这是一个创建于 864 天前的主题,其中的信息可能已经有所发展或是发生改变。
rt ,Windows 环境下如何输入这个空字符到文件名里
第 1 条附言 · 2021-12-16 03:17:09 +08:00
U+0000-U+001F 都可以
第 2 条附言 · 2021-12-16 22:11:16 +08:00
测试漏洞需要,CVE-2020-35489 这个里面的,他那个 U+0000 的字符是怎么输入到文件名里的
原文如下:
# Exploit Title: Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
# Date: 12/20/2020
# Exploit Author: Ramón Vila Ferreres (@ramonvfer)
# Vendor Homepage: https://contactform7.com
# Software Link: https://wordpress.org/plugins/contact-form-7/
# Version: 5.3.1 and below
# Tested on: Windows 10 1909, Ubuntu 20.4
Explanation
---------------------------------------------------------------------
ContactForm7 version 5.3.1 and below doesn't properly sanitize
uploaded filenames to prevent Arbitrary File Upload that can lead
to full server takeover in the worst-case scenario.
This happens in the wpcf7_antiscript_file_name function, that fails
to sanitize the provided filename if it ends with any Unicode special
character ranging from U+0000 (null) to U+001F (us).
The function matches both the file name and the file extension against
an exclusion regex. Appending any unicode special character to the
file extension results in a complete bypass of this verification (as
the regex doesn't match) leading to the Unrestricted File Upload.
Exploit
---------------------------------------------------------------------
1. Change the file extension of the file you want to upload (e.g:
"shell.php") to its equivalent with the special character ending (in
this case "shell.php" (appended U+0000))
2. Upload the file using ContactForm7 file upload feature in the
target website.
3. Go to <target.com>/wp-content/uploads/wpcf7_uploads/shell.php
Note the special character at the end
Note that the file upload location may vary as it is configurable.
4. Now you have uploaded your file!
原文如下:
# Exploit Title: Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
# Date: 12/20/2020
# Exploit Author: Ramón Vila Ferreres (@ramonvfer)
# Vendor Homepage: https://contactform7.com
# Software Link: https://wordpress.org/plugins/contact-form-7/
# Version: 5.3.1 and below
# Tested on: Windows 10 1909, Ubuntu 20.4
Explanation
---------------------------------------------------------------------
ContactForm7 version 5.3.1 and below doesn't properly sanitize
uploaded filenames to prevent Arbitrary File Upload that can lead
to full server takeover in the worst-case scenario.
This happens in the wpcf7_antiscript_file_name function, that fails
to sanitize the provided filename if it ends with any Unicode special
character ranging from U+0000 (null) to U+001F (us).
The function matches both the file name and the file extension against
an exclusion regex. Appending any unicode special character to the
file extension results in a complete bypass of this verification (as
the regex doesn't match) leading to the Unrestricted File Upload.
Exploit
---------------------------------------------------------------------
1. Change the file extension of the file you want to upload (e.g:
"shell.php") to its equivalent with the special character ending (in
this case "shell.php" (appended U+0000))
2. Upload the file using ContactForm7 file upload feature in the
target website.
3. Go to <target.com>/wp-content/uploads/wpcf7_uploads/shell.php
Note the special character at the end
Note that the file upload location may vary as it is configurable.
4. Now you have uploaded your file!
 |
1
ysc3839 2021-12-16 02:50:57 +08:00
绝大多数文件系统应该都不支持在文件名中包含 NULL 字符。
|
 |
2
iBugOne 2021-12-16 03:55:55 +08:00 via Android  1
@ysc3839 说得对。Linux 的典型文件系统( ext, xfs 等)在允许用作文件名的字符这里已经做到极限了,除了零字符( C 语言风格字符串)、正斜杠(用作目录分隔符)之外的字符全都可以出现在文件名里。仅剩的例外是文件名不能是刚好 1 个或 2 个点(当前目录和上级目录)。
|
 |
3
crab 2021-12-16 04:08:15 +08:00
0000 遇到直接截断了,剩下范围 31 个非打印字符不行的。
|
|
4
ysc3839 2021-12-16 17:47:17 +08:00
不包括 NULL 的话很简单
echo -ne '\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F' | xargs -0 touch |
Select Language