File upload bypass 1

Letting users upload their files to your website can come with great risks if the necessary precautions aren’t taken. For example, a file upload with no validation checks means that users are able to upload files of any type. This becomes dangerous when the file contains code that executes on the server side, like PHP. Users are then able to run their scripts on the server (assuming they know where the file is stored and can reach it through the web server). Obviously this is pretty bad. It doesn’t take a criminal mastermind to upload a PHP reverse shell script to a server, set up a listener and get a shell. There are two main approaches to defending file uploads: whitelisting and blacklisting. Whitelisting consists of only allowing certain types of files (probably images) to be uploaded. Blacklisting, on the other hand, works by disallowing certain types of files. However, both methods can be bypassed depending on how the code behind the validation check is written.

Bypassing extension checks (super simple)

Let’s say a file upload is blacklisting files with the .php extension by manually checking the extension. This can be bypassed by using any other extension the server hands to the PHP interpreter (a PHP file only executes if the web server’s handler configuration maps its extension to PHP). Some of these include .phtml, .php5 and .phar, depending on the server configuration. .phps is often listed too, but on most setups it is mapped to a source-highlighting handler rather than the interpreter, so it tends to disclose the file’s contents instead of running them. Ok, but what about if we whitelist image files? Then only images will be able to be uploaded, and all the PHP extensions will be invalid. In that case, we can still trick the uploader if the check looks at the wrong part of the name, for example by matching the image extension anywhere in the filename or by reading the extension after the first dot instead of the last. We then upload a file with a PHP extension added on top of a valid one. For example:

fileName.png.php or fileName.jpg.php

The uploader sees an image extension and accepts the file, but the .php extension at the end is what the web server uses to decide how to handle the request, so whatever is in the file gets executed. I’ll make a second post on this with more ways to bypass a misconfigured extension check (with null bytes and other types of logical bypasses).
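To make the difference concrete, here is an added example (not code from the original post) that puts three weak extension validators next to a stricter one and feeds each of them the filenames discussed above. The validator functions, the extension sets and the attacker filenames are assumptions chosen to illustrate the bypasses; which extensions actually reach the PHP interpreter on a real server depends on that server’s handler configuration.

```python
"""Weak vs. strict upload extension checks (added example, not from the post)."""
import os
import secrets
from typing import Callable, List, Optional

# Extensions a PHP-enabled web server is commonly configured to execute.
# Assumption: real coverage depends on the server's handler mapping.
EXECUTABLE_PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}

# The image types the upload feature is meant to accept (assumption).
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Constructed attacker-controlled filenames exercising each bypass in the post.
ATTACKER_NAMES = [
    "shell.php",       # the obvious case every check should stop
    "shell.phtml",     # alternative PHP extensions slip past a ".php" blacklist
    "shell.php5",
    "shell.phar",
    "shell.png.php",   # double extension: image first, PHP last
    "shell.jpg.php",
    "shell.PHP",       # case variation
]


def naive_blacklist(filename: str) -> bool:
    """Weak: rejects only a literal '.php' suffix, so other PHP extensions pass."""
    return not filename.endswith(".php")


def naive_substring_whitelist(filename: str) -> bool:
    """Weak: accepts any name that merely CONTAINS an image extension."""
    return any(f".{ext}" in filename for ext in ALLOWED_IMAGE_EXTENSIONS)


def naive_first_extension_whitelist(filename: str) -> bool:
    """Weak: reads the text after the FIRST dot, so 'a.png.php' looks like a PNG."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def strict_extension_whitelist(filename: str) -> bool:
    """Stricter: the FINAL extension, lowercased, must be on the allow-list.

    The web server routes on the last extension, so that is the one to check.
    """
    base = os.path.basename(filename)          # ignore any directory components
    root, dot, ext = base.rpartition(".")
    return bool(root) and dot == "." and ext.lower() in ALLOWED_IMAGE_EXTENSIONS


def safe_stored_name(filename: str) -> Optional[str]:
    """Validate, then throw the user-supplied name away entirely.

    The file is stored under a random name carrying only the validated
    extension, so nothing else from the original name survives on disk.
    """
    if not strict_extension_whitelist(filename):
        return None
    ext = filename.rpartition(".")[2].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def bypasses(validator: Callable[[str], bool]) -> List[str]:
    """Return the attacker filenames a given validator lets through."""
    return [name for name in ATTACKER_NAMES if validator(name)]


if __name__ == "__main__":
    for check in (naive_blacklist, naive_substring_whitelist,
                  naive_first_extension_whitelist, strict_extension_whitelist):
        print(f"{check.__name__:32s} accepts: {bypasses(check)}")
    print("stored as:", safe_stored_name("cat.JPG"))
```

Note that even the strict check only decides which names are acceptable; it still trusts that the server will treat the final extension the way the application expects, which is why the stored name is regenerated rather than reused. Checking the file contents (for example that the bytes really decode as an image) is a separate layer this example does not cover.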
