Unrestricted File Uploads

Uploading is the transmission of a file from one computer system to another, usually a larger computer system.

For instance, a job portal would allow a user to upload a resume and certificates whereas a banking website would allow a user to upload supporting documentation such as identity, address, and income proof.


What is Unrestricted File Upload?

If the File Upload functionality is not properly designed, this might bring up the danger.
An attacker can take advantage of this functionality and upload executable codes in file formats such as PHP file, JavaScript, and exe, which could attack client machines or the network by uploading viruses, worms, or trojan horses. This is what is known as file upload vulnerability.

Types of File Upload Vulnerability :

Local file upload vulnerability -
A local file upload vulnerability is a vulnerability where an application allows a user to upload a malicious file directly which is then executed.

Remote file upload vulnerability -
A remote file upload vulnerability is a vulnerability where an application uses user input to fetch a remote file from a site on the Internet and store it locally. This file is then executed by an attacker.

〰〰〰

File upload test scenarios:

1. Upload malicious/executable file
When the application allows the user to upload executable files, such as EXE, JAR, MSI, BAT etc. files that may contain malicious code.

EXE, MSI, BAT, PHP, JAR, etc.



Since it is an executable file, it can be executed on the client-side (ie on the victim's system) as well as on the server-side.

2.  XSS via image file upload - 
The image by itself will not do any attack, but the image file does not come alone; it includes a file name, metadata, comment, and actual content of that image.

2.1 File content 
The first method is to upload an image file embedded with javascript payload.


This is an example of a SVG file. The SVG file is basically an XML-based image file. Which uses content type as image / svg + xml. If we notice, this is the XSS payload in the file contents. , Which should show an alert box on execution..

2.2 File name 
  • The second method is quite simple. All we need to do is upload a valid image with malicious file name.
  • Ex - "><svg onload=alert(document.cookie)>.jpeg





3. XSS via HTML file upload
  • HTML is a client-side programming language but it can be malicious and can be used to attack file upload functionality.
  • This attack technique uses an HTML file embedded with a javascript payload.



4. SQL injection
  • File uploads can be used to exploit SQL injection.
How is it possible?
  • Well, the exploitation technique is the same as XSS via an image file upload.
  • Upload the file using SQL command ‘sleep(10).jpg 
The images have metadata, after you uploaded the image, the metadata was extracted and put into the database so you may achieve SQL injection if the input was not correctly sanitized.

5. No file size limit - DoS attack
  • When the application doesn’t check/validate the uploaded file size. it can be used to perform a DoS attack by uploading large files.
  • When the webserver and web application software do not validate the number, size, and frequency of file uploads it is possible to fill the drive space of the webserver to the point so that the application is not available to the legitimate user. 

6. Web shell 

  • Web Shell offers a Convenient way to maintain access and run further commands on the system. Web Shells are an uploaded web application that allows a  penetration tester to run commands on an infected System.

〰〰〰

Types of filters :

Here are some common filters used by the developers
  • Blacklisting
  • Whitelisting
  • Content-type validation
  • Content length validation

1. Blacklisting : 
  • Not allowing malicious file types.
  • It’s not possible to blacklist all malicious/executable file extensions. It can be easily bypassed by using unknown/unpopular file extensions.
  • Example : pht,HTA , VBS,  phpt, phtml, php3,php4,php5,php6 etc.

2. Whitelisting Bypass:
  • Only allowing specific file formats/extensions. It can be bypassed by uploading a file with some tricks such as NULL byte character and double extension. 
  • Null byte injection  - shell.php%00.png
  • Double extension - shell.jpg.php
Also with advanced techniques, it is possible to inject malicious code in any file type including pdfs, image, or CSV, etc.

3. Content-type Validation
  • As the name implies it validates the content type of the uploaded file.
When a web browser uploads a file, 2 pieces of information are generated by the browser. First, the extension of the file name “.jpg” for example. Second, the browser will typically set a “Content-Type:” HTTP Header indicating the type of file contents being uploaded such as “image/jpeg” for a JPEG image file.
  • This type of validation can be bypassed by changing the file extension but keeping the same content type as expected by the application.
  • For example, if the allowed file type is an image, this can be bypassed by uploading a PHP file attack.html” but keeping the Content-Type” parameter as “image/ *” Content-Type. Such as“image/png”, “image/jpeg”, and “image/gif”.


4. Content length Validation:
  • The application validates the file size. It can be bypass using a small length payload.
  • PHP shell: (<?=`$_GET[x]`?>)
〰〰〰

According to OWASP, the following list can be used by penetration testers in order to bypass a variety of protections.
 
a) Content-Type —>Change the parameter in the request header using Burp, ZAP, etc.

b) Put server executable extensions like file.php5, file.shtml, file.asa, file.cert.

c) Changing letters to capital form file.aSp or file.PHp3

d) Using trailing spaces and/or dots at the end of the filename like a file.asp… … . . .. .. , file.asp, file.asp.

e) Use of semicolon after the forbidden extension and before the permitted extension example: file.asp;.jpg (Only in IIS 6 or prior)

f) Upload a file with 2 extensions—> file.php.jpg

g) Use of null character—> file.asp%00.jpg

h) Create a file with a forbidden extension —> file.asp:.jpg or file.asp::$data

i) Combination of the above

〰〰〰

Impact of Unrestricted File Upload :

The consequences of this file upload vulnerability vary with every different web application, as it depends on what the application does with the uploaded file and especially where it is stored.

1. Server-side attacks: The web server can be compromised by uploading and executing a web shell that can run commands, browse system files, browse local resources, attack other servers, or exploit the local vulnerabilities, and so forth.

2. Client-side attacks: Uploading malicious files can make the website vulnerable to client-side attacks such as XSS or Cross-site Content Hijacking.

3. Uploaded files can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (can again lead to client-side or server-side attacks)

4. A malicious file such as a Unix shell script, a windows virus, an Excel file with a dangerous formula, or a reverse shell can be uploaded on the server in order to execute code by an administrator or webmaster later – on the victim’s machine.

5. An attacker might be able to put a phishing page into the website or deface the website.

6. Take over the victim’s complete system with server-side attacks.

7. Injects files with malicious paths which can thus overwrite existing critical files as he can include the “.htaccess” file to execute specific scripts.

〰〰〰

Recommendations :

  • Use a whitelist approach. Ensure the application allows only a set of file types, which, depending on the situation could be pdf, txt, images, etc.
  • Check the filetype (bypassable but still one more measure)
  • Store uploaded files in internal folders not exposed to the public (using non-enumerative IDs)
  • Set up a low-grade permission to the folder that will contain the uploaded files as well as the uploaded files.
  • Block web access using the .htaccess file sometimes leads to directory traversal attacks.
  • Random file name implementation (prevent attacker knowing the file name of the uploaded file)
  • Evaluate the implementation of server-side antivirus to scan the uploaded files for any malicious content as viruses, worms, trojan horses, etc.
〰〰〰

Thanks for reading ๐Ÿ˜Š

Keep Learning, Keep growing ๐Ÿ˜Š


Comments

Post a Comment

Popular posts from this blog

SQL Injection – “Let’s dump the database”

Image
  What is SQL injection? ✔ SQL injection is a code injection technique that uses malicious SQL code to access information/data that was not intended to be displayed. It can be used to obtain unauthorized access to the underlying data, structure, and DBMS.  ✔ SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization lists injections in their OWASP Top 10 2017 document as the number 1 threat to web application security.  ✔ SQL injection vulnerability occurs when the application sends user input to the interpreter without sanitizing it and user input can be used to query database. SQL queries are used to execute commands, such as data retrieval, updates, and record removal. Types Of SQL Injection Attacks : SQL Injection can be classified into three major categories In-band SQL Injection Inferential SQL Injection Out-of-band SQL Injection 1) In-band SQL Injections When the attacker uses the same communication c
Read more

DirtyCred : CVE-2022-2588

Image
  A vulnerability in the Linux kernel that allows data to be overwritten in arbitrary read-only files. Since unprivileged processes can inject code into parent processes, this vulnerability can lead to privilege escalation.  DirtyCred is a kernel exploit concept that exploits the heap memory reuse mechanism to obtain high privilege. This vulnerability is similar to the DirtyPipe  vulnerability ( CVE-2022-0847 ) impacting Linux kernel versions 5.8 and later. The attack includes 3 steps: 1.  Free an in-use unprivileged credential 2. Allocate privileged credentials in the free memory slot by triggering a privileged userspace process such as su, mount, or sshd 3. Operate as a privileged user Exploit in action: 1.      Login to the vulnerable machine and check the kernel version “ uname -a ” {The exploit works on most Centos 8 kernels higher than linux-4.18.0-305.el8 and most ubuntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41} 2.      Check the current user id and /etc/p
Read more