Our team is producing a penetration testing basics series, with the articles gradually increasing in difficulty. The series is written by Orion, a security researcher on the team. Accompanying videos will also be recorded over time, to give you a better place to learn. Other researchers on the team are preparing a series of articles and videos on PowerShell-based penetration testing as well; we hope you will look forward to it.
Security Sieger series - collection and explanation of sensitive information
Security Sieger series - information gathering with tools
Security Sieger series - attack and defense of common web vulnerabilities
Security Sieger series - explanation of common web vulnerabilities (middle)
Security Sieger series - explanation of common web vulnerabilities (2)
Security Sieger series - mining weak passwords on hosts
Security Sieger series - exploitation of host vulnerabilities
Security Sieger series - intranet penetration
Security Sieger series - building a basic vulnerability range and a penetration toolbox
Security Sieger series - comprehensive penetration test
This series and the next one will be released first on our official account.
If you want to become a qualified Security Sieger, do not hesitate to follow us. The videos are available only through the official account.
This article is the last part of the web series. Orion originally planned to stop here, but also wanted to write one more piece for you, so this part concludes the common web vulnerabilities section. More common web vulnerabilities may be covered in the upcoming videos.
Content summary: common upload checks + SafeDog (安全狗) bypass + practical analysis
Most websites and application systems have upload functions, such as avatar upload, picture upload and document upload. Some upload implementations do not strictly restrict the suffix and type of the files users upload, which lets an attacker upload arbitrary files into a directory that is reachable through the web.
Let's walk through the upload vulnerability with several cases.
1. JS front-end verification
First, this is JS front-end verification.
In short, the highlighted (red) code performs the client-side check of the file extension: only certain specific image formats are allowed to be uploaded.
Upload page
To determine how the check is done, we first upload a PHP file. We are told that only certain suffixes are allowed and PHP files are not. From the code we can preliminarily conclude that front-end JS is checking the suffix of the uploaded file.
Press F12 to view the source. The file suffix is checked by the checkfile() function, so the check can be bypassed simply by not letting that JS run.
On the upload form we can find the call to the JS validation. What happens if we delete it? Let's try.
The upload succeeds, and the PHP file appears in the upload directory.
Connect with China Chopper (菜刀, the "kitchen knife" webshell client). The connection succeeds, which shows that the suffix is checked only on the front end.
Similarly, the front-end check can be bypassed by capturing and modifying the request.
Change the suffix of the one-line webshell (一句话木马) to .jpg and capture the upload request.
Modify the suffix back to .php, and the upload succeeds.
We can also upload PHP files by modifying the JS code.
Select the JS code, click Edit, and add the .php format to the list of allowed upload formats.
Click upload; the upload succeeds.
2. MIME header verification
Looking at the upload restriction code, we see that the server checks the file's MIME type (the Content-Type header).
Method 1:
The code shows that the MIME header is checked.
Uploading directly prompts that the type is incorrect.
When uploading the PHP file, the MIME header is application/octet-stream. The filter code only allows image MIME types, so we change the Content-Type to an image type.
Modified request
The upload succeeds. We connect with Chopper.
Connection successful.
3. Server-side extension verification
Looking at the code, the suffixes .asp, .php, .aspx and .jsp are checked; only these four extensions are rejected. Here are some bypass methods.
Method 1:
There may be a case-sensitivity bypass, with variants such as .Php, .pHp or .PHP. Let's try changing the suffix to .PHP.
The upload succeeds.
Method 2:
If Apache's httpd.conf contains a line such as
AddHandler php5-script .php
then any filename containing .php is executed as PHP, even 1.php.jpg, because AddHandler applies to every extension in the name rather than only the last one.
Upload 1.php.jpg; the upload succeeds.
Connection successful.
4. File content check
The getimagesize() function is used to check whether the file is a valid image; if not, an error is reported. This can be bypassed with file-header spoofing.
Since the check is based on content, we upload a webshell with image characteristics: write the one-line webshell into an image and see whether it passes.
In 2.jpg, although the file is in image format, it contains the one-line webshell. The image still displays normally, and the file can also be connected to with Chopper.
When we upload the one-line webshell as a plain .jpg, it is rejected, which shows that the file content is being checked.
Upload the image webshell (图片马) and the upload succeeds.
Connecting to 2.php succeeds.
Bypassing some older SafeDog versions (Apache edition, v3.5.12048)
First, the upload location itself has no restrictions; we rely on SafeDog alone to see whether it can be bypassed.
Method 1:
Upload the .php file directly: it is intercepted.
Capture the upload request and try whether %00 truncation works.
Again, it is intercepted.
We modify the Content-Disposition header.
Upload succeeds.
Method 2:
Use the extract() function to bypass SafeDog, and also delete the Content-Type header from the HTTP request.
0x04 Security fixes
- Disable execute permission on the directory where uploaded files are stored
- Use a whitelist of file suffixes, and watch out for 0x00 truncation attacks
- Ensure there is no local file inclusion vulnerability
- Patch web application code promptly
- Upgrade the web server
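The following is an added example, not code from the original article, showing how a server-side check that closes the holes from sections 1 to 4 and the fix list above fits together: NUL-byte rejection (0x00 truncation), case-insensitive whitelist on the last suffix only (.PHP, 1.php.jpg), Content-Type treated as a hint rather than proof, magic bytes checked against the claimed extension (what getimagesize roughly does), a defense-in-depth scan for script markers inside image data (the "picture horse"), and a random storage name so the client's name never reaches the filesystem. The whitelist, magic bytes and sample files are constructed for this example.

```python
import os
import secrets

# Constructed whitelist: extension -> accepted leading magic bytes.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}
# Heuristic only: the real fix is a non-executable upload directory.
SUSPICIOUS = (b"<?php", b"<?=", b"<script")


def check_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (True, safe_storage_name) or (False, reason)."""
    # 1. NUL bytes: "1.php%00.jpg" truncates to 1.php in C-based file APIs.
    if "\x00" in filename:
        return False, "NUL byte in filename"
    # 2. Only the last suffix counts, compared case-insensitively (.PHP == .php).
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED_MAGIC:
        return False, f"extension {ext!r} not in whitelist"
    # 3. Content-Type is attacker-controlled: a consistency check, not proof.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_MIME:
        return False, f"content type {mime!r} not allowed"
    # 4. File header must match the extension the client claims.
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, "file header does not match extension"
    # 5. A valid image carrying a webshell passes step 4; flag obvious markers.
    if any(marker in data for marker in SUSPICIOUS):
        return False, "script marker inside image data"
    # 6. Random name with a single whitelisted suffix, so "1.php.jpg" can never
    #    match an Apache "AddHandler ... .php" rule on disk.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    for name, ctype, body in [
        ("shell.PHP", "image/jpeg", jpeg),
        ("1.php\x00.jpg", "image/jpeg", jpeg),
        ("1.php.jpg", "image/jpeg", jpeg),
        ("2.jpg", "image/jpeg", jpeg + b"<?php echo 'marker'; ?>"),
    ]:
        print(name, "->", check_upload(name, ctype, body))
```

Storing the returned name under a directory with PHP execution disabled (the first item in the fix list) is what makes the check hold even when the heuristic in step 5 is missed.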