Learn various techniques to find file upload vulnerabilities by bypassing filters
Hi everyone! Hope you all are doing good. In the previous article, we discussed some basics of file uploads and how a file upload vulnerability can be abused to perform cross-site scripting. Many applications use various kinds of filters to stop an attacker from uploading malicious files. However, these security implementations can sometimes be bypassed.
In this article, we are going to learn how to bypass some of the common filters developers use to protect file upload functionality.
First of all, let us try to understand some of the security implementations developers use to prevent file upload vulnerabilities.
TYPES OF FILTERS
Let us try to understand a whitelist by taking a simple example. Suppose a developer wants to build a file upload feature that lets users upload profile pictures to the website. The developer is aware that attackers can abuse this functionality to perform malicious actions, so he comes up with a solution: he will only allow files whose extension belongs to an image file type (like jpg, png, gif etc). Now, if the attacker tries to upload a malicious file (like a php file), the server will return an error.
Whitelist filters are said to be the most secure, but they can be bypassed if not implemented correctly. Let us discuss some of the ways to bypass them.
WHITELIST BYPASS TECHNIQUES
Suppose there is a file upload functionality that only allows jpg files to be uploaded. In this case, you can try the following bypass techniques:
- file.jpg.php
- file.php.jpg
- file.php.blah123jpg
- file.php%00.jpg
- file.php%00
- file.php%20
- file.php\x00
- file.php%0d%0a.jpg
- file.php.....
- file.php/
- file.php.\
- file.php#.png
- file. .html
Let us consider the same scenario again, but this time the developer thinks: “Why not just block all the dangerous file extensions like php, html, svg, asp, js etc?” So he creates a list of all those dangerous file extensions and blacklists them. Again, if the attacker tries to upload any malicious file, the server will return an error. Now you might be thinking “It is very similar to the previous filter technique”. If you have this thought, then let me tell you: YOU ARE WRONG!
See, a whitelist restricts you to uploading only the allowed extensions, whereas a blacklist allows you to upload anything apart from the disallowed extensions. For example, if we try to upload a txt file to an application using the whitelist described above, it will prevent us from doing so. But in the blacklist scenario, it will allow us, because the txt extension has not been listed in the blacklist filter (in this example).
Now, there are various ways to bypass a blacklist filter. Let us discuss some of them.
BLACKLIST BYPASS TECHNIQUES
Below are some payloads for bypassing blacklist filters:
- **PHP** → .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
- **ASP** → .asp, .aspx, .cer, .asa
- **JSP** → .jsp, .jspx, .jsw, .jsv, .jspf
- **ColdFusion** → .cfm, .cfml, .cfc, .dbm
- **Using random capitalization** → .pHp, .pHP5, .PhAr
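As an added example (not code from the original article), here are the two filter types from the whitelist and blacklist sections side by side: a weak whitelist and a weak blacklist of the kind the payload lists above target, a stricter validator that matches the whole filename and the file's leading bytes, and a run over names from those lists. Function names, the regex and the sample names are assumptions made for this illustration.

```python
import re
import secrets

ALLOWED_EXT = ("jpg", "jpeg", "png", "gif")
# Leading bytes of each allowed image type, so the content is checked, not just the name.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Whole-name pattern: one base name, one dot, one allowed extension, nothing else.
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.(jpe?g|png|gif)")


def naive_whitelist_ok(filename: str) -> bool:
    """Weak whitelist: passes if an allowed extension appears anywhere in the name."""
    return any("." + ext in filename.lower() for ext in ALLOWED_EXT)


def naive_blacklist_ok(filename: str) -> bool:
    """Weak blacklist: case-sensitive check of the trailing extension only."""
    return not filename.endswith((".php", ".html", ".asp", ".js"))


def strict_upload_ok(filename: str, head: bytes) -> bool:
    """Hardened check: the lowercased name must match SAFE_NAME in full, and the
    file's first bytes must agree with the extension. Double extensions, %00/%20,
    backslashes, trailing dots and mixed case all fail the single name match."""
    name = filename.lower()
    if not SAFE_NAME.fullmatch(name):
        return False
    ext = name.rsplit(".", 1)[1]
    return head.startswith(MAGIC[ext])


def stored_name(filename: str) -> str:
    """Never keep the client's name: store under a random name plus the validated ext."""
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


def compare(names):
    """Run each name through both weak checks and the strict one (no file body given)."""
    return {n: (naive_whitelist_ok(n), naive_blacklist_ok(n), strict_upload_ok(n, b""))
            for n in names}


if __name__ == "__main__":
    # Constructed sample taken from the bypass lists above; True means "accepted".
    sample = ["file.jpg.php", "file.php.jpg", "file.php%00.jpg", "file.pHp", "file.php.\\"]
    for n, (wl, bl, strict) in compare(sample).items():
        print(f"{n:18} naive_whitelist={wl!s:5} naive_blacklist={bl!s:5} strict={strict}")
```

The weak checks accept several of the sample names because they look for an allowed substring or only compare the exact trailing extension; the strict check rejects every one of them and still accepts a real JPEG named plainly.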
I hope you have understood some of the ways to bypass file upload filters. In the next article, we will discuss some more ways to bypass security implementations on file uploads. If you have any doubts or issues, please let me know in the comment section.