edataconsulting

“Magic Numbers” in the World of Pentesting

May 8, 2025

In the exciting world of pentesting, ethical hackers, also known as pentesters, often encounter challenges that require creativity and cleverness to overcome. One of these challenges is uploading files through web panels or forms with specific restrictions. In this article, we will explore the fascinating technique of “Magic Numbers” and how they can be used to bypass these limitations.

What are Magic Numbers?

Magic Numbers are sequences of bytes found at the beginning of a file that indicate its type. For example, a PDF file starts with ‘%PDF-’, while a JPEG file begins with ‘FF D8 FF’. These initial bytes help systems identify the file format without relying on the extension.

The Challenge: uploading a PHP file as a PDF

Let’s say we are conducting a web audit and we come across a form that allows file uploads but has one restriction: it only accepts PDF files. Our goal is to upload a PHP file to achieve remote command execution. How can we bypass this limitation?

The Bypass

There are several techniques to work around this problem, but one is particularly interesting because it involves manipulating both the Content-Type header and the Magic Numbers. Let’s dive into the process:

1. Intercepting the request with Burp Suite

Using Burp Suite, we can intercept the file upload request and modify the Content-Type to ‘application/pdf’, which will make the server believe we are uploading a PDF file.

2. Modifying the Magic Numbers

In addition to changing the Content-Type, we need to modify the first bytes of the PHP file to make it appear as a PDF file. To do this, we will use HexEdit, a tool that allows us to edit the bytes of a file. Here are the specific steps:

- Open the PHP file in HexEdit.

- Modify the first bytes to match the Magic Numbers of a PDF file (‘%PDF-’).

Practical example

Let’s say that we have a PHP file named ‘exploit.php’. As explained before, we open it in HexEdit and change the first bytes to look like this:

```
%PDF-1.4
<?php
// PHP file content
?>
```

This way, a server that identifies the file type from its leading bytes will interpret the file as a PDF, even though it actually contains executable PHP code.
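From the defender's side, the following added example (not part of the original article) shows why a magic-number-only check accepts the file above and what a stricter upload check looks like. The function names are hypothetical and the sample inputs are constructed.

```python
import re
import uuid

# Hypothetical helper names; the sample inputs are constructed for illustration.
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PHP_OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def weak_is_pdf(data: bytes) -> bool:
    """Magic-number-only check: the validation that the spoofed header defeats."""
    return data.startswith(b"%PDF-")


def strict_is_pdf(data: bytes) -> bool:
    """Require a PDF header, an %%EOF marker near the end, and no PHP open tag."""
    if not PDF_HEADER.match(data):
        return False
    if b"%%EOF" not in data[-1024:]:
        return False
    # Heuristic content scan; it complements, not replaces, safe storage below.
    return PHP_OPEN_TAG.search(data) is None


def stored_name() -> str:
    """Server-chosen name with a fixed .pdf extension; client filename is ignored."""
    return f"{uuid.uuid4().hex}.pdf"


def classify(data: bytes) -> dict:
    """Run both checks on the same upload so the difference is visible."""
    return {"weak": weak_is_pdf(data), "strict": strict_is_pdf(data)}


# Constructed: the article's spoofed file, i.e. PHP behind a PDF magic number.
SPOOFED = b"%PDF-1.4\n<?php\n// PHP file content\n?>\n"
# Constructed: a minimal PDF-shaped body with header and trailer marker.
MINIMAL_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in [("spoofed", SPOOFED), ("pdf", MINIMAL_PDF)]:
        print(label, classify(blob), "->", stored_name())
```

The content scan is a heuristic. Storing the upload under a server-generated `.pdf` name, in a location where the web server does not execute scripts, is what keeps embedded PHP from running.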

This is a common technique among pentesters and is also part of the attack simulations we conduct at edataconsulting for our clients. However, in the wrong hands, it can also be used for malicious purposes. Keep an eye out!

It is crucial that these practices are always used ethically and within the legal framework. Therefore, obtaining the proper authorization and ensuring compliance with current security and privacy regulations is essential before implementing them.

Last but not least, if you want to protect your systems from this type of attack and prevent unauthorized file uploads through file type spoofing, check out our next article on security recommendations.

Article by David Delgado, translated by Aranzazu Rodríguez
