File Upload: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
Example: Consider a website “testsite.com” that has a feature where users can upload their profile pictures. Once the image was uploaded, that is processed by the website and then the image is rendered on the user profile. The uploaded image gets saved in folder i.e. /images(testsite.com/images/profile.jpeg) and clicking on the image can get the URL of the uploaded image. An attacker tries to upload a malicious file such as web shells. The content of the web shell looks like this.
Note: Shell is an interactive interface that helps the attacker to perform malicious tasks on the server.
The attacker saves this web shell as “profile.php” and then uploads this on “testsite.com” as a profile photo. Since there is no validation on the uploaded files, the “profile.php”, uploaded successfully. Attacker clicks on the uploaded shell and copied URL looks like this:
http://somesite.com/images/profile.php?command=<any command here>
By using URL, the attacker can now execute the commands on the server.
Exploit Scenario on live website:
There are multiple ways to bypass file upload vulnerability here I am explaining double extension functionality to bypass whitelisting of the file extensions.
Aim: Our aim is to upload a PHP shell and try to retrieve passwd file.Here is the main user interface where users can upload the image file that will be rendered on the page.
I uploaded a file “.png” extension and intercepted the traffic to check which type of validation application is using. It is clear from the following screenshot, that we can only upload .gif, .jpeg, .png extension.
Upon uploading a file it shows the path of the uploaded file on the next page.
After intercepting this request, we can see there are file name, content type mentioned in the request.
Now we try to upload PHP file i.e. “fupload.php” which is a PHP shell
After uploading PHP extension image, it showed me “Wrong file Extension” on page.
Therefore, above explanation it is clear that we have to upload any file which have “.jpg, .png, .gif “extension but content must be PHP. I try to upload file that has two extensions to bypass file upload vulnerability i.e. “fupload.php.png”.
Double Extension: Generally, a text file and image only have one extension, which comes after “.” symbol .These symbols helps us to recognize type of file. If any file have two symbol like “test.txt.php”, so from last extension, we can recognize type of file.
This file fulfill our two purpose :-
· This file has PHP code, which can easily fetch files with the provided inputs. Code inside this file look like:
$p = $_GET[‘p’];
$o= shell_exec(‘cat ‘.$p);
· By giving “.png” extension we can able to bypass “wrong file extension“.
Now we try to upload it.
Now as I checked the request in burp.
Therefore, after forwarding the request we got the message “File uploaded” with the file path.
Then I clicked on link, as according to PHP shell I update the link to fetch the credentials
Note: For more details of LFI, please check my previous blog.
By using double extension technique, we can upload malicious files or bypass file upload functionality.
Preventive Measures /mitigation
· Enforce a whitelist of accepted, non-executable file extensions.
· The application should perform filtering and content checks with a whitelist filter on files uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users.
Uploaded directory should not have any “execute” permission and all the script handlers should be removed from these directories.