The silent page awaits the waking dawn.
:$DATA), and content checks (bypassed by encrypting code). It also details parsing vulnerabilities in Apache, IIS (including directory parsing and WebDAV), and Nginx (with PHP fastcgi). For cases where the file save path is unknown, the text suggests brute-forcing directories, exploiting information leaks, or using error messages. Security recommendations include making upload directories non-executable, using whitelist-based file type validation, randomizing filenames, and using a separate domain for file storage.
1. Principles:
When an application fails to rigorously validate the type, content, or size of user-uploaded files — or when its validation logic contains flaws — an attacker can disguise a malicious script (e.g., a PHP or JSP web shell) and upload it to the server. By directly accessing the uploaded file via URL or exploiting a file inclusion vulnerability, the attacker can execute the script and take control of the server.
Direct Impact:
Indirect Impact:
2. Common Upload Entry Points
3. Common Detection Methods and Bypass Techniques
3.1 Client-Side JavaScript Detection
Typically checks the file extension.
Behavior: Only validates the extension or file size in the browser, displaying a pop-up alert.
Bypass: Upload an allowed file type, then intercept and modify the file extension using a packet capture tool.
Example: disable JavaScript, intercept and tamper with the request using Burp Suite, and send a .php file directly.
3.2 Server-Side MIME Type Detection
3.2.1 MIME (Multipurpose Internet Mail Extensions)
MIME types define how files with a given extension should be opened by an application. When a file with that extension is accessed, the browser automatically designates which application to use. MIME types are commonly used to specify custom client-side file names and the opening methods for media files.
For instance, a browser's MIME Sniff feature determines a file's type by reading its first 256 bytes.
Each MIME type consists of two parts: the first part indicates the broad data category (e.g., audio, image), while the second specifies the concrete type.
3.2.2 Common MIME Types
Name
File Extension
Type
HTML Text
.html
text/html
XML Document
.xml
text/xml
XHTML Document
.xhtml
application/xhtml+xml
Plain Text
.txt
text/plain
PDF Document
.pdf
application/pdf
Microsoft Word Document
.word
application/msword
PNG Image
.png
image/png
GIF Image
.gif
image/gif
JPEG Image
.jpeg .jpg
image/jpeg
MPEG File
.mpg .mpeg
video/mpeg
Arbitrary Binary Data
application/octet-stream
Behavior: Only the Content-Type header is checked. If you manually change it to image/jpeg, the file body can still contain PHP code.
Bypass Techniques:
3.3 Server-Side File Extension Detection
Blacklist: Bypass by varying filename case or using an extension not present in the blacklist, such as .cer.
Whitelist: Exploit parsing vulnerabilities or use excessively long filenames to evade detection.
0x00 (Null Byte) Truncation:
.htaccess file: Modifying this configuration file can force files in a specific directory to be parsed with a designated handler.
Rename the file to test.asp. or test.asp_ (the underscore here denotes a trailing space).
:$DATA Bypass
3.4 Server-Side File Content Detection
Checks whether the file content is legitimate or contains malicious code.
Encrypt the malicious code before uploading to bypass content inspection.
3.5 Web Application Parsing Vulnerabilities
3.5.1 Apache Parsing Vulnerability
Cause: Apache 1.x and 2.x have a file parsing issue: Apache parses filenames from right to left, continuing until it encounters a file type it recognizes.
Example: test.php.rar.rar
3.5.2 IIS Parsing Vulnerability (Internet Information Services)
Parsing Issues:
Configuration Issues:
3.5.3 Nginx Parsing Vulnerability
Cause:
4. Exploitation Strategies When the Upload Path Is Not Disclosed
5. Security Hardening