Introduction

This post shares a few ideas for bypassing file upload restrictions. The screenshots come from real engagements and are therefore heavily redacted, so rely mostly on the text. This article is intended only for exchange and learning. Any direct or indirect consequences or losses caused by the dissemination or use of the information provided here are borne by the user; the author assumes no responsibility.

Case 1

During one engagement, appending a character to the .png suffix showed that the upload point used a whitelist, which normally cannot be bypassed.

The endpoint was named UploadImg and was used for uploading images. Following common developer naming habits, we looked for endpoints such as Temp or test, but none existed. Fuzzing then turned up another existing upload endpoint, File, which also restricted the files it accepted and so needed to be bypassed.

Because its blacklist was not strict enough, after a few attempts with alternative suffixes the .cer suffix was found to slip past the restriction and be parsed by the server.

From there a shell was obtained and the intranet was reached; the subsequent steps are not covered here.

Many testers see a whitelist upload and assume the upload point is safe and cannot be bypassed. That is not necessarily so: where several upload endpoints exist, some of them may be unrestricted or only loosely restricted. The key is how to find those endpoints and, when an endpoint does enforce a limit, how to get around it. Here is another example related to endpoint bypassing.

Case 2

The Upload_2018.php endpoint used a whitelist; in the normal case, changing the suffix caused the upload to fail, as follows.

Further testing found multiple upload endpoints. Removing _2018 from the name reached the plain Upload endpoint, which accepted any file type.

A WAF (a cloud vendor's product) was encountered while uploading the shell, so it had to be bypassed as well.

By finding the domain's real (origin) IP and uploading directly to it, the WAF restriction was bypassed. To avoid attracting unwanted interest, the IP is redacted here.

Much of the time, developers deploy upload endpoints with loose restrictions or none at all for the sake of convenience, so once the restriction is bypassed and a shell is uploaded the consequences can be serious. We can also look for temp- or test-style upload endpoints, since these are mostly used for testing during development and usually place almost no limit on the file type. API documentation may reveal further upload endpoints as well, sometimes with surprising results.

Case 3

This upload type sent images encoded as Base64; the bypass went as follows:

Packet capture showed that the image was uploaded as Base64. Examining the request showed that any file could be uploaded by changing the content of the upload_0 field.

An HTML page was parsed successfully, so a shell could be uploaded to obtain access.

In short, the uploaded shell could not execute commands. Uploading a phpinfo page showed that disable_functions was set, so a disable_functions bypass was used to get around the limit and obtain a working shell.

Case 4

Exploiting an nginx parsing vulnerability. This was found a long time ago and the vulnerability should no longer exist; the WAF details have been omitted. It is included here as a way of thinking:

On one target, reconnaissance of a core system found an upload function, but the upload endpoint enforced a whitelist and there was no other upload endpoint. Because a shell on this site was important and had to be obtained, further digging found that the target had the nginx parsing vulnerability. Combining it with the image upload gave access to some intranet sites.

Other scenarios & summary

If there is an injection, we can use sqlmap's --search option or a SQL shell to search for the ID number returned by the upload, and may find the shell address that way. In a recent attack-and-defense exercise we ran into exactly this situation and later used fuzzing to find the complete shell path. In addition, files can sometimes be uploaded across directories, so ../ can be used in the path; with enough ../ the shell may land in the web root of the domain. If the current upload folder has no execute permission, uploading the shell to another directory is also worth trying. Furthermore, if the upload directory is controllable and files can be written to any directory, then on Linux an SSH key can be uploaded for remote login. In extreme cases the passwd and shadow files can be overwritten to replace system users, but only if the permissions are high enough.

If you cannot cross directories and the site has no injection, you can try to find a site log file, such as the generic e-cology log. Log files like this have regular names, so you can use Burp to brute-force the log path, and you may find the shell path in the log file.

Then there are file inclusion and file reading. With file reading, the shell address can be found by reading logs and configuration files, but the success rate is very low. As for file inclusion, apart from lab ranges and CTFs, I have not encountered it in real engagements.

One more tip concerns Burp. This is a real encounter: after uploading the shell there was no returned path, but searching the HTTP history for the shell name revealed the complete path. Because uploaded files such as images are always displayed somewhere, you can click around the web application first to load more requests, then search HTTP history for the shell name, and you may be surprised.

Sometimes the upload blacklist is not strict, so a pseudo-suffix can be used to bypass it, not to mention the many other approaches. The general idea is as described above. Bypassing restrictions to get a shell always brings me fun; maybe this is why I like penetration testing.
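As an added example (not code from the original post or from any of the targets it describes), the following validator shows the difference between the loose blacklist defeated in Case 1 and a whitelist check that also verifies the decoded Base64 content from Case 3 and rejects the ../ paths mentioned in the summary. The function names, the WEAK_BLACKLIST contents and the sample inputs are constructed for illustration.

```python
import base64
import hashlib
import posixpath

# Whitelisted image extensions and the magic bytes a valid file must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# The kind of loose blacklist from Case 1 (constructed): it names the obvious script
# suffixes and nothing else, so any other suffix the server also parses slips through.
WEAK_BLACKLIST = {"php", "asp", "aspx", "jsp"}


def blacklist_accepts(filename):
    """True if the weak blacklist would let this filename through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in WEAK_BLACKLIST


def validate_upload(filename, b64_content):
    """Whitelist validation for a Base64-encoded image upload (Case 3 style).
    Returns (True, server_side_name) or (False, rejection_reason)."""
    # 1. The name must be a bare basename: any directory part, including the
    #    '../' used in the summary to reach the web root, is rejected outright.
    name = filename.replace("\\", "/")
    if name in ("", ".", "..") or posixpath.basename(name) != name:
        return False, "path component in filename"
    # 2. Whitelist the final extension; anything not listed is refused,
    #    including pseudo-suffixes such as .cer that a blacklist overlooks.
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # 3. Decode strictly and check the bytes really are that image type, so a
    #    modified upload_0 field carrying HTML or script text is caught.
    try:
        data = base64.b64decode(b64_content, validate=True)
    except ValueError:
        return False, "invalid base64"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # 4. Discard the client's name: store under a content hash plus the verified
    #    extension, in a directory served without execute permission.
    return True, hashlib.sha256(data).hexdigest()[:16] + "." + ext


# Constructed sample inputs (not captured from any real target).
SAMPLE_PNG_B64 = base64.b64encode(ALLOWED["png"] + b"\x00" * 16).decode()
SAMPLE_HTML_B64 = base64.b64encode(b"<html><body>hi</body></html>").decode()
```

Renaming on the server side also removes the returned-path problem from the Burp tip only partially: the stored name is still predictable from the content, so the upload directory itself must not be browsable or executable.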