File Upload Vulnerabilities

00:00

file upload vulnerabilities

00:03

are learning objectives are to understand what file, upload vulnerabilities are and identify how to exploit file upload vulnerabilities.

00:12

So a lot of applications allow people to upload different kinds of files. Maybe it's an avatar image, maybe uh it's a medical application where you can upload receipts in a pdf form.

00:27

Um a lot of them you have to be authenticated. Some, you don't have to be authenticated, which is even better for us as Attackers. But what this allows us to do is possibly change the file extension

00:39

to then upload a malicious file. And again, it's important to understand the underlying architecture of the server. What what is it PHP is, is it a sp that's going to ultimately determine what type of file file you're going to upload.

00:58

So our, our administrator portal for the awesome photo blog

01:02

doesn't allow file extensions named PHP.

01:06

Why doesn't do that? Because it runs PHP?

01:10

And if I can upload a shell, it will execute that shell and I'm able to get on that server.

01:15

So it really depends how the

01:19

code is written, some have rejects. So it's looking for different, different types of file extensions

01:26

in this case is actually looking for dot PHP. So I could fool it by making it PHP three

01:33

or making it uh an uppercase p lowercase H uppercase P again, to block that rejects. So it's not a very well thought out application. Of course, it's intentionally vulnerable, but here, that's how I tricked it. You can also do other things like p. Html

01:49

as well. I have a whole other slide to show you what are the things you can try.

01:53

So, if you if you understand the underlying architecture of the server and you know, it's running PHP here are a few extensions that you can use a sp you can use a sp a sp x Pearly have a few other options to choose from. Jsp and called fusion. So

02:12

just because one file extension type is blocked,

02:15

doesn't mean another file type

02:17

is not blocked which is allowed.

02:21

So try these because I've done a few hacked the box challenges, challenges or cts where PHP is blocked, but PHP five is not.

02:30

So this is a good a good source to take a look at as well.

02:38

Mime types. Why are mime types important?

02:40

Because some servers don't look at the extension itself, they look at the mime type of the file.

02:46

So you can run the file command and Mime type and you can see here that it is text X PHP.

02:54

And I changed the file extension two JPG to jpeg and run my type again. Well, it doesn't fool it, it sees that it's a a PHP file.

03:04

So in this case, simply changing the extension

03:08

will not trick the server

03:12

into thinking that. Is that actually a Jpeg file? So what do you do

03:15

you use Burp suite? So when you intercept this post request

03:22

in Burp suite,

03:23

you're changing the content type from application X PHP to image our image forward slash jpeg.

03:31

So now it thinks it's a Jpeg Jpeg file and not a PHP file. Despite having a PHP extension,

03:43

you can do this by hiding hiding code in an image. I thought this is a pretty cool little script from Techie Zilla.

03:52

Um and here's the script that I used for to basically take a Jpeg file,

04:00

an office kate PHP into that. And you can see here, I run around the strings come in on it and you can see my little shell down there written in PHP.

04:11

So if I run Mime Type on this, even though it has a PHP three extension. The Mime type is J Peg.

04:18

That has to do with magic bytes. You can you can look this up in google, but you see

04:24

magic bytes. J f I F. If you look up magic bytes for things like, like Jif or GIF files,

04:31

um I know there's a big war about what you call it, um or any type of file, there are magic bytes. So when something looks at a file, it will look at things like the headers of the file. And if it says J F I F, it will think it's a

04:46

on this case. It thinks it's a Jpeg file, but these magic bytes are also important as well. So it's recognizing this file from magic bytes as a Jpeg file.

04:58

Yeah,

05:00

so here we go. I was able to confiscate my code in that image

05:05

and Iran that cat and was able to get a reverse shell

05:10

by tricking the server into thinking that my PHP

05:15

uh that the PHP

05:16

Jpeg was a Jpeg when in fact it had PHP embedded inside of it.

05:21

And the um, server, of course, is running PHP. So that's how I was able to get a reverse shell.

05:29

Yeah,