
0x00  Preface

A task was handed down from above. When I looked at the map system, I was stumped: this kind of system usually just calls the Baidu Maps API, has no interaction, and is extremely hard to find a hole in.

After a round of information gathering, I found that a function on the main site jumped to the unit's WeChat official account, and there was an upload point there, which is how this article came about.


0x01  FUZZ

With the upload point in hand, let's skip the chatter and see whether the suffix can be passed.

First upload an image, then change the suffix and try uploading again.


It was dropped outright. Is it a whitelist? Try uploading an arbitrary file.


I found that it could be uploaded, so maybe a WAF is in the way?

Put a one-liner directly in the content to see whether it gets intercepted.


The result was not intercepted, so the code presumably does some processing on the suffix.

Next came the fuzzing. After a long time I found that the suffix name could not be passed, so I tried the newline method directly, which just returned an error.


I took out the method I had used against Safedog before and tried it: overflowing the Content-Disposition: field.


It turned out to be successful.

0x02  Another problem

The file is now uploaded, but the full path is not returned, and I don't know where it went. What to do about this?

Scanned the current directory and found nothing.

Then I scanned the first-level directory and found that there is an upload directory.

Tried splicing the paths together and got a shell successfully.


0x03  Summary

1. The target site's official account has an attachment upload, so there may be an arbitrary file upload vulnerability.
2. Batch-fuzzing the suffix name with Burp's Intruder function showed that the suffixes were intercepted. We then uploaded test.aaa with the content "this is a test" and found that it could be uploaded, so we guessed that the target site has a WAF and that it is the suffix name that gets intercepted. Then we tested uploading a Trojan as the content, which uploaded successfully, so the content is not intercepted.
3. By padding the Content-Disposition: field, the WAF could be bypassed and the file uploaded, but the upload path was not known. For example: Content-Disposition:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
5. Finally, connected successfully through Ice Scorpion (Behinder).

Source: https://xz.aliyun.com/t/10366
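The weakness the post exploits is that the WAF stops inspecting an over-long Content-Disposition header while the backend still honours the filename in it. A server-side check that closes that gap, as an added example that is not the author's code: it parses the multipart body itself, rejects any part whose Content-Disposition exceeds an assumed 1024-byte threshold, and enforces an extension allow-list regardless of what the WAF saw. The boundary and both sample bodies are constructed.

```python
import re

MAX_DISPOSITION_LEN = 1024  # assumed threshold; legitimate headers are far shorter
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}

# Constructed sample bodies (not from the original post): one with a padded
# Content-Disposition header like the bypass described above, one normal image upload.
BOUNDARY = b"----FormBoundary7Xq"
PADDED_BODY = b"".join([
    b"------FormBoundary7Xq\r\n",
    b'Content-Disposition: form-data; name="file"; ' + b"a" * 6000 + b'; filename="test.php"\r\n',
    b"Content-Type: image/png\r\n",
    b"\r\n",
    b"placeholder content\r\n",
    b"------FormBoundary7Xq--\r\n",
])
BENIGN_BODY = PADDED_BODY.replace(b"a" * 6000 + b"; ", b"").replace(b"test.php", b"photo.png")

def split_parts(body, boundary):
    """Split a multipart body into (headers, data) tuples with lowercased header names."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter, nothing follows
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")  # [2:] drops the CRLF after the boundary
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data.rstrip(b"\r\n")))
    return parts

def inspect_part(headers):
    """Return the reasons this part should be rejected (empty list if it looks fine)."""
    findings = []
    cd = headers.get(b"content-disposition", b"")
    if len(cd) > MAX_DISPOSITION_LEN:
        findings.append(f"oversized Content-Disposition header ({len(cd)} bytes)")
    m = re.search(rb'filename="([^"]*)"', cd)
    if m:
        name = m.group(1).decode("latin-1")
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext not in ALLOWED_EXT:
            findings.append(f"extension not in allow-list: {name}")
    return findings

def inspect_upload(body, boundary):
    """Inspect every part; any finding means the request should be rejected."""
    return [f for headers, _ in split_parts(body, boundary) for f in inspect_part(headers)]
```

Logging the header length alongside the rejection also gives a simple detection signal for this padding trick in upload logs.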
