This post focuses on bypassing file upload filters to exploit vulnerabilities in web applications. It demonstrates techniques for handling both client-side and server-side filtering, specifically addressing scenarios involving file extensions and magic numbers. The video is a walkthrough of the Upload Vulnerabilities TryHackMe room.

Overview

  • Objective: Bypass file upload filters to successfully upload malicious files (e.g., PHP reverse shells).
  • Tasks Covered:
    1. Task 7: Bypass file extension filters.
    2. Task 9: Bypass magic number-based filters.

Introduction to File Upload Vulnerabilities

The ability to upload files to a server has become an integral part of how we interact with web applications. Be it a profile picture for a social media website, a report being uploaded to cloud storage, or saving a project on Github; the applications for file upload features are limitless.

Unfortunately, when handled badly, file uploads can also open up severe vulnerabilities in the server. This can lead to anything from relatively minor nuisance problems, all the way up to full Remote Code Execution (RCE) if an attacker manages to upload and execute a shell. With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as XSS or CSRF. By uploading arbitrary files, an attacker could potentially also use the server to host and/or serve illegal content, or to leak sensitive information. Realistically speaking, an attacker with the ability to upload a file of their choice to your server — with no restrictions — is very dangerous indeed.

File upload vulnerabilities occur when attackers can upload malicious files to a server without proper restrictions. The video is part of a series that walks through file upload techniques, explaining how to bypass both client-side and server-side filters. This video focuses on client-side filtering and insecure sites.

Task 7: Bypassing File Extension Filters

The filter only inspects the file extension superficially, allowing bypass by using variations like .php5.

Understanding File Extension Filtering:

  • The server-side filter blocks files with specific extensions, such as .php.
  • Allowed extensions include common formats like .png.

Steps to Bypass:

  1. Initial Attempts:
    • Uploading a .php file results in rejection.
    • Example error: “File type is invalid.”
  2. Tricking the Filter:
    • Rename the file to use an extension the blacklist does not cover (e.g., .php5).
    • If the filter only matches the literal .php extension, .php5 slips past the blacklist.
  3. Verification:
    • Confirm the successful upload in the target directory (e.g., /privacy).
  4. Exploitation:
    • Activate a listener (e.g., nc -lvnp <port>).
    • Execute the uploaded .php5 file to receive a reverse shell.
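To show why the .php5 rename defeats this kind of filter and what a correct check looks like, here is an added Python model of both filters (illustrative code, not the room's PHP filter). The blacklist contents and the allowlist are assumptions.

```python
import os

# Assumed blacklist of the kind the walkthrough describes: only ".php" is blocked,
# even though the web server may also hand .php5 (and similar) to the PHP interpreter.
BLACKLIST = {".php"}

# Assumed allowlist: the only extensions the application actually needs to accept.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}


def blacklist_filter(filename: str) -> bool:
    """Naive filter the walkthrough bypasses: rejects a file only when its last
    extension is literally in BLACKLIST, so "shell.php5" passes."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def allowlist_filter(filename: str) -> bool:
    """Hardened filter: accept only names with exactly one extension, and only
    when that extension is on the allowlist.

    Rejects "shell.php5" (not allowed), "shell.php.png" and "shell.png.php5"
    (double extensions), and dotfiles such as ".htaccess" (empty base name).
    Store the upload under a server-chosen name rather than the user's name.
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1] in ALLOWLIST
```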


Task 9: Bypassing Magic Number Filters

By altering the file’s magic numbers, the server is deceived into accepting the file while retaining its malicious functionality.

Understanding Magic Numbers:

  • Magic numbers are unique hexadecimal values at the start of files that identify their type (e.g., GIF, PNG, PHP).
  • The filter checks these values instead of relying on file extensions.

Steps to Bypass:

  1. Identify Magic Numbers:
    • Example: the magic number for GIF is 47 49 46 38 37 61.
    • Use a hex editor (e.g., hexedit) to view and modify magic numbers.
  2. Modify File Magic Numbers:
    • Change the magic numbers of a .php file to those of a GIF file.
    • Ensure the rest of the PHP code remains functional.
  3. Verify Changes:
    • Use file inspection tools (e.g., the file command) to confirm the file is detected as a GIF.
  4. Upload the File:
    • Select the modified file and upload it to the server.
    • If successful, the server recognizes the file as a GIF but executes it as PHP due to its content.
  5. Trigger the Exploit:
    • Access the uploaded file via the web application to execute the reverse shell payload.
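An added Python model (not the room's filter code) of the magic-number check the walkthrough bypasses, beside a stricter check that validates GIF structure rather than only the first six bytes. Both sample files below are constructed for this example.

```python
# Magic numbers the filter accepts: 47 49 46 38 37 61 ("GIF87a") and "GIF89a".
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed sample: a PHP file whose first bytes were overwritten with the GIF87a
# magic number, as the walkthrough does with hexedit (harmless payload here).
POLYGLOT = b"GIF87a\n<?php echo 'constructed sample'; ?>\n"

# Constructed sample: a minimal but structurally valid 1x1 GIF89a image.
REAL_GIF = bytes.fromhex(
    "474946383961"                          # "GIF89a" signature
    "0100" "0100" "80" "00" "00"            # 1x1 screen, global colour table (2 entries)
    "000000" "ffffff"                       # colour table: black, white
    "2c" "0000" "0000" "0100" "0100" "00"   # image descriptor
    "02" "02" "4401" "00"                   # LZW min code size + one data sub-block
    "3b"                                    # trailer
)


def magic_only_filter(data: bytes) -> bool:
    """The check the walkthrough defeats: it trusts the first six bytes alone."""
    return data[:6] in GIF_MAGICS


def structural_gif_filter(data: bytes) -> bool:
    """Stricter check: signature, non-zero screen size, GIF trailer, no PHP open tag.

    This only narrows the gap; the real fix is to store uploads outside the web
    root under server-chosen names so the web server never executes them.
    """
    if len(data) < 14 or data[:6] not in GIF_MAGICS:
        return False
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    if width == 0 or height == 0:
        return False
    if data[-1] != 0x3B:                    # every GIF data stream ends with ';'
        return False
    return b"<?php" not in data and b"<?=" not in data
```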


Tools and Techniques Used

Verify the file type before and after modification using tools like:

  • Hex Editors:
    • Used to modify file headers and change magic numbers.
    • Example: hexedit.
  • File Inspection:
    • file <filename>

Reverse Shell Setup:

  • Payloads generated using tools like msfvenom.
  • Listener activated with nc or similar tools.

Key Points and Tips

  • File Extensions:
    • Bypass extension filters by appending non-blacklisted suffixes (e.g., .php5).
  • Magic Numbers:
    • Use hex editors to change file headers to match accepted formats.
    • Ensure PHP code integrity after modification.
  • Exploitation:
    • Always confirm successful upload and functionality with controlled tests.

Real-World Implications

  • These vulnerabilities can lead to unauthorized file uploads and remote code execution, posing significant security risks.
  • Recommendations for Defense:
    • Validate file types by inspecting both extensions and magic numbers.
    • Implement strict server-side checks to restrict malicious file uploads.


Upload Vulnerabilities TryHackMe | Room Answers

What is the flag in /var/www/?

THM{NDllZDQxNjJjOTE0YWNhZGY3YjljNmE2}

What is the flag in /var/www/?

THM{MGEyYzJiYmI3ODIyM2FlNTNkNjZjYjFl}

Grab the flag from /var/www/

THM{MWY5ZGU4NzE0ZDlhNjE1NGM4ZThjZDJh}

Hack the machine and grab the flag from /var/www/

THM{NzRlYTUwNTIzODMwMWZhMzBiY2JlZWU2}

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
