
File Upload Attacks : Explained

Hello everyone,


I am Nitin Yadav (KD), back again with another write-up.

Today I am going to talk about a critical vulnerability that exists in some file uploaders. When a user is allowed to upload a file, an attacker can inject malicious code into the file, and that code is executed once the file is uploaded. This could allow the attacker to execute arbitrary code on the user's computer or access sensitive information.

What are File Upload Vulnerabilities?

When an application lets a user upload files to a server, those files could be attachments or profile pictures. The application then stores those files in one of several types of storage: some applications save them directly on the server, but many organizations use storage buckets instead. The process of uploading files to a server is referred to as a file upload. If the uploaded files are not securely managed, an attacker may be able to upload a malicious file to the server. This file may be a web shell, which, depending on the specifics of the situation, could be used to execute commands or compromise the web server. Most of the time the application carries out several operations on the uploaded files, such as resizing them, processing them further, or compressing them as required. Applications also apply some verification mechanisms to uploaded files, for example validating the file's Content-Type or MIME type, which works correctly in the majority of cases.


This means that failing to correctly manage uploaded files may let an attacker upload a malicious file to the server, such as a web shell, which can be used to execute commands or compromise the web server, depending on the circumstances.


It is a major problem for web-based applications. On many web servers the impact of this vulnerability depends entirely on the attacker's purpose: an attacker might be able to put a phishing page on the website, deface the website, or reveal internal information about the web server to others, and in some cases sensitive data might be exposed to unauthorized people.


What can we do with this?


If you are a pentester you can achieve remote code execution, XSS, SSRF, LFI, XXE, phishing, parameter pollution, SQL injection, disclosure of sensitive information and internal paths, client-side vulnerabilities, server-side vulnerabilities, cross-site content hijacking, and much more.


Exploiting File Upload Vulnerabilities


There are several ways to exploit this vulnerability. Web applications sometimes put restrictions on the use of cookies and authentication information, but not always. In addition, some web applications give users no specific way to check whether they have been hacked or whether there is any potential threat in using them, because it is normal for sites to have backdoors that allow staff members to use them with multiple levels of authority, which they are supposed to keep private and secure.


  • If the web application only verifies the extension of the uploaded file, the attacker modifies the file name while uploading. This can easily be done by intercepting the request with a proxy tool such as Burp Suite and changing the extension. For example, suppose the attacker's file has a PHP extension, i.e. “bypass.php”, and the application only accepts image extensions such as png or jpeg. The attacker then uploads a file with a double extension, “bypass.php.jpg”. Since only the extension is matched, the attacker is able to upload the file and bypass the restriction. This bypass technique is known as the double extension technique.

  • Sometimes applications verify the file based on the “Content-Type” header. Images are sent with a content type such as image/png; if the application only checks this header, an uploaded file with a PHP extension whose Content-Type header has been set to image/png will pass the check.

  • Sometimes an attacker can inject the null byte character (%00) into the file name.

  • You can use tools.

  • You can use msfvenom

  • Use double extensions.

  • Inject a null hex character.

  • Bypass using less common PHP extensions such as: phtml, php3, php4, php5, inc, pHtml, pHp, pHp3, pHp4, pHp5, iNc, iNc%00, iNc%20%20%20, iNc%20%20%20…%20.%20.. , iNc…… , inc%00, inc%20%20%20, inc%20%20%20…%20.%20.. , inc…… , pHp%00, pHp%20%20%20, pHp%20%20%20…%20.%20.. , pHp…… , pHp3%00, pHp3%20%20%20, pHp3%20%20%20…%20.%20.. , pHp3…… , pHp4%00, pHp4%20%20%20, pHp4%20%20%20…%20.%20.. , pHp4…… , pHp5%00, pHp5%20%20%20, pHp5%20%20%20…%20.%20.. , pHp5…… , pHtml%00, pHtml%20%20%20, pHtml%20%20%20…%20.%20.. , pHtml…… , php%00, php%20%20%20, php%20%20%20…%20.%20.. , php…… , php3%00, php3%20%20%20, php3%20%20%20…%20.%20.. , php3…… , php4%00, php4%20%20%20, php4%20%20%20…%20.%20.. , php4…… , php5%00, php5%20%20%20, php5%20%20%20…%20.%20.. , php5…… , phtml%00, phtml%20%20%20, phtml%20%20%20…%20.%20.. , phtml……

  • Using a small payload can bypass length restrictions.

  • Use a file name such as ../../logo.png or ../../etc/passwd/logo.png to get directory traversal via the uploaded file.

  • Upload a file whose name contains an SQL payload such as ‘sleep(10).jpg; you may achieve SQL injection if the file name is saved directly to the database.

  • Check for .svg file upload; you can achieve stored XSS using an XML payload.

  • Change the file name to an XSS payload such as <svg onload=alert(document.domain)>; you may achieve XSS.

  • RCE via file upload

  • XSS via file upload: via the file name, via metadata, via an SVG file.

  • SSRF via file upload: via an SVG file, via the file name, via an iframe in HTML.

  • XXE via file upload: try uploading this code with an .svg extension, then retrieve the SVG file from the application to check:

    <?xml version="1.0" standalone="yes"?>
    <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
    <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
      <text font-size="16" x="0" y="16">&xxe;</text>
    </svg>

  • EXIF metadata leakage: go to https://github.com/ianare/exif-samples/tree/master/jpg, where you will find many images, and select one. Upload the image to the website, then download the uploaded image from the website. Visit https://www.verexif.com/en/ or https://www.pic2map.com/ to check whether the EXIF metadata has been stripped or not. If it has not, you can report it.

  • Open redirect via svg file

  • Large file DoS attack
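From the defending side, most of the bypasses listed above (double extensions, case variants like pHp, %00 and trailing-space padding, traversal in the file name, a forged Content-Type header, SVGs carrying DOCTYPE/ENTITY declarations or event handlers, and oversized files) fail against a validator that checks the decoded file name, the extension allow-list, the declared type and the file's own leading bytes together, and never lets the user's name reach the filesystem. The following is an added example written for this post, not code from the author; it assumes a hypothetical application that only wants PNG/JPEG images, and the function and constant names are mine.

```python
import os
import re
import secrets
import urllib.parse

# Formats the hypothetical application actually wants to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}
EXPECTED_CONTENT_TYPE = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}
# Leading magic bytes of each accepted format, checked against the body itself.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
MAX_BYTES = 5 * 1024 * 1024  # hard size cap against the large-file DoS case

# Constructs that make an SVG dangerous to render inline: external entities (XXE),
# script and event handlers (stored XSS), and embedded documents.
SVG_DANGEROUS = re.compile(
    rb"<!DOCTYPE|<!ENTITY|<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b|<iframe\b",
    re.IGNORECASE,
)


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason). All name checks run on the percent-decoded name,
    so %00 and %20 padding are seen for what they are."""
    name = urllib.parse.unquote(filename)
    if "\x00" in name:
        return False, "null byte in filename"
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # Anything with a directory component is traversal, whatever the separator.
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or ".." in name:
        return False, "path traversal in filename"
    # Some filesystems silently drop trailing dots/spaces ("shell.php. . ").
    if base != base.rstrip(". "):
        return False, "trailing dot or space in filename"
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or hidden file"
    if len(parts) > 2:
        return False, "double extension"
    ext = parts[1].lower()  # pHp, PHTML etc. fold to lowercase before comparing
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    declared = content_type.split(";")[0].strip().lower()
    if declared != EXPECTED_CONTENT_TYPE[ext]:
        return False, "content-type does not match extension"
    # The header is client-controlled; the bytes are what the server will serve.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not look like " + ext
    return True, "ok"


def svg_is_safe(data: bytes):
    """Static screen for SVG uploads, if the application must accept them at all."""
    m = SVG_DANGEROUS.search(data)
    if m:
        return False, "dangerous construct in SVG: " + m.group(0).decode("ascii", "replace").strip()
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name: the user's file name never reaches the filesystem."""
    return secrets.token_hex(16) + "." + ext.lower()


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample body
    for fname, ctype, body in [
        ("avatar.png", "image/png", png),
        ("bypass.php.jpg", "image/jpeg", png),
        ("shell.pHp", "image/png", png),
        ("shell.php%00.jpg", "image/jpeg", png),
        ("../../logo.png", "image/png", png),
        ("logo.png", "image/png", b"<?php echo 1; ?>"),
    ]:
        print(fname, "->", validate_upload(fname, ctype, body))
```

Even with these checks, uploaded files should be stored outside the web root or in a bucket with execution disabled, and SVGs that must be accepted are safest served with a Content-Disposition: attachment header or from a separate origin, so that a construct the regex misses still cannot run in the application's origin.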

Bypass


If you want to read disclosed reports on file uploads then click here; it will also give you an idea of how to find reports or blogs on the topic.


Therefore, to curb the increasing numbers of file upload vulnerabilities, we need to make a conscious shift towards better file upload controls.
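One such control is the one the EXIF bullet above tests for: stripping metadata from an uploaded JPEG before it is served back to anyone, so that camera and GPS information never reaches other users. The example below is added here and is not the author's code; it walks the JPEG segment structure with only the standard library, drops the APP1 (Exif/XMP), APP13 (IPTC) and COM segments, and copies everything from the SOS marker onwards untouched. The sample JPEG it runs on is constructed inline with fake image data.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field (SOI, EOI, TEM, RST0..RST7).
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
# Segments that exist only to carry metadata: APP1 (Exif/XMP), APP13 (IPTC/Photoshop), COM.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def iter_segments(data: bytes):
    """Yield (marker, offset, segment_bytes) for each header segment before SOS.
    The final item is (0xDA, offset, rest_of_file) covering the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed JPEG at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, data[pos:]
            return
        if marker in STANDALONE:
            yield marker, pos, data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("segment length out of range")
        yield marker, pos, data[pos:end]
        pos = end
    raise ValueError("no SOS segment found")


def has_exif(data: bytes) -> bool:
    """True if an APP1 segment with the Exif identifier is present."""
    return any(m == 0xE1 and seg[4:10] == b"Exif\x00\x00" for m, _, seg in iter_segments(data))


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the file without metadata segments; image data is copied verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, _, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed stand-in for an uploaded photo: valid segment structure, fake image data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"<fake GPS/camera TIFF data>")
    + _segment(0xFE, b"taken at home")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("exif before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned))
    print("segments after:", [hex(m) for m, _, _ in iter_segments(cleaned)])
```

In a real pipeline the safer default is to re-encode the image entirely (which also discards anything hidden after the EOI marker); the segment-level strip above is the minimal version that keeps the original bytes intact, and the has_exif check doubles as a regression test for the behaviour the EXIF bullet describes.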


I hope you enjoyed this one and I see you next time :)



Take care and stay safe!




