File upload.pdf

24 Mar 2023
1. File upload

What it means
  The vulnerability happens when a web server allows users to upload files to its filesystem without validating things such as the name, type and contents.

Impact
  - An attacker could potentially upload server-side code and take full control over the server.
  - It can allow an attacker to overwrite critical files.
  - If the application is also vulnerable to path traversal, attackers are able to upload files to unanticipated locations.

Scenario 1: Blacklisting dangerous files
  The developer validates the uploaded file's extension (exe, php, ...) and blocks those.
  Bypass: if the check does not consider the case of the extension, PHP, PhP, EXE, ExE get through.
  Mitigation: block all case variants with a case-insensitive regex:
    /^.*\.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$/i
  (/i => matches capital and small letters)

Scenario 2 (IIS-Windows)
  The same validation is done for asp pages.
  Bypass: the .cer and .asa extensions. IIS <= 7.5 has both *.asa and *.cer mapped to asp.dll, thus executing ASP code.

Scenario 2 (Apache-Linux)
  The developer properly blacklists .php files (.php, PHP or php5).
  Bypass: the .pht extension => Apache understands it as PHP and executes it normally. A PHT file stores an HTML page that includes a PHP script.

Scenario 3: Validating the filename only (whitelist)
  Here the regex validates that the filename contains .jpg but doesn't validate that the filename ends with .jpg.
  Bypass: file.jpg.php. It is a PHP file, but .jpg is put in the name to bypass the regex filter.

Scenario 4: Null byte injection (PHP extension blocked, just images allowed)
  The null character is a control character with the value zero. PHP treats the null byte %00 as a terminator.
  Bypass: shell.php%001.jpg or shell.php\x00.jpg. The server checks the last extension and sees the file name 1.jpg, but the file will be treated as .php because everything after the null byte is cut off; the server then works with the file with .jpg removed, and it will be shell.php.

Scenario 5: Vulnerability in Content-Type (PortSwigger)
  The application uploads just images. When we try to upload file.php, the app refuses and tells us it only accepts image/png files.
  Bypass: intercept the request when uploading file.php, change the Content-Type of the upload to image/png and send the request. It may succeed and upload file.php.

Further bypasses
  Scenario 1: use an old extension, e.g. .pht, .htmls, ...
  Scenario 2: add a new configuration file (.htaccess):
    - upload a file named .htaccess, changing its Content-Type to text
    - use this as the payload to allow executing PHP files with the .lol extension:
        AddType application/x-httpd-php .lol
    - upload the PHP file as exploit.lol; the server then treats it like shell.php.
  File upload via path traversal: if the application allows php, the file can be uploaded into the parent folder with ../exploit.php.
  Payload in an image: if the server allows just images, take any photo and use exiftool to put the payload in the image, then upload it; the server sees it as an image.
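A whitelist validator for upload filenames that rejects each bypass listed above, added here as an example (it is not code from the slides); the extension sets and the function name validate_upload_name are my own choices:

```python
import posixpath

# Added example (not from the slides): whitelist validation of a
# user-supplied upload filename. Only the LAST extension decides, the
# comparison is case-insensitive, and the client-sent Content-Type is
# deliberately never consulted because the slides show it is attacker-controlled.

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions a web server may execute regardless of how they are cased
# (the PHP variants, .pht/.phtml, and the IIS .asp/.asa/.cer mappings).
EXECUTABLE_EXTENSIONS = {
    "php", "php1", "php2", "php3", "php4", "php5", "php6", "php7",
    "phtml", "pht", "exe", "asp", "asa", "cer",
}


def validate_upload_name(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload filename; never trust the MIME type."""
    # Scenario 4: a NUL byte (raw or URL-encoded) lets PHP truncate the name.
    if "\x00" in filename or "%00" in filename.lower():
        return False, "null byte in filename"
    # Path traversal: keep only the last path component; reject if that changed it.
    if posixpath.basename(filename.replace("\\", "/")) != filename:
        return False, "path separator in filename"
    # Dot-leading names cover configuration files such as .htaccess.
    if filename.startswith(".") or "." not in filename:
        return False, "missing or dot-leading name"
    # Scenario 3: check the LAST extension, not whether '.jpg' appears anywhere
    # (file.jpg.php). Scenario 1: compare case-insensitively (PhP, EXE).
    exts = filename.lower().split(".")[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} not allowed"
    # Defence in depth: refuse an executable extension anywhere in the name,
    # since Apache mod_mime can apply a handler to an inner extension.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension in name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names taken from the scenarios above.
    for name in ["photo.jpg", "shell.PhP", "file.jpg.php", "shell.php%001.jpg",
                 ".htaccess", "../exploit.php", "exploit.lol", "file.php.jpg"]:
        print(f"{name!r}: {validate_upload_name(name)}")
```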