Several common methods of uploading a one-line Trojan

2022-06-22 11:37:00 CNRio

1, Upload using 00 truncation with Burp Suite

00 truncation takes advantage of programmers not filtering the file upload path strictly enough when writing the program, which produces the 0x00 upload truncation vulnerability.
Assume the upload path of the file is http://xx.xx.xx.xx/upfiles/lubr.php.jpg. Capture the packet with Burp Suite and change the "." after lubr.php to "0x00". During the upload, when the file system reads "0x00" it considers the file name finished, so the content of lubr.php.jpg is written to lubr.php, which achieves the purpose of the attack.

2, Upload by constructing a name that passes server-side extension detection

When the browser submits the file to the server, the server checks the extension of the submitted file against its configured blacklist. If the extension of the uploaded file is not permitted by the blacklist, the upload is rejected; otherwise the upload succeeds.
In this example, the file name of the one-line Trojan, lubr.php, is changed to lubr.php.abc. First, when the server verifies the file extension, the extension it checks is .abc; as long as that extension satisfies the server-side blacklist rules, the file is uploaded. Second, when the file is accessed from the browser, Apache, if it cannot parse the .abc extension, looks to the left for an extension it can parse, namely ".php". The one-line Trojan is therefore parsed and can be connected to with China Chopper.

3, Upload by bypassing Content-Type file type detection

When the browser uploads a file to the server, the server checks the Content-Type of the uploaded file. If the whitelist allows it, the file is uploaded normally; otherwise the upload fails. To bypass Content-Type file type detection, use Burp Suite to intercept the request and modify the file's Content-Type in the packet so that it complies with the whitelist rules, which achieves the upload.

4, Construct an image Trojan to bypass file content detection and upload a shell

File content validation generally uses the getimagesize() function, which determines whether the file is a valid image file. If it is, the upload is allowed; otherwise it is not.

Making the image Trojan: copy 1.jpg/b+2.php/a 3.jpg

Three methods of making an image Trojan:

https://blog.csdn.net/whatday/article/details/54731043
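
From the defender's side, each of the four methods above defeats one isolated check, so an upload handler has to apply all of the checks together. The following is an added example, not code from the original article: the function name validate_upload, the allowlist and the sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Allowlist: extension -> leading magic bytes (assumed policy for this example).
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

def validate_upload(filename: str, client_content_type: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise ValueError.

    client_content_type is accepted only to show that it is ignored:
    it is set by the client (method 3) and is not evidence of the file type.
    """
    # Method 1: a NUL byte (raw or URL-encoded) can truncate the name later.
    if "\x00" in filename or "%00" in filename:
        raise ValueError("NUL byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))
    # Method 2: require exactly one extension, taken from an allowlist, so
    # names such as lubr.php.abc or lubr.php.jpg never reach the web server.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must have exactly one extension")
    ext = "." + parts[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not in allowlist")
    # Methods 3 and 4: decide the type from the bytes, not from the header.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # A valid image header says nothing about the rest of the file (the output
    # of copy 1.jpg/b+2.php/a still starts with JPEG magic). This scan is only
    # a tripwire; the real control is the random name and fixed extension below.
    if b"<?php" in data.lower():
        raise ValueError("embedded script marker")
    # Store under a random name so no user-supplied part of the name survives.
    return secrets.token_hex(16) + ext
```

The returned name should be used for a location the web server serves as static content only, with script execution disabled for that directory.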

 

 


Copyright notice
This article was created by [CNRio]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/173/202206220930295560.html
