What is Unsafe File Upload File Extension Filter Bypass Vulnerability?

User-uploaded files can give attackers an entry point into web applications, which makes their secure handling a critical duty for administrators and the security team. If uploaded files are not properly validated, a remote attacker can upload a malicious file to the web server and cause a serious breach. Malicious file uploads stem from insufficient file validation, and the result is code execution. According to OWASP, unrestricted file upload vulnerabilities can enable two sorts of attacks. Web applications often have restrictions in place to make this kind of attack harder, but there are a variety of tactics attackers may use to circumvent file upload restrictions and obtain a reverse shell.

The Blacklist and Bypass

Blacklisting is a form of security control in which particular strings of data, usually certain file extensions, are explicitly forbidden from being delivered to the web application server. This may appear to be the best method for preventing dangerous extensions, frequently shells, from being uploaded to your website, but blacklists are not difficult to circumvent. Here are some alternative extensions commonly used to evade blacklist filtering.

php.txt, .sh, .pht, .phtml, .phP, .Php, .php7, .php%00.jpeg, .cgi

JSP (a server-generated web page) is another common extension for web shells. It is comparable to an .ASP or .PHP file, except that it contains Java code instead of ActiveX or PHP.

.MF, .jspx, .jspf, .jsw, .jsv, .xml, .war, .jsp, .aspx

The Whitelist and Bypass

The second method is to use whitelists. Whitelisting, as the name implies, is the inverse of blacklisting: the server's whitelist only allows jpeg, gif, png, jpg, and so on. This may appear to be a better method of safeguarding your server than using a blacklist, but it can still be circumvented in a few ways, and the strategy has certain drawbacks of its own. There are documented server-side flaws that allow users to circumvent this protection; one of them is:

The semi-colon vulnerability in IIS 6 is caused by a parser flaw, allowing users to upload and execute files with names like testing.asp;.jpg.
Attackers can trick a web app into accepting a PHP file with a JPG/PNG extension by giving a reverse shell a picture extension:

payload.php.jpg

We may also use null character injection to circumvent whitelist filters: the characters after the null are disregarded when the file is saved, so injecting it between a banned and an authorized extension can result in a bypass:

payload.php%00.jpg OR payload.php\x00.jpg

If a whitelist only permits pictures, it may also accept GIF files. By adding GIF89a; at the very top of your shell, you may be able to get around the limit and run the shell.

GIF89a; <?php system($_GET['cmd']); ?>

Exif Data, ExifTool, and Bypass

The following approach for evading file upload limits makes use of the Exif data present in any photograph, such as the location, name, camera used, and much more. When the picture is processed, the web app may execute a comment field containing a reverse shell payload.

You may add your payload with a tool such as exiftool.

Inserting a brief command shell as metadata into your image may look like this:

$ exiftool -DocumentName="<h1>chiara<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" pwtoken.jpeg

ExifTool can then be used to confirm that the newly added field is present in your photo.

$ exiftool pwtoken.jpeg

Then, once on the web app server, just add a shell extension to make it an executable file:

$ mv catphoto.jpg catphoto.php\x00.jpg

Use this in conjunction with the techniques described at the start of this article to bypass either or both of the blacklist and whitelist filters.

Remediation

Limit the file types that can be uploaded by checking the file extension and allowing only specific types to be stored. Use a whitelist instead of a blacklist. Double extensions, such as .php.png, should be rejected. Look for files that have no base filename, such as .htaccess (on ASP.NET, also check for configuration files like web.config). Change the upload folder's permissions so that the files within it are not executable. If possible, rename the uploaded files.
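A filename check that implements the remediation steps above (whitelist, a single extension, no dotfiles or configuration names, rename on save), as an added Python example that is not ZOFixer's code; the extension allowlist, the storage-name scheme and the function names are assumptions. It goes slightly beyond the text in that one name pattern rejects every bypass form listed on this page at once rather than blocking each individually.

```python
"""Allowlist-based upload filename validation (added example, not ZOFixer's code)."""
from __future__ import annotations
import re
import secrets

# Allowlist of the extensions the application really needs; never a blocklist.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Server configuration names that must never be written into an upload folder.
CONFIG_NAMES = {".htaccess", "web.config"}

# Exactly one base name, one dot, one extension, safe characters only.
# A second dot (payload.php.jpg), a ';' (testing.asp;.jpg), a '%' or a NUL
# all fail this single pattern instead of needing an ever-growing blocklist.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$")


def _client_basename(filename: str) -> str:
    """Keep only the final path component of the client-supplied name."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def validate_upload(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason); reason is empty when the name is accepted."""
    name = _client_basename(filename)
    if "\x00" in name or "%00" in name:
        return False, "null byte (raw or URL-encoded) in filename"
    if name.startswith(".") or name.lower() in CONFIG_NAMES:
        return False, "dotfile or server configuration file name"
    match = _SAFE_NAME.match(name)
    if not match:
        return False, "not <base>.<ext> with safe characters (double extension or junk)"
    ext = match.group(1).lower()  # case-folded, so .phP and .PHP are treated alike
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not on the allowlist"
    return True, ""


def safe_storage_name(filename: str) -> str:
    """Name to store the file under: random token plus the validated extension.

    The client-chosen name never reaches disk; the directory it lands in should
    additionally be configured as non-executable by the web server.
    """
    accepted, reason = validate_upload(filename)
    if not accepted:
        raise ValueError(reason)
    ext = _client_basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Validating the name is necessary but not sufficient: a file whose content starts with GIF89a; or carries a payload in its Exif fields passes this check, which is why the non-executable upload directory matters.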

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
