Many dynamic websites allow their users to upload files: images, songs, movies, or whatever the application needs. For example, Facebook and LinkedIn allow their users to upload profile pictures and resumes. File uploading is crucial for many web applications, and at the same time it is a big risk if proper security controls are not implemented on file uploads, because attackers have various techniques for bypassing file upload restrictions and obtaining a shell on the server.
Today, we'll discuss how an attacker can make use of an unrestricted file upload vulnerability to compromise websites and servers.
Before getting started, it is important to know the basics of web shells and file upload vulnerabilities. Attackers use web shells for various operations such as executing shell commands and deleting, creating, and downloading files.
Often it is possible to upload a reverse shell without bypassing any filters or restrictions at all.
In blacklisting, certain file extensions are explicitly prohibited from being uploaded to the server. This might seem like an optimal way to protect your server from getting infected, but under certain conditions it can be bypassed.
Developers may blacklist certain file extensions and prevent users from uploading files that are considered dangerous for the server. This can be bypassed by switching to an alternative extension that the server still executes, which is enough to upload and run a payload or web shell.
| Language | Alternative extensions |
|---|---|
| PHP | .pht, .phtml, .php, .php3, .php4, .php5, .php6, .inc |
| JSP | .jsp, .jspx, .jsw, .jsv, .jspf |
| Perl | .pl, .pm, .cgi, .lib |
| ColdFusion | .cfm, .cfml, .cfc, .dbm |
In some cases changing the extension alone does not do the trick; instead you have to vary its case, for example:
.pHp, .Php, .phP
In whitelisting, the server accepts only specific extensions. For example, a website where you have to upload a profile picture might accept only JPG, JPEG, or PNG files.
Apache can process files that carry more than one extension. That means the server can be tricked into accepting a shell whose name ends in a PNG extension.
shell.php.png
shell.php%00.png
shell.php\x00.jpg
Another way to bypass whitelisting is to manipulate the file type headers.
If a website accepts images, it will usually also accept GIF images. Prepending the GIF89a signature can trick the server into accepting a shell as an image.
GIF89a; <?php system($_GET['cmd']); ?>
GIF89a; <? system($_GET['cmd']); # shellcode goes here ?>
This method bypasses file upload restrictions by using the EXIF data of an image. A comment inserted into the image that contains PHP code will be executed by the server when the image is processed.
You can do this with GIMP or ExifTool:
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' image.jpg
mv image.jpg image.php.png
Blacklisting MIME types is another method of file upload validation. It may be bypassed by intercepting the POST request on its way to the server and modifying the declared MIME type, since that header is fully under the client's control.
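For comparison, here is what server-side validation that resists the bypasses described above (case tricks, double extensions, null bytes, forged GIF89a headers, EXIF comments and modified MIME types) looks like. This is an added Python example, not code from the original post; the validate_upload() function, the allowed-type table and the sample bytes are constructed for illustration.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes a file with that extension must start with
# (constructed for this example; extend per application)
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes, content_type: str) -> tuple[bool, str]:
    """Return (accepted, reason_or_storage_name).

    Every decision is made from the bytes the server actually received,
    never from the client-supplied name or Content-Type alone."""
    # Null-byte truncation tricks (shell.php%00.png, shell.php\x00.jpg)
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename"
    base = os.path.basename(filename)          # drop any directory component
    parts = base.split(".")
    # Exactly one extension: shell.php.png has two and is rejected outright
    if len(parts) != 2:
        return False, "filename must have exactly one extension"
    stem, ext = parts
    ext = ext.lower()                          # .pHp / .PNG normalised before lookup
    if ext not in ALLOWED:                     # whitelist, never a blacklist
        return False, f"extension .{ext} not allowed"
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    # Content-Type is attacker-controlled: it must be plausible, but it never decides
    if content_type.lower() not in ("image/png", "image/jpeg", "image/gif"):
        return False, "unexpected content type"
    # Magic bytes must match the claimed extension (a GIF89a header on a .png fails)
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    # Script tags in the body (e.g. inside an EXIF comment) are refused; in production
    # re-encode the image with an image library, which also strips EXIF metadata
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded script tag"
    # Store under a server-generated name so the original name never reaches the disk
    return True, f"{secrets.token_hex(16)}.{ext}"
```

A real handler would additionally store the file outside the web root and serve it with a fixed Content-Type, so that even a file that slips through is never interpreted by the PHP engine.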
Normal PHP MIME type:
Other Bypassing Methods
In some situations, the length of the content can also cause trouble when validating uploaded files. For that, the PHP shell command can be shortened like this,