Hey, what's up! This is Satyendra, an infosec noob; I hope you are doing well. I'm presenting here my little research on unrestricted file upload vulnerabilities. Sorry in advance for all the mistakes -_-. So let's start with what you are looking for without wasting much time.
- What is a file upload functionality?
- How does it work?
- What can we do by uploading an unrestricted file to the server?
- Types of filters
- Filter bypassing techniques
- Basic Filter bypass
- Advanced Filter bypass
- File Upload Testing Labs
What is a file upload functionality?
(Skip this if you are leet) lol :P
File upload is a functionality you see in almost every web application, in the form of a profile picture section or some other document upload section.
Basically, it is used to store a file from the local machine on the server and use it according to the web app's requirements.
How does it work?
Important question! Note it down fast.
Let's first see an example of how file upload works; then we can understand the whole attacking scenario…
Junior developer mode on :P
Visit — file upload working
Understand every function and the flow of the code. Try to run all of the code on your local machine for better understanding.
What can we do by uploading an unrestricted file to the server?
I won't show you a demonstration of every attack here. You have to search for it on Google. If you don't know how to do this, then you should learn that first.
- Remote code execution
- Parameter pollution
- Internal path disclosure by the uploader
- SQL injection
- DoS attack
- Add if you know more…
Types of filters?
I hope you have studied how file upload works carefully; then you should know what a filter is.
Here are some common filters used by developers:
1. Blacklisting Bypass:
Blacklisting can be bypassed by uploading files with less common PHP extensions,
such as: pht, phpt, phtml, php3, php4, php5, php6
2. Whitelisting Bypass:
Whitelisting can be bypassed by uploading a file with some tricks, like null byte injection ( shell.php%00.gif ), or by using double extensions for the uploaded file ( shell.jpg.php ).
Pro Tip: Always brute-force extensions to check which ones are accepted.
3. Content-type Validation
This type of validation can be bypassed by changing the file name, for example to "shell.php" or "shell.aspx", while keeping the "Content-Type" parameter as an "image/*" Content-Type, such as "image/png", "image/jpeg", or "image/gif".
Pro Tip: Same as above, brute-force it (Fuzzing = win)
4. Content-length Validation
It can be bypassed by using a small-length payload like
Filter Bypassing Techniques -
1. Upload a PHP file using the .pht extension when the web app validates the extension. (Apache, Linux)
2. Upload an ASP file using the .cer or .asa extension. (IIS, Windows)
3. Upload an .eml file when content-type = text/html.
4. Inject a null byte: shell.php%001.jpg
5. Check for .svg file upload; you can achieve stored XSS using an XML payload.
6. Set the file name to ../../logo.png or ../../etc/passwd/logo.png to get directory traversal via file upload.
7. Upload a large file to test for a DoS attack using the image.
8. (Magic number) Upload shell.php, change the content-type to image/gif and start the content with GIF89a; that will do the job!
9. If the web app allows zip upload, then rename the file to pwd.jpg, because the developer handles it via a command.
10. Upload the file with an SQL command in its name, 'sleep(10).jpg; you may achieve SQL injection if the image is saved directly to the DB.
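To see why each of the bypasses above works, it helps to look at the filters from the developer's side. The validator below is an added example, not code from the original post: it combines the checks the post describes as individually weak (extension, magic number, size) the way a defender should, ignores the client-supplied Content-Type, refuses null bytes, double extensions, traversal sequences and shell/SQL characters in names, and never reuses the user's filename on disk. The whitelist, size cap and `validate_upload` name are assumptions for illustration.

```python
import os
import re
import secrets

# Allowed extension -> magic-byte signatures the stored bytes must start with.
# Anything not listed (php, pht, phtml, aspx, cer, asa, svg, eml, zip...) is
# rejected outright, so no blacklist has to keep up with new extensions.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap against oversized-upload DoS


def validate_upload(filename: str, data: bytes, client_content_type: str = "") -> tuple:
    """Return (ok, reason, stored_name). The client-supplied Content-Type is
    deliberately ignored: it is attacker-controlled and proves nothing."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "bad size", None
    # Null bytes and path separators never belong in a user filename
    # (shell.php%00.gif after decoding, ../../logo.png).
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "bad characters in filename", None
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    # Exactly one extension and a plain name: rejects shell.jpg.php, and names
    # like 'sleep(10).jpg or pwd.jpg;cmd that could reach a SQL or shell string.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "filename must be name.ext with one extension", None
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    # The bytes must really be that image type. A GIF89a header on shell.php
    # never gets here because the extension check already failed.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match extension", None
    # Random server-chosen name: no traversal, no overwrite, no user-chosen
    # extension on disk even if a later check turns out to be wrong.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored
```

The stored file should also live outside the web root (or in a directory where the server never executes scripts), so that a mistake in any single check does not turn into code execution.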
Advanced Bypassing techniques —
1. ImageTragick (aka ImageMagick)
2. LFI using video upload
Exploit — https://github.com/neex/ffmpeg-avi-m3u-xbin
3. Cross Content Hijacking
Exploit = http://126.96.36.199/blog/?p=242
4. Encoding scripts in PNG IDAT chunk