## Pass-01: Bypassing Frontend JS
Disable JavaScript in the browser, so the client-side check below never runs.
```js
// Runs in the browser only, so it is advisory: a client can disable or edit it
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("Please select a file to upload!");
        return false;
    }
    // Define allowed file types for upload
    var allow_ext = ".jpg|.png|.gif";
    // Extract the type of the uploaded file
    var ext_name = file.substring(file.lastIndexOf("."));
    // Check if the uploaded file type is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "This file type is not allowed for upload. Please upload a file of type " + allow_ext + ". The current file type is: " + ext_name;
        alert(errMsg);
        return false;
    }
}
```
## Pass-02: MIME Verification
Upload a file as in the previous pass, then:
- Capture the request
- Modify the Content-Type: change application/octet-stream to image/png
- Forward the request
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // 'type' is the Content-Type header the client sent; it is not derived from the file's bytes
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'Incorrect file type, please upload again!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}
```
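A server-side alternative to trusting `$_FILES['upload_file']['type']`, added here as an example (not upload-labs code): it decides the type from the bytes of the temporary file with finfo and getimagesize, and stores the file under a server-chosen name. It assumes the lab's `upload_file` field and `UPLOAD_PATH` constant.

```php
<?php
// Added example, not upload-labs code: derive the type from the received
// bytes, never from the client-supplied Content-Type header.
// Assumes the form field upload_file and a defined UPLOAD_PATH constant.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the canonical extension for an allowed image, or null otherwise.
 * Both checks read the temporary file on disk.
 */
function detectImageType(string $tmpPath): ?string
{
    // libmagic sniffing of the leading bytes; the request header is ignored
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // Second opinion from the image decoder: it must agree on the type
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit']) && isset($_FILES['upload_file'])) {
    $f = $_FILES['upload_file'];
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        $msg = 'Upload error!';
    } elseif (($ext = detectImageType($f['tmp_name'])) === null) {
        $msg = 'Incorrect file type, please upload again!';
    } else {
        // The server chooses the stored name; the client's name is never used
        $img_path = UPLOAD_PATH . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
        $is_upload = move_uploaded_file($f['tmp_name'], $img_path);
    }
}
```

Content sniffing only proves the bytes start like an image, so it must be paired with an upload directory that never executes scripts.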
## Pass-03: Bypassing Blacklist
Capture the request, modify the extension, and upload directly; but the shell cannot be connected to. Uppercase letters in the extension cannot be uploaded either. The blacklist can be bypassed with the php1, pht, phtml or phps extensions. Find the file path in the page source and connect to the shell.
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp', '.aspx', '.php', '.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim spaces
        // (excerpt ends here; the in_array($file_ext, $deny_ext) check and the file move follow)
```
## Pass-04: Bypassing Blacklist - .htaccess
### .htaccess
.htaccess is a per-directory configuration file for the Apache web server; it governs how the pages in that directory are served.
It can set up 301 redirects, custom 404 error pages, change how file extensions are handled, allow or block access for specific users or directories, disable directory listing, configure the default document, and more.
Content of the uploaded .htaccess file:

```apache
SetHandler application/x-httpd-php
```

This makes every file in the current directory be parsed by PHP, so whatever the uploaded file's extension, as long as its content is valid PHP code it is executed as PHP; if it is not, an error is reported.
So first upload the .htaccess configuration file, then upload a one-line webshell, then connect to the shell.
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Note: "php1" and "pHp1" lack the leading dot, and ".htaccess" is not in the list at all
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim spaces
        // (excerpt ends here; the in_array($file_ext, $deny_ext) check and the file move follow)
```
## Pass-05: Uppercase Bypass
Mixing upper- and lowercase letters in the extension bypasses the check.
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim spaces
        $file_ext = strtolower($file_ext); // Convert to lowercase
```
## Pass-06: Space Bypass
Principle: Windows drops trailing spaces from a filename when the file is created, but the check in the program does not remove them, so the blacklist is bypassed.
So capture the request and add a space after the file extension. Successfully bypassed.
```php
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name']; // no trim() on the name here
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim spaces
```
## Pass-07: Dot Bypass
Add a dot after the extension. Successfully bypassed.
```php
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim spaces
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots (here only after the extension was extracted)
```
## Pass-08: ::$DATA Bypass
Principle: On Windows, if "::$DATA" is appended to the filename, what follows ::$DATA is treated as a file stream (an NTFS alternate data stream); the extension is not checked and the file keeps the name before ::$DATA. The effect is that the extension check is skipped, similar to the space bypass.
```php
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = trim($file_ext); // Trim spaces
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
```
## Pass-09
Look at the source code, capture the request and modify the extension: add ". ." after the php extension. Successfully uploaded.
```php
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // deldot() is the lab's own helper: remove trailing dots from the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim spaces
        // (excerpt ends here; the in_array($file_ext, $deny_ext) check and the file move follow)
```
GPT Analysis:
This PHP code mainly handles file uploads, first checking whether data was submitted via POST (whether the submit button was clicked), then checking whether the upload directory exists, and defining an array of disallowed file types, $deny_ext. Next, it retrieves the uploaded file name and removes the trailing dot. It then uses the strrchr function to get the file extension, converts it to lowercase, removes the string ::$DATA, and trims spaces to ensure consistency in the file extension. Ultimately, this information is used to determine whether to allow the file upload: if the file type is in the $deny_ext array, it will not be allowed; otherwise, it can be uploaded.
## Pass-10
According to the prompt, this pass removes the blacklisted extension strings from the filename.
That is, if you upload a file with one of the extensions above, the extension is automatically removed: for example, hack.php becomes hack, and the extension disappears.
But the removal happens only once, so doubling the letters bypasses it; the doubled form is pphphp.
```php
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext, "", $file_name); // a single, non-recursive replacement pass over the name
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $file_name;
```
ChatGPT: This code's principle is to restrict file types for upload to protect the application's security mechanism. The code defines an array named "$deny_ext" that lists the file types that users are not allowed to upload. Before uploading a file, the code retrieves the name of the uploaded file, removes all file types listed in the "$deny_ext" array from the name, and reassigns the modified filename to the "$file_name" variable.
Next, the code retrieves the temporary file path from the $_FILES['upload_file']['tmp_name'] variable and moves it to the "$_SERVER['DOCUMENT_ROOT'] . UPLOAD_PATH . '/' . $file_name" directory. At this point, if the move process is successful, the application will mark the upload as completed ($is_upload = true); if the move process fails, the application will output an error message ($msg = 'Upload error!';).
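Passes 03 through 10 all fail on the deny list plus a normalisation chain whose order can be wrong. An allowlist, added here as an example (not upload-labs code), needs no such chain: every name from those passes is rejected because its extracted extension is not exactly jpg, png or gif. The sample names are constructed from the page's bypass payloads plus two legitimate ones.

```php
<?php
// Added example, not upload-labs code: an allowlist replaces the deny list.
// Every trick the lab's normalisation chain missed (case, trailing space or
// dot, ::$DATA, ". .", a doubled "pphphp", php1/phtml/pht/phps, .htaccess)
// fails the same way: the extracted extension is not exactly jpg, png or gif.
// Nothing is stripped or repaired, so there is no order to get wrong.

const ALLOWED_EXT = ['jpg', 'png', 'gif'];

/**
 * Returns the allowed extension (lowercased) or null if the name is rejected.
 */
function allowedExtension(string $clientName): ?string
{
    // A NUL byte would let a later filesystem call see a shorter name
    if (strpos($clientName, "\0") !== false) {
        return null;
    }
    // Only the last path component matters; handle both separators
    $base = basename(str_replace('\\', '/', $clientName));
    $dot = strrpos($base, '.');
    // No dot, or the dot at position 0 (".htaccess"): no usable extension
    if ($dot === false || $dot === 0) {
        return null;
    }
    $ext = strtolower(substr($base, $dot + 1));
    // Exact match only: "php ", "php.", "php::$data", "" (from ". .") all fail;
    // a legitimate "photo.jpg " is rejected too, which is the safe side
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// Constructed sample names: the page's bypass payloads plus two legitimate ones
$samples = [
    'shell.php', 'shell.PhP', 'shell.php ', 'shell.php.', 'shell.php::$DATA',
    'shell.php. .', 'shell.pphphp', 'shell.phtml', 'shell.php1', '.htaccess',
    'photo.JPG', 'cat.png',
];
foreach ($samples as $name) {
    $ext = allowedExtension($name);
    printf("%-22s -> %s\n", json_encode($name), $ext ?? 'rejected');
}
```

Only the returned extension survives into the stored filename; the rest of the client's name is never reused.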
## Pass-11: GET 00 Truncation
What is 00 truncation?
Whether it is written 0x00 or %00, what is ultimately parsed is the same thing: chr(0).
chr() is a function that returns the character corresponding to its parameter: the parameter is an ASCII code, and the return value is a one-character string.
chr(0) corresponds to NULL (the null character).
When a string contains a null character, the characters after it are discarded during parsing.
Using 00 truncation requires:
- The file name used directly in the path concatenation is $file_name
- The file path is controllable
According to the prompt, the upload path is controllable, so find the file upload path.
```php
<?php
include '../config.php';
include '../head.php';
include '../menu.php';
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg', 'png', 'gif');
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // The directory part of the destination comes straight from the query string
        $img_path = $_GET['save_path'] . "/" . rand(10, 99) . date("YmdHis") . "." . $file_ext;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = 'Upload error!';
        }
    } else {
        $msg = "Only .jpg|.png|.gif file types are allowed for upload!";
    }
}
?>
```
GPT Analysis:
This PHP code contains a simple file upload function:
- First, it includes other files like config.php, head.php, and menu.php.
- Then, it checks if there is any POST data submitted; if so, it continues; otherwise, it does nothing.
- Here, it defines an array of allowed file types, $ext_arr, which includes three file types: jpg, png, and gif. This will be used later.
- The program retrieves the uploaded file name through the $_FILES array and stores its extension in the variable $file_ext.
- If $file_ext is in the $ext_arr array, the uploaded file type is acceptable, and the upload operation can proceed.
- The temporary file is stored in the $temp_file variable, and a new file name is generated using the rand() function and the current date and time, along with the original file extension, stored in the $img_path variable.
- The move_uploaded_file() function is used to perform the file upload operation; if successful, the $is_upload variable is set to true; otherwise, the $msg variable is set to "Upload error!".
- If the file type does not meet the requirements, the $msg variable is set to "Only .jpg|.png|.gif file types are allowed for upload!".
## Pass-12: POST 00 Truncation
Also 00 truncation, but via POST.
Capture the request with Burp, change the hex value of %00 to 00 in the hex editor, then upload.
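In Passes 11 and 12 the whole directory part of the destination comes from the request, so a null byte or a "../" in it decides where the file lands. The function below is an added example (not upload-labs code) of the opposite design: a fixed server-side base directory, a client-chosen subfolder accepted only as a strict token, and a containment check on the resolved path. It assumes an existing writable `UPLOAD_BASE` directory; the sample inputs are constructed.

```php
<?php
// Added example, not upload-labs code. If the client may choose a subfolder
// at all, accept only a strict token, resolve it under a fixed server-side
// base, and confirm the result stayed inside that base. The base directory
// should also be served with script execution disabled (for Apache: no PHP
// handler and AllowOverride None), so an uploaded .htaccess as in Pass-04
// changes nothing.
// Assumes UPLOAD_BASE exists and is writable.

const UPLOAD_BASE = __DIR__ . '/upload';

/**
 * Returns the absolute directory the upload may be written to, or null.
 * $folder is the optional client-chosen subfolder (e.g. an album name).
 */
function resolveUploadDir(string $folder): ?string
{
    $base = realpath(UPLOAD_BASE);
    if ($base === false) {
        return null;
    }
    if ($folder === '') {
        return $base;
    }
    // Strict token: rules out "\0" (what %00 in a query string decodes to),
    // "/", "\\", "..", spaces and anything else with path meaning
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $folder)) {
        return null;
    }
    $dir = $base . DIRECTORY_SEPARATOR . $folder;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    // Belt and braces: the resolved path must still be inside the base
    $real = realpath($dir);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: what the lab's save_path parameter received, and a sane value
foreach (["../upload/shell.php\0", "../../var/www", 'holiday_2023', ''] as $folder) {
    printf("%-28s -> %s\n", json_encode($folder), resolveUploadDir($folder) ?? 'rejected');
}
```

The file name itself is then generated on the server (as in the earlier examples), so no request field ever reaches move_uploaded_file() unchecked.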