<> preface

The previous article covered the principle of file upload vulnerabilities, image webshells (a PHP payload hidden inside a picture), and a few simple bypasses: client-side JS checks, MIME type, extension case, trailing dot or space, and .htaccess upload.

<> Continuing on

<> one, PHP3/PHP4/PHP5 extension bypass

.php3 is the extension once used for PHP 3 scripts, and .php4/.php5 exist likewise; a blacklist that only blocks .php can be bypassed with them.

Whether such a file executes depends on the web server configuration, not on PHP itself: many Apache/mod_php setups map .php, .php3, .php4, .php5 and .phtml to the same PHP handler, so a file with any of those extensions is run as current PHP code.

On such a server, upload test.php3 or test.php4 (or test.php5, test.phtml) to bypass the filter. If the server maps only .php to PHP, the file is served as plain text instead, so check which extensions the target actually executes.
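The handler mapping that makes this trick work, and the tightened form of it, as an added configuration example (not from the original article; the upload directory path is an assumption):

```apache
# Weak: every listed extension is handed to mod_php, so a blacklist that only
# knows ".php" still lets test.php3, test.php4 or test.php5 run as PHP.
AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml

# Tighter: hand only the extension the application actually uses to PHP ...
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# ... and turn the PHP engine off entirely under the upload directory
# (the path is an assumption for this example).
<Directory "/var/www/html/uploads">
    php_admin_flag engine off
</Directory>
```

The FilesMatch form also closes the multi-extension case discussed under "three" below, because only a name whose final extension is .php is handed to PHP.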

<> two, Windows ::$DATA bypass

This method works only on Windows, because it relies on a feature of the NTFS file system.

On NTFS every file has a default, unnamed data stream, addressed as test.php::$DATA; requesting it returns test.php's own content. A file can also carry named alternate data streams,

for example test.php:a.php, whose content is addressed as test.php:a.php:$DATA, meaning the data of stream a.php inside test.php.

Put simply, append ::$DATA to the uploaded filename to bypass the check. A blacklist that looks at the text after the last dot sees "php::$DATA" rather than "php", but when Windows writes the file test.php::$DATA it is writing the default stream of test.php, so a file named test.php ends up on disk.

<> three, Apache parsing vulnerability

Apache (mod_mime) allows a file to carry several extensions and examines them from right to left; if the rightmost extension is not recognised, it keeps going left until it finds one it knows.

For example, in 1.php.xxx the part xxx is not mapped to anything, so Apache falls back to .php and ultimately treats 1.php.xxx as a PHP script and executes it. This only applies when PHP is mapped with AddType or AddHandler; a SetHandler rule inside a FilesMatch for "\.php$" is not affected, because .php is then not the final extension.

<> four, Content verification file upload

Content verification is an important website security measure.

For example: if we rename test.php, containing a one-sentence webshell, to test.jpg and upload it, the site rejects it with an error, because the content does not pass as a JPEG.

The check inspects the file header (magic bytes) of the image, such as those of GIF, JPG or PNG.

The file header is what identifies the data format, so the check can likewise be fooled by forging the header.

For example, a GIF header can be faked by prefixing the file with GIF89a. The result is a polyglot: it passes a header check as an image, and if it is saved with an executable extension, or reached through one of the parsing tricks described here, the PHP code after the header still runs.
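A header check of the kind described above, the GIF89a polyglot that passes it, and the extra scan a practitioner would add behind it, as an added Python example (not code from the original article; the payload and the minimal GIF are constructed for the demonstration):

```python
import re

# Magic bytes a typical header check compares against.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def header_check_accepts(data: bytes) -> bool:
    """The check in the text: accept anything whose header looks like an image."""
    return sniff_image_type(data) is not None


def build_gif_polyglot(php_source: bytes) -> bytes:
    """Prefix PHP source with the GIF89a signature. A header check sees a GIF;
    a PHP interpreter passes the bytes before <?php through as output and
    executes the code that follows."""
    return b"GIF89a" + php_source


# What the header check misses: a PHP open tag anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def contains_php_code(data: bytes) -> bool:
    return PHP_OPEN_TAG.search(data) is not None


def strict_check_accepts(data: bytes) -> bool:
    """Header check plus a scan for PHP open tags. Still only a screen: the
    robust fix is to decode and re-encode the upload with an image library,
    so that foreign bytes do not survive the round trip."""
    return header_check_accepts(data) and not contains_php_code(data)


# Constructed payload: a harmless placeholder, not a real webshell.
PAYLOAD = build_gif_polyglot(b"<?php echo 'executed'; ?>")

# Constructed minimal GIF: signature, 7-byte logical screen descriptor, trailer.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3b"

if __name__ == "__main__":
    for label, blob in (("polyglot", PAYLOAD), ("real gif", REAL_GIF)):
        print(f"{label:9} header check: {header_check_accepts(blob)!s:5} "
              f"strict check: {strict_check_accepts(blob)}")
```

The tag scan only catches the obvious form; attackers can split or encode the marker in ways a regex will not see, which is why re-encoding the image is the check to rely on.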

<> five, %00 truncation

0x00 is the NUL byte (ASCII code 0). In C-based string handling it marks the end of a string, and in older PHP (before 5.3.4) filesystem functions such as move_uploaded_file stopped reading the path at the first NUL, so it can also be used to bypass upload checks.

Note that %00 in a GET parameter is URL-decoded by the server automatically into a real NUL byte, but in a POST multipart body the filename is not URL-decoded, so the byte has to be inserted by hand.

If you capture the request in Burp and simply change the filename to 1.php%001.jpg, the literal text "%00" stays in the name and 1.php may still be filtered. Instead URL-decode the %00 once, or in the hex view replace those three characters with the single byte 00. Upload again and you will find that 1.php was written: the check saw a name ending in .jpg, but everything after the NUL was truncated when the file was saved.

<> six, IIS 6.0 parsing vulnerability

There are two kinds of flaws: directory parsing and file parsing.
1. Directory parsing
Files inside a folder named *.php are executed as PHP scripts regardless of their own extension,
for example 1.php/test.jpg, where test.jpg is executed as if it were test.php.

2. File parsing
A malformed filename such as *.php;.jpg: everything after the ";" is ignored, so the file is ultimately treated as .php and executed.

The classic case for both flaws is .asp; the same applies to .php where PHP is mapped to a script engine on the IIS 6.0 host.
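The filename tricks from sections one, two, three, five and six all defeat the same naive check, a blacklist that looks only at the text after the last dot. The following added Python example (not from the original article) puts that check beside simple models of how each server layer actually interprets the name, and then a whitelist-plus-rename check that rejects every one of them. The sample names are constructed, and the server behaviour is modelled in plain Python rather than observed from real hosts; the handler mappings are assumptions stated in the comments.

```python
import re
import secrets

# Constructed filenames, one per trick described above.
SAMPLES = {
    "php3 extension": "test.php3",
    "NTFS ::$DATA": "test.php::$DATA",
    "Apache multi-extension": "1.php.xxx",
    "%00 truncation": "1.php\x001.jpg",   # the %00 already decoded to a NUL byte
    "IIS 6.0 ';' file": "1.php;.jpg",
}

# --- the naive check most blacklist filters implement -----------------------
BLACKLIST = {"php", "phtml"}


def naive_blacklist_rejects(filename: str) -> bool:
    """Blacklist that looks only at the text after the last dot."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLACKLIST


# --- models of what each server layer does with the name it receives --------
# Assumption: the Apache host maps all of these to mod_php (section one).
HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml"}


def apache_handler_ext(filename: str):
    """Model of Apache mod_mime multi-extension handling (section three):
    scan the extensions from the right and stop at the first one mapped
    to a handler, so 1.php.xxx is handed to PHP."""
    for seg in reversed(filename.split(".")[1:]):
        if seg.lower() in HANDLER_EXTS:
            return seg.lower()
    return None


def ntfs_effective_name(filename: str) -> str:
    """Model of NTFS (section two): name::$DATA addresses the default
    stream of name, so the bytes are written to 'name' itself."""
    suffix = "::$DATA"
    return filename[:-len(suffix)] if filename.endswith(suffix) else filename


def c_string_truncate(filename: str) -> str:
    """Model of NUL truncation (section five) in C-string based file APIs."""
    return filename.split("\x00", 1)[0]


# Assumption: .php is mapped to a script engine on the IIS 6.0 host.
IIS_SCRIPT_EXTS = {"asp", "php"}


def iis6_script_ext(url_path: str):
    """Model of the two IIS 6.0 flaws (section six): a directory named
    *.php makes every file under it run as script, and ';' ends the name."""
    *dirs, name = url_path.strip("/").split("/")
    for d in dirs:
        ext = d.rsplit(".", 1)[-1].lower() if "." in d else ""
        if ext in IIS_SCRIPT_EXTS:
            return ext
    name = name.split(";", 1)[0]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in IIS_SCRIPT_EXTS else None


# --- the check that defeats all of the above --------------------------------
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def hardened_store_name(filename: str, base=None):
    """Whitelist the last extension, reject names carrying NUL, ':', ';' or a
    path separator, and store under a fresh random base name so that no
    earlier segment (1.php.jpg) or original name survives. Returns the
    name to store under, or None to reject."""
    if re.search(r"[\x00:;/\\]", filename) or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:
        return None
    return f"{base or secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for label, name in SAMPLES.items():
        print(f"{label:24} blacklist rejects: {naive_blacklist_rejects(name)!s:5} "
              f"hardened: {hardened_store_name(name, 'x')}")
```

The rename is what closes the Apache multi-extension case: 1.php.jpg passes the whitelist, but is stored as a random name with a single .jpg extension. The IIS 6.0 directory flaw is not a filename problem at all; it is avoided by never letting users choose the directory a file is stored in.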