-
Notifications
You must be signed in to change notification settings - Fork 500
Introduction
Let's say your are auditing a web application and you found a web page allowing file upload through a multipart encoded POST form. You want to test the underlying file upload server-side script to see if it is possible to take over the system. If you manage to upload and execute a web shell, you could completely control the operating system. Such file upload features are often used to let users choose an avatar or upload images in general, but can also be used to share documents or similar.
Considering that the target url is :
http://192.168.1.42/myfiles/upload.php
We already know that the http server is using PHP as the underlying programming language. We may want to upload a php file to gain code execution on the system. This target url is supposed to have an upload form similar to the following :
File upload form | |
---|---|
The file upload form is generally made of one file upload input and other several miscellaneous inputs for additional information. When sending a file to the underlying server, the system is supposed to check what type of file we are sending, its size and other things related to what the service is supposed to be. Traditionally, the file type is checked to match only the ones the server wants to accept (say images, jpg and png style). The file size is also often checked to limit users sending only small files. |
The main problem is that checking the uploaded file type can be done using different techniques, and none is reliable. A clever combination of different checks must be used to reliably deny some file types to be upload (for more information, see the OWASP unrestricted file upload page).
For example, checking the uploaded file type in PHP can be done different ways :
- Checking the mime type in the
$_FILES['inputName']['type']
variable- Whitelisting specific mime types
- Checking the file extension in the
$_FILES['inputName']['name']
variable- Whitelisting specific extensions
- Blacklisting specific extensions
- Checking the content of the file using a function like
getimagesize()
to validate that the file is an image
Every file type detection method relies on information given by the client, and can't be trusted by definition : the user can send a certain file using a different extension and yet another mime type (let's say a jpeg image with a .php extension along with a application/x-http mime type).
Sending files messing with extensions and mime types can bypass some server-side restrictions. For example, if only the mime type is checked, it could be enough to tamper some HTTP requests to send a PHP application instead of an image, specifying an image like mime type.
The main issue when testing this kind of vulnerabilities is that it can be quite tedious, as any missing combination of the previous type checking techniques can lead to a vulnerability. Fuxploider can automate the process of identifying the missing server-side checks to upload arbitrary code and execute it. It can even detect the correct execution of the payload.
- Introduction - Introduction to fuxploider
- Techniques - File upload vulnerabilities supported by fuxploider
- Features - A brief list of supported features
- Download and update - Keep your copy up to date
- Dependencies - Information about used third-party libraries and tools
- Usage - Exhaustive breakdown of all options and switches together with examples
- Adding templates and test cases - Explanations about the templates system and how test cases are configured
- License - Copyright information