are peer, independent so if the file extension + file header detection can be bypassed at the same time
0x06 An analysis of the image code injection after the simple answer

I tested the environment for apache+php in my own native environment. I found a sentence in the image that can't be resolved.

Maybe a lot of people have met this kind of situation is not really clear when the code injected into the picture and so on, how to access to connect to the last sentence here to explain the principle
In fact, even if the image is injected into the code, you also need to call the corresponding parser to parse for the code to be resolved to perform the same as you change an exe extension to JPG, open on the desktop, the image Viewer will error, said unable to open the file
And you under Cmdshell, regardless of this exe extension is what, even a JPG, can also do because as long as the call to the correct file loader or parser, it is the file header magic number to determine the file format, rather than the file extension, so if we simply inject the image code after the upload access, At this time, it is not
Parse the inside of the sentence code
We can refer to the following: http://www.2cto.com/Article/201106/93084.html

It is common to analyze our images in conjunction with localfileinclude vulnerabilities.
(Remotefileinclude and remotecodeexecution here are a little bit big to use ha)

For example, a station has such a URL
www.2cto.com/view.php?page=contact.php

We replace contact.php for. /
Www.2cto.com/view.php?page=. /

Get an error
Warning:include (.. /) [function.include]: failed to open stream:no such file or directory in
/home/sirgod/public_html/2cto.com/view.php on line 1337

That means there's a LFI vulnerability, and this time find our picture file path
Use a word of the client to connect www.2cto.com/view.php?page=. /upload/help.jpg
You can successfully get the shell.
There are like Nginx (PHP-FPM) parsing vulnerability, you can also directly parse the code in the picture so you need to understand which environment in order to interpret the code in the image
This can be combined with upload bypass finally get Webshell:)

Upload verification Bypass Full resolution

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.