Xiaodi penetration & WEB vulnerability (iii-ii)

20.1 demonstration cases

• Instructions for obtaining the upload address of conventional files: if the uploaded files are to be executed, they shall be executed according to the corresponding code.
• Backdoor test of file types in different formats
• Cooperate with the file type backdoor under the parsing vulnerability to test local files: upload + parsing vulnerability = high-risk vulnerability.
• Upload vulnerability shooting range environment construction
• Test a CMS and CVE number file upload vulnerability test: the vulnerability test of this third-party plug-in is different from the conventional vulnerability test.

20.2 resources involved

Range source code: https://github.com/c0ny1/upload-labs/releases

File upload common verification: Suffix, type, file header, etc Suffix:Blacklist, whitelist file type:M work ME information File header:Content header information Methods: view the source code, capture and modify the package information

%00 truncation: you can put this in the file name to bypass detection.
get: it will be decoded automatically
Post: it will not be decoded automatically, so if you want to submit data% 00 as post, you need to url encode it to% 25% 30% 30

Filtering rules

shooting range

uploadlabz

Picture sentence making method:copy 1.png /b + shell.php /a webshell.jpg File header detection Image file information judgment Logical security=Secondary rendering: it means that the website will operate after accepting the target, that is, it will operate the file again. Logical security-Conditional competition: some websites will upload and then verify the uploaded file (the upload process is not verified), so that the file will be temporarily saved to the server. You can access the file for occupation while the program does not operate on the file (such as renaming, shifting, etc.), resulting in conditional competition. Directory naming-x.php/. : This naming method is saved as a x.php file Script function vulnerability-CVE-2015-2348: Array acceptance+Directory naming

Parsing vulnerability

• There is a logic judgment problem in this code, which can be injected through logic competition.

#Range 17 off code $is_upload = false; $msg = null; if(isset($_POST['submit'])){ $ext_arr = array('jpg','png','gif'); $file_name = $_FILES['upload_file']['name']; $temp_file = $_FILES['upload_file']['tmp_name']; $file_ext = substr($file_name,strrpos($file_name,".")+1); $upload_file = UPLOAD_PATH . '/' . $file_name; if(move_uploaded_file($temp_file, $upload_file)){ if(in_array($file_ext,$ext_arr)){ $img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext; rename($upload_file, $img_path); $is_upload = true; }else{ $msg = "Upload only.jpg|.png|.gif Type file!"; unlink($upload_file); } }else{ $msg = 'Upload error!'; } } }

• Bypass judgment by% 00 truncation
  

• 20 off code can use array injection.

$is_upload = false; $msg = null; if(!empty($_FILES['upload_file'])){ //Check MIME $allow_type = array('image/jpeg','image/png','image/gif'); if(!in_array($_FILES['upload_file']['type'],$allow_type)){ $msg = "Prohibit uploading this type of file!"; }else{ //check filenames $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name']; if (!is_array($file)) { $file = explode('.', strtolower($file)); } $ext = end($file); $allow_suffix = array('jpg','png','gif'); if (!in_array($ext, $allow_suffix)) { $msg = "Prohibit uploading this suffix file!"; }else{ $file_name = reset($file) . '.' . $file[count($file) - 1]; $temp_file = $_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH . '/' .$file_name; if (move_uploaded_file($temp_file, $img_path)) { $msg = "File upload succeeded!"; $is_upload = true; } else { $msg = "File upload failed!"; } } } }else{ $msg = "Please select the file to upload!"; }

• File upload and file inclusion will directly win the target

23.1 middleware parsing vulnerability

Reference shared middleware vulnerability PDF IIS6/ 7 Brief description-Local build Apache Configure security--vuthab Apache Newline parsing-vulhub Nginx Parsing vulnerability-vulhub Nginx File name logic-vulhub

Apache Low version parsing vulnerability Use scenario: We can use file upload to upload an unrecognized file suffix(x.php. xxx.yyy)，apache Can't identify the last yyy，Parse forward until it is identified. The file is successfully parsed by using the parsing vulnerability rules, and then the backdoor code is triggered.

• cmd command line: copy 05.png/b + shell.txt/a 05shell.png
  
• Parsing vulnerability in lower version of linux & iis7.5
  

23.2 editor vulnerabilities

Editor manual

• Editor page, see this to think of editor vulnerabilities
  
• Common editors
  Fckeditor exp utilization
  Ueditor exploit

extend 1.POC(Proof ofConcept)，Chinese means "proof of point". This phrase will be used in the vulnerability report POC Is a description or an example of an attack, enabling readers to confirm that the vulnerability is real. 2.EXP(Exploit)，Chinese means "exploit". It means a detailed description of how to exploit vulnerabilities or a demonstration of vulnerability attack code, which can make readers fully understand the mechanism and utilization methods of vulnerabilities. 3.VUL(Vulnerability)，Generally refers to vulnerabilities. 4.CVE Vulnerability number,CVE My full English name is“ Common Vulnerabilities & Exposures"Public vulnerabilities and exposures, e.g CVE-2015-0057,CVE-1999-0001 wait. CVE It is like a dictionary, giving a public name for widely recognized information security vulnerabilities or exposed weaknesses. If a vulnerability is indicated in a vulnerability report, if any CVE Name, you can quickly in any other CVE Find the corresponding patch information in the compatible database to solve the security problem. Can be in https://The cve.mitre.org/ website searches for the introduction of the vulnerability according to the CVE number of the vulnerability. Or in the Chinese community http://Search www.scap.org.cn/ for an introduction to the vulnerability 5.0DAY Vulnerabilities and 0 DAY attack In the computer field, zero day vulnerability or zero time difference vulnerability (English: Zero-dayexploit)It usually refers to security vulnerabilities that have not been patched, and Zero Day attack or zero time difference attack (English: Zero-dayattack)It refers to an attack using this vulnerability. The person who provides details of the vulnerability or exploits the program is usually the discoverer of the vulnerability. Zero Day vulnerabilities are a great threat to network security. Therefore, zero day vulnerabilities are not only the favorite of hackers, but also an important parameter to evaluate the technical level of hackers. The zero day vulnerability and its exploitation code not only have high utilization value for criminal hackers, but also attach great importance to this information by some national spies and cyber forces, such as the U.S. National Security Agency and the U.S. cyber warfare command[1]. According to Reuters, the US government is the largest buyer of the zero day loophole black market.

23.3 practical ideas for file upload

1.Uploading files and executing files are two things 2.Vulnerability classification Idea: If there is a website, start from the direction of file upload Step 1: first look at the middleware to see if there are parsing vulnerabilities/CMS/Editor vulnerability/CVE/ If yes, how to find: Dictionary scanning: scan the member center and the location of file upload Once found, how to use: verification/bypass

Resources involved

https://navisec.it/editor vulnerability manual https:/www.jb51.net/softs/75619.html https://pan.baidu.com/share/init?surl=5gcdBuOFrN1F9xVN7Q7GSA **enqx**

#Upload parameter name resolution: Identify what can be modified? Content-Disposition:Generally modifiable name:Form parameter value,Cannot change filename:file name,Can change Content-Type:file MIME，Change as appropriate

#Common bypass methods: data overflow -Anti matching(xxx...) :It is to write a large amount of useless data in front of the key point to interfere with the detection of the following main data Symbolic variation-Anti matching(' " ; ): Some detection may be based on single quotation marks and double quotation marks to obtain data. You can modify the position of single quotation marks or double quotation marks or add or delete single and double quotation marks to interfere waf Data Truncation -Anti matching(%00; Line feed): Duplicate data-Anti matching(Parameter multiple times) #Payload : Massive garbage data buffer overflow(Ccontent-Disposition,filename etc.) #Single quotation mark, double quotation mark, semicolon filename=x.php filename="x.php filename='x.php filename="a.jpg;.php"; # %00. Line feed filename="a.php%00.jpg" filename="Content-Disposition : form-data;name="upload_file" ; x.php" filename="x.jpg" ; filename="x.jpg" ; . . . ..filename="x.php"; filename= " x . p h p " ;

• ； truncation
  

• Repeat parameter
  

• With the help of the white list, write some of the previous data in filename, and finally write x.php. When the program determines filename, it will release if it finds the previous data. When it encounters x.php, it finds that there is no variable reception, and then gives up the detection, but finally x.php uploads it to filename
  

• /Truncation
  

#File upload security repair scheme Back end validation:Suffix detection using server authentication mode: Filtering based on blacklist and whitelist M work ME testing: Type detection based on upload Content detection:File header, integrity detection Built in function filtering:reference resources uploadlabs function Custom function filtering:function check_file(){ } WAF Protective products:pagoda,Cloud shield,Safety company products, etc

Resources involved

https://github.com/fuzzdb-project/fuzzdb
https://github.com/TheKingOfDuck/fuzzDicts

Add new comment

0 comments