Upload packet
In the captured upload request, the fields a server can use to decide the file type are the part's Content-Type header, the filename, and the file data itself. All three are supplied by the client, which is why every check below can be attacked from the request.
Client JS validation
Principle introduction
Checking the type of an uploaded file in client-side JS is the most insecure approach, because it is the easiest to bypass. Let's first look at the JS code that implements the file check, as follows:
The common client-side JS check simply tests whether the extension of the selected file is on an allowed list before the form is submitted; nothing is enforced on the server.
Bypass methods
1. Modify or disable the JS check in the browser's developer tools (F12 in Firefox) and submit the form.
2. Intercept the request with Burp and submit it directly; the server never sees the JS check, so it has no effect.
Server MIME type detection
MIME type introduction
Different file types are announced with different MIME types in the Content-Type header of the upload part. Common MIME types are as follows:
Test code to verify the MIME header
The above is a simple server-side upload check: as long as the part's Content-Type is image/gif, the upload is allowed.
Bypass method
Intercept the upload with Burp and change the Content-Type value to image/gif; the webshell is then accepted, because the header is chosen by the client rather than derived from the file content.
Server file extension detection
Extension validation test code
By default the uploaded file is saved under the filename supplied by the client.
Bypass techniques
1. Case variation (on case-insensitive systems such as Windows), e.g. .PhP.
2. A script extension the blacklist forgot, e.g. .php5 or .phtml.
3. A server parsing flaw, e.g. test.php.xxx: Apache's mod_mime ignores extensions it does not recognise, so the file is still handled as PHP.
4. Operating-system quirks, e.g. test.php. or test.php followed by a space: Windows strips trailing dots and spaces when saving, so the file lands on disk as test.php even though the check saw a different extension.
5. Null-byte truncation between two extensions, e.g. test.php%00.jpg: the check sees .jpg, but the C-level file API stops at the NUL and saves test.php.
6. An uploaded .htaccess file, e.g. with the content AddType application/x-httpd-php .jpg, after which any uploaded .jpg in that directory is executed as PHP.
7. Null-byte truncation to bypass the suffix check and obtain a webshell (works only on PHP < 5.3.4 with magic_quotes_gpc off, so the %00 is not escaped).
8. Over-long filename truncation (Windows 258 bytes, Linux 4096 bytes): the part of the name beyond the limit, including the harmless trailing extension, is cut off when the file is saved.
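The techniques above all exploit a gap between the name the check inspects and the name that ends up on disk (or the name the web server later interprets). The following is an added example, not the article's own code: a case-sensitive blacklist check of the kind described, plus functions that model what old PHP, Windows and Apache mod_mime do with the same name afterwards. The BLACKLIST set and the assumed AddHandler mapping in PHP_HANDLER_EXTS are assumptions for the demonstration.

```python
import os

BLACKLIST = {".php"}                         # deliberately incomplete and case-sensitive, as in the text
PHP_HANDLER_EXTS = {"php", "php5", "phtml"}  # assumed Apache AddHandler configuration


def blacklist_check(filename):
    """Vulnerable: rejects only if the raw extension is exactly in BLACKLIST."""
    return os.path.splitext(filename)[1] not in BLACKLIST


def saved_name_posix_old_php(filename):
    """PHP < 5.3.4 handed the name to C file APIs, where a NUL byte ends the string."""
    return filename.split("\x00", 1)[0]


def saved_name_windows(filename):
    """Win32 silently drops trailing spaces and dots when creating a file."""
    return saved_name_posix_old_php(filename).rstrip(" .")


def apache_mod_mime_runs_as_php(filename):
    """mod_mime evaluates every dotted extension and ignores unknown ones,
    so test.php.xxx is handled as PHP under the assumed handler mapping."""
    return any(ext.lower() in PHP_HANDLER_EXTS for ext in filename.split(".")[1:])


def analyse(filename):
    """Does the check pass, which name lands on disk, and would Apache execute it?"""
    return {
        "passes_blacklist": blacklist_check(filename),
        "on_disk_linux_old_php": saved_name_posix_old_php(filename),
        "on_disk_windows": saved_name_windows(filename),
        "apache_executes": apache_mod_mime_runs_as_php(filename),
    }


if __name__ == "__main__":
    for name in ["shell.php", "shell.PHP", "shell.php5", "shell.php.", "shell.php ",
                 "shell.php\x00.jpg", "shell.php.xxx"]:
        print(repr(name), analyse(name))
```

Only the plain shell.php is rejected; every other spelling passes the check, and either the file system or the web server turns it back into executable PHP. The right fix is an allow-list applied to a normalised name, shown under the security recommendations below.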
Server file content detection
Test file header
File header introduction
Different image formats start with different file headers (magic bytes), for example:
PNG: 8-byte signature 89 50 4E 47 0D 0A 1A 0A
JPEG: 2-byte signature FF D8 (the SOI marker)
GIF: 6-byte signature 47 49 46 38 39 61 or 47 49 46 38 37 61 ("GIF89a" / "GIF87a")
Bypass method
A check that only reads the leading bytes is bypassed by prepending the signature of a permitted type (for example GIF89a) to the malicious script; the rest of the file is never parsed as an image.
File content detection
Detection method
A regular expression is run over the file content; if it matches known malicious code, the upload is aborted and the user is asked to upload again.
Bypass method
Fuzz the payload: alternative PHP open tags, different function names, encodings and whitespace, until a variant no longer matches the regex while still executing on the server.
Security recommendations
1. Use a whitelist to restrict the extensions that may be uploaded; a blacklist always misses something.
2. Inspect the file content; regex matching of malicious code is only a supplementary measure, since the previous section shows it can be bypassed.
3. Store uploaded files under random names and never let the user control the extension.
4. Fix any parsing vulnerabilities on the server (for example Apache's handling of multiple extensions).
5. Strictly forbid uploading files that can alter the server configuration, such as .htaccess.
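The five recommendations are easiest to get right when they live in one place. The following is an added example, not the article's own code, of a server-side upload handler that applies them together: an allow-list of extensions compared on a normalised name (NUL bytes, path components and trailing dot/space removed), a magic-byte check that the content matches the allowed type, a size limit, and a random server-chosen name. The allow-list, MAX_BYTES and the directory handling are assumptions for the demonstration.

```python
import os
import secrets

ALLOWED = {                                  # extension -> accepted leading bytes (assumed allow-list)
    "jpg": (b"\xff\xd8\xff",),
    "png": (bytes.fromhex("89504e470d0a1a0a"),),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024                  # assumed limit


class UploadRejected(ValueError):
    pass


def choose_stored_name(client_filename: str, data: bytes) -> str:
    """Validate an upload and return the random, server-chosen name to store it under."""
    # Never trust the path. Drop NULs (bypass 5), path components, and the trailing
    # dot/space Windows would strip (bypass 4) before looking at the extension.
    base = os.path.basename(client_filename.replace("\x00", "").replace("\\", "/")).rstrip(" .")
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()     # case-insensitive (bypass 1)
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED:                   # allow-list: .php5, .phtml and .htaccess all fail here
        raise UploadRejected(f"extension .{ext} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Random name: the user controls neither the base name nor the extension (recommendation 3).
    return f"{secrets.token_hex(16)}.{ext}"


def store(client_filename: str, data: bytes, upload_dir: str) -> str:
    """Write with O_EXCL so an existing file is never overwritten. upload_dir must be
    served as static content with no script handler and AllowOverride None, so that a
    valid image carrying PHP in its body is never executed."""
    name = choose_stored_name(client_filename, data)
    fd = os.open(os.path.join(upload_dir, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        choose_stored_name(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for name, data in [("shell.php", b"<?php"), ("shell.php\x00.jpg", b"\xff\xd8\xff\xe0JFIF"),
                       (".htaccess", b"AddType application/x-httpd-php .jpg"), ("a.gif", b"<?php")]:
        print(repr(name), is_accepted(name, data))
```

Note the residual case: shell.php%00.jpg with genuine JPEG bytes is accepted, but it is stored as <random>.jpg in a directory that cannot execute scripts, so the extension, the name and the location all have to fail together before the payload runs. Re-encoding images on the server removes the remaining polyglot risk entirely.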
The next article covers file parsing in code security.