File Upload Vulnerability

File Upload Vulnerabilities and Their Harm

A file upload vulnerability refers to a network attacker uploading an executable file to the server and getting it executed. The uploaded file can be a Trojan horse, virus, malicious script, WebShell, etc.

It arises when the programmer exercises insufficient control over the user file upload function, or handles uploads defectively, so that a user can exceed their own authority and upload executable dynamic script files to the server.

For example, if you use a Windows server with ASP as the dynamic website environment on the server side, then the upload function of your website must not allow users to upload asp type files. Otherwise a user can upload a webshell, and the files on your server can be arbitrarily changed by them. Therefore, the harm caused by file upload vulnerabilities is often devastating. Apache, Tomcat, Nginx, etc. have all exposed file upload vulnerabilities.

For example, we upload a PHP file to the backend. The content of the file is very simple, just one line of code that uses the eval function to execute the value of the hacker field in the request parameters.

Suppose we upload this file to the server and it is stored at http://localhost/images/shell.php

Then we run the following from the command line:

curl -d "hacker=echo get_current_user();" http://localhost/images/shell.php

At this point, it echoes the current user of the server.

Of course, other PHP built-in system functions can be used in the same way to gather information about the entire backend server.

File upload vulnerability basics: suffix name bypass

Suffix name detection

An important part of the reason why the example we mentioned at the beginning can be executed successfully is that the file’s suffix name is php, so the server will use the php parser to execute the executable code when parsing the entire file.

If this file is just an ordinary txt file, even if there is malicious code in it, our server will just treat it as an ordinary string.

Therefore, based on this premise, if we can perform a detection on the suffix name of the uploaded file, we can avoid such vulnerabilities by intercepting file suffixes like php.

How to bypass detection

Taking php as an example, if our suffix detection only blocks '*.php', then a file with a php3 suffix can still be uploaded successfully, yet a server like Apache2 will parse files with the php, php3, php4 and php5 suffixes all as php files.

File upload vulnerability intermediate

Server Affinity Vulnerability

IIS5.x

  • When a directory is created with a name ending in .asp, any files in this directory will be parsed as asp files.
  • The server does not parse content after “;” by default.

Based on these two points, there are two forms of exploitation

Nginx parsing vulnerability

A file parsing vulnerability caused by PHP-CGI exists in older versions of Nginx.

A key option in the PHP configuration, cgi.fix_pathinfo, is set in the local php.ini configuration file and is enabled by default.

When the URL refers to a file that does not exist, PHP by default falls back to the preceding path component and parses that instead.

Based on this, we can:

  • Access: www.xx.com/phpinfo.jpg/1.php (actually this 1.php does not exist)
  • The phpinfo.jpg file will be parsed, but it will be parsed using the php parser.

Apache parsing vulnerability

A parsing vulnerability exists in Apache versions 1.x and 2.x

Apache evaluates suffixes from right to left, skipping unrecognized suffixes until it finds the first one it recognizes, and then parses the file according to that recognized suffix.

Based on this, we can:

  • Upload shell.php.test
  • Visit shell.php.test, the server will parse the shell.php.test file, but parse it according to the php file format.

Front-end validation bypass

Many websites only use JavaScript for verification on the front end.

This check can be bypassed in two ways:

  • Modify the request content by means of packet capture.
  • Disable or remove the JavaScript code in Chrome.

.htaccess bypass

The .htaccess file (distributed configuration file) provides a way to change configuration on a per-folder basis: the folder it is placed in and its subfolders are affected, and its syntax is the same as that of the main Apache configuration file.

If the server has .htaccess enabled, we can upload a .htaccess file to modify the server configuration of this folder:

  • Upload a .htaccess file with the file content set to 'AddType application/x-httpd-php .test'
  • Upload a one-sentence Trojan horse file with the file name set to shell.test.
  • Accessing shell.test will actually execute it as a php file.

Case bypass

Against blacklist detection, we can change the case of the suffix name to bypass it.

For example, if we want to upload a PHP file, we can upload it with a pHp suffix.

But the question is, why does this work? Is PHP really the same as pHp? If they are different, why can pHp be executed?

Windows systems are case-insensitive to suffix names.

Linux systems are case-sensitive, but because this can be inconvenient for users, some developers manually modify the configuration of their app to make it case-insensitive.

File Upload Vulnerability Advanced

Windows File Stream Feature Bypass

The file system of Windows is NTFS, which supports multiple file streams per file.

In an NTFS environment, a file uses the unnamed file stream by default, but we can also create other named file streams. Windows Explorer does not display a file's named file streams by default, yet these named file streams function the same as the default unnamed file stream.

We can try the following three commands on the Windows platform:

rem Write data 111 to the named file stream 1.txt of test.txt.
echo 111 > test.txt:1.txt
rem Write data 222 to test.txt.
echo 222 > test.txt
rem Write data to the default file stream of test.txt.
echo test > test.txt::$DATA

With the first command, we create a test.txt file, but when we open the file we find nothing in it. If we then open the file stream with 'notepad test.txt:1.txt', we can see '111'.

The second and third commands have the same effect and write content to the file itself.

Based on the above, we can see that NTFS file streams allow one file to carry multiple file streams. The graphical interface normally uses the default unnamed file stream, but a named file stream created through the command line really does exist and is attached to the file. This attachment can ignore the suffix, which means that you can attach a php stream to a txt file, such as:

echo Malware > test.txt:shell.php

This command attaches malicious code to an ordinary txt file, which helps bypass type detection.
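The suffix checks discussed so far (a blocklist bypassed with php3, case changes, multi-suffix names, an uploaded .htaccess, and NTFS stream names) can be contrasted with an allowlist that never reuses the client's file name. This is an added Python example, not code from the original article; the allowlist contents, function names and sample names are assumptions made for illustration.

```python
import secrets
from typing import Optional

# Assumption: the application accepts images only; the allowlist is illustrative.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_blocklist_check(filename: str) -> bool:
    """Weak check from the text: reject only names whose last suffix is exactly 'php'."""
    return filename.rsplit(".", 1)[-1] != "php"


def safe_stored_name(filename: str) -> Optional[str]:
    """Return a server-generated storage name for an acceptable upload, else None."""
    # Drop any client-supplied directory part (both separator styles).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # ':' selects an NTFS named stream and ';' cuts parsing short on IIS 5.x;
    # control characters (including NUL) never belong in a file name.
    if any(c in ":;" or ord(c) < 32 for c in base):
        return None
    # Windows drops trailing dots and spaces, which changes the effective suffix.
    if base != base.rstrip(". "):
        return None
    parts = base.lower().split(".")  # lower(): 'pHp' and 'php' are the same suffix
    # Exactly one dot: rejects dotfiles (.htaccess), suffix-less names and
    # multi-suffix names such as shell.php.test. Strict by design.
    if len(parts) != 2 or not parts[0]:
        return None
    if parts[1] not in ALLOWED_EXTENSIONS:
        return None
    # Never reuse the client's name on disk: random stem plus the validated suffix.
    return f"{secrets.token_hex(16)}.{parts[1]}"


# Constructed sample names, based on the bypasses described in the text.
SAMPLES = ["shell.php", "shell.php3", "shell.pHp", "shell.php.test",
           ".htaccess", "test.txt:shell.php", "a;b.jpg", "photo.JPG"]


def audit(names):
    """Map each name to (passes naive blocklist, accepted by allowlist)."""
    return {n: (naive_blocklist_check(n), safe_stored_name(n) is not None) for n in names}


if __name__ == "__main__":
    for name, (naive, strict) in audit(SAMPLES).items():
        print(f"{name!r:24} blocklist_pass={naive} allowlist_accept={strict}")
```

Only photo.JPG is accepted by the allowlist, while five of the seven malicious-looking names pass the blocklist.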

File header check bypass

Different types of files actually have their own signature file headers.

Some servers may verify these file headers.

To bypass this check, we can try splicing the code directly behind a file of an allowed type and then have a parser execute it, such as:

cat shell.php >> test.jpg

In this way, we splice a piece of PHP code onto the end of test.jpg.

If the file is then handed to the PHP parser, the appended code executes successfully.

One thing to note here is that the image may contain some bytes that the parser cannot handle, so we can delete that content directly, because all we need is the header of the jpg file.
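The gap between a header-only check and a structural check can be seen by walking the JPEG marker structure and measuring what follows the end-of-image marker. This is an added Python example, not code from the original article; the function names, the PHP-tag heuristic and the sample bytes are assumptions, and such content checks complement, rather than replace, keeping uploaded files away from the PHP parser.

```python
from typing import Optional

SCRIPT_MARKERS = (b"<?php", b"<?=")  # heuristic: PHP open tags (assumption)


def header_only_check(data: bytes) -> bool:
    """The weak check from the text: only the JPEG signature is verified."""
    return data[:3] == b"\xff\xd8\xff"


def jpeg_trailing_bytes(data: bytes) -> Optional[int]:
    """Walk the JPEG marker structure; return the number of bytes after the
    end-of-image marker, or None if the data is not a well-formed JPEG."""
    if not header_only_check(data):
        return None
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:  # fill byte before a marker
            i += 1
        elif marker == 0xD9:  # EOI: everything after this is not image data
            return len(data) - (i + 2)
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without a length
            i += 2
        else:
            if i + 4 > len(data):
                return None
            seg_len = int.from_bytes(data[i + 2:i + 4], "big")
            if seg_len < 2:
                return None
            i += 2 + seg_len
            if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
                while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] != 0 and not 0xD0 <= data[i + 1] <= 0xD7
                ):
                    i += 1
    return None  # ran off the end without seeing EOI: truncated or malformed


def strict_jpeg_check(data: bytes) -> bool:
    """Accept only a complete JPEG with no trailing data and no PHP open tags
    anywhere (tags can also hide inside metadata segments before EOI)."""
    lowered = data.lower()
    return jpeg_trailing_bytes(data) == 0 and not any(m in lowered for m in SCRIPT_MARKERS)


# Constructed samples: a minimal marker-valid JPEG skeleton (not a viewable image)
# and the same bytes with a harmless placeholder appended, as in the splice above.
CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
         + b"\xff\xda\x00\x08" + bytes(6) + b"\x12\xff\x00\x34" + b"\xff\xd9")
SPLICED = CLEAN + b"<?php /* constructed placeholder */ ?>"
```

Both samples pass `header_only_check`, but only `CLEAN` passes `strict_jpeg_check`.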