How to Exploit File Upload Vulnerability (Double Extension)?

(Double Extension, Content Type, Null Byte Injection) Vulnerability

What do I Need to Know?

  • To begin with, what is File Upload Vulnerability?
    • Examples of web applications attacks:

The purpose of these examples is to give an insight into the types of files involved, so as to show how different they can be:

  • A file with a .jsp extension could be uploaded into the web tree; it is then executed as the web user.
  • A .gif file could be uploaded and later resized; the exploit in this case targets a flaw in the image library.
  • A .rar file could be uploaded; when the antivirus software scans it, execution occurs on the server where that antivirus runs.
  • Very large files could be uploaded, leading to a denial of service incident.
  • A malicious name or path could be used for the uploaded file, resulting in a critical file being overwritten.
  • Personal data could be uploaded as a text file accessible to all users, which raises a further security issue.
  • A file containing “tags” could be uploaded; the tags are then executed when the file is “included” in a web page.
  • Kali Linux
    • What is the Burp Suite?
      • It is an integrated platform designed for performing security testing of web applications.
      • Its tools support the entire testing procedure, from initial mapping and analysis of an application’s attack surface through to finding and exploiting security vulnerabilities.


How to Perform a Double Extension File Upload?

Some web applications only allow certain file extensions to be uploaded. At the medium security level, such applications accept only .jpeg and .png files; uploading a file with any other extension is refused by the web server. Getting a malicious file past this restriction therefore needs a small trick.

The trick is to insert multiple extensions into the file name in order to deceive the security checks in use. A file named “img1.php.png” appears to be a .png image containing some data, but the server executes it as a .php file.

  1. Set the website’s security level to Low under DVWA Security.
  2. Open Kali Linux and create a PHP backdoor with the following command.
  3. In Leafpad (an open source text editor for Linux), copy and paste the highlighted code and save it on the desktop with both the PHP and PNG extensions, as img1.php.png.
  4. Type msfconsole to load the Metasploit Framework, then start the multi handler.
  5. Open the vulnerability menu inside the DVWA lab and select “File Upload”.
  6. Press “Browse” and choose the prepared img1.php.png to be uploaded to the web server.
  7. Open Burp Suite and, under the “Proxy” tab, turn intercept on.
  8. Set the browser’s manual proxy, then press “Upload” to upload the file.
  9. The intercept will catch the POST request sent during the upload. In the captured data, change img1.php.png to img1.php.
  10. Press “Forward”; the .php file is now uploaded into the directory.
  11. After a successful upload, the directory path of the uploaded file is shown. This path is the actual location of the file: copying the highlighted part of the URL in the following image into the browser executes the file.
  12. Back in Metasploit, the following command shows Meterpreter session 2 of the victim PC.
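The walkthrough above works because the upload handler trusts the client-supplied file name. As an added example (not code from the original post or from DVWA), here is a server-side validator that rejects names carrying more than one extension and never stores the client’s name at all; the allow-list and the random-name policy are assumptions for this example.

```python
import os
import re
import secrets
from typing import Optional

# Extensions the application is meant to accept (assumed policy for this example).
ALLOWED_EXTENSIONS = {"png", "jpeg", "jpg"}


def naive_extension_check(filename: str) -> bool:
    """Weak check: looks only at the text after the last dot and keeps the
    client-supplied name. "img1.php.png" passes, and the name can still be
    rewritten to "img1.php" in a proxy before the server stores it."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_upload_name(filename: str) -> Optional[str]:
    """Return a server-generated name for the stored file, or None to reject.

    - drops any directory part the client sent
    - requires exactly one extension (base.ext), so "img1.php.png" is refused
      regardless of how the web server maps multiple extensions to handlers
    - allow-lists that extension
    - discards the client's base name entirely, so a proxy-edited name such as
      "img1.php" has nothing to carry into the stored path
    """
    base = os.path.basename(filename.replace("\\", "/"))
    match = re.fullmatch(r"([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)", base)
    if match is None:
        return None
    ext = match.group(2).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Random name; the upload directory itself should still sit outside the
    # web root or be served with script execution disabled.
    return f"{secrets.token_hex(16)}.{ext}"
```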

How to Perform a Content Type File Upload?

For this kind of restriction, the internal media type of the message body is checked through the “Content-Type” entity in the request header. Some web applications only allow a “Content-Type” of “text/plain”. Getting a malicious file past this check then requires editing that entity through a web proxy.

  1. Open Kali Linux and create a PHP backdoor with the following command.
  2. In Leafpad (an open source text editor for Linux), copy and paste the highlighted code and save it on the desktop with the PHP extension, as img2.php.
  3. Type msfconsole to load the Metasploit Framework, then start the multi handler.
  4. Open the vulnerability menu inside the DVWA lab and select “File Upload”.
  5. Press “Browse” and choose the prepared img2.php to be uploaded to the web server.
  6. Open Burp Suite and, under the “Proxy” tab, turn intercept on.
  7. Set the browser’s manual proxy, then press “Upload” to upload the file.
  8. The intercept will catch the POST request sent during the upload. In the captured data, change the Content-Type of img2.php from “application/x-php” to “image/png”.
  9. Press “Forward”; the .php file is now uploaded into the directory.
  10. After a successful upload, the directory path of the uploaded file is shown. This path is the actual location of the file: copying the highlighted part of the URL in the following image into the browser executes the file.
  11. Back in Metasploit, the following command shows Meterpreter session 3 of the victim PC.
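The Content-Type of a multipart part is written by the client, so step 8 above is just a header edit. As an added example (not from the original post or DVWA), the check below identifies the image type from the file’s own leading bytes and requires the declared type, the extension and the bytes to agree; the signature table and the extension mapping are assumptions, and the sample bodies are constructed placeholders.

```python
from typing import Optional

# Magic bytes (file signatures) for the image types the application accepts.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
# Which file extensions belong to which sniffed type (assumed policy).
EXTENSION_FOR_TYPE = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from the leading bytes of the upload itself,
    ignoring whatever Content-Type the client declared."""
    for mime, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def header_only_check(declared_type: str) -> bool:
    """The weak check: trusts the part's Content-Type header, which a proxy
    can rewrite from application/x-php to image/png at will."""
    return declared_type in IMAGE_SIGNATURES


def accept_upload(filename: str, declared_type: str, data: bytes) -> bool:
    """Hardened check: the declared type, the extension and the bytes on the
    wire must all agree before the upload is accepted."""
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != declared_type:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in EXTENSION_FOR_TYPE[sniffed]


# Constructed sample: the "img2.php" part after its Content-Type was edited
# to image/png in the proxy; the body is a placeholder, not a real script.
EDITED_PART_TYPE = "image/png"
EDITED_PART_BODY = b"<?php /* constructed placeholder body */ ?>"
# Constructed sample: a genuine PNG signature followed by filler bytes.
REAL_PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

A signature check only proves that the file starts like an image, so it belongs alongside a server-generated file name and an upload directory that does not execute scripts.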

How to Perform a Null Byte Injection?

A smart way to upload malicious files is to make use of URL-encoded null byte characters (i.e. %00, or 0x00 in hex). Injecting a null byte, which shows up as a blank space in the ASCII rendering, can yield unauthorized access to system files.

Inserting a null byte deceives a web application that relies on C/C++ libraries when checking the file name or its content: the library treats the null byte as the end of the string and stops reading at that point.

  1. Open Kali Linux and create a PHP backdoor with the following command.
  2. In Leafpad (an open source text editor for Linux), copy and paste the highlighted code and save it on the desktop with both the PHP and JPG extensions, as img3.php.jpg.
  3. Type msfconsole to load the Metasploit Framework, then start the multi handler.
  4. Open the vulnerability menu inside the DVWA lab and select “File Upload”.
  5. Press “Browse” and choose the prepared img3.php.jpg to be uploaded to the web server.
  6. Open Burp Suite and, under the “Proxy” tab, turn intercept on.
  7. Set the browser’s manual proxy, then press “Upload” to upload the file.
  8. The intercept will catch the POST request sent during the upload. In the captured data, change img3.php.jpg to img3.phpD.jpg, for example; any other character works just as well.
  9. Now view the inserted string in hex. The “D” we used translates into 0x44.
  10. Under the “Intercept” tab, press “Hex”. Look for the 44 of the D and replace it with 00 instead.
  11. When viewing the captured data again, the D will have changed into a null (0).
  12. Press “Forward”; the file is now uploaded into the directory.
  13. After a successful upload, the directory path of the uploaded file is shown. This path is the actual location of the file: copying the highlighted part of the URL in the following image into the browser executes the file.
  14. Opening the path results in a reverse connection to Metasploit, which opens Meterpreter session 4.
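The check that fails in the walkthrough above sees the whole string, while the library that stores the file stops at the null byte. As an added example (not from the original post or DVWA), the code below models both views of the edited name, in its raw 0x00 form and its %00 form, and shows a check that rejects control characters after URL decoding; the allow-list is an assumption and the sample names are constructed.

```python
from urllib.parse import unquote

# Extensions the application is meant to accept (assumed policy for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}


def as_seen_by_c_library(filename: str) -> str:
    """Model the C-string view of a filename: everything from the first NUL
    byte onward is invisible to a library that stops at the terminator."""
    return filename.split("\x00", 1)[0]


def naive_suffix_check(filename: str) -> bool:
    """Weak check written in a language whose strings may contain NUL: it
    inspects the full name, so "img3.php\\x00.jpg" looks like a .jpg."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_check(raw_filename: str) -> bool:
    """Reject the name if, after URL decoding, it contains NUL or any other
    control character; then require a single, allow-listed extension."""
    name = unquote(raw_filename)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return False
    if name.count(".") != 1:
        return False
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


# Constructed samples: the edited name from the walkthrough, once with the
# raw 0x00 byte as set in the proxy's hex view and once percent-encoded.
INJECTED_RAW = "img3.php\x00.jpg"
INJECTED_ENCODED = "img3.php%00.jpg"
```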


Finally, here’s another of my articles, on How to Inspect Process Hollowing.

This post was written by Joseph McCray
