
[web security from getting started to giving up] 07_ Insecure file download and upload vulnerability

2022-01-15 02:18:29 AnQ_ xiao

07_ Insecure file download and upload vulnerability

【Web Security from getting started to giving up】01_ Brute-force vulnerabilities
【Web Security from getting started to giving up】02_ Cross-site scripting (XSS) vulnerabilities
【Web Security from getting started to giving up】03_ Cross-site request forgery (CSRF) vulnerabilities
【Web Security from getting started to giving up】04_ SQL injection vulnerabilities
【Web Security from getting started to giving up】05_ Remote command / code execution vulnerabilities
【Web Security from getting started to giving up】06_ File inclusion vulnerabilities

File download vulnerability overview

Many websites offer a file download feature: the user clicks a download link and receives the file that link points to.
If the download feature is designed carelessly, however, an attacker can construct a file path in the request and retrieve
other sensitive files from the server. (Also called: arbitrary file download.)

Example on the pikachu range:

Click a picture's name to download it, then look at the download link:

http://127.0.0.1/pikachu/vul/unsafedownload/execdownload.php?filename=ns.png

The file name is passed straight to the backend, which looks it up and serves it. If we change the file name, can we download other files? Let's try.

I create a 1.txt file in the root directory, then request it through the download link to see whether it can be retrieved:

http://127.0.0.1/pikachu/vul/unsafedownload/execdownload.php?filename=../../../../../../../1.txt

Entering the link brings up the download dialog, so the file outside the download directory can indeed be downloaded.

Backend source code (shown as screenshots in the original):

When a picture is selected, its file name is passed through an <a> link to the download address, and the backend downloads whatever file that name points to.

File download vulnerability - Preventive measures

1. Strictly filter and restrict the incoming file name;
2. Strictly restrict the directory from which files may be downloaded.
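The two measures side by side with the flaw they fix, as an added example written for this page (not pikachu's own code): a handler that concatenates the client-supplied name onto a path, and a hardened version that strips directory components, allowlists the extension, and confines the canonical path to the download directory. The scratch directory, the `ns.png` stand-in and the sibling `1.txt` are constructed so the script runs from the CLI.

```php
<?php
// Added example, not pikachu's code. Vulnerable resolver beside a hardened one.

// Vulnerable: "../1.txt" walks straight out of the download directory.
function vulnerable_resolve(string $downloadDir, string $filename): string
{
    return $downloadDir . '/' . $filename;
}

// Hardened: returns the real path of an allowed file inside $downloadDir,
// or null when the request must be refused.
function safe_resolve(string $downloadDir, string $filename): ?string
{
    // Measure 1: filter the name. basename() discards any directory part
    // ("../../1.txt" becomes "1.txt"), and the extension allowlist limits the
    // feature to the file types it exists to serve.
    $name = basename($filename);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;
    }

    // Measure 2: confine to the directory. realpath() resolves "..", symlinks
    // and returns false for missing files; the prefix test then guarantees the
    // result lies below $downloadDir. The trailing separator stops a sibling
    // such as "/srv/download_other" from matching "/srv/download".
    $root = realpath($downloadDir);
    $real = realpath($downloadDir . '/' . $name);
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Sends a resolved file. The attachment name is the sanitised basename with
// quotes and CR/LF removed so it cannot alter the header.
function send_file(string $realPath): void
{
    $name = str_replace(['"', "\r", "\n"], '', basename($realPath));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($realPath));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($realPath);
}

// --- demo on constructed files ---
$base = sys_get_temp_dir() . '/dl_demo_' . getmypid();
mkdir($base . '/download', 0700, true);
file_put_contents($base . '/download/ns.png', 'png bytes stand-in');
file_put_contents($base . '/1.txt', 'sensitive');            // outside download/

$evil = '../1.txt';
printf("vulnerable: %s => %s\n", $evil,
    file_get_contents(vulnerable_resolve($base . '/download', $evil))); // "sensitive"
var_dump(safe_resolve($base . '/download', $evil));    // NULL: refused
var_dump(safe_resolve($base . '/download', 'ns.png')); // string: path inside download/

// clean up the scratch files
unlink($base . '/download/ns.png');
unlink($base . '/1.txt');
rmdir($base . '/download');
rmdir($base);
```

In a request handler, `safe_resolve('download', $_GET['filename'])` is called first and `send_file()` only when it returns a path; a null result should be answered with a 404 or 400, not with an error message that echoes the requested name back.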

Insecure file upload vulnerability overview

Because business functions require it, many web sites expose a file upload interface, for example:
1. uploading an avatar picture on registration (jpg, png, gif, etc.);
2. uploading file attachments (doc, xls, etc.).
If the backend implements the upload function without considering security, or with flawed checks, an attacker can
bypass those checks by some means and upload malicious files (such as a one-line webshell, the "one-sentence Trojan"),
and then take control of the whole web backend by accessing the malicious file.

File upload vulnerability testing process

1. Upload a file that meets the stated requirements where the site allows uploads, and examine the response (stored path, messages, etc.);
2. Try uploading "malicious" files of other types, such as an xx.php file, and analyse the result;
3. Read the HTML source to see whether the upload restriction is implemented in front-end JS, and bypass it if so;
4. Try the different bypass techniques: blacklist/whitelist bypass, MIME type bypass, directory or 0x00 truncation bypass, etc.;
5. Guess the path of the uploaded Trojan, or obtain it through another vulnerability (such as sensitive information disclosure), and test the connection.

Insecure file upload: server-side validation

Server-side validation bypass (MIME)
Server-side validation bypass (getimagesize)

MIME introduction:

MIME (Multipurpose Internet Mail Extensions) is a labelling scheme for the type of a piece of content. It associates a
file format (usually recognised by extension on the client) with the application that should handle it: when such a file
is served, the browser reads the declared MIME type and opens the content with the matching handler. It is mostly used to
name client-side file formats and to tell the browser how to open media.
Every MIME type has two parts: the major category first, for example audio for sound or image for pictures, then a slash
and the specific subtype. Common MIME types:

  Hypertext Markup Language   .htm, .html     text/html
  Plain text                  .txt            text/plain
  RTF text                    .rtf            application/rtf
  GIF image                   .gif            image/gif
  JPEG image                  .jpeg, .jpg     image/jpeg

$_FILES introduction:

PHP's superglobal array $_FILES describes the files uploaded from a client computer to the server.
The first index is the form input's name; the second index is one of "name", "type", "size", "tmp_name" or "error".

Like this:
$_FILES["file"]["name"]      the original name of the uploaded file
$_FILES["file"]["type"]      the type of the uploaded file, as declared by the client in the request
$_FILES["file"]["size"]      the size of the uploaded file, in bytes
$_FILES["file"]["tmp_name"]  the name of the temporary copy stored on the server
$_FILES["file"]["error"]     the error code produced by the upload
Note that "name" and "type" are copied from the client's request; the server has verified neither of them.

MIME bypass:

First upload a picture normally and look at the returned result, then try uploading the one-line webshell.

The response says that only jpg, jpeg and png files may be uploaded. We intercept the upload request with a proxy and modify the MIME information to bypass the check.

Change the Content-Type of the file part to image/jpeg and forward the upload.

The file uploads successfully; connect to it with China Chopper or AntSword.

We are now in the backend page.

getimagesize() function:

getimagesize() returns the image dimensions and the image type. If the type it reports is used to decide whether an upload is a picture, there is a problem: can it be bypassed? Yes, because the image header can be forged, and the header is all getimagesize() inspects.

File upload combined with a file inclusion vulnerability

Making a picture Trojan (picture horse):
Method 1: forge the header directly, for example by prepending GIF89a
Method 2 (CMD): copy /b test.png + muma.php ccc.png
Method 3: use GIMP (an open-source image editor) and write the code to execute into the image's comment field

How to make a picture horse:

Open a command window, change to the directory holding the files, then run:
copy webshell.jpg /b + backdoor.php /a backdoor.jpg

webshell.jpg is an ordinary jpg file
backdoor.php is the one-line webshell
backdoor.jpg is the generated picture horse

Because the picture horse keeps an image extension, the web server does not execute it on its own; it is executed by including it through a file inclusion vulnerability (see 06), which is why this combination is tested in step 5 of the testing process.
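Why the MIME check and the getimagesize check from the sections above both pass a picture horse, as an added example written for this page (not pikachu's code): the `$_FILES` entry is constructed by hand to look like the request after it was edited in the proxy, and the picture horse is built in PHP rather than with `copy /b`, keeping only the GIF signature bytes that getimagesize() reads. The two checks are my condensed versions of what those levels do, not pikachu's source.

```php
<?php
// Added example, not pikachu's code: two weak server-side checks and the
// forged upload that defeats both. Runs from the CLI; nothing is served.

// Picture horse: GIF header + PHP, the same idea as
//   copy webshell.jpg /b + backdoor.php /a backdoor.jpg
// getimagesize() only reads the signature and the 1x1 logical screen below.
function make_picture_horse(string $path): void
{
    $gifHeader = "GIF89a" . "\x01\x00\x01\x00\x80\x00\x00";
    $payload   = "<?php echo 'backdoor'; ?>";   // stands in for a one-line webshell
    file_put_contents($path, $gifHeader . $payload);
}

// Check 1 (the MIME level): trusts the Content-Type the client sent.
function check_mime(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Check 2 (the getimagesize level): trusts the image header.
function check_getimagesize(array $file): bool
{
    $info = @getimagesize($file['tmp_name']);
    return $info !== false
        && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
}

$tmp = tempnam(sys_get_temp_dir(), 'up');
make_picture_horse($tmp);

// Constructed $_FILES['uploadfile'] as the server sees it after the proxy edit:
// the name keeps .php and Content-Type was rewritten to image/jpeg.
$upload = [
    'name'     => 'shell.php',
    'type'     => 'image/jpeg',   // forged in the proxy, never verified by the server
    'tmp_name' => $tmp,
    'size'     => filesize($tmp),
    'error'    => UPLOAD_ERR_OK,
];

var_dump(check_mime($upload));                                   // bool(true)
var_dump(check_getimagesize($upload));                           // bool(true)
var_dump(strpos(file_get_contents($tmp), '<?php') !== false);    // bool(true): payload intact

// If the handler then stores the file under its original name, shell.php is
// executed on the next request and a connection tool is pointed at it. If the
// handler forces an image extension instead, the same bytes still run when a
// file inclusion vulnerability includes them.
unlink($tmp);
```

Both checks answer a question the attacker controls: `$_FILES['type']` is copied from the request, and the first bytes of the file are whatever was written there. Neither says anything about the rest of the content or about the name the file will be stored under.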

Insecure file upload vulnerability - Preventive measures

Do not implement the upload restriction policy in front-end JS;
restrict uploads on the server side:
1. Perform a combined multi-condition check: file size, path, extension, file type, file integrity;
2. Rename the uploaded file when storing it on the server (use a sensible naming rule);
3. Apply permission controls to the upload directory on the server (for example read-only, no execute) so that execution is denied and the damage is limited.
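An upload handler that applies the three measures, as an added example written for this page (not pikachu's code). The incoming file is constructed inline so the script runs from the CLI: a genuine 43-byte 1x1 GIF with a PHP payload appended, submitted under three different names. In a real handler the array would be `$_FILES['uploadfile']`, the destination would be a directory outside the web root (or one where the server never executes PHP), and the final `copy()` would be `move_uploaded_file()`. The integrity step uses GD when it is installed; that is an assumption about the host, and the handler still renames and relocates the file without it.

```php
<?php
// Added example, not pikachu's code: size, extension, content type, rename,
// and re-encode, applied to a constructed upload.

const MAX_BYTES = 2 * 1024 * 1024;

// Content type detected from the bytes => extension the stored file gets.
// The client's file name never chooses the stored extension.
const TYPE_TO_EXT = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns [ok, message, storedName]. $destDir is assumed to be outside the web
// root or configured so that nothing in it is executed.
function store_upload(array $file, string $destDir): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'transfer error', null];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'too large', null];
    }

    // 1a. Extension allowlist on the client-supplied name (jpeg normalised to jpg).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, TYPE_TO_EXT, true)) {
        return [false, "extension .$ext not allowed", null];
    }

    // 1b. Content sniffed with libmagic, not $_FILES['type'], and it must agree
    //     with the extension. This rejects PHP source named .jpg and image bytes
    //     named .php, but NOT a GIF with PHP appended: its signature is genuine.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(TYPE_TO_EXT[$mime]) || TYPE_TO_EXT[$mime] !== $ext) {
        return [false, "content is $mime, not .$ext", null];
    }

    // 2. Random stored name; the extension comes from the detected type.
    $stored = bin2hex(random_bytes(16)) . '.' . TYPE_TO_EXT[$mime];
    $dest   = rtrim($destDir, '/') . '/' . $stored;

    // 1c. Integrity: with GD, decode and re-encode, which discards everything
    //     after the image data (the appended webshell). Without GD the bytes
    //     are kept; the rename and the non-executable directory still apply.
    if (extension_loaded('gd')) {
        $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
        if ($img === false) {
            return [false, 'not a decodable image', null];
        }
        $writer = ['jpg' => 'imagejpeg', 'png' => 'imagepng', 'gif' => 'imagegif'][$ext];
        $writer($img, $dest);
    } else {
        copy($file['tmp_name'], $dest);   // real handler: move_uploaded_file()
    }
    return [true, 'stored', $stored];
}

// --- demo with constructed inputs ---
$dir = sys_get_temp_dir() . '/up_demo_' . getmypid();
mkdir($dir, 0700, true);

$gif   = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='); // valid 1x1 GIF
$horse = $gif . "<?php echo 'backdoor'; ?>";   // picture horse, as copy /b would produce
$tmp   = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $horse);

$base = ['tmp_name' => $tmp, 'size' => strlen($horse), 'error' => UPLOAD_ERR_OK, 'type' => 'image/jpeg'];

foreach (['shell.php', 'avatar.jpg', 'avatar.gif'] as $name) {
    [$ok, $msg, $stored] = store_upload(['name' => $name] + $base, $dir);
    printf("%-11s -> %s (%s)\n", $name, $ok ? 'accepted' : 'rejected', $msg);
    if ($ok && extension_loaded('gd')) {
        // the stored copy no longer contains the payload
        var_dump(strpos(file_get_contents("$dir/$stored"), '<?php') === false);
    }
}
unlink($tmp);
```

Expected behaviour: `shell.php` is rejected by the extension allowlist, `avatar.jpg` is rejected because libmagic reports `image/gif`, and `avatar.gif` is accepted but lands under a random name; with GD present, the stored copy no longer contains `<?php`. The forged `type` field is never consulted. The remaining risk is the one the picture-horse section describes, a file inclusion vulnerability elsewhere in the application, which is why the stored copy should also sit where PHP is not executed.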

Copyright notice
This article was written by [AnQ_ xiao]; when reposting, please include the link to the original. Thank you.
https://chowdera.com/2021/12/202112122241391801.html
