WEB security [4]: File Upload Vulnerability
I have not yet written up the vulnerabilities I studied earlier. A file upload vulnerability arises when a web application lets a user upload certain files; usually it means the user uploads an executable script file and thereby gains the ability to execute commands on the server. File upload is one of the most common functional requirements on the Internet; the key question is whether the server handles and interprets the uploaded file safely. The typical cases are:
-1. The uploaded file is a web script (PHP, JSP, ASP and so on). The web container on the server interprets and executes the script the user uploaded, resulting in code execution;
-2. The uploaded file is a Flash policy file, crossdomain.xml, which controls Flash behavior in this domain;
-3. The uploaded file is a virus or Trojan. The attacker tricks users or administrators into downloading and executing it;
-4. The uploaded file is a phishing image, or an image containing a script. Some browsers execute such a file as a script, enabling phishing or fraud;
To sum up, the uploaded file either can be executed on the server side or can affect the server's behavior. For it to play that role, the following conditions must all be met:
-1. The uploaded file must be executable or able to affect server behavior. Therefore the directory the file is saved to must lie within the path served by the web container;
-2. The file must be reachable from the web, so that the web container can interpret and execute it;
-3. The uploaded file must pass the security checks and must not be reformatted, compressed, or otherwise changed in a way that destroys its content;
I. FCKEditor File Upload Vulnerability
Let's look at a simple example. FCKEditor is a very popular rich text editor with many vulnerabilities in its file upload function; one vulnerability in the PHP version is in the file upload type check. After a file is uploaded it is saved under /UserFiles/all. The file check is configured as follows:
$Config['AllowedExtensions']['File'] = array(); // extensions that may be uploaded (empty: no whitelist)
$Config['DeniedExtensions']['File'] =
array('php', 'php3', 'php5', 'phtml', 'asp', 'aspx', 'ascx', 'jsp', 'cfm', 'cfc', 'pl', 'bat', 'exe', 'dll', 'reg', 'cgi'); // extensions that are forbidden
We can see that this code does check the file type, but unfortunately it uses a blacklist. Therefore an extension that is not on the list but is still executed by the server, such as 'php2' or 'inc', passes the check, and this is what makes the file upload vulnerability possible.
II. File Upload Check Bypass
Common file upload checks target the file type. An attacker can manually modify the POST request and insert a %00 byte into the file name, because some server-side functions that determine the file name treat it as a terminator. Take xxx.php[\0].jpg: for a server that only allows JPG uploads, this name passes the file upload check, but when the server interprets it, the name is truncated at [\0], leaving xxx.php, which is executed as code. Besides modifying the file name to bypass the type check, an attacker can also forge the file header to fool a check that inspects the file's content.
III. How to upload files securely
Given the characteristics of the file upload vulnerability and the three conditions that must be met, blocking any one of those conditions is enough to stop file upload attacks:
-1. The most effective method is to make the upload directory non-executable. On Linux, revoke the 'x' permission on the directory. In practice, the upload applications of many large websites store uploads in independent storage dedicated to static file handling: this makes it easy to use caching to reduce load, and it eliminates any possibility of script execution;
-2. File type check: it is strongly recommended to use a whitelist, combining a MIME type check with a suffix check. In addition, images can be processed with a compression or resize function; this regenerates the image and destroys any HTML or script code an attacker has embedded in it;
-3. Rewrite the file name and file path with a random value, so that an attacker cannot easily locate and access the uploaded file;
-4. Serve the file server from a separate domain name;
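As an added example (not code from the original post or from FCKEditor), here is a whitelist-based upload check in Python that applies points 2 and 3 above: it rejects null bytes and path separators in the name, accepts only whitelisted extensions, requires the declared MIME type and the file's magic bytes to agree with that extension, and then assigns a random file name. The extension table, magic-byte values and function names are my own choices, not something the post specifies.

```python
import secrets

# Whitelist: allowed extension -> (expected MIME type, accepted magic-byte prefixes).
# Constructed for this example; extend it only with types the application really needs.
ALLOWED_TYPES = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}


def validate_upload(filename: str, declared_mime: str, content: bytes):
    """Return (True, extension) when the upload passes every whitelist check,
    otherwise (False, reason). Nothing about the user-supplied name is trusted."""
    # A null byte or path separator has no business in a file name; refusing it
    # up front removes the xxx.php\0.jpg truncation trick entirely.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal character in file name"
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:          # whitelist, never a blacklist
        return False, "extension not allowed"
    expected_mime, magics = ALLOWED_TYPES[ext]
    if declared_mime.lower() != expected_mime:        # suffix and MIME must agree
        return False, "MIME type does not match extension"
    if not any(content.startswith(m) for m in magics):  # content must look like the type
        return False, "file content does not match declared type"
    return True, ext


def random_stored_name(ext: str) -> str:
    """Build the name the file is stored under: random, and unrelated to the
    user-supplied name, so an uploaded file cannot be located by guessing."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a real-looking JPEG header and a PHP script.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    script = b"<?php system($_GET['c']); ?>"
    print(validate_upload("photo.jpg", "image/jpeg", jpeg))          # (True, 'jpg')
    print(validate_upload("xxx.php\x00.jpg", "image/jpeg", jpeg))    # rejected: null byte
    print(validate_upload("shell.php2", "image/jpeg", script))       # rejected: extension
    print(validate_upload("shell.jpg", "image/jpeg", script))        # rejected: content
    print(random_stored_name("jpg"))
```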