Security Sieger series of articles - explanation of common web vulnerabilities (2)

Posted by fierce at 2020-03-31

This team is producing a basic penetration-testing series whose articles will gradually become more difficult. The series is mainly written by Orion, a security researcher. Follow-up videos will also be recorded gradually, so that you have a better place to learn. Other researchers in the team are also preparing a series of articles and videos about PowerShell penetration; we hope you look forward to it.

Security Sieger series of articles - collection and explanation of sensitive information

Security Sieger series of articles - information collection and explanation with tools

Security Sieger series of articles - attack and defense of common web vulnerabilities

Security Sieger series of articles - explanation of common web vulnerabilities (middle)

Security Sieger series of articles - explanation of common web vulnerabilities (2)

Security Sieger series of articles - explanation of weak password mining on hosts

Security Sieger series of articles - explanation of the exploitation of host vulnerabilities

Security Sieger series of articles - intranet penetration

Security Sieger series of articles - building a basic vulnerability shooting range and penetration toolbox

Security Sieger series of articles - comprehensive penetration test

This series of articles and the next series will be released first on the official account.

If you want to become a qualified security siege engineer, do not hesitate to follow us. The videos can only be received through the official account.

This part is the last section of the web series. Originally, Orion wanted to end the web series with the previous section, but he also wanted to write one more piece for you, so this section concludes the common web vulnerabilities part. More common web vulnerabilities may appear in the following videos.

Content summary: common upload check types + Safedog bypass + practical analysis

Most websites and application systems have upload functions, such as user avatar upload, picture upload, document upload, etc. Some implementations of file upload do not strictly limit the suffix and type of the file uploaded by the user, which allows an attacker to upload arbitrary files into a directory that can be accessed through the web.

Let's explain the upload vulnerability through several cases.

1、 JS front-end verification

1. First of all, this is JS front-end verification

In short, the part marked in red verifies the file extension on the client side. You can see that only certain specific image formats are allowed to be uploaded.

Upload page

To determine how the verification works, we first upload a PHP file. We are prompted that only some suffix types may be uploaded, not PHP files. From the code we can preliminarily conclude that there may be front-end JS verifying the suffix of the uploaded file.

Use F12 to view the source code. You can find that the file suffix is verified by the checkfile() function. Then you only need to stop that JS from running to bypass it.

At upload time, you can find the call to the JS validation. What happens after we delete it? Let's try.

You can see that the upload is successful, and the PHP file appears in the upload directory.

Connect with the kitchen knife (China Chopper). The connection succeeds, which means the upload only verifies the suffix on the front end.

Similarly, front-end verification can also be bypassed by capturing the request and modifying it.

Change the suffix of the one-sentence Trojan to .jpg and capture the upload request.

Modify the suffix back to .php in the captured request, and you can see that the upload is successful.

Similarly, we can upload PHP files by modifying the JS code.

First, select the JS code, then click Edit and add the .php format to the allowed upload formats.

Click upload and find that the upload is successful.

2、 MIME header verification

First of all, a brief look at the upload-restriction code shows that the server side verifies the file's MIME header (Content-Type).

Method 1:

Checking the code, you can see that the MIME header is verified.

Uploading directly, you are told that the type is incorrect.

When uploading the PHP file, we can see that its MIME header is application/octet-stream. In the filter code, only image-format MIME headers are allowed, so we change the current MIME header to an image-format header.

Modified package

You can see that the upload is successful. We use the kitchen knife to connect.

Successful connection

3、 Server-side file extension verification

Looking at the code, you can see that the suffixes asp, php, aspx and jsp are checked. Only these four file types are checked and refused. Here are some bypass methods.

Method 1:

There may be a case bypass vulnerability - variants such as Php, pHp, PHP, etc. Let's try changing the suffix to mixed case, e.g. PhP.

The upload is successful.

Method two:

If Apache's httpd.conf contains a line like this:

AddHandler php5-script .php

then as long as the filename contains .php, even a filename such as 1.php.jpg will be executed as PHP.

Upload a file named 1.php.jpg and the upload is successful.

Successful connection

4、 File content checking

The getimagesize() function is used to check whether the file is a valid image; if not, an error is reported. We can bypass it with file header spoofing.

Since it is a content detection function, we upload a Trojan with image characteristics: write a one-sentence Trojan into an image and see whether it passes.

In 2.jpg you can see that although the file is in image format, it contains a one-sentence Trojan. The image still displays normally, and the file can also be connected with the kitchen knife.

When we upload the plain one-sentence Trojan renamed to .jpg, we find that the file is not allowed in this form, indicating that the file content is being detected.

Upload the image Trojan and find that the upload is successful.

Connecting to 2.php, the connection is successful.

Bypassing some older Safedog versions (Apache version v3.5.12048)

First of all, there are no restrictions on the upload location; only Safedog stands in the way. Let's see whether it can be bypassed.

Method 1:

Upload the .php file directly. You can see that it is intercepted.

Capture the upload request. Let's try whether %00 truncation succeeds.

Again, you can see that it is intercepted.

We modify Content-Disposition

Upload success

Method two:

Use the extract function to bypass Safedog, and also delete the Content-Type header in the HTTP request.
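Server-side checks that close the four upload cases above and the %00 truncation case, as an added Python example that is not the article's own code (the article's targets are PHP upload handlers): weak_check mirrors the blacklist and Content-Type filters the article defeats, strong_check ignores the client's name and header and decides from the bytes. The sample GIF bytes and all names are constructed for the demo.

```python
import re
import secrets

# Added example (not the article's code): server-side checks that close the four
# upload cases above and the %00 case. Names and the sample bytes are constructed.

ALLOWED = {"jpg", "jpeg", "png", "gif"}          # allowlist, never a blacklist
# Leading magic bytes and end-of-image trailer for each allowed format
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
TRAILER = {"jpg": b"\xff\xd9", "jpeg": b"\xff\xd9",
           "png": b"IEND\xaeB`\x82", "gif": b";"}
SAFE_NAME = re.compile(r"[a-z0-9_-]+\.([a-z0-9]+)")  # exactly one extension

def weak_check(filename: str, content_type: str) -> bool:
    """The checks the article bypasses: extension blacklist on the name as typed,
    plus trust in the client-chosen Content-Type header."""
    ext = filename.rsplit(".", 1)[-1]
    return ext not in {"asp", "php", "aspx", "jsp"} and content_type.startswith("image/")

def strong_check(filename: str, data: bytes):
    """Return (accepted, stored_name_or_reason). Content-Type is ignored on purpose."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "forbidden character in filename"      # %00 truncation, traversal
    name = filename.lower()                                   # pHp == php
    m = SAFE_NAME.fullmatch(name)
    if not m:
        return False, "need exactly one extension"             # rejects 1.php.jpg
    ext = m.group(1)
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"       # header check
    if not data.endswith(TRAILER[ext]):
        return False, "data after end of image"                # appended text
    # The server picks the stored name, so nothing the client typed reaches disk.
    # Still re-encode with an image library and serve uploads from a directory
    # where the script handler is off: a payload inside a JPEG comment segment
    # passes every check here, and Apache's "AddHandler php5-script .php"
    # matches 1.php.jpg, so anchor the handler with <FilesMatch "\.php$"> instead.
    return True, f"{secrets.token_hex(8)}.{ext}"

# Constructed 1x1 GIF; only its header and trailer matter for this demo
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
```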

0x04 security repair