<>1, Vulnerability description :

File upload vulnerability , Face up to the meaning WEB Upload specific files . In general, file upload vulnerability refers to the user uploading an executable script file , Through this script file, the ability to execute server-side commands is obtained . The file upload itself is web One of the most common functional requirements in , The key is the server-side processing after file upload , Is the process of interpreting documents safe . In general, there are :

1, upload Web scripting language , Server's WEB The container interprets and executes the script uploaded by the user , Causes code execution .

2, upload Flash Policy file crossdomain.xml, To control it Flash Behavior under this domain .

3, Upload virus , Trojan files , It can be used by attackers to trick users or administrators to download and execute .

4, Upload fishing images or images containing scripts , Some browsers execute as scripts , Commit fishing or fraud .

<>2, Detection conditions

1, Known Web The website has an upload page before or after login .

2, The uploaded file is executable or can affect server behavior , So the directory where the file is located must be in the WEB Within the path covered by the container .

3, Users can access the WEB Access this file on , So that WEB The container interprets the execution of the file .

4, The uploaded file must go through security check , Will not be formatted , Compression and other processes change its content .

<>3, test method

The upload method depends on the web language , There are various detection methods , The following list is based on JS Several common file upload bypass methods for verified uploads :

1, We delete the code directly onsubmit Event about the code related to verifying the uploaded file when uploading the file .F12 The front end can be modified .

2, Direct change file upload JS The file extension you want to upload is allowed in the code .

3, Just submit the form locally , Make changes accordingly .

4, use burpsuite Or is it fiddle And so on , Local file first changed to jpg, Block when uploading , Then change the file extension to asp that will do .

5, Of course, it is not based on JS Verified upload , For example, some middleware IIS,Nginx,PHP,FCK The vulnerability of the editor and so on , There are many ways to bypass the upload . By checking the upload page , The common file upload check is based on the file type , It can be modified manually POST Add after package %00 Bytes are used to truncate the judgment of some functions on the file name . In addition to modifying the file name to bypass type checking , You can also modify the header to forge the header , Cheat file upload check .

The above are several common uploads , More needs to be studied by ourselves , Upload bypass . The following is the overall test process :

1, Login website , And open the file upload page .

2, click “ browse ” Button , And choose a local one JSP file ( such as hacker.jsp), Confirm upload .

3, If the client script limits the type of file to be uploaded ( For example, allow gif file ), Then hacker.jsp Renamed as hacker.gif; to configure HTTP
Proxy(burp) conduct http Request interception ; Click again “ browse ” Button , And choose hacker.gift, Confirm upload .
4, stay WebScarab Intercepted HTTP Request data , take hacker.gif Revised as hacker.jsp, Send request data again .

5, Log in to the background server , Use the command find / -name hacker.jsp
see hacker.jsp File storage path . If you can Web Method visit , The URL, And through the browser access hacker.jsp
, If it can be accessed normally , Has been obtained WebShell, End of test . If hacker.jsp Unable to pass web Method visit , for example hacker.jsp Stored in /home/tmp/
Under the table of contents , and /home/tomcat/webapps Directory correspondence http://www.example.com/, Then proceed to the next step .

6, repeat 1~3, stay burp Intercepted HTTP Request data , take hacker.gif Revised as ../tomcat/webapps/hacker.jsp, Send request data again .
Enter in the browser address bar http://www.example.com/hacker.jsp, Access the backdoor , obtain WebShell, End detection .

<>4, Restoration plan

According to the characteristics of file upload vulnerability and the three necessary conditions , We can achieve the purpose of organizing file upload attack by blocking any condition :

1, The most effective , Set the file upload directory directly to not executable , about Linux for , Whose directory is revoked ’x’ jurisdiction ; In fact, many large-scale website upload applications will be placed in independent storage as static files , One is to facilitate the use of cache to accelerate the reduction of energy consumption , The second is to eliminate the possibility of script execution ;

2, Document type check : White list is highly recommended , combination MIME
Type, Suffix check, etc ( In other words, only allowed file types can be uploaded ); In addition, the compression function or the resize function , Processing an image destroys its contained HTML code ;

3, Rewrite the file name and file path with random numbers , So that users can not easily access their own uploaded files ;

4, Set the domain name of the file server separately ;

5, Log .