WebShell upload interception and bypass
Test environment: Windows 2003 + IIS 6 + ASP.
Dongle (SafeDog) version:
ASP file upload interception:
A typical upload request looks like this (main part):
Header:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWyGa1hk6vT9BZGRr

POST data:
------WebKitFormBoundaryWyGa1hk6vT9BZGRr
Content-Disposition: form-data; name="FileUploadPath"

C:\Inetpub\wwwroot
------WebKitFormBoundaryWyGa1hk6vT9BZGRr
Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"
Content-Type: application/octet-stream

<%response.write("bypass safedog")%>
------WebKitFormBoundaryWyGa1hk6vT9BZGRr--

The POST data runs from the first ------WebKitFormBoundaryWyGa1hk6vT9BZGRr to the closing ------WebKitFormBoundaryWyGa1hk6vT9BZGRr--.
Assume the dongle locates the parameters of an upload request by matching the boundary declared in the header, multipart/form-data; boundary=----WebKitFormBoundaryWyGa1hk6vT9BZGRr. Where, then, might the dongle and the web server parse the same request differently?
Try the following request:
The upload still succeeds when arbitrary characters are added to the WebKitFormBoundaryWyGa1hk6vT9BZGRr value in the header.
Similarly, the upload succeeds when the WebKitFormBoundary... in the header is left unchanged and the WebKitFormBoundary... in the POST data is changed (by removing the last character or adding a few characters).
Solution:
The web server is highly fault tolerant and processes a large number of malformed requests. A detection engine therefore cannot parse only requests in the normal format; it must also account for malformed ones.
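One way to apply this on the inspection side, as an added example (not code from the original article or from any WAF product): treat any disagreement between the boundary declared in the header and the delimiters in the POST data as a finding, and check filenames over the raw body so the check does not depend on the boundary parse. The function names, the extension list and the sample body are assumptions made for the example.

```python
import re

# Script extensions to flag (assumed list for this example; IIS 6 / ASP era).
SCRIPT_EXT = (b".asp", b".asa", b".cer", b".cdx")
BOUNDARY_RE = re.compile(r'boundary\s*=\s*"?([^";,\s]+)"?', re.I)
FILENAME_RE = re.compile(rb'filename\s*=\s*"?([^";\r\n]+)"?', re.I)

BOUNDARY = "----WebKitFormBoundaryWyGa1hk6vT9BZGRr"  # value shown in the article
CT = "multipart/form-data; boundary=%s"


def build_body(boundary, filename):
    """Constructed sample body, modelled on the article's upload request."""
    d = "--" + boundary
    return "\r\n".join([
        d,
        'Content-Disposition: form-data; name="FileUploadName"; filename="%s"' % filename,
        "Content-Type: application/octet-stream",
        "",
        "sample file content",
        d + "--",
        "",
    ]).encode()


def inspect_upload(content_type, body):
    """Return a list of findings; an empty list means nothing was flagged."""
    m = BOUNDARY_RE.search(content_type)
    if not m:
        return ["no boundary declared in Content-Type"]
    delim = b"--" + m.group(1).encode("latin-1")
    findings = []
    lines = [l.strip() for l in body.splitlines()]
    # Each part header must be introduced by exactly the declared delimiter.
    for prev, cur in zip(lines, lines[1:]):
        if cur.lower().startswith(b"content-disposition") and prev != delim:
            findings.append("part not introduced by declared boundary")
    # The body must end with the declared closing delimiter.
    nonempty = [l for l in lines if l]
    if not nonempty or nonempty[-1] != delim + b"--":
        findings.append("closing delimiter does not match declared boundary")
    # Filename check runs over the raw body, so it does not depend on the
    # boundary parse succeeding.
    for name in FILENAME_RE.findall(body):
        if name.strip().lower().endswith(SCRIPT_EXT):
            findings.append("script extension: " + name.decode("latin-1"))
    return findings
```

A request that produces a boundary finding should be blocked or escalated rather than passed through uninspected, since the web server may still accept it.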