
File Upload Vulnerabilities

1 Introduction

Practice range environment: https://github.com/c0ny1/upload-labs

Environment setup (the image must be run under the name it was pulled as):

```shell
docker pull c0ny1/upload-labs
docker run -d -p 80:80 c0ny1/upload-labs
```

The original post includes a flowchart for determining the type of upload vulnerability. File upload vulnerabilities mainly arise from the following aspects:

Parsable suffixes: a language often has several suffixes that the server will execute; for PHP, for example, php, php2, php3 and so on.

Case mixing: if the check is not strict, a mixed-case suffix can get past it.

Middleware: almost every middleware has had a parsing vulnerability; for example, IIS executes xxx.asp;jpg as ASP.

System features: in particular, Windows drops a trailing dot, a trailing space, or :$DATA from a file name, which can be used to bypass the check on the target system.

Language vulnerabilities: the three popular scripting languages have all had 00 (null byte) truncation vulnerabilities.

Double suffix: this has nothing to do with the system or the middleware; it occasionally appears in the application's own code logic.

1.1 Parsable suffixes

Many languages have several suffixes that the server will parse. When the target site uses a blacklist, it is often incomplete.

Language    Parsable suffixes

asp/aspx    asp, aspx, asa, asax, ascx, ashx, asmx, cer

php         php, php5, php4, php3, php2, phtml, pht

jsp         jsp, jspa, jspx, jsw, jsv, jspf, jhtml

1.2 Middleware vulnerabilities

1.2.1 IIS

There are three parsing vulnerabilities in IIS:

IIS 6.0 file name parsing: xx.asp;jpg

IIS 6.0 directory parsing: xx.asp/1.jpg

IIS 7.5 malformed parsing: xxx.jpg/x.php

1.2.2 Apache

There are two Apache-related parsing vulnerabilities:

%0a appended to the file name (CVE-2017-15715)

Unknown trailing suffix: test.php.xxx

1.2.3 nginx

There are three nginx parsing vulnerabilities:

Append /xxx.php to the link, i.e. test.jpg/xxx.php

Malformed parsing vulnerability: test.jpg%00xxx.php

CVE-2013-4547: test.jpg[unencoded space]\0x.php

1.2.4 tomcat

Three forms are used for upload bypass on Tomcat, some of which only work on Windows:

xxx.jsp/

xxx.jsp%20

xxx.jsp:$DATA

1.3 System features

From the available material, the following system-level features can be exploited in upload vulnerabilities.

File names under Windows are case-insensitive, while file names under Linux are case-sensitive.

The ADS (alternate data stream) feature of Windows means that uploading xxx.php:$DATA saves the file as xxx.php.

On Windows, characters such as a dot, a space, or bytes 0x81-0xff appended to the end of a file name are ignored, and the file is created without them.

2 Writeup

2.1 PASS - 01

```html
<script type='text/javascript'>
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == '') {
        alert('Please select the file to upload!');
        return false;
    }
    // Define the file types allowed to upload
    var allow_ext = '.jpg|.png|.gif';
    // Extract the uploaded file's extension
    var ext_name = file.substring(file.lastIndexOf('.'));
    // Check whether the uploaded file type is allowed
    if (allow_ext.indexOf(ext_name) == -1) {
        var errMsg = 'This file is not allowed to be uploaded, please upload ' + allow_ext + ' type file, the current file type is: ' + ext_name;
        alert(errMsg);
        return false;
    }
}
</script>
```

The check runs only in the browser: disable JS on the front end and upload the webshell directly.

2.2 PASS - 02

The MIME check looks only at the request's Content-Type; modify it in BurpSuite to bypass the check.

2.3 PASS - 03

```php
$deny_ext = array('.asp', '.aspx', '.php', '.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);                      // Delete the dots at the end of the file name
$file_ext = strchr($file_name, '.');
$file_ext = strtolower($file_ext);                    // Convert to lowercase
$file_ext = str_ireplace(':$DATA', '', $file_ext);    // Remove the string :$DATA
$file_ext = trim($file_ext);                          // Trim leading and trailing whitespace
```

The back end only blacklists .php, so the check is bypassed with suffixes such as .php3, .php5, .php7, .phtml, .pht, etc.


2.4 PASS - 04

Bypass by rewriting the file parsing rules. Upload a file named .htaccess with the following content:

```apache
<FilesMatch "04.jpg">
    SetHandler application/x-httpd-php
</FilesMatch>
```

Then upload 03.jpg and access 03.jpg; it is parsed as a PHP file.


2.5 PASS - 05

This level is still a blacklist, now with .htaccess added, but the suffix comparison is not case-normalized, so it can be bypassed with mixed case.


2.6 PASS - 06

Exploits the file-name behaviour of Windows: dots and spaces are appended to the end of the file name, e.g. 06.php[space].

When the file is saved, Windows strips the trailing characters, so the stored file name is actually 06.php.


2.7 PASS - 07

Same principle as Pass-06: append a dot to the file name, i.e. 07.php.


2.8 PASS - 08

Windows file stream feature bypass: the file name is changed to 08.php:$DATA, and after the upload succeeds the saved file name is actually 08.php.

On Windows, PHP treats everything after :$DATA in a file name as an NTFS data stream; the suffix is therefore not detected, and the file name before :$DATA is kept.


2.9 PASS - 09

Same principle as Pass-06: append dot + space + dot to the file name, i.e. 09.php. .


2.10 PASS - 10

Double-write bypass: the filter strips "php" once, so change the file name to 10.pphphp.


2.11 PASS - 11

Upload path %00 truncation bypass: the uploaded file name is 11.jpg, save_path is changed to ./upload/11.php%00, and the saved file ends up as 11.php.


2.12 PASS - 12

Same principle as Pass-11, but the upload path is truncated with 0x00. This time save_path is passed via POST and is still truncated with a 00 byte, but it has to be edited at the binary level, because POST parameters are not automatically decoded the way %00 is in GET.

Use the Hex view of BurpSuite to change save_path to the form ./upload/12.php[binary 00].


2.13 PASS - 13

Bypass the file header check: prepend the GIF header GIF89a so the file passes the GIF image check.


2.14 PASS - 14

Here getimagesize is used to determine the file type; an image webshell (图片马, a valid image with code embedded) bypasses it directly.

2.15 PASS - 15

Here the php_exif module is used to determine the file type; again an image webshell bypasses it directly.

2.16 PASS - 16

Principle: upload an image that displays normally, then compare the server-rendered copy with the original and look for the data blocks that survive rendering unchanged.

Insert the webshell code into that section and upload it. The actual implementation requires writing a Python program yourself; it is practically impossible to construct an image webshell that survives the rendering function by hand.

References:

https://xz.aliyun.com/t/2657#toc-12

https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

2.17 PASS - 17

Race-condition bypass against the file deletion: the file is saved first and only deleted afterwards.

Access the webshell while the script is still running.

2.18 PASS - 18

Combining the upload-rename race with the Apache parsing vulnerability bypasses this level.

Upload a file named 18.php.7Z and resend the request rapidly; the response will say that the file has been uploaded but has not yet been renamed.


2.19 PASS - 19

This level tests CVE-2015-2348, the move_uploaded_file() 00 truncation. The principle is the same as Pass-11, but here the uploaded file name itself is truncated with 0x00: change it to 19.php[binary 00].1.jpg.


2.20 PASS - 20

```php
$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
if (!is_array($file)) {
    // Only a string is split here; an array passed as save_name is used as-is
    $file = explode('.', strtolower($file));
}
$ext = end($file);
$allow_suffix = array('jpg', 'png', 'gif');
if (!in_array($ext, $allow_suffix)) {
    $msg = 'Usage of uploading this suffix file!';
} else {
    $file_name = reset($file) . '.' . $file[count($file) - 1];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH . '/' . $file_name;
    if (move_uploaded_file($temp_file, $img_path)) {
        $msg = 'The file upload was successful! ';
        $is_upload = true;
    } else {
        $msg = 'File upload failed! ';
    }
}
```

First, end() takes the last element of the array built from the POST parameter, and the name is then assembled as $file_name = reset($file) . '.' . $file[count($file) - 1]. If we POST save_name as an array with the keys [0] and [2], count($file) - 1 is 1, $file[1] is empty, and $file_name ends up as reset($file), i.e. $file[0], so the suffix check is bypassed.
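As an added example (not upload-labs code and not the author's), the following server-side check closes the bypasses walked through in Pass-03 to Pass-12 and in Pass-20 with a whitelist plus a server-generated file name; the function name safe_upload_name and the sample names are assumptions for illustration.

```php
<?php
// Added example, not part of upload-labs: whitelist-based upload check that
// closes the bypasses used in Pass-03..Pass-12 and Pass-20.
// Returns the server-chosen storage name, or null when the upload is rejected.
function safe_upload_name($requested, array $allow = ['jpg', 'png', 'gif']): ?string
{
    // Pass-20: save_name may arrive as an array, which defeats end()/reset()
    // logic; only accept a plain, non-empty string.
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Pass-11/12/19: a NUL byte can truncate the path further down the stack;
    // reject it instead of trying to clean it.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Pass-08: reject the NTFS stream syntax (08.php:$DATA) outright rather
    // than stripping it, since a stripping step can be double-written around.
    if (strpos($requested, ':') !== false) {
        return null;
    }
    // Pass-06/07/09: Windows silently drops trailing dots and spaces, so
    // normalise them away before the extension is examined, not after.
    $name = rtrim(basename($requested), ". ");
    // Pass-03/05/10: whitelist on the lowercased last extension. pathinfo()
    // sees past double suffixes (10.pphphp, 18.php.7Z), and .htaccess
    // (Pass-04) has the extension "htaccess", so all of them are rejected.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allow, true)) {
        return null;
    }
    // The stored name is generated here, so neither the client's file name nor
    // a client-supplied save_path decides where the file is written.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names taken from the writeup's levels (assumed input).
$samples = ['shell.jpg', '05.PhP', '06.php ', '09.php. .', '08.php:$DATA',
            '10.pphphp', "11.php\0.jpg", '.htaccess', ['x.php', 2 => 'jpg']];
foreach ($samples as $s) {
    $label = is_array($s) ? 'array(' . implode(',', $s) . ')' : addcslashes($s, "\0");
    echo str_pad($label, 24), ' => ',
         safe_upload_name($s) === null ? 'rejected' : 'stored', PHP_EOL;
}
```

Order matters as much as the check itself: call move_uploaded_file() only after the name passes, and into a directory the web server does not execute scripts from, since Pass-17 is exploitable only because the file reaches the web root before it is checked.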

