File upload

Consequences of Vulnerable File Uploads

1. Denial of Service (DoS)

2. File Overwrite

3. Remote Code Execution (RCE)

Methodology for Testing File Upload Vulnerabilities

Enumeration

• Use tools like wappanalyser to identify the technology used.

• Use burpsuite to gather information about the server (which langage can it run ?) but also information about web requests..

• Use gobuster to determine how to access uploaded files.

• Identify how files are named.

Identify Uploadable Files

• Check for client-side verification.

• Check for server-side verification.

• Use burpsuite to gain more flexibility.

Types of Filtering

1. Extension Validation (Blacklist or Whitelist)

2. File Type Filtering (MIME, Magic Number)

3. File Length Filtering

4. File Content Filtering

Client-Side Filtering Bypass Techniques

1. Analyze the source code.

2. Turn off JavaScript on the web browser.

3. Modify external JavaScript files.

4. Intercept and modify JavaScript requests in burp.

5. Modify the file payload.

6. Upload the file directly using command line.

curl -X POST -F "submit=success" -F "fileToUpload=@coffee.jpg" "http://java.uploadvulns.thm/"

Server-Side Filtering Bypass Techniques

Modify Extension

Extension obfuscation

php3
php4
php5
php7
phps
php-s
pht
phar
phtml
phPWND

Double extension

jpg.php
php.jpg
php.
%2Ephp
asp;.jpg
asp%00.jpg
xC0 x2E
xC4 xAE
xC0 xAE
.p.phphp

Others

• change the magic number

• use polyglot files.

• Modify .htaccess :

  1. upload a crafted .htaccess with new directives;

  2. upload the file you want then.

• Use Cross-Site Scripting (XSS) or XML External Entity (XXE) attacks.

• Use PUT method for uploading files if no upload function is available.

General Techniques

1. Identify what is forbidden.

2. Determine the rights of an uploaded file.

3. Figure out how to access the uploaded file.

4. Handle blacklists (e.g., modify .htaccess, use extension obfuscation).

5. Upload via URL and then download the image.

6. Use pseudo-random functions for naming.

7. Upload XML for XSS attacks.

8. Upload .doc or .xls for XXE attacks.

Preventing File Upload Vulnerabilities

1. File Validation

   • Use a whitelist for checking file extensions.

   • Check MIME types (note: these can be modified).

   • Set appropriate rights in the directory where files are uploaded.

   • Prevent access to dangerous files by stripping extensions.

   • Check the content of the uploaded file (e.g., magic number), but note that this is inefficient for polyglot files.

   • Prevent directory traversal attacks.

2. Use a Framework

   • Modify the name randomly to prevent overwriting.

   • Validate in a sandbox environment.

3. Use an Anti-virus

   • Note that there can be a race condition for detecting the malicious file.

4. General Security Practices

   • Keep the system and services, including web application frameworks, updated with the latest version.

   • Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.

   • Use a Web Application Firewall (WAF) to help mitigate web application attacks.

   • Disable some PHP features that cause file inclusion vulnerabilities if they are not needed, such as allow_url_fopen and allow_url_include.

   • Carefully analyze the web application and allow only protocols and PHP wrappers that are needed.

   • Never trust user input, and implement proper input validation against file inclusion.

   • Implement whitelisting for file names and locations, as well as blacklisting.