4.8. File Upload
4.8.1. File Type Detection Bypass
4.8.1.1. Change Request Bypass
Some sites only detect file types on the front end; this kind of detection can be bypassed by directly modifying the network request.
Similarly, some sites only check information in the HTTP headers on the back end, such as Content-Type. This check can also be bypassed by modifying the network request.
4.8.1.2. Magic Detection Bypass
Some sites use file headers (magic bytes) to detect file types; this can be bypassed by prepending the corresponding bytes to the shell. The header bytes of several common file types are shown in the following table:

| Type | Header bytes (hex) |
|---|---|
| JPG | FF D8 FF E0 00 10 4A 46 49 46 |
| GIF | 47 49 46 38 39 61 |
| PNG | 89 50 4E 47 |
| TIF | 49 49 2A 00 |
| BMP | 42 4D |
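A prepended header only defeats a check that compares the leading bytes; a check that walks the whole file structure is not fooled. The following is an added Python example, not code from the original page, for the PNG case: `naive_is_png` is the weak check, `strict_is_png` verifies signature, chunk order, every chunk CRC and that nothing follows IEND. The sample files (`minimal_png`, `POLYGLOT`) are constructed here.

```python
import struct
import zlib

# Full 8-byte PNG signature; the table above lists its first four bytes (89 50 4E 47)
PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")


def naive_is_png(data: bytes) -> bool:
    """The weak check many upload handlers use: compare the leading bytes only."""
    return data[:4] == bytes.fromhex("89504E47")


def strict_is_png(data: bytes) -> bool:
    """Walk the chunk structure: signature, IHDR first, CRC of every chunk,
    IEND last with no trailing data. A header-only polyglot fails here."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length
        if chunk_end + 4 > len(data):          # length field points past the file
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        body = data[pos + 8:chunk_end]
        (crc,) = struct.unpack(">I", data[chunk_end:chunk_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False                       # chunk was tampered with or is not a chunk at all
        pos = chunk_end + 4
        if ctype == b"IEND":
            return pos == len(data)            # a payload appended after IEND is rejected
    return False                               # ran out of data before IEND


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one gray pixel
    return PNG_MAGIC + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


# Constructed sample: the bypass from the text, magic bytes in front of a script body
POLYGLOT = bytes.fromhex("89504E47") + b"<?php /* constructed script body */ ?>"

if __name__ == "__main__":
    print("naive accepts polyglot:", naive_is_png(POLYGLOT))      # True
    print("strict accepts polyglot:", strict_is_png(POLYGLOT))    # False
    print("strict accepts real png:", strict_is_png(minimal_png()))  # True
```

The same structural idea (parse to the end, verify internal checksums or segment markers, reject trailing data) applies to the other formats in the table; image decoding libraries do this for you, but decoding should then happen on a copy that is not reachable through the web server.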
4.8.1.3. Suffix Bypass
Some services determine the file type only from the suffix, the upload metadata, or the magic header, each of which can be bypassed.
For historical reasons, some interpreters also handle suffixes matching a regular expression like /ph(p[2-7]?|t(ml)?)/, such as php / php5 / pht / phtml / shtml / pwml / phtm, etc. These can be tried when uploading php files is prohibited.
The JSP engine may parse suffixes such as jspx / jspf / jspa / jsw / jsv / jtml, and ASP supports suffixes such as asa / asax / cer / cdx / aspx / ascx / ashx / asmx / asp{80-90}, etc.
Besides these bypasses, other suffixes may also cause problems, such as vbs / asis / sh / reg / cgi / exe / dll / com / bat / pl / cfc / cfm / ini, etc.
4.8.1.4. System Naming Bypass
On Windows systems, an uploaded index.php. is renamed to index.php (the trailing dot is stripped), which can bypass the suffix check.
Also try index.php%20, index.php:1.jpg, index.php::$DATA, etc.
On Linux systems, you can try uploading files named like index.php/. or ./aa/../index.php/.
4.8.1.5. .user.ini
When PHP runs, in addition to php.ini it also scans for INI files in each directory, starting from the directory of the PHP file being executed and walking up to the web root (specified by $_SERVER['DOCUMENT_ROOT']). If the PHP file being executed is outside the web root, only that directory is scanned. Every option except those of mode PHP_INI_SYSTEM can be set in .user.ini, so a .user.ini together with a file that has a non-php suffix can be used to construct a shell, e.g. auto_prepend_file=01.gif.
4.8.1.6. WAF Bypass
For performance reasons, some WAFs only inspect part of the request body while processing an upload. In that case the inspection can be bypassed by padding the request with a large amount of junk data.
In addition, the WAF and the web server may handle the multipart boundary inconsistently; a malformed boundary can then be used to complete the bypass.
4.8.1.7. Race Condition Upload Bypass
Some servers save the uploaded file first and delete it afterwards if it is found to be illegal. Against such a server, repeatedly uploading a file that generates a web shell while trying to access it will eventually succeed, yielding the shell after enough attempts.
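The save-then-delete pattern is what opens the race window; the fix is never to place the file where the web server can reach it until validation has passed. The following is an added Python example, not code from the original page: uploads are written to a quarantine directory (assumed to be outside the web root), validated there, and only then linked into the served directory under a name the server chose. `png_signature_present` is a deliberately minimal stand-in for a full content check; the directory paths are supplied by the caller, and `demo` runs the flow in throwaway directories with constructed inputs.

```python
import io
import os
import tempfile
from typing import BinaryIO, Callable, Optional

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")


def png_signature_present(path: str) -> bool:
    """Stand-in validator that only checks the signature; a real deployment parses
    the whole file. What this example shows is *where* the check runs, not its depth."""
    with open(path, "rb") as fh:
        return fh.read(8) == PNG_SIGNATURE


def store_upload(stream: BinaryIO, quarantine_dir: str, upload_dir: str,
                 final_name: str, validate: Callable[[str], bool],
                 size_limit: int = 5 * 1024 * 1024) -> Optional[str]:
    """Write to quarantine_dir (assumed not served by the web server), validate
    there, then publish into upload_dir with a single link() call.

    The file never exists under upload_dir until validation has passed, so there
    is no moment at which a request could reach an unvalidated file.
    Returns the published path, or None if the upload was rejected.
    Assumes quarantine_dir and upload_dir are on the same filesystem."""
    fd, tmp_path = tempfile.mkstemp(dir=quarantine_dir)   # created with O_EXCL, mode 0600
    try:
        with os.fdopen(fd, "wb") as tmp:
            written = 0
            while True:
                chunk = stream.read(64 * 1024)
                if not chunk:
                    break
                written += len(chunk)
                if written > size_limit:
                    return None                             # oversize: removed in finally
                tmp.write(chunk)
        if not validate(tmp_path):
            return None                                     # rejected while still invisible
        dest = os.path.join(upload_dir, final_name)
        try:
            os.link(tmp_path, dest)   # refuses to overwrite an existing name instead of racing
        except FileExistsError:
            return None
        return dest
    finally:
        os.unlink(tmp_path)           # quarantine copy always goes away; the link keeps dest


def demo() -> dict:
    """Constructed run in temporary directories; returns what happened in each case."""
    quarantine, uploads = tempfile.mkdtemp(), tempfile.mkdtemp()
    good = io.BytesIO(PNG_SIGNATURE + b"\x00" * 16)                  # constructed: passes the check
    bad = io.BytesIO(b"<?php /* constructed non-image body */ ?>")    # constructed: fails the check
    results = {
        "good_stored": store_upload(good, quarantine, uploads, "a.png", png_signature_present) is not None,
        "bad_rejected": store_upload(bad, quarantine, uploads, "b.png", png_signature_present) is None,
        "oversize_rejected": store_upload(io.BytesIO(b"x" * 100), quarantine, uploads, "c.png",
                                          lambda p: True, size_limit=10) is None,
        "collision_refused": store_upload(io.BytesIO(PNG_SIGNATURE), quarantine, uploads, "a.png",
                                          png_signature_present) is None,
    }
    results["quarantine_empty"] = os.listdir(quarantine) == []
    results["published"] = sorted(os.listdir(uploads))      # only a.png
    return results


if __name__ == "__main__":
    print(demo())
```

Two things matter for the race: the quarantine directory must not be served, and the served directory must not be script-executable (the protection point in 4.8.3), so that even a file that slips through validation is delivered as static content.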
4.8.2. Attack Techniques
4.8.2.1. Apache Override GetShell
Depending on whether Apache honours per-directory overrides (AllowOverride), uploading an .htaccess file can be considered.
Its content is:
    AddType application/x-httpd-php .png
    php_flag engine 1
Files with a .png suffix (or whatever suffix the directive names) are then executed as PHP scripts.
4.8.2.2. Symbolic Link Arbitrary File Read
When uploaded archives are decompressed on the server, consider uploading an archive that contains symbolic links. If the server does not guard against this, arbitrary files can be read through the links.
4.8.3. Protection Techniques
Use a whitelist to restrict the types of uploaded files.
Use stricter file type checking.
Restrict the web server's parsing of the upload directory.
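The whitelist check above only holds if the name is normalized first, otherwise the tricks from 4.8.1.3 and 4.8.1.4 (alternative interpreter suffixes, trailing dots and spaces, NTFS stream syntax, `/.` suffixes, path components) slip past it. The following is an added Python example, not code from the original page: `normalize_name` undoes those renamings, `allowed_extension` applies a whitelist, refuses any interpreter suffix anywhere in the name (so `shell.php.png` is rejected, not just `shell.php`), and blocks `.htaccess` and `.user.ini`. The whitelist contents and the exact suffix list are assumptions to adapt per application.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"png", "jpg", "gif"}        # assumed whitelist; extend per application
BLOCKED_BASENAMES = {".htaccess", ".user.ini"}    # interpreted by Apache / PHP regardless of suffix
# Interpreter suffixes from 4.8.1.3; a stored name must not contain any of them anywhere
SCRIPT_SUFFIX = re.compile(
    r"\.(ph(p[2-7]?|t(ml)?)|shtml|pwml|phtm|jspx?|jspf|jspa|jsw|jsv|jtml"
    r"|asp|asa|asax|cer|cdx|aspx|ascx|ashx|asmx)(\.|$)",
    re.IGNORECASE,
)


def normalize_name(raw: str) -> str:
    """Undo the renaming tricks from 4.8.1.4 before the suffix is examined."""
    name = unquote(raw)                  # index.php%20 -> "index.php "
    name = name.replace("\\", "/")
    name = name.split(":")[0]            # NTFS stream syntax: index.php::$DATA, index.php:1.jpg
    name = name.rstrip("/.")             # Linux index.php/. and Windows trailing dots
    name = os.path.basename(name)        # ./aa/../index.php -> index.php
    return name.rstrip(" .")             # Windows also strips trailing spaces and dots


def allowed_extension(raw: str) -> Optional[str]:
    """Return the whitelisted extension of an upload name, or None if it must be rejected.
    The caller should store the file under a server-generated name with this extension,
    never under the client-supplied name."""
    name = normalize_name(raw)
    if not name or name.startswith(".") or name.lower() in BLOCKED_BASENAMES:
        return None
    if SCRIPT_SUFFIX.search(name):       # rejects shell.php.png as well as shell.php
        return None
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


if __name__ == "__main__":
    # constructed names covering the cases discussed in the text
    for candidate in ["photo.jpg", "index.php.", "index.php%20", "index.php:1.jpg",
                      "index.php::$DATA", "index.php/.", "./aa/../index.php/.",
                      "shell.php.png", "x.phtml", ".htaccess", ".user.ini"]:
        print(f"{candidate!r:28} -> {allowed_extension(candidate)}")
```

Whitelisting the last extension alone is not enough on servers that map any of the listed suffixes to an interpreter, which is why the check scans the whole normalized name; pairing it with a content check and with a non-executable upload directory gives the three protections listed above.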