Introduction

almandin edited this page Aug 16, 2017 · 5 revisions

Detect and exploit file upload vulnerabilities

Let's say you are auditing a web application and you have found a page that allows file upload through a multipart-encoded POST form. You want to test the server-side script that handles the upload to see whether it can be abused to take over the system: if an attacker manages to upload and execute a web shell, they can fully control the operating system. Such upload features are commonly used to let users choose an avatar or upload images in general, but they can also be used to share documents or similar files.

Suppose the target URL is:

http://192.168.1.42/myfiles/upload.php

We already know that the HTTP server uses PHP as its server-side language, so uploading a PHP file would be the natural route to code execution on the system. This target URL is assumed to serve an upload form similar to the following:

[Figure: Typical file upload form]

The file upload form is generally made of one file input plus several miscellaneous inputs for additional information. When a file is sent to the server, the system is supposed to check what type of file it is, its size, and other properties related to what the service is meant to do. Traditionally, the file type is checked against the set of types the server wants to accept (say, images such as JPG and PNG), and the file size is checked to limit users to small files.

The main problem is that the uploaded file type can be checked using several different techniques, and none of them is reliable on its own. A careful combination of checks is needed to reliably reject unwanted file types (for more information, see the OWASP unrestricted file upload page).

For example, in PHP the uploaded file type can be checked in several ways:

  • Checking the mime type in the $_FILES['inputName']['type'] variable
    • Whitelisting specific mime types
  • Checking the file extension in the $_FILES['inputName']['name'] variable
    • Whitelisting specific extensions
    • Blacklisting specific extensions
  • Checking the content of the file using a function like getimagesize() to validate that the file is an image

Every one of these detection methods relies on information supplied by the client, which by definition cannot be trusted: the user can send a given file with a different extension and yet another MIME type (say, a JPEG image with a .php extension along with an application/x-http MIME type).

Sending files with mismatched extensions and MIME types can bypass some server-side restrictions. For example, if only the MIME type is checked, tampering with the HTTP request so that a PHP script is sent with an image MIME type may be enough to get it accepted.
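To make the defender's side of this concrete, here is an added example (not code from the Fuxploider project or its wiki) that models the three kinds of server-side check listed above in Python and runs them against constructed sample uploads. The `Upload` class mirrors the client-supplied fields PHP exposes in `$_FILES` (name, type, content); the magic-byte whitelist, the 2 MiB size cap and the single-extension rule are assumed policy values, not something the page specifies. The weak checks accept the renamed-JPEG case the text describes, while the layered check rejects it, and the stored filename is chosen by the server rather than taken from the client.

```python
"""Model of server-side upload validation: single checks versus a layered check."""
import os
import secrets
from dataclasses import dataclass

# Assumed whitelist: allowed extension -> magic-byte prefixes that must open the file.
ALLOWED = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}
MAX_SIZE = 2 * 1024 * 1024  # assumed policy: reject anything over 2 MiB


@dataclass
class Upload:
    """Client-supplied fields, like PHP's $_FILES['f']['name'], ['type'] and the bytes."""
    name: str
    type: str
    content: bytes


def mime_only_check(u: Upload) -> bool:
    """Weak: trusts the Content-Type header the client chose for the multipart part."""
    return u.type in ("image/jpeg", "image/png")


def extension_blacklist_check(u: Upload) -> bool:
    """Weak: blocks a fixed list of extensions, so anything not on the list is accepted."""
    ext = u.name.rsplit(".", 1)[-1].lower() if "." in u.name else ""
    return ext not in {"php", "phtml"}


def hardened_check(u: Upload):
    """Layered: size cap, extension whitelist, magic bytes, and a server-chosen filename.

    Returns (accepted, stored_name) on success or (False, reason) on rejection.
    """
    if len(u.content) == 0 or len(u.content) > MAX_SIZE:
        return False, "size out of bounds"
    base = os.path.basename(u.name)  # drop any directory components the client sent
    if base.count(".") != 1:  # assumed policy: one extension only, no 'x.php.jpg' names
        return False, "exactly one extension required"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not whitelisted"
    if not any(u.content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared extension"
    # Never reuse the client's name: random name, extension taken from the validated whitelist.
    return True, f"{secrets.token_hex(16)}.{ext}"


def run_all(u: Upload) -> dict:
    """Run every check on one upload and collect the verdicts side by side."""
    return {
        "mime_only": mime_only_check(u),
        "ext_blacklist": extension_blacklist_check(u),
        "hardened": hardened_check(u)[0],
    }


# Constructed sample uploads (synthetic bytes, not real files).
GENUINE_PNG = Upload("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
JPEG_AS_PHP = Upload("avatar.php", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
TEXT_AS_JPG = Upload("notes.jpg", "image/jpeg", b"not an image at all")

if __name__ == "__main__":
    for sample in (GENUINE_PNG, JPEG_AS_PHP, TEXT_AS_JPG):
        print(sample.name, run_all(sample))
```

Only `hardened_check` rejects both the JPEG renamed to `.php` (the page's example) and the text file with an image MIME type and extension; each single check lets one of them through. Even the layered check only decides what is accepted and under which name; on a real server it should be paired with storing uploads where the web server will not execute them.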

The main difficulty when testing for this kind of vulnerability is that it is tedious: any missing combination of the type-checking techniques above can leave an upload handler exploitable. Fuxploider automates the process of identifying which server-side checks are missing in order to upload arbitrary code and execute it, and it can also detect whether the payload actually executed.
