File upload detection and bypass - server detection and bypass

1. Detection principle:

For file uploads, if validation is performed only on the web front end, the protection is clearly insufficient; the server side must validate the upload as well.

The server side obtains the file suffix through the pathinfo() function, converts the suffix to lowercase, and checks whether it is one of the file formats permitted for upload.

2. Bypass method

1. Suffix name detection and bypass

There are many ways to bypass suffix detection; the common ones are:

1. Blacklist: case bypass
2. Blacklist: extension list bypass
3. Blacklist: Windows feature (trailing dot [.]) bypass
4. Blacklist: Windows feature (space [ ]) bypass
5. Blacklist: Windows feature (::$DATA) bypass
6. Whitelist (needs to be combined with a file inclusion vulnerability or a web server parsing vulnerability)
7. .htaccess file attack: match file content
8. .htaccess file attack: match a keyword in the file name
9. .htaccess file attack: match the file name
10. Apache parsing vulnerability

Blacklist: case bypass

1. Login: http://ip/upfile/2/upload1.html

2. Prepare the file (script file) to be uploaded on the operating machine, such as creating a new 1.php file

3. Click the "Select File" button to select the file to upload

4. Click the "submit" button; the file upload fails, the suffix name is not allowed

5. Try a case bypass: rename the script file 1.php to 1.pHp and select the script file again

6. Click the "submit" button to upload the file; the script file is uploaded successfully

7. Visit http://ip/upfile/2/upload/1.pHp, the uploaded script file is parsed successfully


Blacklist: extension list bypass

Principle: some middleware allows other file extensions to be parsed, such as asp, cer, etc.; or, if the corresponding configuration is added to httpd.conf, php, php3 and phtml files are all parsed as PHP. So when the php suffix is blocked, you can try php3 and phtml instead.

The first 4 steps are the same as in the case bypass above.

5. Try the case bypass: rename the script file 1.php to 1.pHp and select the script file again

6. Click the "submit" button to upload the file, but it still fails: the suffix name is not allowed

7. Try to find file extensions that are allowed to be uploaded outside the blacklist to bypass, change the script file 1.php to 1.php3 or 1.phtml, and select the script file again

8. Click the "submit" button to continue uploading the file, and the script file is uploaded successfully

9. Visit http://ip/upfile/2/upload/1.php3, the uploaded script file is parsed successfully


Blacklist: Windows feature (trailing dot [.]) bypass

The first 4 steps are still the same as in the case bypass.

5. Try the case bypass (rename the script file info.php to info.pHp) and the extension list bypass (rename info.php to info.php3 or info.phtml), and select the script file to upload again; it still fails, this file is not allowed to upload

6. Open the "Burp" folder on the desktop, double-click "BURP.cmd" to start the Burp Suite packet capture tool, start capturing, and set the browser proxy. Refer to the previous article

7. Click the "submit" button to upload the file again; Burp captures the request

8. Using the Windows feature, append "." to the file name to bypass the server-side suffix check: change the file name info.php in the captured request to info.php.

9. Click "Forward" to forward the request, switch to the browser, and the script file is uploaded successfully

10. Close the browser proxy and visit http://ip/upfile/2/upload/info.php. (visiting http://ip/upfile/2/upload/info.php also works); the uploaded script file is parsed successfully


Blacklist: Windows feature (space [ ]) bypass

The first 4 steps are the same.

5. Try the case bypass (rename the script file info.php to info.pHp) and the extension list bypass (rename info.php to info.php3 or info.phtml), and select the script file to upload again; it still fails, this file is not allowed to upload

6. Open the "Burp" folder on the desktop, double-click "BURP.cmd" to start the Burp Suite packet capture tool, start capturing, and set the browser proxy. Refer to the previous article

7. Click the "submit" button to upload the file again; Burp captures the request

8. Using the Windows feature, append "." to the file name to bypass the server-side suffix check: change the file name info.php in the captured request to info.php.

9. Click "Forward" to forward the request and switch to the browser; the upload still fails, the suffix name does not allow "." to appear

10. Close the browser proxy and re-select the script file

11. Turn the browser proxy on again, click the "submit" button, upload the file and capture the request

12. Using the Windows feature, append a space to the file name to bypass the server-side suffix check: change the file name info.php in the captured request to "info.php " (with a trailing space)

13. Click "Forward" to forward the request, switch to the browser, and the script file is uploaded successfully

14. Close the browser proxy and visit http://ip/upfile/2/upload/info.php; the uploaded script file is parsed successfully


Blacklist: Windows feature (::$DATA) bypass

The previous steps are the same.

Case bypass, the extension list, and the Windows trailing-dot and space features all fail here, so we try another Windows feature.

Burp is still needed to capture and modify the request; the steps are almost the same as above, so only the steps that differ are listed below

1. Using the Windows feature, append "::$DATA" to the file name to bypass the server-side suffix check: change the file name info.php in the captured request to info.php::$DATA

2. Click "Forward" to forward the request, switch to the browser, and the script file is uploaded successfully

3. Turn off the browser proxy

4. Visit http://ip/upfile/2/upload/info.php::$DATA: parsing fails and the uploaded file is not found, because Windows automatically strips "::$DATA", so the file info.php::$DATA is stored as info.php

5. Visit http://ip/upfile/2/upload/info.php, the uploaded script file is parsed successfully


.htaccess file attack

Principle:

The .htaccess file is a distributed (per-directory) configuration file of the Apache server (IIS has no such file). This configuration file overrides the global configuration of the Apache server for the current directory and its subdirectories. In the httpd.conf configuration file, the AllowOverride directive indicates whether the Apache server looks for .htaccess files as configuration files: if it is set to None, the server ignores .htaccess files; if it is set to All, .htaccess files are enabled and all directives in them are honoured, allowing a .htaccess file to override the Apache configuration.

If a web application allows .htaccess files to be uploaded, and .htaccess files are enabled, an attacker can change the configuration of Apache, which is very dangerous.
There are three ways to attack using .htaccess files:

  • Match file content: with the corresponding .htaccess content, files whose content conforms to PHP syntax rules are parsed as PHP files

  • Match a keyword in the file name: for example, when the file name [info.php.png] contains the keyword [.php] and the .htaccess file matches on that keyword, the code in info.php.png is executed

  • Match the file name: with the corresponding .htaccess content, the code in the file with the matching file name is executed

1. Login address: http://ip/upfile/2/upload6.html

2. Prepare the file (script file) to be uploaded on the operating machine, such as creating a new info.php file

3. Click the "Select File" button to select the file to upload

4. Click the "submit" button; the file upload fails, this file is not allowed to upload

5. Try the case bypass and the Windows features; they still fail, this file is not allowed to upload

6. Create a new .htaccess file

7. Select the .htaccess file, click the "submit" button to upload it, and it is uploaded successfully

8. Change the suffix of the script file info.php to an allowed one, info.jpg, and then select the file

9. Click the "submit" button to upload the file again; it is uploaded successfully

10. Visit http://ip/upfile/2/upload/info.jpg, the uploaded script file is parsed successfully
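As an added defensive illustration (not code from the original post), the following Python mirrors the pathinfo()-style blacklist check described at the top of the page and places a normalizing whitelist check beside it, then runs both over the file names used in the bypass steps above (case, php3/phtml, trailing dot, space, ::$DATA, .htaccess and info.php.png). The whitelist set and the name-normalization rules are assumptions chosen for this example.

```python
import os
import re

# Assumed upload policy for this example: only image extensions are accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_blacklist_check(filename: str) -> bool:
    """Mirror of the check the page describes: take the suffix after the last dot
    (pathinfo()-style), lowercase it, and reject only if it is on a blacklist."""
    suffix = filename.rsplit(".", 1)[1] if "." in filename else ""
    return suffix.lower() not in {"php"}


def normalize_upload_name(filename: str) -> str:
    """Canonicalize a client-supplied name the way a Windows/NTFS host stores it,
    so the name that is checked is the name that actually lands on disk."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    name = name.split("::$DATA", 1)[0]                    # NTFS stream suffix is dropped
    return name.rstrip(". ")                               # trailing dots/spaces are dropped


def hardened_check(filename: str) -> "tuple[bool, str]":
    """Whitelist validation on the normalized name; returns (accepted, reason)."""
    name = normalize_upload_name(filename)
    if not name or name.startswith("."):
        return False, "empty name or dotfile (covers .htaccess)"
    parts = name.lower().split(".")
    if len(parts) != 2:
        return False, "exactly one extension required (covers info.php.png)"
    base, ext = parts
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not in whitelist"
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", base):
        return False, "basename has characters outside [a-z0-9_-]"
    return True, "accepted"


def compare(filenames):
    """Return {name: (blacklist_passes, whitelist_passes)} for a list of names."""
    return {n: (weak_blacklist_check(n), hardened_check(n)[0]) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names taken from the bypass steps on this page.
    samples = ["1.pHp", "1.php3", "1.phtml", "info.php.", "info.php ",
               "info.php::$DATA", ".htaccess", "info.php.png", "info.jpg"]
    for name, (weak, hard) in compare(samples).items():
        print(f"{name!r:22} blacklist={'pass' if weak else 'block'}  "
              f"whitelist={'pass' if hard else 'block'}")
```

Lowercasing alone only stops the case variant; every other name on the page passes the blacklist because the suffix it extracts is not literally "php", while the whitelist rejects all of them and accepts only info.jpg.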

 


To keep this article from getting too long, the remaining content will follow in the next article.


Origin blog.csdn.net/weixin_54055099/article/details/126968445