

Practical experience: upload vulnerabilities (business logic vulnerability exploration)

Posted by muschett at 2020-04-05

Today's content is a share on upload vulnerabilities, part of our exploration of business logic vulnerabilities. The article is under 2000 words and takes about 7 minutes to read.

Note: the examples in this article all come from public crowdsourced tests and are for reference only.

Many websites allow users to upload photos and documents themselves. If the upload function is not properly protected, it poses a huge security risk: if the web application does not check the file effectively during upload, an attacker can attack the server by uploading malicious files such as webshells. A system in this state is said to have a file upload vulnerability.

1. No filtering

Today most developers with even a little security awareness will restrict the upload function in some way, but this does not rule out sites whose upload function has no protection at all. Where no protective measures exist, malicious files can be uploaded freely. For example:

1. A site has no protection on file upload.

2. Find the corresponding file upload function.

3. Upload a malicious file directly, without even changing the suffix.

4. After the file is uploaded successfully, the relative path of the upload is returned.

5. Once the full upload path has been pieced together, the uploaded webshell can be accessed to control the server.

2. Client-side verification bypass

The most typical form of client-side checking is JavaScript checking. Because JavaScript runs on the client, it can be bypassed by modifying the client-side code, or by first uploading a file that meets the requirements and then using a tool such as Burp to tamper with the request during the upload. For example:

1. A system has an upload vulnerability.

2. Change the suffix of the shell file to one the site allows, then intercept the request with Burp and change the suffix back; the upload succeeds.

3. Accessing the shell gives control of the whole server and server privileges.

3. Server-side verification bypass

No.1 MIME bypass

MIME (Multipurpose Internet Mail Extensions) types tell the browser which application opens a file with a given extension: when such a file is accessed, the browser opens it with the associated application. A standard file upload component sends the file's MIME type automatically. However, since the MIME type is supplied by the client, and changing it does not affect how the file itself works, this kind of check is easily bypassed by intercepting the request with Burp and modifying the MIME type. For example:

1. A system using the ABCD editor has an upload bypass vulnerability.

2. The upload function only accepts image files. We upload a txt file and intercept the request with a packet-capturing tool.

3. Change the Content-Type to the MIME type of a GIF.

4. The txt file is uploaded successfully, bypassing the MIME restriction.

No.2 File content bypass

There are usually two ways of checking the file header and file contents. The whitelist approach checks whether the uploaded file carries the header characteristics of one of the whitelisted file types, and only then allows the upload. The blacklist approach checks for the characteristics of known webshells and rejects the file if it contains them. Whitelist checks can be bypassed by inserting Trojan script statements into a file that meets the requirements; blacklist checks can be bypassed by obfuscating the key functions in various ways. For example:

1. A system has an upload vulnerability. Find the relevant upload function.

2. Insert a one-line Trojan into a normal picture to make a "picture horse", then upload it.

3. The file bypasses the content check and is uploaded successfully; connecting to the shell gives control of the whole server.

4. From there the intranet can be further controlled.

No.3 Extension bypass

Normally, if the Trojan file uploaded by a user is not saved with a script-file extension, it cannot run and cannot be used to control the web server. However, risks remain if the extension check is implemented improperly. Extension checks are usually either blacklist-based or whitelist-based. A blacklist can be bypassed with uncommon extensions, case variations and special trailing characters; a whitelist can be bypassed with truncation and parsing vulnerabilities. For example:

A. Special extension

Adding a space and a dot after the file's suffix is found to bypass the upload restriction.

Any command can then be executed.

B. Truncation vulnerability

4. Repair suggestions

That is all for this time. If you have also found an upload vulnerability, leave us a message. For upload vulnerabilities, we still have a few suggestions for our developer friends:

1. Compare the uploaded file's extension and file header against a whitelist on the server side; files that do not match the whitelist are not saved.

2. Do not pass a directory or file path during the upload; instead, set up a path list in advance and pass only an index into it. Never disclose the file's absolute path.

3. Rename the file and save it under a random directory and file name.

4. Remove execute permission from the temporary directory and the save directory for uploaded files.

5. Where conditions permit, store files on a content server or in a database.
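As an added illustration of suggestions 1 to 4 (example code written for this page, not code from the original post or from any product it mentions), a minimal server-side upload handler in Python: it ignores the client's Content-Type, normalises the file name before the whitelist check so that trailing dots and spaces, upper-case extensions and a file header that does not match are all caught, resolves the storage directory by index, and stores the file under a random name. The directory paths and the set of allowed types are assumptions.

```python
import os
import secrets

# Server-side whitelist: allowed extension -> file headers (magic bytes) a
# genuine file of that type starts with. Anything not listed is rejected.
# The client's Content-Type is never consulted: it is attacker-controlled.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# The client sends only an index into this list, never a path (assumed dirs).
STORAGE_DIRS = ("/srv/uploads/avatars", "/srv/uploads/attachments")


def check_upload(filename, content):
    """Return (True, ext) if the upload passes, else (False, reason)."""
    # Drop any directory part, then strip trailing dots and spaces so names
    # like "shell.php." or "shell.php " cannot sneak past the extension check.
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    if "\x00" in base or "." not in base:
        return False, "null byte or no extension"
    ext = base.rsplit(".", 1)[1].lower()  # case-insensitive whitelist
    headers = ALLOWED_TYPES.get(ext)
    if headers is None:
        return False, "extension not in whitelist"
    if not content.startswith(headers):
        return False, "file header does not match extension"
    return True, ext


def plan_storage(dir_index, ext):
    """Resolve the directory index and pick a random name with the validated
    extension; the original name and the absolute path are never reused."""
    if not 0 <= dir_index < len(STORAGE_DIRS):
        raise ValueError("unknown storage index")
    return STORAGE_DIRS[dir_index], secrets.token_hex(16) + "." + ext


def handle_upload(dir_index, filename, content, root=None):
    """Validate, then save; the caller gets back only the random file name."""
    ok, info = check_upload(filename, content)
    if not ok:
        return {"accepted": False, "reason": info}
    directory, name = plan_storage(dir_index, info)
    if root:  # optional scratch root so a local run does not touch /srv
        directory = os.path.join(root, directory.lstrip("/"))
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, name), "xb") as fh:  # never overwrite
        fh.write(content)
    return {"accepted": True, "name": name}
```

A "picture horse" (valid GIF header with script text inside) still passes the header check, which is exactly why the random rename to a whitelisted extension and the no-execute upload directory of suggestions 3 and 4 must back it up.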