Exploiting File Upload using Null byte

In my previous blog on file upload, I discussed some basic techniques for bypassing file-extension whitelists. In this blog I explain two further techniques: MIME type bypass and null byte injection.

MIME type:

Aim: Our aim is to upload PHP code and retrieve the password stored in the file “.passwd”.

There are three tabs in the web application:

· defaced

· upload

· pirate

From the upload tab, I can upload an image.

To check what validation the application uses, I will try to upload a file that is not an image.

· First I try to upload a PHP shell, i.e. “fupload.php”, and check the corresponding request in Burp.

In the above screenshot, check the portion highlighted in yellow: it indicates that the application checks the content type of the uploaded image. Without changing the content type of the uploaded file, I forwarded the request. After forwarding it, I got “wrong file type” on the user interface.

Again I try to upload the same file, but this time I change the Content-Type to “image/png” and then check whether the upload is possible. “fupload.php” contains a PHP shell, which helps us retrieve the password. The code inside “fupload.php” is shown below:

After intercepting the request and updating its content type, the request looks like this:

After forwarding the request, I checked the UI, which shows the “File uploaded” message.

Now, using the LFI technique on the URL where the file “/fUpload.php” was uploaded, we get the password (described in my previous blog on LFI bypassing techniques).

So updated URL:

By applying the LFI technique to the stored URL, I obtained the credentials by uploading a PHP shell.

NULL BYTE

This is another technique to bypass file upload validation. Here we try to inject a null byte character, which is a reserved character that signifies the end of a string; such a string is typically known as a “null-terminated string”.

Sometimes the null character is injected directly and sometimes in its encoded form (%00); it depends on how we are going to bypass the check. Generally the null byte is injected along with user-supplied data.

Aim: Our aim is to upload PHP code, hack the photo gallery and retrieve .passwd.

There are four tabs in the web application:

· upload

· Hackin9

· MISC

· Phrack

Now we try to upload PHP code in the upload tab. I uploaded the same double-extension file that I used in my previous blog on file upload, i.e. “fupload.php.jpg”. After uploading, I checked its request in Burp.

From the highlighted portion, it is clear that the content type for the PNG file is correct. Now I try to modify the filename and content type in the intercepted request:

Check the highlighted portion: after removing the “.png” extension and giving the corresponding content-type, it shows “Wrong file type” in the response tab.

Now I try null byte injection on the same uploaded file.

After uploading, I injected “%00” before the “.png” extension in the request, so the updated file name becomes filename=”fUpload.php%00.png”. When I forwarded the request, the file with the null byte injection was uploaded to the server.

So when the null byte is placed in the file name fUpload.php%00.png, the .png extension is removed from the check. By injecting a null byte, the extension rule won’t be enforced, because everything after the null byte is ignored; the application now only checks the file name as fUpload.php.

Check the portion highlighted in yellow in the screenshot below.

Here we also get the URL where our PHP shell was uploaded. Opening that location up to the PHP extension, we get the credentials. So our aim of fetching credentials by uploading PHP code is fulfilled.

And after applying the null byte, we were able to bypass the file upload validation.
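As an added example (my own code, not from the original post or the target application), the following Python models the two weak checks defeated in the MIME type and null byte sections, a Content-Type-only check and an extension check on a name that storage later truncates at the NUL, next to a hardened validator that rejects null bytes, checks the extension of the name actually stored, and identifies the type from the file's leading bytes rather than the request header. The function and constant names are assumptions of this example.

```python
# Added example, not from the original post: models of the two weak checks
# defeated above and a hardened validator that closes both.
import os
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}
# Leading bytes of real image files; the hardened check trusts these, not the header.
MAGIC = {b"\x89PNG\r\n\x1a\n": {".png"}, b"\xff\xd8\xff": {".jpg", ".jpeg"}, b"GIF89a": {".gif"}}

def stored_name(name: str) -> str:
    """Storage layer with C-string semantics: the path ends at the first NUL,
    so 'fUpload.php\\x00.png' is written to disk as 'fUpload.php'."""
    return name.split("\x00", 1)[0]

def mime_only_accepts(filename: str, content_type: str) -> Optional[str]:
    """Weak check 1 (MIME section): only the client-supplied Content-Type is
    tested, so 'fupload.php' sent as 'image/png' is accepted as-is.
    Returns the name that would be stored, or None if rejected."""
    if content_type not in IMAGE_TYPES:
        return None
    return stored_name(unquote(filename))

def extension_accepts(filename: str, content_type: str) -> Optional[str]:
    """Weak check 2 (null byte section): the extension is tested on the full
    decoded name, which visibly ends in '.png', but storage truncates at NUL."""
    name = unquote(filename)  # '%00' in the intercepted request becomes NUL
    if content_type not in IMAGE_TYPES or os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None
    return stored_name(name)

def hardened_accepts(filename: str, data: bytes) -> Optional[str]:
    """Reject NUL bytes, check the extension of the name that will really be
    stored, and derive the type from the content instead of the header."""
    name = unquote(filename)
    if "\x00" in name:
        return None
    final = os.path.basename(name)  # drop any path components
    ext = os.path.splitext(final)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    for magic, exts in MAGIC.items():
        if data.startswith(magic) and ext in exts:
            return final
    return None  # extension claims an image but the bytes do not match
```

The hardened check still accepts a real image whose name carries a double extension such as “x.php.png”; keeping that from executing is a web-server handler question, not a validator one.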

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
