Analysis of upload vulnerabilities

ID MYHACK58:62200819327
Type myhack58
Reporter Anonymous
Modified 2008-06-11T00:00:00


Having briefly covered how to find and fix injection vulnerabilities, this article goes on to introduce another kind of flaw: the upload vulnerability, which is more lethal than injection. What injection yields is usually sensitive information from the database, such as the administrator name and password (note: injection here refers to an MDB database). An upload vulnerability is different: it lets a Trojan in ASP, JSP, CGI, PHP or a similar format be uploaded into a directory of the website. The lowest level of access this gives is a WEBSHELL, and if the administrator's security awareness is not strong, the attacker can even play the part of one of the administrators. OK! Then LET'S GO!

To find an upload vulnerability we again start from the source files. There are two targets: one is FilePath (the file path), the other is FileName (the file name).

First, the FilePath

Some readers may find FilePath unfamiliar, but mention the Moving Network 6.0 upload vulnerability and it is no stranger. That upload vulnerability was caused by lax filtering of FilePath. Although Moving Network no longer has this vulnerability, many programs still use this upload source code. For example, I have this "MARRIOTT download program" to hand, and Upfile.asp (the upload page) in its ADS (advertisement) section has the lax FilePath filtering vulnerability. Let's analyze part of its source:

    <%
    dim upload,file,formName,formPath,iCount,filename,fileExt   '//define the upload variables
    set upload=new upload_5xSoft   '//create the upload object
    formPath=upload.form("filepath")   '//step one: get the file path; this is the key
    if right(formPath,1)<>"/" then formPath=formPath&"/"
    for each formName in upload.file   '//use For to read the uploaded files
      set file=upload.file(formName)   '//create a file object
      '//........................ part of the code omitted
      fileExt=lcase(right(file.filename,4))   '//take the last 4 characters of the file name and convert them to lowercase
      if fileEXT<>".gif" and fileEXT<>".jpg" and fileEXT<>".zip" and fileEXT<>".rar" and fileEXT<>".swf" then   '//check the file extension
        response.write "<font size=2>File format is not valid [ <a href=# onclick=history.go(-1)>re-upload</a> ]</font>"
        response.end
      end if
      randomize
      ranNum=int(90000*rnd)+10000
      filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&fileExt   '//step two: filename is the submitted file path + a name made of the date and a random number + the checked extension
      if file.FileSize>0 then
        file.SaveAs Server.mappath(FileName)   '//save the file
      end if
      set file=nothing
    next
    %>

In this source, the two key statements are:

1. formPath=upload.form("filepath")
2. filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&fileExt

An aside on variables and constants: a variable is a value that may change at any time while the program runs; a constant is the opposite, a value that stays the same for the whole run of the program.

Let's look at how the vulnerability arises. The first statement takes the file save path from the submitted filepath variable. The second joins the path variable formPath, a randomly generated number and the checked extension into a new variable, Filename, which is the path and name under which the uploaded file is saved. That is rather abstract, so here is an example. Suppose the file "111.jpg" is selected for upload. A FilePath variable is submitted along with the file; assume its value is "image". When these values are passed to upfile.asp, filename becomes "image/200512190321944973.jpg", and after a successful upload 111.jpg is saved in the image folder with its name changed to "200512190321944973.jpg". The process looks invulnerable, but someone skilled still worked out a way through. The method is very simple, and the breakthrough point is the variable itself. If the FilePath value is changed to "image/aa.asp□", where the trailing "□" stands for binary 00 (the null character), then after the variable is submitted to upfile.asp the Filename value becomes "image/aa.asp□/200512190321944974.jpg". When the server reads this variable, the "□" is binary 00, so it considers the string to have ended there and ignores the characters after the "□". As a result Filename becomes "image/aa.asp", and when the program saves it with file.SaveAs, the file is saved as aa.asp. The vulnerability has appeared.
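The path construction described above, modelled next to a hardened form. This is an added example, not code from the original page or from the program it analyzes; the function names, the ALLOWED_DIRS set and the NUL-truncation helper are assumptions made for illustration.

```python
import os

# Extension list taken from the excerpt above.
ALLOWED_EXT = {".gif", ".jpg", ".zip", ".rar", ".swf"}
# Assumption: the only directories the server is willing to save into.
ALLOWED_DIRS = {"image"}


def nul_truncate(path):
    """Model a file API that reads the name as a C string and stops at the first NUL."""
    return path.split("\x00", 1)[0]


def target_vulnerable(form_path, upload_name, stamp):
    """Port of the excerpt's logic: the directory is taken from the request as-is."""
    if not form_path.endswith("/"):
        form_path += "/"
    ext = upload_name[-4:].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("file format is not valid")
    # Only the extension was checked; the path part goes to the file API unchecked.
    return nul_truncate(form_path + stamp + ext)


def target_hardened(form_path, upload_name, stamp):
    """The request may only pick a directory from a fixed server-side set."""
    directory = form_path.rstrip("/")
    if directory not in ALLOWED_DIRS:
        raise ValueError("client-supplied path rejected")
    if "\x00" in upload_name:
        raise ValueError("NUL byte in file name")
    ext = os.path.splitext(upload_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("file format is not valid")
    return directory + "/" + stamp + ext


if __name__ == "__main__":
    # Constructed sample values, following the article's own example.
    crafted = "image/aa.asp\x00"
    print(target_vulnerable("image", "111.jpg", "200512190321944973"))
    print(target_vulnerable(crafted, "111.jpg", "200512190321944974"))
    try:
        target_hardened(crafted, "111.jpg", "200512190321944974")
    except ValueError as err:
        print("hardened:", err)
```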

To exploit this vulnerability, you can use the Guilin veterans upload tool. You can also capture the packet with WinSock, save the submitted data in Notepad and add or modify the relevant content, use WinHex to modify the binary value of the space, and finally submit it with NC. For how to use these two methods, see the related articles.

Second, the FileName

Having covered the vulnerability caused by lax filtering of FilePath (the upload path), let's look at the vulnerability caused by lax filtering of FileName (the uploaded file name). Lax file name filtering takes many forms; two of them are presented here:

1. Dynamic Easy

The upload vulnerability involved in the 2005.10 issue article "Reproducing a vulnerability of the past: the oversight in the Qin Bamboo music program" is the Dynamic Easy upload vulnerability. Taking it as the example, look at part of the source of the upload file Upfile_Article.asp:

    <%
    Const UpFileType="rar|gif|jpg|bmp|swf|mid|mp3"   '//file types allowed for upload
    Const SaveUpFilesPath="../../brought you"   '//directory for uploaded files; note: the two constants above are defined in config.asp
    dim upload,oFile,formName,SavePath,filename,fileExt   '//variable definitions
    '//........................
    FoundErr=false   '//whether the upload is permitted; initialized to false, meaning the upload is permitted
    EnableUpload=false   '//whether the file extension is legitimate; initialized to false, meaning it is not legitimate
    SavePath = SaveUpFilesPath   '//directory for uploaded files
    '//........................
    sub upload_0()   '//upload using the no-component upload class
      set upload=new upfile_class   '//create the upload object
      '//........................
      for each formName in upload.file   '//use a For loop to read the uploaded files
        set ofile=upload.file(formName)   '//create a file object
        '//........................
        fileExt=lcase(ofile.FileExt)   '//convert the extension to lowercase
        arrUpFileType=split(UpFileType,"|")   '//read the defined list of allowed extensions
        for i=0 to ubound(arrUpFileType)   '//check one: loop over the arrUpFileType array
          if fileEXT=trim(arrUpFileType(i)) then   '//if fileEXT is an allowed extension
            EnableUpload=true   '//EnableUpload is true: the file is legitimate
            exit for
          end if
        next
        if fileEXT="asp" or fileEXT="asa" or fileEXT="aspx" then   '//check two: is fileEXT asp, asa or aspx?
          EnableUpload=false   '//if it is one of these three, EnableUpload is false: the extension is not legitimate
        end if
        if EnableUpload=false then   '//check three: if EnableUpload arrives here as false, the extension is not legitimate
          msg="this file type not allowed to upload!\n\n only allow the upload of several file types:" & UpFileType
          FoundErr=true   '//note: because the file type is not legitimate, FoundErr changes from its initial false to true
        end if
        strJS="<SCRIPT language=javascript>" & vbcrlf
        if FoundErr<>true then   '//check four, the upload check: the upload happens only if FoundErr is not true
          randomize
          ranNum=int(900*rnd)+100
          filename=SavePath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt   '//filename is the fixed path + a name made of the date and a random value + the fileExt that was passed down
          ofile.SaveToFile Server.mappath(FileName)   '//save the file
          msg="file upload success!"
          '//........................
      next
      set upload=nothing
    end sub
    %>

This source uses two FOR loops and two logic variables. The first FOR loop, "for each formName in upload.file", gets all the uploaded file names; the second FOR loop, "for i=0 to ubound(arrUpFileType)", checks the file extension. The two logic variables are EnableUpload and FoundErr. EnableUpload indicates whether the file extension is legitimate, with True meaning legitimate; FoundErr indicates whether the file may be uploaded, with False meaning it may. Strange that it is False that permits! If we upload one file, this code is invulnerable, but what if we upload two? The no-component upload class can upload multiple files, OK! Take a look at the multi-file upload process.

First, construct a local HTM file with two upload boxes. The HTM code is as follows:

    <form action="<>" method="post" name="form1">
    <input name="FileName1" type="FILE" class="tx1" size="40">
    <input name="FileName" type="FILE" class="tx1" size="40">
    <input type="submit" name="Submit" value="upload">
    </form>

Run this HTM. In the first box select a jpg picture named "111.jpg", in the second box select a cer file named "222.cer", and click "Upload" to submit the two files to the program. Next, follow the upload of the two files through Upfile_AdPic.asp, paying attention to the logic variables.

1. Before entering the first FOR loop to read the file names, the program sets FoundErr to false and EnableUpload to false. It then reads the file names and first verifies the first file, 111.jpg. At check one, jpg is an allowed upload type, so EnableUpload=true.
2. At check two, the program verifies whether the extension is one of the three forbidden types. It is not, so EnableUpload is still true.
3. At check three, if EnableUpload=false then FoundErr=true. Since the value passed down is EnableUpload=true, FoundErr keeps the false it had before entering the first FOR loop.
4. Finally, check four: if FoundErr<>true the upload goes ahead. The FoundErr passed down from check three is false, so the file is uploaded. Note that after 111.jpg is uploaded, EnableUpload remains true and FoundErr remains false.
5. The program then reads the second file, 222.cer. Check one verifies whether it is an allowed upload type. If cer were in that range, EnableUpload would be set to true; cer is not, so the variable keeps its previous value. What is that value? Look at the variables after 111.jpg was uploaded: "EnableUpload remains true". So for the cer file, EnableUpload is true.
6. At check two, cer is not in the restricted range either, so the IF statement is skipped and EnableUpload is still true.
7. At check three, because EnableUpload=true, the check is skipped and we go straight to check four. FoundErr was never assigned during the verification of the cer file, so what is its value? It is still the false left after 111.jpg was uploaded. Check four only requires that FoundErr not be true, so the cer file also passes all the checkpoints and lands on the server.

Besides the cer format, files in the "asp□" format ("□" here represents a space, likewise below) and the "asp." format can also be uploaded. The method is very simple: in the upload box, append a space or a dot to the asp file name, giving the asp□ or asp. format. The bypass works the same way as for cer, but a file uploaded to the server with the asp□ or asp. extension has the trailing space or dot removed under Windows file naming rules, so it is saved in asp format.
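The seven steps above, reduced to the state that carries over between files, with a corrected loop beside it. This is an added example, not code from the original page or from the program it analyzes; the function names are assumptions, and the file names are constructed samples following the article.

```python
ALLOWED = "rar|gif|jpg|bmp|swf|mid|mp3".split("|")   # UpFileType from the excerpt
BLOCKED = {"asp", "asa", "aspx"}                     # the three types of check two


def ext_of(name):
    """Text after the last dot, lower-cased ('' when the name has no dot)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def accept_batch_flawed(names):
    """Port of the excerpt: both flags are set once, before the loop over files."""
    found_err = False
    enable_upload = False
    saved = []
    for name in names:
        ext = ext_of(name)
        if ext in ALLOWED:        # check one
            enable_upload = True
        if ext in BLOCKED:        # check two
            enable_upload = False
        if not enable_upload:     # check three
            found_err = True
        if not found_err:         # check four
            saved.append(name)
    return saved


def accept_batch_fixed(names):
    """Each file gets its own verdict; nothing survives from the previous file."""
    saved = []
    for name in names:
        # Windows drops trailing spaces and dots when saving, so the check
        # is made on the name that would actually be stored.
        ext = ext_of(name.rstrip(" ."))
        if ext in ALLOWED and ext not in BLOCKED:
            saved.append(name)
    return saved


if __name__ == "__main__":
    batch = ["111.jpg", "222.cer"]
    print("flawed:", accept_batch_flawed(batch))
    print("fixed: ", accept_batch_fixed(batch))
```

The flawed loop is order-dependent: the same two files submitted with the cer first are both refused, because FoundErr then stays true for the rest of the batch.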

2. Dynamic Business 2005

Having covered the Dynamic Easy upload vulnerability, let's introduce the Dynamic Business 2005 upload vulnerability. What a coincidence today: Moving Network, Dynamic Easy, Dynamic Business, all of them "dynamic", ha ha! Dynamic Easy's vulnerability comes from uploading multiple files, whereas the Dynamic Business upload vulnerability appears because the file name filtering is not strict. The following is part of the source of upfile.asp from Dynamic Business 2005:

    <%
    Private Sub SaveFile_0()   '//no-component upload
      '//........................
      Set File = UploadObj.File(FormName)   '//get the uploaded file
      FileExt = FixName(File.FileExt)   '//step one: filter the uploaded file's extension with the FixName function
      If CheckFileExt(FileExt) = False then   '//step two: check the filtered extension with CheckFileExt
        ErrCodes = 5
        EXIT SUB   '//abort the upload
      End If
      FileName = FormatName(FileExt)   '//conditions met: the FormatName function generates the file name from the date
      '//........................
      If File.FileSize>0 Then
        File.SaveToFile Server.Mappath(FilePath & FileName)   '//save the file; path and name are FilePath+FileName
        '//........................
    End Sub
    %>

Now look at some of the pieces the upload relies on.

A. The FixName() function:

    Private Function FixName(Byval UpFileExt)   '//the step-one filter function: filters special extensions
      If IsEmpty(UpFileExt) Then Exit Function   '//exit if the extension is empty
      FixName = Lcase(UpFileExt)   '//convert the extension to lowercase
      FixName = Replace(FixName,Chr(0),"")   '//filter the binary 00 null character to empty
      FixName = Replace(FixName,".","")   '//filter the dot to empty; the lines below filter other strings the same way
      FixName = Replace(FixName,"'","")
      FixName = Replace(FixName,"asp","")
      FixName = Replace(FixName,"asa","")
      FixName = Replace(FixName,"aspx","")
      FixName = Replace(FixName,"cer","")
      FixName = Replace(FixName,"cdx","")
      FixName = Replace(FixName,"htr","")
      FixName = Replace(FixName,"shtml","")
    End Function

From this we can see that all the types mapped to asp.dll are filtered out. In addition, the dot and the single quote are filtered, and even Chr(0). Chr(0)? It is hexadecimal 0x00, which in binary is 00000000, that is, the null character mentioned earlier in the FilePath upload vulnerability.

B. The CheckFileExt() function:

    Private Function CheckFileExt(FileExt)   '//the step-two decision function: decides whether the file type is acceptable
      Dim Forumupload,i
      CheckFileExt=False   '//the initial value of CheckFileExt is false
      If FileExt="" or IsEmpty(FileExt) Then   '//check one: exit if empty
        CheckFileExt = False
        Exit Function
      End If
      If FileExt="asp" or FileExt="asa" or FileExt="aspx" or FileExt="shtml" Then   '//check two: also exit if it is one of these four types
        CheckFileExt = False
        Exit Function
      End If
      Forumupload = Split(InceptFile,",")   '//check three: extract the backend upload extensions from InceptFile
      For i = 0 To ubound(Forumupload)   '//test with a For loop
        If FileExt = Trim(Forumupload(i)) Then   '//if it matches any one of the backend upload extensions, CheckFileExt = True
          CheckFileExt = True
          Exit Function
        Else
          CheckFileExt = False
        End If
      Next
    End Function

This function judges the extension again after FixName() has filtered it. There are three checks. The first tests whether the extension passed in is empty, and exits the upload if it is. The second tests whether the extension is one of asp, asa and the other restricted types, four in all, and also exits the upload if it is. The third compares the extension with the custom upload extensions set in the backend, and allows the upload if one matches.

C. The FilePath value. The FilePath used here is set in upload.asp, as follows:

    if info_name="bbs" then
      FilePath = "/bbs/upload/"
    else
      FilePath = "/uploadpic/"
    end if

FilePath is a constant, so looking for a vulnerability along this road is not feasible.

OK! Now follow a file through the validation process. Suppose a file named "111.cer" is uploaded. "FileExt = FixName(File.FileExt)" filters the extension, and because cer is in the FixName() function's filter range, the extension cer becomes empty. When the empty extension is passed to CheckFileExt(), it reaches the "If FileExt="" or IsEmpty(FileExt)" statement, which exits because FileExt is empty; the format is reported as incorrect and the upload is refused. How to break through?

The breakthrough point is in the FixName() function. As we saw above, an uploaded cer is filtered to empty. But suppose we change the uploaded file's extension to ccerer and, in the backend, add "ccerer" and "cer" to the custom upload types. After the first step, FixName(), ccerer becomes cer (the cer characters in the middle are filtered to empty). This value is passed to the CheckFileExt() function, where it passes the first, non-empty check, then the second, restricted-types check, and finally the comparison with the backend upload types. Because we added the two types "ccerer" and "cer" beforehand, it also passes CheckFileExt()'s third check, CheckFileExt = True, and the file with the extension ccerer is uploaded to the server, with the extension cer after the upload.

Some readers may ask: if we upload a file with the extension aaspsp□ or aaspsp., won't the FixName() filter turn it into asp□ or asp.? Neither format is in the restricted range, so as long as those types are added in the backend, can't the uploaded file be saved in asp format? I had this idea too, but after careful research and analysis found it a dead end. Why? Take the dot first. FixName() contains the statement FixName = Replace(FixName,".",""), which filters the dot to empty, so the dot route is cut off. Now look at the space. FixName() does not filter spaces, but when CheckFileExt() reads the backend upload types there is this statement: "If FileExt = Trim(Forumupload(i)) Then". It contains a Trim(), whose role is to remove the leading and trailing spaces of a string. The asp□ type can be written in the backend, but when it is read it is filtered into asp by Trim(), while aaspsp□, having come through the checkpoints this far, has turned into asp□. asp□<>asp, so the two do not match! Sorry, refused to enter.
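The FixName() and CheckFileExt() behaviour traced above, ported for inspection next to a check that validates the submitted extension without rewriting it. This is an added example, not code from the original page or from the program it analyzes; stored_ext_flawed, stored_ext_strict and the sample backend list are assumptions.

```python
# Strings FixName() deletes, in the order the excerpt applies them.
STRIPPED = [chr(0), ".", "'", "asp", "asa", "aspx", "cer", "cdx", "htr", "shtml"]
# The extensions FixName() targets, treated here as never storable.
SCRIPT_MAPPED = {"asp", "asa", "aspx", "cer", "cdx", "htr", "shtml"}


def fix_name(ext):
    """Port of FixName(): lower-case, then delete each listed string in a single pass."""
    ext = ext.lower()
    for token in STRIPPED:
        ext = ext.replace(token, "")
    return ext


def check_file_ext(ext, configured):
    """Port of CheckFileExt(): empty check, four blocked types, then the backend list."""
    if ext == "" or ext in ("asp", "asa", "aspx", "shtml"):
        return False
    return any(ext == item.strip(" ") for item in configured)


def stored_ext_flawed(raw_ext, configured):
    """Extension the file ends up saved with, or None when the upload is refused."""
    cleaned = fix_name(raw_ext)   # the value is rewritten first ...
    return cleaned if check_file_ext(cleaned, configured) else None   # ... then checked


def stored_ext_strict(raw_ext, configured):
    """Check the submitted value unchanged and store exactly what was checked."""
    ext = raw_ext.lower()
    allowed = {item.strip(" ").lower() for item in configured} - SCRIPT_MAPPED
    if not ext.isalnum() or ext not in allowed:
        return None
    return ext


if __name__ == "__main__":
    backend = ["jpg", "ccerer", "cer"]   # constructed backend list, as in the article
    for sample in ["jpg", "cer", "ccerer", "aaspsp.", "aaspsp "]:
        print(repr(sample), "->", repr(fix_name(sample)),
              "| flawed:", stored_ext_flawed(sample, backend),
              "| strict:", stored_ext_strict(sample, backend))
```

Deleting substrings can create the very string being deleted, so the value that passes the check is not the value that was submitted; the strict form refuses instead of repairing.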