©2020-2024 ioDraw All rights reserved
<> preface
The previous article explained the principle of file upload , And pictures of horses , Then some simple JS,MIME, Case , Dot space ,htaccess File bypass upload .
<> Continue below
<> one ,PHP345 File bypass upload
PHP3 representative PHP edition 3, This can be used for file bypass detection
General software can be downward compatible , therefore PHP3 Code of PHP5 It can also be executed
Use this to upload -test.php3 or test.php4 To bypass
<> two ,Windows::$DATA bypass
This method is only suitable for Windows, yes NTFS A feature of file system
NTFS A property of a file system that stores data streams DATA Time , It's a request test.php Own data , If test.php It also contains other data streams ,
such as test.php:a.php Then request test.php:a.php::$DATA. It means request test.php Stream data in a.php Stream data content .
Simply put, the data is followed by ::\$DATA To bypass ,test.php::$DATA Return data test.php
<> three ,Apache Parsing vulnerability
Apache It is judged and analyzed from left to right , If it cannot be recognized, continue to parse to the left ,
such as :1.php.xxx Among them xxx Is the non resolvable part , Will eventually be Apache treat as 1.php implement
<> four , Content verification file upload
Content verification is an important means of website security
such as : We will include a sentence about horses test.php Modified into test.jpg upload , The website will report an error , because jpg Format cannot be executed PHP File script
He will judge the file header of the picture , image gif,jpg,png etc.
The file header is used to determine the data format , Similarly, you can cheat detection by modifying the file header
such as GIF File header can be added GIF89a
<> five ,%00 truncation
0x00 Represents hexadecimal , stay ASCii Code represents 0 character , In some function processing, it will be regarded as the end flag , Therefore, it can also be used to bypass file upload
Note that %00 Truncation in GET The following is automatic conversion , but POST Special conversion required
If BP Packet capture is directly modified to 1.php%001.jpg, that 1.php May be filtered out , Can put %00, again URL Code once or change 16 Hexadecimal digit
Set as 00, Upload again and you will find 1.php Successfully bypassed upload , The following is truncated
<> six ,IIS6.0 Parsing vulnerability
There are two types of vulnerabilities : Directory resolution , File parsing
1, Directory resolution
with *.php The contents of the files in the named folder will be treated as php Document execution
such as ;1.php/test.jpg, Among them test.jpg Will be treated as test.php Be executed
2, File parsing
image *.php;.jpg Named malformed file ,”;“ The following contents are ignored directly , In other words, it will eventually be regarded as .php implement
Technology