Learning note 40: dual file upload and competitive upload

Time: 2022-1-3

Dual file upload:

Application scenario:

Nanfang / Liangjing CMS

The regular expression used for checking matches only the first filename by default.

Exploitation principle:

By default the server takes the second file as the real uploaded file, but during checking only the first file is inspected, or only the extension of the first filename is verified.

Exploitation method:

Add a second upload field directly in the browser's element inspector (that is, copy the line of the upload input element and paste it below the original). Then, when uploading, the first file is a normal file and the second file can be the malicious file.

Alternatively, after Burp captures the request, add the second file to the request body (once the capture succeeds, copy the whole file part, or just its part headers, and paste it after the original file part).
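The weakness described above is that the check looks at one file part while the save logic uses another. The following added example (not code from the original note or from the CMS products it names) parses a constructed multipart/form-data body and contrasts a check that validates only the first file part with a hardened check that validates every file part and rejects a single-file field that carries more than one file. The boundary string, field names and file contents are all constructed for the demonstration.

```python
import re

# Allowlist of extensions the upload endpoint is willing to store.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a multipart/form-data body into parts.

    Returns one dict per part with keys: name, filename (None for plain
    fields) and content. Minimal parser for the demonstration, not a full
    RFC 7578 implementation (assumption: CRLF line endings, no nesting).
    """
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter):
        # Each part is wrapped in CRLF after the delimiter and before the next.
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        if chunk in (b"", b"--"):  # preamble or the closing "--" marker
            continue
        header_blob, _, content = chunk.partition(b"\r\n\r\n")
        headers = header_blob.decode("latin-1")
        name_m = re.search(r'name="([^"]*)"', headers)
        fname_m = re.search(r'filename="([^"]*)"', headers)
        parts.append({
            "name": name_m.group(1) if name_m else "",
            "filename": fname_m.group(1) if fname_m else None,
            "content": content,
        })
    return parts


def has_allowed_extension(filename: str) -> bool:
    """True when the last dot-separated component is on the allowlist."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def file_parts(parts: list[dict]) -> list[dict]:
    return [p for p in parts if p["filename"] is not None]


def check_first_file_only(parts: list[dict]) -> bool:
    """Flawed check: mirrors code that validates only the first file part,
    while the save logic later picks up the last one."""
    files = file_parts(parts)
    return bool(files) and has_allowed_extension(files[0]["filename"])


def check_every_file(parts: list[dict], max_files: int = 1) -> bool:
    """Hardened check: every file part must pass the allowlist, and a field
    expected to carry one file must carry exactly that many."""
    files = file_parts(parts)
    if not files or len(files) > max_files:
        return False
    return all(has_allowed_extension(p["filename"]) for p in files)


# Constructed request body: a benign image followed by a second file part
# with a disallowed extension, as a double-upload request would carry.
BOUNDARY = "----demoboundary"
DOUBLE_UPLOAD_BODY = (
    b"------demoboundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0fake-jpeg-bytes\r\n"
    b"------demoboundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<?php echo 'placeholder'; ?>\r\n"
    b"------demoboundary--\r\n"
)

if __name__ == "__main__":
    parsed = parse_multipart(DOUBLE_UPLOAD_BODY, BOUNDARY)
    print("first-only check accepts:", check_first_file_only(parsed))
    print("every-file check accepts:", check_every_file(parsed))
```

The hardened check also closes the variant where the server-side framework exposes only the last file for a repeated field name: by refusing more than `max_files` file parts outright, the handler never has to reason about which part the framework will pick.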

Competitive upload (race condition upload):

Application scenario:

The uploaded webshell can be accessed for a short time, but afterwards it can no longer be accessed.

Exploitation principle:

The code logic is: first save the uploaded file to the server, then check the suffix; if it does not meet the requirements, delete the file with unlink. Therefore the webshell can be accessed before the unlink by means of a race condition.

Exploitation method:

Use Burp Suite to upload continuously and a Python script to request the uploaded file continuously. (Upload the shell0.php file, send the captured request to Intruder, mark the parameter position, set the payload, start the test.py script, and finally start the attack.)
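The root cause above is a write-then-check ordering: the file sits inside the served directory during the window between the write and the unlink. The following added example (not code from the original note) puts that vulnerable ordering beside a hardened handler that validates before any write and stages the file in a non-served directory under a random name. The `between_write_and_check` callback is a stand-in for a concurrent request arriving in the race window; the directory names, filenames and contents are constructed for the demonstration.

```python
import os
import secrets
import tempfile
from typing import Callable, Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def extension_ok(filename: str) -> bool:
    return "." in filename and filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def save_vulnerable(webroot: str, filename: str, data: bytes,
                    between_write_and_check: Optional[Callable[[str], None]] = None) -> bool:
    """Vulnerable ordering: write into the served directory, then validate,
    then unlink on failure. Anything that reaches the server while the file
    is on disk can fetch it."""
    path = os.path.join(webroot, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    if between_write_and_check is not None:
        between_write_and_check(path)  # simulated concurrent request
    if not extension_ok(filename):
        os.unlink(path)
        return False
    return True


def save_hardened(webroot: str, quarantine: str, filename: str, data: bytes) -> Optional[str]:
    """Hardened ordering: validate first; only then write, and only into a
    directory the web server never serves. The accepted file is moved into
    the served directory under a server-chosen random name (assumption:
    quarantine and webroot are on the same filesystem so os.replace is atomic).
    Returns the final path, or None when the upload is rejected."""
    if not extension_ok(filename):
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    staged = os.path.join(quarantine, secrets.token_hex(16))
    with open(staged, "wb") as fh:
        fh.write(data)
    final = os.path.join(webroot, f"{secrets.token_hex(16)}.{ext}")
    os.replace(staged, final)
    return final


def demo() -> dict:
    """Run both handlers against a rejected and an accepted upload and report
    what a concurrent request could have observed."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as quarantine:
        seen_in_window = []

        def concurrent_request(path: str) -> None:
            seen_in_window.append(os.path.exists(path))

        vuln = save_vulnerable(webroot, "shell0.php", b"<?php echo 'placeholder'; ?>",
                               concurrent_request)
        hard_rejected = save_hardened(webroot, quarantine, "shell0.php", b"placeholder")
        hard_accepted = save_hardened(webroot, quarantine, "pic.png", b"\x89PNG\r\n\x1a\n")
        return {
            "vuln_rejected": vuln is False,
            "vuln_reachable_in_window": seen_in_window == [True],
            "vuln_left_behind": os.path.exists(os.path.join(webroot, "shell0.php")),
            "hardened_rejected": hard_rejected is None,
            "hardened_accepted": hard_accepted is not None and os.path.exists(hard_accepted),
            "webroot_file_count": len(os.listdir(webroot)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler does end up rejecting the file, which is why the symptom in the note is "accessible briefly, then gone": the defect is not the check itself but the window before it. The hardened handler has no such window because a rejected upload never touches the served directory at all, and an accepted one is only ever visible under a name the client did not choose.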
