How do you enter the Unicode character U+0000 in a file name?

    czvatqin · 2021-12-16 02:37:20 +08:00 · 1450 views
    This topic was created 1070 days ago; the information in it may have developed or changed since.

    As the title says: on Windows, how do you enter this null character into a file name?

    Appendix 1  ·  2021-12-16 03:17:09 +08:00
    Any of U+0000 through U+001F would do.
    Appendix 2  ·  2021-12-16 22:11:16 +08:00
    I need this for vulnerability testing, CVE-2020-35489; how did the author get that U+0000 character into the file name?
    The original text is as follows:
    # Exploit Title: Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
    # Date: 12/20/2020
    # Exploit Author: Ramón Vila Ferreres (@ramonvfer)
    # Vendor Homepage: https://contactform7.com
    # Software Link: https://wordpress.org/plugins/contact-form-7/
    # Version: 5.3.1 and below
    # Tested on: Windows 10 1909, Ubuntu 20.4

    Explanation
    ---------------------------------------------------------------------
    ContactForm7 version 5.3.1 and below doesn't properly sanitize
    uploaded filenames to prevent Arbitrary File Upload that can lead
    to full server takeover in the worst-case scenario.

    This happens in the wpcf7_antiscript_file_name function, that fails
    to sanitize the provided filename if it ends with any Unicode special
    character ranging from U+0000 (null) to U+001F (us).

    The function matches both the file name and the file extension against
    an exclusion regex. Appending any unicode special character to the
    file extension results in a complete bypass of this verification (as
    the regex doesn't match) leading to the Unrestricted File Upload.

    Exploit
    ---------------------------------------------------------------------
    1. Change the file extension of the file you want to upload (e.g:
    "shell.php") to its equivalent with the special character ending (in
    this case "shell.php" (appended U+0000))

    2. Upload the file using ContactForm7 file upload feature in the
    target website.

    3. Go to <target.com>/wp-content/uploads/wpcf7_uploads/shell.php
    Note the special character at the end
    Note that the file upload location may vary as it is configurable.

    4. Now you have uploaded your file!
    9 replies    2021-12-18 00:25:46 +08:00
    1  ysc3839  2021-12-16 02:50:57 +08:00
    The vast majority of file systems should not support NUL characters in file names at all.
    2  iBugOne  2021-12-16 03:55:55 +08:00 via Android   ❤️ 1
    @ysc3839 is right. The typical Linux file systems (ext, xfs, etc.) already go as far as possible in which characters they allow in file names: everything except the zero byte (C-style strings) and the forward slash (used as the directory separator) can appear in a file name. The only remaining exception is that a file name cannot be exactly one or two dots (the current directory and the parent directory).
    3  crab  2021-12-16 04:08:15 +08:00
    0000 truncates the string as soon as it is encountered, and the remaining 31 non-printable characters in that range won't work either.
    4  ysc3839  2021-12-16 17:47:17 +08:00
    If you leave NULL out, it's easy:
    echo -ne '\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F' | xargs -0 touch
    5  czvatqin (OP)  2021-12-16 22:12:24 +08:00
    @crab See my appendix; how did he actually pull this off...
    6  crab  2021-12-17 00:31:58 +08:00   ❤️ 1
    @czvatqin This works by uploading a file with a name like 1.php[\x00].jpg; when the backend hits the 00 it truncates the trailing .jpg and stores the file under the name 1.php.
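    The two failure modes described in this thread, the advisory's control character appended to the file extension and crab's NUL placed before a decoy extension, side by side with a validator that handles both. This is an added example written for this page, not Contact Form 7's own code: the deny-list, the function names (naive_is_allowed, hardened_is_allowed, stored_name_after_nul_truncation) and the sample file names are all constructed for illustration.

```python
"""Hypothetical upload file-name validator (example code, not the plugin's)."""
import re

# Hypothetical deny-list of executable extensions; the real plugin's list differs.
BLOCKED_EXTENSIONS = frozenset({
    "php", "phtml", "php3", "php4", "php5", "phps", "pl", "py",
    "cgi", "asp", "aspx", "jsp", "sh", "htaccess",
})

# Control characters U+0000..U+001F plus DEL (U+007F)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_is_allowed(filename: str) -> bool:
    """Deny-list check that compares each dot-separated extension literally.

    This models the class of bug in the advisory: the string 'php\\x00' is not
    equal to 'php', so a control character appended to the extension passes.
    """
    for ext in filename.split(".")[1:]:
        if ext.lower() in BLOCKED_EXTENSIONS:
            return False
    return True


def hardened_is_allowed(filename: str) -> bool:
    """Reject control characters outright, then check every extension part.

    Rejecting (rather than silently stripping) matters: a later layer that
    truncates at NUL, as crab describes for '1.php\\x00.jpg', would otherwise
    store a different name from the one that was validated.
    """
    if CONTROL_CHARS.search(filename):
        return False
    # Drop any directory components so only the base name is judged
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Check every part after the first dot, not only the last one, so that
    # double extensions such as 'shell.php.jpg' are caught as well
    for ext in base.split(".")[1:]:
        if ext.strip().lower() in BLOCKED_EXTENSIONS:
            return False
    return True


def stored_name_after_nul_truncation(filename: str) -> str:
    """Model a storage layer with C-string semantics that stops at the first NUL."""
    return filename.split("\x00", 1)[0]


# Constructed sample inputs exercising the cases discussed in the thread
SAMPLES = [
    "photo.jpg",
    "shell.php",
    "shell.php\x00",   # advisory: control character appended to the extension
    "shell.php\x1f",   # same idea with the top of the U+0000..U+001F range
    "1.php\x00.jpg",   # crab's example: NUL before a decoy extension
]


def evaluate(filename: str) -> dict:
    """Return what each check decides and what a NUL-truncating store would keep."""
    return {
        "naive": naive_is_allowed(filename),
        "hardened": hardened_is_allowed(filename),
        "stored_as": stored_name_after_nul_truncation(filename),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        r = evaluate(name)
        print(f"{name!r:20} naive={r['naive']!s:5} "
              f"hardened={r['hardened']!s:5} stored_as={r['stored_as']!r}")
```

    Running it shows the naive check accepting 'shell.php\x00' and '1.php\x00.jpg' while a NUL-truncating store keeps them as 'shell.php' and '1.php', which is exactly the mismatch between what was validated and what lands on disk; the hardened check refuses both before any extension comparison happens.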
    7  czvatqin (OP)  2021-12-17 13:27:29 +08:00
    @crab Then how do you enter that x00?
    8  crab  2021-12-17 14:06:02 +08:00   ❤️ 1
    @czvatqin If you upload through the browser, you intercept the request and modify it; if you send the request directly, you just write the 00 in.
    9  czvatqin (OP)  2021-12-18 00:25:46 +08:00
    @crab But I saw they also have a screenshot of uploading that file... if you modify the request, how do you take a screenshot....