File Upload Vulnerabilities

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
file upload vulnerabilities
00:03
are learning objectives are to understand what file, upload vulnerabilities are and identify how to exploit file upload vulnerabilities.
00:12
So a lot of applications allow people to upload different kinds of files. Maybe it's an avatar image, maybe uh it's a medical application where you can upload receipts in a pdf form.
00:27
Um a lot of them you have to be authenticated. Some, you don't have to be authenticated, which is even better for us as Attackers. But what this allows us to do is possibly change the file extension
00:39
to then upload a malicious file. And again, it's important to understand the underlying architecture of the server. What what is it PHP is, is it a sp that's going to ultimately determine what type of file file you're going to upload.
00:58
So our, our administrator portal for the awesome photo blog
01:02
doesn't allow file extensions named PHP.
01:06
Why doesn't do that? Because it runs PHP?
01:10
And if I can upload a shell, it will execute that shell and I'm able to get on that server.
01:15
So it really depends how the
01:19
code is written, some have rejects. So it's looking for different, different types of file extensions
01:26
in this case is actually looking for dot PHP. So I could fool it by making it PHP three
01:33
or making it uh an uppercase p lowercase H uppercase P again, to block that rejects. So it's not a very well thought out application. Of course, it's intentionally vulnerable, but here, that's how I tricked it. You can also do other things like p. Html
01:49
as well. I have a whole other slide to show you what are the things you can try.
01:53
So, if you if you understand the underlying architecture of the server and you know, it's running PHP here are a few extensions that you can use a sp you can use a sp a sp x Pearly have a few other options to choose from. Jsp and called fusion. So
02:12
just because one file extension type is blocked,
02:15
doesn't mean another file type
02:17
is not blocked which is allowed.
02:21
So try these because I've done a few hacked the box challenges, challenges or cts where PHP is blocked, but PHP five is not.
02:30
So this is a good a good source to take a look at as well.
02:38
Mime types. Why are mime types important?
02:40
Because some servers don't look at the extension itself, they look at the mime type of the file.
02:46
So you can run the file command and Mime type and you can see here that it is text X PHP.
02:54
And I changed the file extension two JPG to jpeg and run my type again. Well, it doesn't fool it, it sees that it's a a PHP file.
03:04
So in this case, simply changing the extension
03:08
will not trick the server
03:12
into thinking that. Is that actually a Jpeg file? So what do you do
03:15
you use Burp suite? So when you intercept this post request
03:22
in Burp suite,
03:23
you're changing the content type from application X PHP to image our image forward slash jpeg.
03:31
So now it thinks it's a Jpeg Jpeg file and not a PHP file. Despite having a PHP extension,
03:43
you can do this by hiding hiding code in an image. I thought this is a pretty cool little script from Techie Zilla.
03:52
Um and here's the script that I used for to basically take a Jpeg file,
04:00
an office kate PHP into that. And you can see here, I run around the strings come in on it and you can see my little shell down there written in PHP.
04:11
So if I run Mime Type on this, even though it has a PHP three extension. The Mime type is J Peg.
04:18
That has to do with magic bytes. You can you can look this up in google, but you see
04:24
magic bytes. J f I F. If you look up magic bytes for things like, like Jif or GIF files,
04:31
um I know there's a big war about what you call it, um or any type of file, there are magic bytes. So when something looks at a file, it will look at things like the headers of the file. And if it says J F I F, it will think it's a
04:46
on this case. It thinks it's a Jpeg file, but these magic bytes are also important as well. So it's recognizing this file from magic bytes as a Jpeg file.
04:58
Yeah,
05:00
so here we go. I was able to confiscate my code in that image
05:05
and Iran that cat and was able to get a reverse shell
05:10
by tricking the server into thinking that my PHP
05:15
uh that the PHP
05:16
Jpeg was a Jpeg when in fact it had PHP embedded inside of it.
05:21
And the um, server, of course, is running PHP. So that's how I was able to get a reverse shell.
05:29
Yeah,
05:30
So in summary, we should now understand what file upload vulnerabilities are and identify how to exploit file upload vulnerabilities.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By