search
TwitterBlog

Unrestricted File Upload

hashtag
Introduction

Unrestricted File upload consists of uploading unintentional files to the web application. This occurs due to insufficient or improper file-type validation controls before uploading the files. Thus, a malicious actor may be able to craft a malicious file or request to bypass the application file validators, uploading the file.

Finally, if the attacker has access to the uploaded malicious file, usually stored on uploads or assets, it could gain Remote Command Execution on the system.

hashtag
File Overwrite

Existing original web application files and uploaded files can be found under the same directory. Therefore, a malicious user could overwrite the former files changing the application functions.

hashtag
File type filtering

There are different ways to validate the type of file.

hashtag
Name extension filtering

In practice, the extension of a file is quite easy to change. However, Microsoft Windows still relies on extensions to identify files. Such filters are pretty simple; they use a blacklist of not allowed extensions or a whitelist of allowed extensions.

To bypass this filter, an attacker should enumerate all file extensions allowed by the web application.

hashtag
Multipurpose Internet Mail Extension (MIME) validation filtering

The MIME type is attached in the request header Content-Type when uploading a file. An attacker could modify the header with the image/png value making the application believe the uploaded file is a png.

POST /?submit=success HTTP/1.1
Host: shell.uploadvulns.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Upgrade-Insecure-Requests: 1

-----------------------------73964126537709154571754089304
Content-Disposition: form-data; name="fileToUpload"; filename="php-reverse-shell.php"
Content-Type: application/x-php

<?php
// Usage
// -----

hashtag
Magic Numbers filtering

Checking the Magic Numbers is the most accurate way to check the contents of files. In this image, the magic bytes are 8950 4e47 0d0a.

However, an attacker could manually change the magical bytes tricking the server it is an image.

hashtag
Length filtering

File length filtering avoids huge files being uploaded to the server. This could prevent attackers from uploading files like reverse shells due to their size.

hashtag
Methodology

In order to be able to upload files unexpected by the developer, the following steps can be followed:

  1. Using tools such as Wappalizer, you can get indicators of which languages or frameworks are used.

  2. Find the file upload directory.

  3. Upload a legitimate file, paying attention to the parameters used and whether you can access it.

  4. Search for code (usually JavaScript) on the client-side, used to check the files to be uploaded.

  5. Upload a file bypassing the client-side filters. This can be done by removing the javascript code from the server response.

It is expected to get an error produced by the server-side filter. The error message may help determine the next steps.

  • If you can successfully upload a file with a random invalid extension (e.g. shell.fake), the server will most likely use a blacklist filter. If this upload fails, the server may use a whitelist filter or other type of filter.

  • Try re-uploading a file expected by the application, but change the file's magic number. If the upload fails, you will know that the server uses a filter based on a magic number.

  • Upload another file expected by the application, but intercept the request with Burpsuite and change the MIME type, different from the one expected. If the upload fails, you will know that the server is filtering based on the MIME.

  • Analizar los filtros de longitud de los archivos se puede realizar a través de subir un archivo pequeño, y luego subir archivos progresivamente más grandes hasta que salte el filtro. Puede darse el caso de que el mensaje de error directamente cuál es el límite de tamaño.

hashtag
References

Last updated