Web security / Penetration testing (42): File upload vulnerabilities
1. Vulnerability description:
A file upload vulnerability, taken literally, means uploading a specific file to a web application. In general, the term refers to a user uploading an executable script file and, through that script, gaining the ability to execute commands on the server. File upload itself is one of the most common functional requirements in web applications; the key question is how the server processes the file after the upload, that is, whether the way the file is interpreted is safe. The usual cases are:
1) Uploading a file in a web scripting language that the server's web container interprets and executes, resulting in code execution.
2) Uploading a Flash policy file (crossdomain.xml) in order to control Flash behaviour under that domain.
3) Uploading viruses or Trojan files, which an attacker can use to trick users or administrators into downloading and executing them.
4) Uploading phishing images or images containing scripts, which some browsers execute as scripts, enabling phishing or fraud.
2. Detection conditions
1) The web site is known to have an upload page, before or after login.
2) The uploaded file is executable or can affect server behaviour, so the directory in which it is stored must lie within the path served by the web container.
3) Users can reach the file over the web, so that the web container interprets and executes it.
4) The uploaded file must pass the security check and must not be altered by formatting, compression or other processing that changes its content.
3. Test method
The upload mechanism depends on the web language, so there are various detection methods. The following list covers several common ways of bypassing uploads that rely on JavaScript validation:
1) Directly delete the code in the onsubmit event that validates the file being uploaded; the front end can be modified with the browser's F12 developer tools.
2) Directly change the file upload JS code so that the extension you want to upload is in the allowed list.
3) Submit the form locally, with the corresponding changes made.
4) Use Burp Suite, Fiddler or a similar tool: first rename the local file to .jpg, intercept the request during the upload, then change the file extension to .asp.
5) Of course, there are also uploads that are not based on JS validation, for example vulnerabilities in middleware such as IIS, Nginx, PHP and the FCKeditor, and there are many ways to bypass such uploads. Looking at the upload page, the common file upload check is based on the file type; one can manually modify the POST packet and append a %00 byte to truncate the file name judgment made by some functions. Besides modifying the file name to bypass the type check, one can also forge the header to fool the file upload check.
The above are several common upload bypasses; further ones need to be studied by ourselves. The overall test process is as follows:
1) Log in to the website and open the file upload page.
2) Click the "Browse" button, select a local JSP file (such as hacker.jsp), and confirm the upload.
3) If the client-side script limits the type of file that can be uploaded (for example, only gif files are allowed), rename hacker.jsp to hacker.gif; configure an HTTP proxy (Burp) to intercept HTTP requests; click the "Browse" button again, select hacker.gif, and confirm the upload.
4) In the HTTP request data intercepted by WebScarab, change hacker.gif to hacker.jsp and send the request data again.
5) Log in to the backend server and use the command find / -name hacker.jsp to see where hacker.jsp is stored. If it can be accessed via the web, construct the URL and access hacker.jsp through the browser; if it can be accessed normally, a WebShell has been obtained and the test ends. If hacker.jsp cannot be accessed via the web, for example because hacker.jsp is stored under the /home/tmp/ directory while the /home/tomcat/webapps directory corresponds to http://www.example.com/, proceed to the next step.
6) Repeat steps 1 to 3; in the HTTP request data intercepted by Burp, change hacker.gif to ../tomcat/webapps/hacker.jsp and send the request data again. Enter http://www.example.com/hacker.jsp in the browser address bar to access the backdoor and obtain a WebShell; the test ends.
4. Remediation plan
Based on the characteristics of file upload vulnerabilities and the three necessary conditions, blocking any one condition is enough to prevent a file upload attack:
1) Most effective: make the file upload directory non-executable. On Linux, revoke the 'x' permission on that directory. In fact, many large websites place the upload application in independent storage as static files, partly to make use of caching for acceleration and to reduce performance cost, and partly to eliminate the possibility of script execution;
2) File type checking: a whitelist is strongly recommended, combined with MIME type and suffix checks (in other words, only allowed file types can be uploaded); in addition, a compression or resize function that processes an image destroys any HTML code it contains;
3) Rewrite the file name and file path with random values, so that users cannot easily reach the files they uploaded themselves;
4) Set up a separate domain name for the file server;
5) Logging.
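As an added defensive example (this is not code from the original article), the following Python upload validator turns the remediation items above into checks that also cover the bypass techniques listed in section 3: a whitelist of extensions combined with a Content-Type and magic-byte check, rejection of file names containing a NUL (%00) byte or directory components such as ../tomcat/webapps/, a random stored name, a non-executable file mode, and a log record per stored upload. The allowed-type table, the sample GIF and JSP bytes, and the function names are constructed for this example.

```python
import logging
import os
import secrets
import tempfile

log = logging.getLogger("upload")

# Whitelist (constructed for this example): accepted extension -> accepted Content-Type values.
ALLOWED_TYPES = {
    "jpg": {"image/jpeg"},
    "jpeg": {"image/jpeg"},
    "png": {"image/png"},
    "gif": {"image/gif"},
}

# Leading bytes each accepted format must start with; the declared type alone is client-controlled.
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample payloads: a minimal GIF header and the opening bytes of a JSP page.
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
SAMPLE_JSP = b"<%@ page language=\"java\" %>\n<% out.println(\"x\"); %>\n"


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the message names the failed check."""


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return the accepted extension for this upload, or raise UploadRejected."""
    # A NUL in the name is the %00 truncation trick from section 3; never let it reach a C-level API.
    if "\x00" in filename:
        raise UploadRejected("NUL byte in file name")
    # Any directory component (e.g. ../tomcat/webapps/...) means the client is choosing the storage path.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        raise UploadRejected("path components in file name")
    # Whitelist on the final extension only, case-insensitively; a blacklist of .jsp/.asp/.php is bypassable.
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    # The declared Content-Type must agree with the extension (it is forgeable, so it is not the last check).
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared not in ALLOWED_TYPES[ext]:
        raise UploadRejected("Content-Type does not match extension")
    # The content itself must look like the claimed format; a script renamed to .gif fails here.
    if not any(data.startswith(magic) for magic in MAGIC_BYTES[ext]):
        raise UploadRejected("file content does not match declared type")
    return ext


def rejection_reason(filename: str, content_type: str, data: bytes):
    """Convenience wrapper: None if the upload passes, otherwise the reason it was rejected."""
    try:
        validate_upload(filename, content_type, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def store_upload(filename: str, content_type: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write the file under a random name with a non-executable mode; return that name."""
    ext = validate_upload(filename, content_type, data)
    # Random name: the uploader cannot predict or choose the stored path (remediation item 3).
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL refuses to overwrite an existing file; 0o644 sets no execute bit (remediation item 1).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Remediation item 5: record original name, declared type and stored name for later investigation.
    log.info("stored upload original=%r declared=%r as=%s size=%d",
             filename, content_type, stored_name, len(data))
    return stored_name


def demo() -> dict:
    """Store the constructed GIF in a temporary directory and report the stored name and execute bits."""
    with tempfile.TemporaryDirectory() as upload_dir:
        name = store_upload("photo.gif", "image/gif", SAMPLE_GIF, upload_dir)
        mode = os.stat(os.path.join(upload_dir, name)).st_mode & 0o777
    return {"name": name, "executable": bool(mode & 0o111)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
    for case in [("hacker.jsp", "application/octet-stream", SAMPLE_JSP),
                 ("hacker.gif", "image/gif", SAMPLE_JSP),
                 ("hacker.jsp\x00.gif", "image/gif", SAMPLE_GIF),
                 ("../tomcat/webapps/hacker.gif", "image/gif", SAMPLE_GIF)]:
        print(repr(case[0]), "->", rejection_reason(*case))
```

The checks are ordered so that the cheapest and most decisive ones run first; the magic-byte check is what defeats the rename-plus-forged-header bypass, and the random stored name plus the directory's own permissions are what remove the value of any file that still gets through. Image re-encoding (remediation item 2) is deliberately left out here because it needs an image library.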