Jump to content

Bypassing pathinfo() or getimagesize() php shell upload


ONiel
 Share

Recommended Posts

Hi!

 

I've got some more questions about file-upload bypassing techniques.

I know how to bypass $_FILES["myfile"]["type"] by modifying 'content-type' in Burpsuite.

 

But I don't know how to bypass pathinfo() or getimagesize();

In this example code:

<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
   $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
   if($check !== false) {
       echo "File is an image - " . $check["mime"] . ".";
       $uploadOk = 1;
   } else {
       echo "File is not an image.";
       $uploadOk = 0;
   }
}
?>

 

Is it possible to bypass the two, or just one of the two? So to upload a basic PHP-shell.

 

Just to get a basic system() shell.

 

Thanks!

Link to comment
Share on other sites

getimagesize() checks the size and dimensions of an image, so it would(should) have to pass that at a minimum.

http://php.net/manual/en/function.getimagesize.php

 

You might be able to fake it with something like a Gif89a file of 1x1 pixel and append the php file at the end though. This will upload as a gif, but not execute, so you'd have to find a way to move and rename it if possible, or edit afterwards. Gif files are widely used in php shell files for bypassing weak settings and mis configured apache mime settings and htaccess rules, but depends on the web server and combination of settings in place. Properly sanitized php files should prevent most attacks other than some proxy attacks like using burp and curl

pathinfo() will return the last extension seen, but not sure how secure it is. It's also common to upload things like "somefile.php.jpg" and still having them run as php, but all depends on security of web servers settings, if not explicitly filtered in PHP itself.

There are a number of file upload attacks used in the CTF's on Vulnhub. Browsing the walkthroughs will give you some ideas on the ways others have done it and you can try those against the above script to test on your own VM setup with a webserver and PHP. There is often more than one way to do the same thing as well.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...