Unrestricted File Upload
Unrestricted File upload consists of uploading unintentional files to the web application. This occurs due to insufficient or improper file-type validation controls before uploading the files. Thus, a malicious actor may be able to craft a malicious file or request to bypass the application file validators, uploading the file.
Finally, if the attacker has access to the uploaded malicious file, usually stored on
assets, it could gain Remote Command Execution on the system.
Existing original web application files and uploaded files can be found under the same directory. Therefore, a malicious user could overwrite the former files changing the application functions.
There are different ways to validate the type of file.
In practice, the extension of a file is quite easy to change. However, Microsoft Windows still relies on extensions to identify files. Such filters are pretty simple; they use a blacklist of not allowed extensions or a whitelist of allowed extensions.
To bypass this filter, an attacker should enumerate all file extensions allowed by the web application.
The MIME type is attached in the request header
Content-Typewhen uploading a file. An attacker could modify the header with the
image/pngvalue making the application believe the uploaded file is a png.
POST /?submit=success HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Disposition: form-data; name="fileToUpload"; filename="php-reverse-shell.php"
Checking the Magic Numbers is the most accurate way to check the contents of files. In this image, the magic bytes are
8950 4e47 0d0a.
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
However, an attacker could manually change the magical bytes tricking the server it is an image.
00000000: 8950 4e47 0d0a 1a0a 0000 3c3f 7068 7020 .PNG......<?php
00000010: 7379 7374 656d 2829 3b20 3f3e 0a system(); ?>.
File length filtering avoids huge files being uploaded to the server. This could prevent attackers from uploading files like reverse shells due to their size.
In order to be able to upload files unexpected by the developer, the following steps can be followed:
- 1.Using tools such as Wappalizer, you can get indicators of which languages or frameworks are used.
- 2.Find the file upload directory.
- 3.Upload a legitimate file, paying attention to the parameters used and whether you can access it.
It is expected to get an error produced by the server-side filter. The error message may help determine the next steps.
- If you can successfully upload a file with a random invalid extension (e.g.
shell.fake), the server will most likely use a blacklist filter. If this upload fails, the server may use a whitelist filter or other type of filter.
- Try re-uploading a file expected by the application, but change the file's magic number. If the upload fails, you will know that the server uses a filter based on a magic number.
- Upload another file expected by the application, but intercept the request with Burpsuite and change the MIME type, different from the one expected. If the upload fails, you will know that the server is filtering based on the MIME.
- Analizar los filtros de longitud de los archivos se puede realizar a través de subir un archivo pequeño, y luego subir archivos progresivamente más grandes hasta que salte el filtro. Puede darse el caso de que el mensaje de error directamente cuál es el límite de tamaño.