# Upload vulns 101 ###### tags: `file uploads` `web security` `cyber security` Upload vulns include: * Overwriting existing files on a server * Uploading and executing shells on a server * Bypassing client-side filtering * Bypassing various kinds of server-side filtering * Fooling content-type validation checks **Gobuster** is great for bruteforcing directories to find out what's on the server. Combine it with **burpsuite** and **wappalyzer** for a good time. Example syntax to run gobuster in directory enumeration mode is: ``` gobuster dir -u http://[ip] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt ``` RCE allows us to arbitrarily execute code on the server. RCE through a web app usually results from uploading a program in the same language as the back-end of the website or in another language the web server understands and will execute. (traditionally PhP but of late Python Django and Js Node.js are more common) 2 basic ways to achieve RCE on a server: * web shells * reverse shells For more on popping shells, check out the '[What the Shell?](https://hackmd.io/@codeAssassin/rJPs_rzlc)' post. ## Filtering Js is the most common client-side scripting language. When a script is called client-side, it means that the script runs in the user's browser as opposed to on the server. A server-side script will be run on the server. Traditionally PhP was the goto language for server-side scripting with Microsoft's ASP coming in second for IIS. However, Python, Node.js, Ruby on Rails are increasingly common. Client side filtering is easy to bypass as it is a highly insecure way to verify that uploaded files are not malicious. Server side filtering is more difficult to bypass as we have to form a payload which conforms to the filter while still allowing us to execute code. **Types of filtering** ### Extension Validation File extensions are theoretically used to identify the contents of a file. To filter by extension one of these approaches is employed: 1. **blacklist extensions**: having a list of extensions that are not allowed 2. **whitelist extensions**: rejecting everything and then having a list of extensions that are allowed ### Filetype filtering #### Mime Validation Multipurpose internet Mail Extension (MIME) types are used as identifiers for files, initially for emails but now also when files are being uploaded over HTTPS. The MIME type for a file upload is attached in the header of a request. They follow the [type]/[subtype] format e.g image/jpg Can be checked both server-side and client-side however, since MIME is based on the extension of a file it is extremely easy to bypass. #### Magic Number Validation Is a more accurate way to determine file contents. The **magic number** of a file is **a string of bytes at the beginning of a file's content which identify the content.** **Unix systems use magic numbers for identifying files whereas windows uses extension validation.** While not a guaranteed solution it is way more effective than checking the extension of a file. ### File length filtering Used to prevent huge files from being uploaded to the server via an upload form. If an upload form only expects a small file, there might be a length filter in place to ensure the file length requirement is adhered to. ### File name filtering Files uploaded to a server must be unique and their names should be sanitized to ensure they don't contain 'bad chars' e.g nullbytes, forward slashes on linux, ; and unicode chars. Thus on a well administered sys, our files are unlikely to have the same name they had when we uploaded them so we may have to go phishing to find our exploit file. ### File content filtering More complicated filtering sys that scans entire files to ensure they are not spoofing the extension, file type and magic number. Note that these filters are usually used in conjuction with one another to thus providing a multi-layered filter, and increasing the security of the upload significantly. ## Bypassing client-side filtering Client side filtering is the first and weakest line of defence. 4 ways to bypass: 1. Turn javascript in your browser off completely. 2. Intercept and modify the incoming page using burpsuite. Strip off the js filter before it has a chance to run. 3. Intercept and modify the file upload. This method intercepts the file upload after it has already been accepted by the filter. 4. Send the file directly to the upload point. Here we post the data directly to the page that is responsible for handling the file upload using a tool like **curl** e.g ``` curl -X POST -F "submit:[value]" -F "[file-parameter]:@[path-to-file]" [site] ``` To use this method, first intercept a successful upload using burpsuite to see what parameters are used. ## Bypassing server-side filtering Experiment to see which extensions are allowed through. For file extension filters, simply intercept the request and edit the extension to the appropriate extension. For magic number filters, simply use hexeditor to edit the first 8 chars of the file's magic number to match the magic number for the appropriate file type. ## Steps to follow * Read/skim the source code * Use wappalyzer to inspect technologies utilized * Intercept requests with burpsuite to understand technology used for the site * Interact with the site as you normally would to get an understanding of what files are permitted * Note that if js is used, you'll need to remove the js exception in burpsuite's: Proxy>Options>Intercept Client Requests> file extension match type * Check for a client side filter , disable it via intercepting the request in burpsuite * Anticipate the server side filter by labelling uploads in the format you inferenced from the source code e.g if resources are in .jpg format then label your file with a .jpg extension * Carry on as trained.