ONiel Posted January 15, 2017

Hi! I've got some more questions about file-upload bypassing techniques. I know how to bypass $_FILES["myfile"]["type"] by modifying 'content-type' in Burpsuite. But I don't know how to bypass pathinfo() or getimagesize(). In this example code:

<?php
$target_dir = "uploads/";
// Destination path is built from the client-supplied file name
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
// Extension is taken from the client-supplied name, not from the file contents
$imageFileType = pathinfo($target_file, PATHINFO_EXTENSION);

// Check if the uploaded file is an actual image or a fake image
if (isset($_POST["submit"])) {
    // getimagesize() only parses the image header of the temporary upload
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
?>

Is it possible to bypass the two, or just one of the two? So to upload a basic PHP-shell. Just to get a basic system() shell. Thanks!
Teabot 5000 Posted January 15, 2017

As far as I remember, pathinfo() can be bypassed using a null byte and a correct image extension (i.e. myshell.php%00.jpg). As for getimagesize(), I'm not sure if this actually checks the file extension or verifies that the file is an image file.
digip Posted January 15, 2017

getimagesize() checks the size and dimensions of an image, so it would (should) have to pass that at a minimum. http://php.net/manual/en/function.getimagesize.php

You might be able to fake it with something like a Gif89a file of 1x1 pixel and append the php file at the end though. This will upload as a gif, but not execute, so you'd have to find a way to move and rename it if possible, or edit afterwards. Gif files are widely used in php shell files for bypassing weak settings and misconfigured apache mime settings and htaccess rules, but depends on the web server and combination of settings in place. Properly sanitized php files should prevent most attacks other than some proxy attacks like using burp and curl.

pathinfo() will return the last extension seen, but not sure how secure it is. It's also common to upload things like "somefile.php.jpg" and still have them run as php, but all depends on security of web server settings, if not explicitly filtered in PHP itself.

There are a number of file upload attacks used in the CTFs on Vulnhub. Browsing the walkthroughs will give you some ideas on the ways others have done it and you can try those against the above script to test on your own VM setup with a webserver and PHP. There is often more than one way to do the same thing as well.
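For contrast with the script in the first post, here is an added example (not code from the thread) of an upload handler that closes the gaps discussed above: it ignores the client-supplied name and Content-Type, whitelists the type that getimagesize() detects, fully decodes and re-encodes the image with GD so that bytes appended after a valid GIF/JPEG/PNG header are discarded, and stores the result under a random name. It assumes the GD extension is loaded and that the assumed directory uploads_noexec/ is not mapped to a PHP handler by the web server.

```php
<?php
// Hardened upload handler (added example; assumes the GD extension is loaded).
// Defences: never trust the client-supplied name or Content-Type, whitelist the
// detected image type, re-encode the pixels with GD so data appended after the
// image (the "GIF89a header + PHP" trick) is dropped, and store the file under a
// random name in a directory the web server will not execute PHP from.
$allowed = [
    IMAGETYPE_GIF  => ['ext' => 'gif', 'load' => 'imagecreatefromgif',  'save' => 'imagegif'],
    IMAGETYPE_JPEG => ['ext' => 'jpg', 'load' => 'imagecreatefromjpeg', 'save' => 'imagejpeg'],
    IMAGETYPE_PNG  => ['ext' => 'png', 'load' => 'imagecreatefrompng',  'save' => 'imagepng'],
];
$target_dir = __DIR__ . '/../uploads_noexec/'; // assumed path with no PHP handler mapped

function reject(string $why): void {
    http_response_code(400);
    exit('Upload rejected: ' . htmlspecialchars($why));
}

if (!isset($_POST['submit']) || empty($_FILES['fileToUpload']['tmp_name'])) {
    reject('no file');
}
$tmp = $_FILES['fileToUpload']['tmp_name'];
if (!is_uploaded_file($tmp)) {                    // must be this request's own upload
    reject('not an uploaded file');
}
$info = @getimagesize($tmp);                      // header parse only: necessary, not sufficient
if ($info === false || !isset($allowed[$info[2]])) {
    reject('not a supported image type');         // $info[2] is the IMAGETYPE_* constant
}
if ($info[0] > 4096 || $info[1] > 4096) {          // bound decode cost before decompressing
    reject('image dimensions too large');
}
$spec = $allowed[$info[2]];
$img = @$spec['load']($tmp);                       // full decode; returns false on malformed data
if ($img === false) {
    reject('image failed to decode');
}
// The name comes from us and the extension from the detected type, never from the client.
$name = bin2hex(random_bytes(16)) . '.' . $spec['ext'];
$dest = $target_dir . $name;
// Re-encoding writes only pixel data: trailing bytes and metadata from the upload are gone.
if (!$spec['save']($img, $dest)) {
    reject('could not store image');
}
imagedestroy($img);
echo 'Stored as ' . htmlspecialchars($name);
```

Keeping the directory outside the document root (or explicitly unmapped from the PHP handler) matters as much as the content checks, since the thread's "somefile.php.jpg" case depends on the server's handler configuration rather than on the upload code.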