[web security from getting started to giving up] 07_ Insecure file download and upload vulnerability
2022-01-15 02:18:29 【AnQ_ xiao】
【Web Security from getting started to giving up】01_ Brute-force vulnerability
【Web Security from getting started to giving up】02_ Cross-site scripting (XSS) vulnerability
【Web Security from getting started to giving up】03_ Cross-site request forgery (CSRF) vulnerability
【Web Security from getting started to giving up】04_ SQL injection vulnerability
【Web Security from getting started to giving up】05_ Remote command / code execution vulnerability
【Web Security from getting started to giving up】06_ File inclusion vulnerability
Many websites provide a file download function: the user clicks a download link and receives the file that the link points to.
However, if the download function is not designed properly, an attacker can construct a file path and obtain other sensitive files on the server (also called: arbitrary file download).
Click the name to download the picture, then look at the download link.
It passes the file name straight to the backend, which looks the file up and sends it back. If we change the file name, can we download other files? Let's try.
I create a new 1.txt file in the web root, then request it through the download link to see whether it works.
Entering the link jumps to the download dialog, so it can indeed be downloaded.
Backend source code:
When we select a picture, the <a> tag passes the file name to the download address, which then performs the download.
Defence:
1. Strictly filter and validate the incoming file name;
2. Strictly restrict the directory from which files may be downloaded.
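The two defences above, as an added example in PHP (this is not Pikachu's code and not from the original post): the handler accepts only a bare file name with a whitelisted extension, resolves it with realpath(), and confirms the result still lies inside the download directory. The directory path DOWNLOAD_DIR and the query parameter name "filename" are assumptions.

```php
<?php
// Added example, not the page's own code: hardened "download by file name" handler.
// Assumes all downloadable files live in DOWNLOAD_DIR (hypothetical path) and
// nothing outside it may ever be served.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/download';            // assumed storage directory
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];    // extension whitelist

function resolve_download(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // 1. Only a bare file name is accepted: "../x" or "dir/x" is rejected outright.
    $name = basename($requested);
    if ($name === '' || $name !== $requested) {
        return null;
    }
    // 2. Conservative character set plus whitelisted extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        return null;
    }
    // 3. Resolve both paths and confirm the file really sits inside $baseDir
    //    (this also catches symlinks that point out of the directory).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_download($_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this handler the request for 1.txt from the walkthrough fails at the extension check, and any name containing a path separator fails at step 1 before the file system is touched. Serving by an opaque id looked up in a database, rather than by file name, removes the user-controlled path entirely and is the stronger design where the application allows it.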
Because the business requires it, many web sites have a file upload interface, for example:
1. Uploading an avatar picture at registration (jpg, png, gif, etc.);
2. Uploading file attachments (doc, xls, etc.).
If the upload function was developed without security in mind, or with defective checks, an attacker can bypass the checks by various means and upload malicious files (for example a one-line PHP webshell, the so-called "one-sentence Trojan"),
then take control of the whole web backend by accessing the malicious file.
Testing process:
1. Upload a file as intended where uploads are allowed and look at the returned result (path, prompts, etc.);
2. Try uploading "malicious" files of different types, such as an xx.php file, and analyse the result;
3. Inspect the HTML source to see whether the upload restriction is enforced only by front-end JS, which can be bypassed;
4. Try different bypass techniques: blacklist / whitelist bypass, MIME type bypass, path 0x00 truncation, etc.;
5. Guess the path of the uploaded file, or combine with other vulnerabilities (such as sensitive information disclosure) to obtain it, then test the connection.
Server-side verification bypass for file upload (MIME)
Server-side verification bypass for file upload (getimagesize)
MIME (Multipurpose Internet Mail Extensions) is a way of associating a file with a given extension to the application that opens it: when a file with that extension is accessed, the browser automatically opens it with the specified application. It is mostly used to specify custom client-side file types and how media files are opened.
Every MIME type consists of two parts: the major category of data comes first (for example audio for sound, image for pictures) and the specific type follows. Common MIME types include:

| File type                  | Extension      | MIME type        |
|----------------------------|----------------|------------------|
| Hypertext markup language  | .htm, .html    | text/html        |
| Plain text                 | .txt           | text/plain       |
| RTF text                   | .rtf           | application/rtf  |
| GIF graphics               | .gif           | image/gif        |
| JPEG graphics              | .jpeg, .jpg    | image/jpeg       |
Using the PHP global array $_FILES, you can upload files from a client computer to a remote server.
The first index is the form's input name, and the second index can be "name", "type", "size", "tmp_name" or "error", like this:
$_FILES["file"]["name"] - the name of the uploaded file
$_FILES["file"]["type"] - the type of the uploaded file (as reported by the client)
$_FILES["file"]["size"] - the size of the uploaded file, in bytes
$_FILES["file"]["tmp_name"] - the name of the temporary copy of the file stored on the server
$_FILES["file"]["error"] - the error code resulting from the file upload
MIME bypass:
First upload a picture normally and look at the returned result, then try uploading the one-line webshell.
The returned result says that only jpg, jpeg and png files can be uploaded. We capture the request and modify the MIME information to bypass the validation.
Modify the Content-Type here to image/jpeg and upload.
The file is uploaded successfully; connect to the backend with Caidao ("China Chopper") or AntSword.
You can see that we have entered the backend page.
getimagesize() returns the image dimensions and the file type. If this function is used to obtain the type and decide whether the upload is a picture, there will be problems.
Can it be bypassed? Yes, because the picture header can be forged.
Making a picture Trojan:
Method 1: forge the header directly, e.g. prefix the file with GIF89a.
  CMD: copy /b test.png + muma.php ccc.png
Method 2: use GIMP (open-source image editing software) and write the code into the image's comment field.
Open a command window:
switch to the corresponding path, then enter the command
copy webshell.jpg /b + backdoor.php /a backdoor.jpg
webshell.jpg is just a plain jpg file;
backdoor.php is the one-liner;
backdoor.jpg is the generated picture Trojan.
Defence:
Do not rely on front-end JS to enforce the upload restriction policy.
Restrict uploaded files on the server:
1. Perform a multi-condition combined check: for example file size, path, extension, file type, file integrity;
2. Rename the uploaded file when storing it on the server (use a sensible naming rule);
3. Apply permission control to the upload directory on the server (e.g. read-only) and restrict execution permission to limit the damage.
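The defences just listed, and the reason the MIME and getimagesize checks alone are bypassed, as an added PHP example that is not Pikachu's code and not from the original post. It ignores the client-supplied $_FILES["file"]["type"], checks the extension against a whitelist, inspects the content with finfo and getimagesize(), stores the file under a random name, and leaves it non-executable. UPLOAD_DIR (assumed to sit outside the web root), MAX_BYTES and the form field name "file" are assumptions.

```php
<?php
// Added example, not the page's own code: server-side upload validation that
// combines several checks instead of trusting any single one.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads_private';   // assumed: not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;                    // assumed 2 MiB limit
const ALLOWED    = [                                   // extension => expected real MIME type
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns [true, extension] on success or [false, reason] on rejection.
function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error code ' . (string) ($file['error'] ?? UPLOAD_ERR_NO_FILE)];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Extension whitelist on the last extension only: "x.jpg.php" ends in php and is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }
    // $_FILES[...]["type"] is sent by the client and is exactly what the MIME bypass
    // above modifies, so it is never consulted; the file content is inspected instead.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return [false, "content is $detected, not " . ALLOWED[$ext]];
    }
    // getimagesize() only reads the header, which a picture Trojan forges, so it is
    // one more signal here and never the only check.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return [false, 'not a valid image'];
    }
    return [true, $ext];
}

// Stores a validated upload and returns the server-chosen file name.
function store_upload(array $file): string
{
    [$ok, $detail] = validate_upload($file);
    if (!$ok) {
        throw new RuntimeException('rejected: ' . $detail);
    }
    // Random server-side name: the uploader never controls the stored name or path.
    $stored = bin2hex(random_bytes(16)) . '.' . $detail;
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                                // readable by the app, never executable
    return $stored;
}

// Usage (form field name "file"):
// $stored = store_upload($_FILES['file']);
```

Note what each layer does and does not buy. A file built with copy /b as described above still passes finfo and getimagesize(), because its first bytes are a genuine image header; what stops it from running is the extension whitelist (it cannot be stored as .php), the random rename (the uploader cannot predict the path) and the non-executable, non-web-served directory. Re-encoding the image with GD or Imagick before storage is a further step that discards a payload hidden in a GIF comment or after the image data.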