
Bypassing pathinfo() or getimagesize() php shell upload


ONiel


Hi!

 

I've got some more questions about file-upload bypassing techniques.

I know how to bypass $_FILES["myfile"]["type"] by modifying 'content-type' in Burpsuite.

 

But I don't know how to bypass pathinfo() or getimagesize().

In this example code:

<?php
$target_dir = "uploads/";
// Destination path is built from the client-supplied filename
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
// Extension is whatever follows the last dot of that filename
$imageFileType = pathinfo($target_file, PATHINFO_EXTENSION);
// Check if image file is an actual image or fake image
if(isset($_POST["submit"])) {
   // getimagesize() parses the image header of the temporary upload
   $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
   if($check !== false) {
       echo "File is an image - " . $check["mime"] . ".";
       $uploadOk = 1;
   } else {
       echo "File is not an image.";
       $uploadOk = 0;
   }
}
?>

 

Is it possible to bypass the two, or just one of the two? So to upload a basic PHP-shell.

 

Just to get a basic system() shell.

 

Thanks!


getimagesize() checks the size and dimensions of an image, so it would (should) have to pass that at a minimum.

http://php.net/manual/en/function.getimagesize.php

 

You might be able to fake it with something like a GIF89a file of 1x1 pixel and append the PHP file at the end though. This will upload as a GIF, but not execute, so you'd have to find a way to move and rename it if possible, or edit it afterwards. GIF files are widely used in PHP shell files for bypassing weak settings and misconfigured Apache MIME settings and htaccess rules, but it depends on the web server and the combination of settings in place. Properly sanitized PHP files should prevent most attacks other than some proxy attacks like using Burp and curl.

pathinfo() will return the last extension seen, but I'm not sure how secure it is. It's also common to upload things like "somefile.php.jpg" and still have them run as PHP, but it all depends on the security of the web server's settings, if not explicitly filtered in PHP itself.

There are a number of file upload attacks used in the CTFs on Vulnhub. Browsing the walkthroughs will give you some ideas on the ways others have done it, and you can try those against the above script to test on your own VM setup with a web server and PHP. There is often more than one way to do the same thing as well.

