

Code Security: File Upload

Posted by herskovits at 2020-03-30

Upload request

As the captured upload request shows, the fields a server can use to verify the file type are Content-Type, filename and the file data itself.

Client-side JS validation

Principle

Checking the type of an uploaded file with client-side JavaScript is the least secure approach, because it is the easiest to bypass. The JavaScript file-check code is as follows:

The usual client-side JS check simply tests whether the extension of the selected file is on the allowed list.

Bypass methods

1. Edit the JS code in the Firefox developer tools (F12) to skip the check.

2. Capture the request with Burp and submit it directly, bypassing the JS check.

Server-side MIME type detection

MIME type introduction

Different file types carry different MIME types. The common ones are listed below:

Test code that checks the MIME type

The above is a simple server-side upload check: as long as the MIME type is image/gif, the upload is allowed.

Bypass method

Intercept the upload request with Burp and change the Content-Type value to image/gif; the webshell then uploads successfully.

Server-side file extension detection

Extension validation test code

By default the uploaded file is saved under the name the client supplied.

Bypass techniques

1. Case variation (on case-insensitive systems such as Windows), e.g. .PHP

2. A script extension that is missing from the blacklist, e.g. .php5

3. A parsing vulnerability in the server to defeat the extension check, e.g. test.jpg.xxx (Apache parsing vulnerability)

4. Operating-system quirks, e.g. test.php_ (the underscore stands for a space: on Windows the trailing part after test.php is discarded when the file is saved)

5. Null-byte (%00) truncation between two extensions, e.g. test.php%00.jpg

6. Upload a .htaccess file to control parsing: e.g. a .htaccess containing AddType application/x-httpd-php .jpg makes an uploaded .jpg file parsed as PHP

7. Null-byte truncation to bypass the suffix check and obtain a webshell (PHP < 5.3.4 with magic_quotes_gpc off)

8. Truncation via an over-long file name (Windows 258 bytes | Linux 4096 bytes)

Server-side file content detection

File header check

File header introduction

Different image formats have different file headers, for example:

PNG: header (8 bytes): 89 50 4E 47 0D 0A 1A 0A

JPEG: header (2 bytes): 0xFF 0xD8 (SOI, start-of-image marker)

GIF: header (6 bytes): 47 49 46 38 39 (or 37) 61, i.e. GIF89a or GIF87a

Bypass method

To bypass this check, it is enough to place the header bytes of an allowed file type in front of the malicious script.
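The weakness of a header-only check is that it looks at the first few bytes and nothing else. The following is an added example (not code from the article) that shows the difference between the prefix check described above and a structural check: for PNG it walks the chunk chain (length, type, data, CRC), requires IHDR first and IEND last, and refuses any bytes after IEND. The signature values are the ones the article lists; the sample files and the names `sniff_header`, `validate_png_structure` and `build_minimal_png` are this example's own.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")   # 8-byte PNG header from the article
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")              # 47 49 46 38 37/39 61
JPEG_SOI = b"\xff\xd8"                               # JPEG start-of-image marker


def sniff_header(data: bytes) -> Optional[str]:
    """The header-only check the article describes: report the format whose
    signature the data starts with. Anything may follow the signature, which
    is exactly why this check alone is weak."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(GIF_SIGNATURES):
        return "gif"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return None


def validate_png_structure(data: bytes) -> bool:
    """Strict PNG check: signature, then an unbroken chain of chunks
    (length, type, data, CRC), the first being IHDR, the last IEND, with no
    bytes after IEND. A file that only borrows the signature fails here."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return False                      # chunk claims more bytes than exist
        body = data[pos + 8:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            return False                      # CRC mismatch: corrupt or forged chunk
        if first and ctype != b"IHDR":
            return False                      # a PNG must open with IHDR
        first = False
        pos = body_end + 4
        if ctype == b"IEND":
            return length == 0 and pos == len(data)   # nothing may trail IEND
    return False                              # ran out of bytes before IEND


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC (used only to build the sample)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")         # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    real_png = build_minimal_png()
    # Constructed: the PNG signature followed by text that is not image data.
    borrowed_header = PNG_SIGNATURE + b"<not image data>"
    samples = [("real png", real_png),
               ("borrowed header", borrowed_header),
               ("real png + trailing bytes", real_png + b"junk")]
    for label, blob in samples:
        print(f"{label:26s} sniff={sniff_header(blob)!s:5s} strict={validate_png_structure(blob)}")
```

The same idea applies to GIF and JPEG: parse the whole file (or re-encode it with an image library and keep only the re-encoded output) rather than trusting the first bytes, and combine this with the whitelist and random naming recommended at the end of the article, since a structurally valid image can still carry text in metadata chunks.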

File content detection

Detection method

A regular expression is matched against the file content; as soon as malicious code matches, the upload is aborted and the user is asked to upload again.

Bypass method

Bypass the regular expression by fuzzing the content.

Security recommendations

1. Use a whitelist to restrict the extensions that may be uploaded

2. Inspect the file content and use regular-expression matching for malicious code to block the upload

3. Give uploaded files random names and never let the user control the extension

4. Patch parsing vulnerabilities that may exist in the server

5. Strictly forbid uploading files that can change the server configuration, such as .htaccess
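As an added example (not code from the article), the upload policy below puts recommendations 1, 3 and 5 together and also covers the MIME and extension sections above: the declared Content-Type is ignored, the extension is taken from a whitelist after rejecting the name tricks the article lists (null bytes, trailing space or dot, double extensions, case variants, over-long names, dotfiles such as .htaccess), the file bytes must start with the signature the article gives for that type, and the stored name is chosen by the server. The whitelist, the 200-byte name cap and the function names are this example's own assumptions.

```python
import secrets
from typing import Optional

# Whitelist of extensions the application is willing to store (assumption:
# an image upload feature). Everything not listed is rejected, which is what
# defeats .PHP, .php5 and other "not on the blacklist" tricks.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAX_NAME_BYTES = 200  # assumption: a cap far below the OS limits the article quotes

# Magic-byte prefixes for the allowed types (the values the article lists).
MAGIC = {
    "png": (bytes.fromhex("89504E470D0A1A0A"),),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8",),
}
MAGIC["jpeg"] = MAGIC["jpg"]


class UploadRejected(ValueError):
    """Raised for any upload that fails policy; the caller reports a generic
    rejection without echoing the reason to the client."""


def normalize_extension(filename: str) -> str:
    """Return the lower-cased extension of a client-supplied name if it is on
    the whitelist, otherwise raise. Each check maps to one bypass in the article."""
    if "\x00" in filename:                          # %00 truncation
        raise UploadRejected("null byte in file name")
    if len(filename.encode("utf-8", "replace")) > MAX_NAME_BYTES:
        raise UploadRejected("file name too long")  # over-long name truncation
    if "/" in filename or "\\" in filename:
        raise UploadRejected("path separator in file name")
    if filename.startswith("."):                    # .htaccess and other dotfiles
        raise UploadRejected("hidden or configuration file name")
    if filename != filename.rstrip(" ."):           # "test.php " / "test.php." on Windows
        raise UploadRejected("trailing space or dot")
    if "." not in filename:
        raise UploadRejected("no extension")
    ext = filename.rsplit(".", 1)[1].lower()        # case variants collapse here
    if ext not in ALLOWED_EXTENSIONS:               # .php, .php5, test.jpg.xxx ...
        raise UploadRejected("extension not allowed")
    return ext


def check_magic(data: bytes, ext: str) -> None:
    """The bytes must start with the signature of the type the extension claims."""
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")


def stored_name(ext: str) -> str:
    """Random server-chosen name; the only client influence is the whitelisted extension."""
    return f"{secrets.token_hex(16)}.{ext}"


def accept_upload(filename: str, content_type: Optional[str], data: bytes) -> str:
    """Full policy: whitelist extension, verify magic bytes, pick a random name.
    content_type is accepted only to make explicit that it is deliberately ignored."""
    ext = normalize_extension(filename)
    check_magic(data, ext)
    return stored_name(ext)


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean wrapper around accept_upload for quick checks."""
    try:
        accept_upload(filename, None, data)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input: a GIF header followed by filler bytes.
    sample_gif = b"GIF89a" + b"\x00" * 16
    print(accept_upload("holiday.GIF", "text/html", sample_gif))  # random name ending in .gif
    for bad in ["test.PHP", "test.php5", "test.jpg.xxx", "test.php ",
                "test.php\x00.jpg", ".htaccess", "a" * 300 + ".jpg"]:
        print(repr(bad), "->", "accepted" if is_acceptable(bad, sample_gif) else "rejected")
```

Storing the file under a random name outside the web root and serving it through a handler that sets its own Content-Type covers recommendation 4 as well, because a parsing quirk in the server has nothing to act on.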

The next article in the code security series covers file parsing.