Bypass approach
Web applications often let clients upload files, but if the programmer does not validate and restrict what is uploaded, the result is a file upload vulnerability. Uploaded files are checked in two places: client-side detection and server-side detection.
Client-side bypass
The client performs its check with JavaScript that runs in the browser. Since the attacker controls the browser, they can alter or disable that JavaScript, or submit a file that passes the check and then modify the HTTP request in transit.
Controlling the JS code
A piece of front-end code:
<form action="" method="post" enctype="multipart/form-data" onsubmit="return checkfilesuffix()">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file" />
    <br />
    <input type="submit" name="submit" value="Submit" />
</form>

function checkfilesuffix() {
    var file = document.getElementsByName('file')[0]['value'];
    if (file == "" || file == null) {
        alert("Please add upload file");
        return false;
    } else {
        // Only the extension of the name the browser reports is checked,
        // and only in the browser: nothing here is enforced by the server.
        var whitelist = new Array(".jpg", ".png", ".gif");
        var file_suffix = file.substring(file.lastIndexOf("."));
        if (whitelist.indexOf(file_suffix) == -1) {
            alert("This file is not allowed to be uploaded");
            return false;
        }
    }
    return true; // let the submit proceed
}
After a file is selected and the form is submitted, the form's onsubmit event fires and calls checkfilesuffix(). Deleting the onsubmit attribute from the form element (for example in the browser's developer tools) bypasses the check entirely; disabling JavaScript, or calling form.submit() from the console (which does not fire the submit event), has the same effect.
Modifying the request packet with Burp
Take the captured upload request and change the extension in the filename field of the file part (for example from .jpg to .php); the server-side $_FILES['file']['name'] is taken from that line. If the byte length of the body changes, the Content-Length header (the length of the entity body in bytes) has to change with it.
For example, if Content-Length is 200 with filename "xss.jpg" and the filename is changed to "1.php", the body is two bytes shorter, so Content-Length should become 198. Burp's Proxy and Repeater recalculate Content-Length automatically by default; if you edit the raw request with a tool that does not, an unchanged Content-Length makes the server wait for bytes that never arrive or cut the body short, and the upload may fail.
Server-side bypass
Front-end verification is easy to bypass, so back-end verification matters more. Server-side verification mainly covers the following:
MIME detection
A MIME type tells the receiving program what kind of content it is handling, so that a browser opens it with the right handler: a GIF image is image/gif, a CSS file is text/css. In HTTP the MIME type travels in the Content-Type header. In a multipart upload each file part carries its own Content-Type line, and PHP copies that value into $_FILES['file']['type'] without looking at the file's bytes.
So when uploading a PHP file, editing the Content-Type of the file part in the HTTP request to a whitelisted value such as image/jpeg bypasses any check that only compares $_FILES['file']['type'] against a list.
MIME validation code
<?php
header("Content-type: text/html;charset=utf-8");
error_reporting(0);
// Set upload directory
define("UPLOAD_PATH", dirname(__FILE__) . "/upload/");
define("UPLOAD_URL_PATH", str_replace($_SERVER['DOCUMENT_ROOT'], "", UPLOAD_PATH));
if (!file_exists(UPLOAD_PATH)) {
    mkdir(UPLOAD_PATH, 0755);
}
if (!empty($_POST['submit'])) {
    // $_FILES['file']['type'] is the Content-Type line the client wrote into
    // its own multipart part; it is not derived from the file contents.
    if (!in_array($_FILES['file']['type'], ["image/jpeg", "image/png", "image/gif", "image/jpg"])) {
        echo "<script>alert('Incorrect file type')</script>";
    } else {
        // The original filename, and therefore its extension, is kept as-is.
        $name = basename($_FILES['file']['name']);
        if (move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_PATH . $name)) {
            echo "<script>alert('Upload succeeded')</script>";
            echo "Relative path of uploaded file<br>" . UPLOAD_URL_PATH . $name;
        } else {
            echo "<script>alert('Upload failed')</script>";
        }
    }
}
?>
00 truncation
When a string is read and a %00 (a NUL byte, 0x00) is encountered, C-style string handling stops there and everything after it is dropped, so the string is truncated. This only works against PHP versions before 5.3.4 (later versions reject paths that contain a NUL byte) and requires magic_quotes_gpc to be off, so different CTF problems need different handling. The ctfhub "00 truncation" challenge is used here; its write-up (WP) follows.
PHP pathinfo function
<form action="?road=/var/www/html/upload/" method="post" enctype="multipart/form-data">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file" />
    <br />
    <input type="submit" name="submit" value="Submit" />
</form>

<?php
if (!empty($_POST['submit'])) {
    // basename() returns the file name part of the path
    $name = basename($_FILES['file']['name']);
    $info = pathinfo($name);
    $ext = $info['extension']; // file suffix
    $whitelist = array("jpg", "png", "gif");
    if (in_array($ext, $whitelist)) {
        // The target directory comes straight from the query string. With
        // road=/var/www/html/upload/shell.php%00 the string becomes
        // "/var/www/html/upload/shell.php\0/57<timestamp>.jpg".
        $des = $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext;
        // move_uploaded_file() is where the 00 truncation takes effect: on a
        // PHP build that tolerates NUL in paths, everything after %00 is
        // ignored and the file is stored at the path before %00 (shell.php).
        if (move_uploaded_file($_FILES['file']['tmp_name'], $des)) {
            echo "<script>alert('Upload succeeded')</script>";
        } else {
            echo "<script>alert('Upload failed')</script>";
        }
    } else {
        echo "File type mismatch";
    }
}
?>
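Added example (Node.js, not the challenge's own code): it traces the 00 truncation through the handler above, from the %00 in the query string to the path that is finally opened, and sets a hardened path builder beside it. A NUL-tolerant runtime is emulated by cStringTruncate(); the road value, random part and timestamp are constructed.

```javascript
// Added example: trace the 00 truncation through the upload handler above.
// A NUL-tolerant runtime (PHP before 5.3.4) is emulated by cStringTruncate();
// the road value, random part and timestamp are constructed.

// PHP decodes %00 in the query string into a real NUL byte in $_GET['road'].
function decodeRoad(rawQueryValue) {
  return decodeURIComponent(rawQueryValue);
}

// Mirrors: $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext
function buildDestination(road, ext, randPart = "57", stamp = "20230101120000") {
  return `${road}/${randPart}${stamp}.${ext}`;
}

// Emulates a C-style path consumer: the path ends at the first NUL, so the
// generated name and the ".jpg" suffix are dropped.
function cStringTruncate(path) {
  const nul = path.indexOf("\0");
  return nul === -1 ? path : path.slice(0, nul);
}

// Where the file really lands for a given raw ?road= value.
function effectiveDestination(rawRoad, ext) {
  return cStringTruncate(buildDestination(decodeRoad(rawRoad), ext));
}

// Hardened builder: fixed directory, whitelisted extension taken from the
// uploaded name, NUL bytes refused instead of silently cut, and a name
// generated server-side so nothing user-controlled reaches the path.
const UPLOAD_DIR = "/var/www/html/upload";
const WHITELIST = new Set(["jpg", "png", "gif"]);
function safeDestination(uploadedName, randPart = "57", stamp = "20230101120000") {
  if (uploadedName.includes("\0")) throw new Error("NUL byte in filename");
  const ext = uploadedName.toLowerCase().split(".").pop();
  if (!WHITELIST.has(ext)) throw new Error("extension not allowed");
  return `${UPLOAD_DIR}/${randPart}${stamp}.${ext}`;
}

const rawRoad = "/var/www/html/upload/shell.php%00"; // constructed attacker value
console.log(JSON.stringify(buildDestination(decodeRoad(rawRoad), "jpg")));
console.log(effectiveDestination(rawRoad, "jpg")); // /var/www/html/upload/shell.php
```

The first line printed shows the full string the PHP concatenation produces, with the \u0000 in the middle; the second shows what a NUL-tolerant runtime actually opens. On PHP 5.3.4 and later, move_uploaded_file() refuses the path instead, which is why the version check in the section above matters before trying this.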