File Uploading Vulnerability

How uploaded files get verified

There are three places where an uploaded file can be verified [1]:

  1. Client side, usually JavaScript, which normally examines only the file extension.
  2. Server side, which normally checks the Content-Type header, the file content header (e.g. GIF89a), an extension blacklist or whitelist, and any custom rules.
  3. WAF, which depends on the policies applied and is vendor specific.

Bypassing verification

Client side

Capture and modify the request to bypass it. For example, rename an asp/php/jsp trojan to a .jpg/.gif file so it passes the client-side check, then use Burp Suite to intercept the request and change the extension back before it is uploaded. [1]

Server side

File type

Capture the request and modify the Content-Type header. [1][2]

File header

Capture the request and prepend a valid file header (e.g. GIF89a) to the content. [1]

Extension blacklist & whitelist

  1. Upload a file with malicious content whose extension is not blacklisted, then use a second file to include the first one so it gets executed. [1]
  2. Upload a filename that is invalid on the target OS (e.g. Windows), where the invalid part is automatically truncated; on Linux, changing the extension to upper case is worth a try. [1]
  3. 0x00 truncation: characters after a 0x00 byte in the filename or path are ignored.

WAF

  1. Prepend junk data: some WAFs only inspect a limited amount of data in each packet.
  2. Security vulnerabilities in the WAF itself.

Security suggestions

  • use an extension whitelist on the server side
  • check the file content on the server side
  • rename uploaded files
  • hide the path of uploaded files
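As an added example (not code from the original post or from nmask's blog), the following Python function applies the four suggestions above in one server-side check: filename hygiene (null bytes, path separators, trailing dots that Windows would truncate), an extension whitelist, a magic-bytes check that the content matches the claimed extension, and a random rename so the client never controls the stored name. The ALLOWED table, the validate_upload/save_upload names and the directory layout are assumptions for illustration.

```python
import re
import secrets
from pathlib import Path, PurePosixPath

# Assumed whitelist: only the image types this service needs, each with the
# magic bytes a genuine file of that type must start with. Anything not listed
# here is rejected, so there is no blacklist to bypass with an odd extension.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Characters a client-supplied filename may contain before we even look at it.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_upload(filename, data):
    """Return (True, stored_name) if the upload is acceptable, else (False, reason).

    stored_name is a freshly generated random name; the original filename is
    never used on disk, which also defeats double extensions like x.jpg.php
    and OS-specific truncation tricks.
    """
    # 1. Filename hygiene: reject null bytes and other control characters
    #    (0x00 truncation), anything with a path component, and names that
    #    Windows would silently truncate (trailing dots or spaces).
    if any(ord(c) < 32 for c in filename):
        return False, "control character in filename"
    base = PurePosixPath(filename.replace("\\", "/")).name
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe filename"
    if base.rstrip(". ") != base:
        return False, "trailing dot or space in filename"

    # 2. Extension whitelist, compared case-insensitively so SHELL.JPG and
    #    shell.jpg are treated the same. Only the final extension is examined,
    #    and the file is renamed anyway, so earlier segments are irrelevant.
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED:
        return False, "extension not allowed"
    ext = parts[1]

    # 3. Content check: the body must start with the magic bytes of the type
    #    the extension claims. A GIF89a prefix on a .php upload never gets
    #    here because .php already failed the whitelist; a .jpg upload with
    #    non-JPEG content fails here.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"

    # 4. Rename: a random token plus the verified extension. The returned name
    #    doubles as an opaque id, so the real path is never exposed.
    return True, f"{secrets.token_hex(16)}.{ext}"


def save_upload(data, stored_name, upload_dir):
    """Write the validated bytes under upload_dir (assumed to be outside the
    web root and served only through an application handler that maps ids to
    files). 'xb' refuses to overwrite an existing file."""
    target = Path(upload_dir) / stored_name
    with open(target, "xb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    # Constructed sample inputs: a real-looking JPEG header and a renamed script.
    print(validate_upload("cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("shell.php", b"GIF89a<?php echo 1; ?>"))
    print(validate_upload("shell.php\x00.jpg", b"\xff\xd8\xff"))
    print(validate_upload("cat.jpg", b"not an image"))
```

The order matters: the whitelist runs before the content check so that a script with a forged image header is rejected on its extension alone, and the rename runs last so that only a name the server generated ever reaches the filesystem. The directory the files land in should additionally be configured with script execution disabled, since none of these checks help if the web server is willing to execute whatever it finds there.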

  1. 文件上传漏洞(绕过姿势) | nmask's Blog ("File upload vulnerability (bypass techniques)")

  2. 记一次绕过后缀名限制的文件上传 | nmask's Blog ("A case of bypassing an extension restriction on file upload")