File upload bypass 2

There are many other ways of bypassing extension checks. Taking the example of a php blacklist again, we could trick the uploader by appending URL-encoded null bytes (or similar trailing characters) after the extension:

fileName.php%00 or fileName.php%20 or fileName.php%0a

Null bytes terminate strings in C-style string handling. Placing one after the extension in URL-encoded form confuses the uploader about where the extension actually ends. So a check with the general form:

if extension ends with .php, don't let upload

will be bypassed here, since the uploader no longer knows what the extension ends with.

Finally, in some cases, placing the php extension before a valid one means the code can still be executed:

fileName.php.jpg or fileName.php.png

This happens when the validation check only looks at whether the file name ends in php and ignores the extension that precedes the final one. The file doesn't end in php, and it follows the allowed format (I think this vulnerability only works on misconfigured servers where php somehow executes).

Whilst it is true that better extension checks can solve these issues, most of the techniques I mentioned in posts 1 and 2 won't work if the validation check looks at the content of the file rather than the extension. Even if we change the extension and bypass the extension checks, the script won't execute because the uploader will recognise the file content as not an image. There are ways to bypass this however, so I'll make a third post about it later.
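As an added illustration (example code written for this page, not from the original post), the Python below models the weak "ends with .php" blacklist check and a hardened allowlist-plus-content check, then runs both against the file names discussed above. The allowed-extension set, the magic-byte table and the null-truncating storage layer are constructed assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Assumed upload policy for this demo: only these image types are accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Constructed magic-byte table for the allowed types (first bytes of each format).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}

def blacklist_check(raw_name: str) -> bool:
    """The weak check from the post: decode the name, refuse it only if it ends with .php.
    Returns True when the upload would be accepted."""
    name = unquote(raw_name)
    return not name.lower().endswith(".php")

def stored_name(raw_name: str) -> str:
    """Assumed storage layer: a C-string style API stops at the first null byte,
    and trailing whitespace is dropped the way some filesystems do."""
    name = unquote(raw_name)
    return name.split("\x00", 1)[0].rstrip()

def allowlist_check(raw_name: str, content: bytes) -> bool:
    """Hardened check: no control characters, one strict stem.ext pattern,
    final extension in the allowlist, and content matching that type's magic bytes."""
    name = unquote(raw_name)
    # Reject null bytes, newlines and any other control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    # Exactly one dot: a stem with no dots, then an extension. Blocks .php.jpg chains.
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", name)
    if not match:
        return False
    ext = match.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # Extension alone is not trusted: the bytes must look like the claimed image type.
    return content.startswith(MAGIC[ext])

if __name__ == "__main__":
    php_like = b"<?php echo 1; ?>"  # constructed non-image content
    for n in ("fileName.php%00", "fileName.php%20", "fileName.php.jpg", "photo.png"):
        print(n, "blacklist:", blacklist_check(n), "stored as:", stored_name(n),
              "allowlist:", allowlist_check(n, php_like))
```

The blacklist accepts every name in the list and the first two are stored as fileName.php, while the allowlist rejects all of them and only passes photo.png when the bytes really start with a PNG header.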
