This presentation includes different file upload validations and ways to bypass them. It also lists the prevention mechanisms which should be used by developers during file upload functionality implementation.

1. www.mobiliya.com
© 2017 Mobiliya. All Rights Reserved
Compromising Server via File Upload
Ankit Rai

2. © 2017 Mobiliya. All Rights Reserved 2
Agenda
Ø Introduction to Burp Suite
Ø FAQs
Ø Some Terminologies
Ø File validation approaches and their bypasses
Ø Uploading Shell - getting server command line access
Ø Preventions

3. © 2017 Mobiliya. All Rights Reserved 3
Intercepting Proxy - Burp Suite
Ø It obstructs the normal communication between the client and the destined server to give us an opportunity of
modifying the parameters as per our need before sending it to it's original destination.
Ø Clients need not be aware of the existence of proxy which means we need to alter borwser's proxy setting to intercept.
Ø Used for security assessments
Ø Intercept/Capture all the traffic going to server from Browser(Client)
Ø Can be used on the same system as of browser (Client) or another system

4. © 2017 Mobiliya. All Rights Reserved 4
FAQs
Ques.-1 What can be done even if unrestricted file upload is possible ?
Ans.- Virus, worms, malwares, keyloggers, etc. can be uploaded
Ques.-2 What we get out of it ?
Ans.- Nothing
Ques.-3 Is there anything interesting then ?
Ans.- Yes, it is possible to control server and maintain access.
Ques.-4 What do we want here ?
Ans.- To upload a php file so that it would get interpreted over the server.

5. © 2017 Mobiliya. All Rights Reserved 5
Terminologies
Ø Content-type: It's a request header every browser sets which depicts the type of data it sends to the server. For e.g.
application/x-www-form-urlencoded for forms, text/plain for text files, multipart/form-data for file upload etc.
Ø Blacklist - A list of what's not allowed. E.g., In Casinos they allow everyone but make a list of who is not allowed.
Ø Whitelist - A list of what's all allowed. E.g, our company have created an access list of who all are allowed instead of
havig a long list of every other men on the earth who is not allowed.

6. © 2017 Mobiliya. All Rights Reserved 6
Ø Implement blacklist and search for extension in the file name
Bypass: To upload php file, type extension as PhP
File upload validation approaches _ DEMO

7. © 2017 Mobiliya. All Rights Reserved 7
File upload validation approaches _ DEMO
Ø Implement whitelist of extension and search a match in file name
Bypass: To upload a php file, try .txt.php as extension

8. © 2017 Mobiliya. All Rights Reserved 8
File upload validation approaches _ DEMO
Ø Content type validation
Bypass: Keep the content-type request header's value same and upload file with any extension

9. © 2017 Mobiliya. All Rights Reserved 9
Ø Proper whitelisting implementation
Bypass: Upload a txt file with php content, it will get interpreted at server because of the use of include.
File upload validation approaches _ DEMO

10. © 2017 Mobiliya. All Rights Reserved 10
File upload validation approaches _ DEMO
Ø Mime type validation using file signatures (Magic bytes)
Bypass: Keep the file signature same and change the actual content to bypass this filter

11. © 2017 Mobiliya. All Rights Reserved 11
MIME Type Validation
Ø Every file have specific signature which is stored in initial bytes (a.k.a Magic Bytes)
Ø A file would rendered unusable if these magic bytes would get changed/altered
Ø This can not be used alone as file validation mechanism but needs to be used with other secured approaches

12. © 2017 Mobiliya. All Rights Reserved 12
Compromising Server
Ø Upload a shell or custom script to take full control of the server
Ø What some one would do after compromising a server ???
Ø There is a list of things here depending upon the data your server holds:
o Fun/Hobby
o Steal
o Fame
o Criminal mind/disrupt

13. © 2017 Mobiliya. All Rights Reserved 13
Recommendations
Ø Always upload files in a folder which is outside web root directory.
Ø Allow only whitelisted extensions with strict extension validation.
Ø Check the File type (Mime Type) of expected files.
Ø Restrict the file size
Ø Limit the number of uploaded files
Ø Never give away the exact file location
Ø Never include any untrusted file in a page directly
Ø Store a file with new random file name
Ø User Virus/malware scanners over the server for better security
Ø If possible, provide only read and write permission over the uploaded directory and remove execute permission

14. © 2017 Mobiliya. All Rights Reserved www.mobiliya.com
Thank You