FILE UPLOAD RESTRICTION BYPASS
We have all come across a file upload function while testing a site, whether in CTFs, a real-world pentest, or a bug bounty.
In this blog I will show you the basic bypass techniques I used while testing a site. I gathered them from different sources, and they helped me a lot.
So, without any delay, let's continue:
1) When the application blocks file extensions like ".php":
Bypass it by changing the file extension to an alternative PHP extension such as ".php3", ".php5" or ".phtml".
2) When the application only allows certain file types, like ".png" or ".asp":
Bypass it by appending the allowed extension to the filename, e.g. "file.php.png" or "file.php.asp".
3) When the application has strict rules to only allow image files:
We can add image magic bytes at the start of the PHP file. For example, the malicious PHP code you want to upload looks like:
"<?php echo shell_exec($_GET['cmd']); ?>"
The application checks the first few bytes of the file and identifies it as a PHP file. If we change the first few bytes by prepending image magic bytes, like:
"GIF8; <?php echo shell_exec($_GET['cmd']); ?>"
the application only sees the first few bytes and accepts it as an image file. Hence the file upload succeeds.
4) Sometimes, when the upload gives us an error, we can simply intercept the request and change the 'Content-Type:' header to "text/plain"; this may bypass the upload restrictions.
5) If the application uses a filter that strips extensions, for instance one that removes ".php", we can bypass it by renaming the file to "file.p.phphp": once the filter removes ".php", we are still left with "file.php".
6) In Apache, the files we upload get stored in the /www/uploads directory. So if we upload a file named "../../../../file.php", file.php will be written to a different location than intended.
7) Sometimes we can also bypass certain checks by changing the case of the file extension, like "file.aSp" or "file.PHp3".
8) When running PHP on IIS, the ">", "<" and double quote (") characters are converted to "?", "*" and "." respectively, which can be used to replace existing files (e.g. "web<<" can replace the "web.config" file). To include the double quote character in the filename in a normal file upload request, the filename in the "Content-Disposition" header should use single quotes (e.g. filename='web"config' to replace the "web.config" file).
9) You can also watch IppSec's video on the Falafel box, where a PHP file upload bypass is done by exploiting the maximum number of characters allowed in the filename.
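Every technique above works because a single weak check (an extension denylist, a client-supplied Content-Type, a glance at the first bytes, a naive string filter) is trusted on its own. Below is an added example of a server-side validator that layers the checks so each listed bypass is rejected; it is written for this post and is not code from the original, and the allowlist, signatures and sample filenames are constructed assumptions. The client's Content-Type header is deliberately never consulted.

```python
import os
import re

# Allowlist of image extensions (assumption for this example).
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}
# Full signatures, checked against the extension the client declared ("GIF8;" is not one).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# A polyglot such as "GIF89a<?php ..." has a valid header, so the body is scanned too.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")
# One dot, one extension, safe characters only: rejects "file.php.png",
# "file.p.phphp", "web<<" and anything containing "/" or "..".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The client's Content-Type header is deliberately
    not an input: it is attacker-controlled and never consulted."""
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return False, "path separator in filename"
    if not SAFE_NAME.fullmatch(filename):
        return False, "unsafe characters or multiple extensions"
    ext = filename.rsplit(".", 1)[1].lower()  # case-insensitive: .PNg == .png
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "script marker inside image data"
    return True, "ok"  # store under a server-generated name, never `filename`


# Constructed samples, one per bypass the post lists; only "good" should pass.
SAMPLES = {
    "good": ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "alt_ext": ("shell.phtml", b"<?php echo 1; ?>"),
    "double_ext": ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
    "magic_polyglot": ("shell.gif", b"GIF89a<?php echo 1; ?>"),
    "strip_filter": ("file.p.phphp", b"GIF89a"),
    "traversal": ("../../../../file.php", b"GIF89a"),
    "case": ("file.PHp3", b"GIF89a"),
    "iis_chars": ("web<<", b"GIF89a"),
}


def check_samples() -> dict:
    return {name: validate_upload(fn, data)[0] for name, (fn, data) in SAMPLES.items()}
```

Storing the file under a server-generated name outside the web root, or on a host that never executes uploads, closes the remaining gap even if a check above is ever weakened.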
So that's it for now; I hope one of these techniques helped you with your problem.
Thank you