What are the ideas for mining file upload vulnerabilities?
File upload vulnerabilities are the fastest way to gain control of a server. Although plenty of material exists on the subject, many people are still vague about how uploads are verified, how that verification is bypassed, and which upload and parsing scenarios actually cause harm. This article explains these points and then adds some less conventional mining approaches beyond uploading a webshell, including XSS, redirection, DoS, CSRF and so on.

1. Basic knowledge:

To understand file upload in depth, we must understand the properties of the upload request, the structure of common file formats, image processing functions and so on.

1) Message characteristics:

Observe the characteristics of file upload messages:

The Content-Type header of the request has two characteristics:

1. multipart/form-data (the enctype attribute of the form; indicates the body carries binary data)

2. A boundary string (used as a separator between the POST fields)

The POST body has five characteristics:

1. Content-Disposition: form-data

2. name: the name of the form field

3. filename: the file name

4. Content-Type: the declared type of the file and its encoding, which tells the browser in what form and encoding to read it

5. Boundary: the value taken from the Content-Type header, preceded by two hyphens (--)
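To make the five fields above concrete, here is a small parser, added as an example (not code from the original article), that walks a constructed multipart/form-data request and pulls out the boundary and, for each part, the name, filename, Content-Type and content. The request body, field names and boundary value are all constructed for the example. Note that everything the parser returns, the filename and the part's Content-Type included, is chosen by the client, which is why the checks discussed later in the article cannot rely on those values alone.

```python
import re

# Constructed sample request: what a browser sends for <form enctype="multipart/form-data">
# with one file field ("avatar") and one plain text field ("caption").
BOUNDARY = "----WebKitFormBoundaryExample123"
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="avatar"; filename="cat.jpg"\r\n'
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    "GIF89a<constructed file bytes>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="caption"\r\n'
    "\r\n"
    "my cat\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")


def parse_headers(block: bytes) -> dict:
    """Turn 'Name: value' lines into a dict with lower-cased names; other lines are skipped."""
    headers = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def disposition_param(disposition: str, key: str):
    """Extract name="..." or filename="..." from a Content-Disposition value."""
    m = re.search(rf'(?:^|[;\s]){key}="([^"]*)"', disposition)
    return m.group(1) if m else None


def parse_multipart(raw: bytes) -> dict:
    """Parse a raw multipart/form-data request into its boundary and its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head)
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.lower().startswith("multipart/form-data") or not m:
        raise ValueError("not a multipart/form-data request")
    boundary = m.group(1)
    delimiter = b"--" + boundary.encode("latin-1")   # the boundary with its two leading hyphens
    parts = []
    for chunk in body.split(delimiter)[1:]:            # [0] is the preamble (empty here)
        if chunk.startswith(b"--"):                    # "--boundary--" closes the body
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        part_head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):                  # the CRLF that precedes the next delimiter
            content = content[:-2]
        part_headers = parse_headers(part_head)
        disposition = part_headers.get("content-disposition", "")
        parts.append({
            "name": disposition_param(disposition, "name"),
            "filename": disposition_param(disposition, "filename"),
            "content_type": part_headers.get("content-type"),   # client-supplied, not trustworthy
            "content": content,
        })
    return {"boundary": boundary, "parts": parts}


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_REQUEST)
    print("boundary:", parsed["boundary"])
    for p in parsed["parts"]:
        print(p["name"], p["filename"], p["content_type"], p["content"][:12])
```

Running the block prints the boundary and one line per part; the file part carries a filename and Content-Type, the plain text field carries neither.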

2) Common verification rules

The upload verification rules in common use fall into the following categories:

1. Client-side JavaScript check (of the suffix)

2. Content-Type field check in the part header (e.g. image/gif), with its parameters

3. Suffix check: blacklist or whitelist of extensions

4. File content header check (e.g. GIF89a)

5. File content check: file metadata, secondary rendering (re-encoding the image)

6. Custom checks specific to the application

3) Clarification

File upload and file parsing are two separate processes. Even if we upload a .php file, it may be parsed as an image: when the file is accessed, the browser only shows "the image cannot be displayed". Conversely, we may upload a .jpg file with a script mixed into it, and that script runs if something parses the file as PHP; or the upload point cannot be bypassed and only accepts .jpg files, but another function such as file inclusion can still get the file executed.

Let's return to the essence of security: uploading is the "input" and file parsing is the "output". Any vulnerability mining has to combine the two.

2. Bypass techniques:

Here are some bypass techniques commonly used in real engagements:

1) Suffix blacklist

The following alternative suffixes can also be parsed as a shell:

php: .phtml, .phpt, .php3, .php3p

asp: .aspx, .asmx, .ashx, web.config

perl: .pl, .pm, .cgi, .lib

jsp: .jspx, .jsw, .jsv, .jspf

ColdFusion: .cfm, .cfml, .cfc, .dbm

In addition, the file-naming rules of the operating system can be used:

.php. (trailing dot), .php followed by a space, .php:1.jpg, .php::$DATA and so on.

Windows strips the trailing irregular characters from such names when the file is saved, leaving only .php.

2) Suffix whitelist

Besides combining various server parsing features, null byte injection is often used. The reason for inserting a null byte is that some application-server scripting languages use C/C++ libraries to check file names and contents. In C/C++, a string is terminated by the byte \x00, the null byte. So as soon as the interpreter sees a null byte, it stops reading and treats that position as the end of the string.

For example, rename Happy.jpg to Happy.phpA.jpg, upload it, intercept the request in Burp and switch to the hex view. Find the file name in the string view, look up the corresponding byte in the hex table and replace 41 ('A') with 00 (the null byte). The resulting name becomes Happy.php\x00.jpg. Because the PHP interpreter uses C library functions internally, it stops reading the file name after Happy.php, and the file is saved as Happy.php.

Another way to bypass the white list is to use a double suffix: shell.php.jpg.
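The verification rules in section 1.2 and the bypasses in sections 2.1 and 2.2 describe the same problem from two sides. The following validator, added here as an example and not code from the original article, shows what a server-side check looks like once it accounts for every case above: it rejects control characters (so a null byte cannot truncate the name), rejects ':' (alternate data streams such as .php::$DATA), strips the trailing dots and spaces Windows would drop before judging the extension, checks every dotted segment rather than only the last one (shell.php.jpg), uses an allowlist so .phtml and similar alternatives need no enumeration, ignores the client's Content-Type header entirely, and verifies the leading bytes of the content instead. The allowlist, magic-byte table and sample file contents are constructed for the example.

```python
import secrets

# Allowlist of extensions the application stores (constructed for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes (magic numbers) each allowed type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample contents: the first bytes of a JPEG, of a GIF, and something that is neither.
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 12
GIF_HEAD = b"GIF89a" + b"\x00" * 12
NOT_AN_IMAGE = b"plain text, not an image"


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate a client-supplied filename and file content.

    Returns the server-chosen name to store the file under. The client name is used only
    to determine the extension; the client's Content-Type header is not consulted at all.
    """
    # 1. Control characters, NUL included, never belong in a filename. Reject rather than
    #    strip: a C-based layer further down would otherwise see the name end at the NUL.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        raise UploadRejected("control character in filename")
    # 2. Path separators and ':' (NTFS alternate data streams such as x.php::$DATA).
    if any(ch in filename for ch in "/\\:"):
        raise UploadRejected("path separator or stream marker in filename")
    # 3. Windows drops trailing dots and spaces when saving (x.php. -> x.php), so judge
    #    the name the filesystem would actually use.
    normalized = filename.rstrip(". ")
    parts = normalized.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("no extension")
    # 4. Every dotted segment after the base name must be allowed, not just the last one
    #    (shell.php.jpg has two); an allowlist also covers .phtml, .php3 and friends.
    extensions = parts[1:]
    if any(ext not in ALLOWED_EXTENSIONS for ext in extensions):
        raise UploadRejected(f"extension not allowed: {extensions}")
    ext = extensions[-1]
    # 5. The content must start with the magic bytes of the type the extension claims.
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    # 6. Store under a random server-generated name so nothing of the client name survives.
    return f"{secrets.token_hex(16)}.{ext}"


def check(filename: str, content: bytes) -> str:
    """Run validate_upload and report 'accepted' or the rejection reason."""
    try:
        validate_upload(filename, content)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name in ["cat.jpg", "shell.php.jpg", "Happy.php\x00.jpg", "x.php.", "x.php ",
                 "x.php:1.jpg", "x.php::$DATA", "a.phtml"]:
        print(repr(name), "->", check(name, JPEG_HEAD))
    print("cat.jpg with non-image bytes ->", check("cat.jpg", NOT_AN_IMAGE))
```

Filename validation is only the "input" half of the picture the article draws in section 1.3. A magic-byte check does not detect a script mixed into an otherwise valid image, so the "output" half still matters: re-encode images (the secondary rendering check from section 1.2) and store uploads outside the web root, or in a directory the web server will not execute scripts from, so that a file which slips through is never parsed as code.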