Hello everyone,
I am Nitin Yadav (KD), back again with another write-up.
The hunt for file upload has begun.
I have heard rumors that it may have been locked up inside some dark and quiet corner of one of the many caverns under the Internet. It's probably got a secret route and tons of keys that don't let others in.
Hunting for a file upload vulnerability is time-consuming and error-prone. I've faced this problem countless times while testing file upload functionality.
File upload vulnerabilities have gained a lot of attention lately with the number of high-profile breaches caused by them.
Why?
In today's world, companies are storing more and more user-uploaded data that can be accessed by an attacker from anywhere in the world.
In fact, over 85% of all data breaches involved some kind of improper handling of files.
So let's dive deep into it and into how you, as a security researcher, can find them.
Tips to find the vulnerability
Tip 1:
XSS: if uploads keep their original extension, the web server picks the response type from that extension, so a stored file with one of the extensions below is served as HTML or XML and any script inside it runs in the site's origin. For IIS you can use these extensions:
HTML: htm, hxt
XML: dtd, vml, xsf, mno, wsdl, xslt, disco, exe.config, dll.config
For Apache HTTPd you can use:
HTML: html.de, html.XXX
XML: rdf, mathml
Commonly you can use:
HTML: htm, html, shtml
XML: xml, xsl, svg, svgz, xht, xhtml, xsd
Tip 2:
Filter bypass
Double extensions like .jpg.php, .php.jpg
Windows dots like cyberhacks.php.........
Switched case like .pHp, .PhP
Slash suffixes like cyberhacks.php/ or cyberhacks.php.\
Windows NTFS ADS like cyberhacks.aspx:.jpg
Empty extension or filename like cyberhacks. or .php
Null bytes, spaces, new lines like cyberhacks .php, cyberhacks.png%00.php, cyberhacks.php%00.php, cyberhacks.png%0d%0a.php
The magic bytes at the beginning like GIF89a....
Allowed MIME type + disallowed extension
Disallowed MIME type + allowed extension
Removed Content-Type
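For the defender's side of Tip 2, here is an added example (my own code, not part of the original write-up) of an upload validator for a hypothetical image endpoint. It refuses every filename trick listed above, ignores the client's Content-Type entirely, and checks the file's magic bytes against the extension it will be stored under; the names ALLOWED_EXT, safe_filename and validate_upload are assumptions for this example.

```python
import re

# Allowlist for a hypothetical image-upload endpoint: everything else is refused.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Signatures each allowed type must start with; the client's Content-Type is never used.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def safe_filename(name: str):
    """Return a canonical 'stem.ext' or None; each check maps to a trick above."""
    # Null bytes, CR/LF and other control characters (%00, %0d%0a variants)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None
    # Slash suffixes and path components (cyberhacks.php/, cyberhacks.php.\)
    if "/" in name or "\\" in name:
        return None
    # NTFS alternate data streams (cyberhacks.aspx:.jpg)
    if ":" in name:
        return None
    # Windows silently drops trailing dots and spaces, so normalise them first
    # (cyberhacks.php......... would otherwise be stored as cyberhacks.php)
    name = name.strip(". ")
    stem, dot, ext = name.rpartition(".")
    # Empty stem or empty extension (cyberhacks. and .php)
    if not dot or not stem or not ext:
        return None
    # Case-insensitive comparison defeats .pHp / .PhP
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return None
    # Collapse every remaining dot or odd character in the stem, so a double
    # extension such as cyberhacks.php.jpg is stored as cyberhacks_php.jpg
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return f"{stem}.{ext}"

def validate_upload(name: str, data: bytes):
    """Return the filename to store under, or None if the upload is refused."""
    safe = safe_filename(name)
    if safe is None:
        return None
    ext = safe.rsplit(".", 1)[1]
    # Content must match the extension: a .png body starting with GIF89a is refused
    if not data.startswith(MAGIC[ext]):
        return None
    return safe
```

Storing uploads under a server-generated name on a separate origin, with a fixed Content-Type and X-Content-Type-Options: nosniff, covers the cases a signature check alone cannot, such as a valid GIF that also carries script.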
Tip 3: Hide the shell or XSS payload in image metadata
Tip 4: Hide the shell or XSS payload in the image binary data
Tip 5: Line termination trick
Tip 6: Content-Disposition overflow
Tip 7: Filename overflow
Tip 8: Duplicate line
Conclusion
It turns out that, even though browsers block nearly all file upload vulnerabilities, hackers can find multiple ways around the problem.
If you want to avoid publicly available exploits and prevent your site from being compromised, you must go beyond what a vulnerability scanner can do. I discovered several vulnerabilities relating to file upload which a scanner would not have been able to find.
In closing, I hope that the tips I've listed above will not only help you in security research but also raise awareness about the need to take file upload vulnerabilities seriously.
If you learn something new from this blog please leave a comment below.
I hope you enjoyed this one and I see you next time :)
Take care and stay safe!