Xiaodi penetration & WEB vulnerability (iii-ii)

Video resources

20. File upload basis and filtering method (20-24)

What is a file upload vulnerability?

  • It refers to that the program does not make comprehensive restrictions on file upload, so that users can upload some files beyond the user's authority, which can be Trojans, shell scripts, viruses, etc.

What are the hazards of file upload vulnerabilities?

  • webshell backdoor can be uploaded through file upload vulnerability.

How to find and judge file upload vulnerabilities?

  • Black box: use the scanning tool to scan and open the website.
  • Black box: test member center, test background.
  • White box: direct source code.

What should we pay attention to file upload vulnerabilities?

  • After getting the vulnerability, we should distinguish the vulnerability types, such as editor, third-party application, general, etc.
  • Distinguish vulnerability types

Description of file upload vulnerability in practical application?

  • Upload the backdoor script to obtain website permissions.

20.1 demonstration cases

  • Instructions for obtaining the upload address of conventional files: if the uploaded files are to be executed, they shall be executed according to the corresponding code.
  • Backdoor test of file types in different formats
  • Cooperate with the file type backdoor under the parsing vulnerability to test local files: upload + parsing vulnerability = high-risk vulnerability.
  • Upload vulnerability shooting range environment construction
  • Test a CMS and CVE number file upload vulnerability test: the vulnerability test of this third-party plug-in is different from the conventional vulnerability test.

20.2 resources involved

Range source code: https://github.com/c0ny1/upload-labs/releases

21. File upload black and white list bypass

File upload common verification:
Suffix, type, file header, etc
 Suffix:Blacklist, whitelist
 file type:M work ME information
 File header:Content header information
 Methods: view the source code, capture and modify the package information

%00 truncation: you can put this in the file name to bypass detection.
get: it will be decoded automatically
Post: it will not be decoded automatically, so if you want to submit data% 00 as post, you need to url encode it to% 25% 30% 30

Filtering rules

shooting range


22. Logical array of file upload contents

Picture sentence making method:copy 1.png /b + shell.php /a webshell.jpg
 File header detection
 Image file information judgment
 Logical security=Secondary rendering: it means that the website will operate after accepting the target, that is, it will operate the file again.
Logical security-Conditional competition: some websites will upload and then verify the uploaded file (the upload process is not verified), so that the file will be temporarily saved to the server. You can access the file for occupation while the program does not operate on the file (such as renaming, shifting, etc.), resulting in conditional competition.
Directory naming-x.php/.  : This naming method is saved as a x.php file
 Script function vulnerability-CVE-2015-2348: 
Array acceptance+Directory naming

Parsing vulnerability

  • There is a logic judgment problem in this code, which can be injected through logic competition.
#Range 17 off code
$is_upload = false;
$msg = null;

    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name,strrpos($file_name,".")+1);
    $upload_file = UPLOAD_PATH . '/' . $file_name;

    if(move_uploaded_file($temp_file, $upload_file)){
             $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
             rename($upload_file, $img_path);
             $is_upload = true;
            $msg = "Upload only.jpg|.png|.gif Type file!";
        $msg = 'Upload error!';
  • Bypass judgment by% 00 truncation

  • 20 off code can use array injection.

$is_upload = false;
$msg = null;
    //Check MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
        $msg = "Prohibit uploading this type of file!";
        //check filenames
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "Prohibit uploading this suffix file!";
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "File upload succeeded!";
                $is_upload = true;
            } else {
                $msg = "File upload failed!";
    $msg = "Please select the file to upload!";

  • File upload and file inclusion will directly win the target

23. File upload parsing vulnerability editor security

23.1 middleware parsing vulnerability

Reference shared middleware vulnerability PDF
IIS6/ 7 Brief description-Local build
Apache Configure security--vuthab
Apache Newline parsing-vulhub
Nginx Parsing vulnerability-vulhub
Nginx File name logic-vulhub
Apache Low version parsing vulnerability
 Use scenario:
We can use file upload to upload an unrecognized file suffix(x.php. xxx.yyy),apache Can't identify the last yyy,Parse forward until it is identified. The file is successfully parsed by using the parsing vulnerability rules, and then the backdoor code is triggered.
  • cmd command line: copy 05.png/b + shell.txt/a 05shell.png
  • Parsing vulnerability in lower version of linux & iis7.5

23.2 editor vulnerabilities

Editor manual

  • Editor page, see this to think of editor vulnerabilities
  • Common editors
    Fckeditor exp utilization
    Ueditor exploit
1.POC(Proof ofConcept),Chinese means "proof of point". This phrase will be used in the vulnerability report POC Is a description or an example of an attack, enabling readers to confirm that the vulnerability is real.

2.EXP(Exploit),Chinese means "exploit". It means a detailed description of how to exploit vulnerabilities or a demonstration of vulnerability attack code, which can make readers fully understand the mechanism and utilization methods of vulnerabilities.

3.VUL(Vulnerability),Generally refers to vulnerabilities.

4.CVE Vulnerability number,CVE My full English name is“ Common Vulnerabilities & Exposures"Public vulnerabilities and exposures, e.g CVE-2015-0057,CVE-1999-0001 wait. CVE It is like a dictionary, giving a public name for widely recognized information security vulnerabilities or exposed weaknesses. If a vulnerability is indicated in a vulnerability report, if any CVE Name, you can quickly in any other CVE Find the corresponding patch information in the compatible database to solve the security problem.
Can be in https://The cve.mitre.org/ website searches for the introduction of the vulnerability according to the CVE number of the vulnerability.
Or in the Chinese community http://Search www.scap.org.cn/ for an introduction to the vulnerability

5.0DAY Vulnerabilities and 0 DAY attack
 In the computer field, zero day vulnerability or zero time difference vulnerability (English: Zero-dayexploit)It usually refers to security vulnerabilities that have not been patched, and Zero Day attack or zero time difference attack (English: Zero-dayattack)It refers to an attack using this vulnerability. The person who provides details of the vulnerability or exploits the program is usually the discoverer of the vulnerability. Zero Day vulnerabilities are a great threat to network security. Therefore, zero day vulnerabilities are not only the favorite of hackers, but also an important parameter to evaluate the technical level of hackers.
The zero day vulnerability and its exploitation code not only have high utilization value for criminal hackers, but also attach great importance to this information by some national spies and cyber forces, such as the U.S. National Security Agency and the U.S. cyber warfare command[1]. According to Reuters, the US government is the largest buyer of the zero day loophole black market.

23.3 practical ideas for file upload

1.Uploading files and executing files are two things
2.Vulnerability classification{Parsing vulnerabilities cms Vulnerabilities, other vulnerabilities cve Vulnerabilities, security fixes]}

If there is a website, start from the direction of file upload
 Step 1: first look at the middleware to see if there are parsing vulnerabilities/CMS/Editor vulnerability/CVE/
If yes, how to find:
		Dictionary scanning: scan the member center and the location of file upload
 Once found, how to use:

Resources involved

https://navisec.it/editor vulnerability manual
https://pan.baidu.com/share/init?surl=5gcdBuOFrN1F9xVN7Q7GSA  **enqx**

24. WAF bypass and security repair of file upload

#Upload parameter name resolution:

Identify what can be modified?
Content-Disposition:Generally modifiable
name:Form parameter value,Cannot change
filename:file name,Can change
Content-Type:file MIME,Change as appropriate

#Common bypass methods:
data overflow -Anti matching(xxx...)	:It is to write a large amount of useless data in front of the key point to interfere with the detection of the following main data
 Symbolic variation-Anti matching('	" 	; ): Some detection may be based on single quotation marks and double quotation marks to obtain data. You can modify the position of single quotation marks or double quotation marks or add or delete single and double quotation marks to interfere waf
 Data Truncation -Anti matching(%00;	Line feed): 
Duplicate data-Anti matching(Parameter multiple times)

#Payload :
Massive garbage data buffer overflow(Ccontent-Disposition,filename etc.)

#Single quotation mark, double quotation mark, semicolon

# %00. Line feed
filename="Content-Disposition : form-data;name="upload_file" ; x.php"
filename="x.jpg" ; filename="x.jpg" ; . . . ..filename="x.php";
  • ; truncation

  • Repeat parameter

  • With the help of the white list, write some of the previous data in filename, and finally write x.php. When the program determines filename, it will release if it finds the previous data. When it encounters x.php, it finds that there is no variable reception, and then gives up the detection, but finally x.php uploads it to filename

  • /Truncation

#File upload security repair scheme
 Back end validation:Suffix detection using server authentication mode:
Filtering based on blacklist and whitelist M work ME testing:
Type detection based on upload
 Content detection:File header, integrity detection

Built in function filtering:reference resources uploadlabs function
 Custom function filtering:function check_file(){ }
WAF Protective products:pagoda,Cloud shield,Safety company products, etc

Resources involved


Tags: C# html5 html

Posted on Fri, 03 Sep 2021 23:59:12 -0400 by SkippyK