File Upload Vulnerability
tags: Security Web
Types
File-based
Upload a webshell or other malicious file
Route-based
Java-based
Bypass
Javascript Detection
- Modify the request in transit with Burp Suite
- Disable JavaScript
MIME type (media type) Detection
- Modify the Content-Type header with Burp
Extension Black list
- Case variation bypass
  - pHP // (Windows)
  - AsP // (Windows)
- Trailing space / dot bypass
  - .php(space) // modify with Burp (Windows)
  - .asp.
- Alternative extensions (php3/4/5/7)
  - .php3
  - .php4
  - .php5
  - .php7
  - .pht
  - .phtml
  - .htaccess
Custom parsing rules
`<FilesMatch "wfw"> SetHandler application/x-httpd-php </FilesMatch>` - Apache parsing vulnerability
Configuration file misconfiguration
`AddType application/x-httpd-php .php`
shell.php.wildfootw == Apache does not recognise .wildfootw, so it falls back to the previous extension => handled as shell.php
Magic Number
PHP is an embedded language, so the rest of the file does not affect parsing → construct [image magic number] + [<?php xxxxx ?>]
- jpg
  - FF D8 FF E0 00 10 4A 46 49 46
- gif
  - 47 49 36 38 39 61
- png
  - 89 50 4E 47
Other
- Common scenario: combined with a file parsing vulnerability
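Server-side validation that closes the bypasses listed in these notes (case variation, trailing dot/space, double extensions such as shell.php.wildfootw, Content-Type spoofing, and an image header followed by a PHP tag). This is an added example written for these notes, not code from the original; the allowlist, magic bytes and the `validate_upload` name are choices made for illustration.

```python
import os
import re

# Allowlist: extension -> (expected Content-Type, accepted leading bytes).
# Constructed for this example; the GIF values are the standard "GIF87a"/"GIF89a" headers.
ALLOWED = {
    ".jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}
# A PHP open tag anywhere in the body means "image header + <?php ...?>" polyglot.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Basename may contain no dots, so a second extension (shell.php.jpg) is impossible.
SAFE_BASE = re.compile(r"^[a-z0-9_-]{1,64}$")


def validate_upload(filename, content_type, data):
    """Return (accepted, reason). Never trust the client-supplied name or Content-Type alone."""
    # Lowercase and strip trailing dots/spaces so "pHP", "shell.php " and "shell.asp." all
    # normalise to the real extension before the allowlist check.
    name = filename.strip().rstrip(". ").lower()
    base, ext = os.path.splitext(name)
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    if not SAFE_BASE.fullmatch(base):
        return False, "basename contains an extra extension or unsafe characters"
    expected_type, magics = ALLOWED[ext]
    if content_type != expected_type:
        return False, f"Content-Type {content_type!r} does not match {ext}"
    # Check the file's own bytes, not the header the client claimed.
    if not any(data.startswith(m) for m in magics):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image"
    # Accepted: store under a server-generated name, outside any directory the web server executes from.
    return True, "ok"
```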