One of the most promising attack surfaces in a web application is the file upload. With results ranging from XSS to full code execution, file uploads are an attractive target for hackers, but there are usually restrictions in place that make an attack harder to carry out. However, there are various techniques that a hacker can use to get around file upload restrictions and obtain a shell.
Method 1: Bypass blacklists
The first method we examine is how to bypass blacklisting. Blacklisting is a type of protection where certain strings, in this case specific file extensions, are expressly prohibited from being uploaded to the server. At first glance, it may seem like an ideal way to keep dangerous extensions, typically executable files, from being uploaded, but it is trivial to bypass.
In addition to the standard extensions, there are alternative extensions that can be used to get around blacklist filters. Here are some extensions for PHP files:
.pht, .phtml, .php3, .php4, .php5, .php6, .inc
Another popular extension for web shells is JSP, and here are some options:
.jspx, .jspf, .jsw, .jsv
In some situations, you can simply change the case of the extension to trick filters into accepting the file, such as:
.pHp, .Php, .phP
Method 2: Bypass whitelists
Another type of prevention that is common on the web is whitelisting. Whitelisting is the exact opposite of blacklisting: the server only accepts specific extensions. For example, an application that lets you upload a profile picture may only accept JPG, JPEG or PNG files. Although this type of prevention is better than blacklisting, it can still be bypassed fairly easily.
Some web servers, such as Apache, allow files with multiple extensions. This means that we can trick the server into accepting a PHP file that also has a JPG extension tacked on at the end:
We can also use null byte injection to bypass whitelist filters. Depending on the server, the null byte may be ignored when the file is saved, so injecting one between a prohibited extension and a permitted extension may result in a bypass:
This can also be accomplished by editing the raw request in Burp's Hex tab. Name the file shell.phpD.jpg; we will replace the D character with a null byte in the request. When uploading the file, capture the request, go to the Hex tab and find the hex representation of the D character:
Simply replace 44 with 00 and forward the request:
This technique can be useful in tricky situations where the standard null byte injection does not work.
Another way to bypass a whitelist is to fool the server with a spoofed file header (magic bytes). Usually, if an upload function accepts images, it also accepts GIF files. We can add GIF89a; to the beginning of the shell to trick the upload check:
Method 3: Exif data
The next method for bypassing file transfer restrictions is using Exif data in an image. We can insert a comment that contains valid PHP code that will be run by the server when the image is processed.
We can use exiftool to do this – if it is not already installed, install it using the package manager:
~# apt install exiftool
Then we can insert a simple command shell as a comment in our image:
~# exiftool -Comment="" pic.jpg
Now if we run the file command on our image, we can see that the comment has been inserted:
~# file pic.jpg
pic.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "", baseline, precision 8, 1920x840, components 3
All we need to do now is add a PHP extension so that it can run:
~# mv pic.jpg pic.php.jpg
This technique can be combined with any of the blacklist or whitelist bypass methods above.
Method 4: Other bypass techniques
The content type of a file can also be used as a way to validate uploaded content. For example, an image upload will usually verify that the content type of the file is an image and not a script or other malicious file type. This type of prevention can be easily bypassed by capturing the request and changing the content type.
In some situations, the content length can also be used as a way to validate uploaded files. It depends on the specific circumstances, but all that is needed is a shorter payload. For example, a typical PHP command shell can be abbreviated to this:
Preventing unrestricted file uploads
There are several precautions that developers can take to prevent unrestricted file uploads and reduce the likelihood that an attacker will circumvent restrictions. First of all, the directory where uploads are stored should not have execute permissions. Consider storing files in a database rather than in the file system at all.
The file types that may be uploaded should be kept to the minimum needed for the business functionality. In addition, all control characters and special characters should be stripped from the uploaded file name and extension, and only a single dot should be allowed. File size should also be limited, since several large files can lead to denial of service.
Once a file has been uploaded, it should be renamed, preferably to a hash that cannot be guessed. This prevents attackers from finding their file after it has been uploaded. It is also wise to prevent stored files from being overwritten, so that a file cannot be replaced even if an attacker learns its hashed name.
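The checks below, written for this page as an added example (not code from the original tutorial), implement the prevention list above in a form a practitioner can drop into an upload handler: they refuse the double-extension, null-byte and case-variation tricks from Methods 1 and 2, compare the bytes against an extension allowlist instead of trusting Content-Type, and store the file under a random name with no execute bit and no overwrite. The function names, limits and sample bytes are this example's own assumptions.

```python
import os
import re
import secrets
import tempfile

# Allowlist of lowercase extensions and the magic bytes each must begin with.
ALLOWED = {"jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
           "png": [b"\x89PNG\r\n\x1a\n"], "gif": [b"GIF87a", b"GIF89a"]}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example
# Exactly one dot and a short alphanumeric stem: shell.php.jpg never matches.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}$")

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, data: bytes) -> str:
    """Return the lowercase extension if the upload passes every check, else raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Null bytes and other control characters are refused before anything is parsed.
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in filename):
        raise UploadRejected("control character in file name")
    # Keep only the last path component and lower-case it (.pHp becomes .php).
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if not SAFE_NAME.match(name):
        raise UploadRejected("bad file name")
    ext = name.rsplit(".", 1)[1]
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    # The Content-Type header is ignored; the bytes must match the extension.
    # A GIF89a prefix followed by script text still passes here, which is why the
    # storage rules in store() (no execute bit, random name) are not optional.
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext

def store(upload_dir: str, data: bytes, ext: str) -> str:
    """Write under a random name (a content hash would be predictable to the
    uploader), refuse to overwrite (O_EXCL), set no execute bit; return the name."""
    name = secrets.token_hex(16) + "." + ext
    fd = os.open(os.path.join(upload_dir, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name

def demo() -> tuple:
    """Constructed round trip: a minimal PNG header in, stored name and file mode out."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample, not a real image
    d = tempfile.mkdtemp()
    name = store(d, png, validate_upload("Avatar.PNG", png))
    return name, os.stat(os.path.join(d, name)).st_mode & 0o777
```

Note that the magic-byte check alone is defeated by the GIF89a trick from Method 2, so the no-execute directory and random renaming are what actually stop a stored payload from ever running.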
In this tutorial, we covered various methods of getting around common file upload restrictions. We learned to bypass blacklist filters, whitelist filters, content validation and more. File uploads, when their restrictions can be beaten, are a reliable path to a shell.