File Uploads and Bypass.

sudhanshu Kumar kashyap
4 min readSep 28, 2020

File Uploads

Uploading a JPEG, PNG, text or PDF file is an everyday task. But there are other file formats, PHP among them, and have you ever seen a website that lets you upload a PHP file? (Silly question, I know.) Why would I need to upload a PHP file when all I am asked for is my resume?

Well, that is not how a hacker thinks. In a hacker's mind there is a constant war with the security of websites, Android phones, systems and IoT devices: how to defeat their security, how to exploit it, how to make it safer than it was (white hats), and what a function will do if it is used in a way nobody intended. And believe me, it does not always have to be about computers. Hacker is not a job title, it is a mentality: the mentality of challenging a problem in order to make things better or safer. At some point everyone has been a hacker. For example, when you were playing Candy Crush and lost all five lives but still wanted to play, you figured out that changing the date and time gives you five lives again. Bingo, you are a hacker.

OK, let's get back to the topic. When you upload a file in a specific format, how does the server validate that it really is the format it asked for? Let's talk about that.

There are a few ways in which the file type is validated before the file is processed by the server.

1- Extension based detection

This is the simplest way of checking the file type: only the extension of the file name is looked at. For example, Headphone.jpg is treated as a JPG and Earphone.jpeg as a JPEG. Nothing inside the file is inspected, so the check trusts a name that the client chose.

2- Magic bytes detection

Before we discuss magic bytes, let's have a short look at the structure of files.

Every file has a structure: a file of a given type is simply a sequence of bytes that follows a predefined layout.

  • The header of a JPEG (JFIF) image looks like this (credit goes to Vickie Li):

typedef unsigned char BYTE;

typedef struct _JFIFHeader
{
    BYTE SOI[2];        /* 00h  Start of Image Marker: FF D8        */
    BYTE APP0[2];       /* 02h  Application Use Marker: FF E0       */
    BYTE Length[2];     /* 04h  Length of APP0 Field (incl. itself) */
    BYTE Identifier[5]; /* 06h  "JFIF" (zero terminated) Id         */
    BYTE Version[2];    /* 0Bh  JFIF Format Revision                */
    BYTE Units;         /* 0Dh  Units used for Resolution           */
    BYTE Xdensity[2];   /* 0Eh  Horizontal Resolution               */
    BYTE Ydensity[2];   /* 10h  Vertical Resolution                 */
    BYTE XThumbnail;    /* 12h  Horizontal Pixel Count (thumbnail)  */
    BYTE YThumbnail;    /* 13h  Vertical Pixel Count (thumbnail)    */
} JFIFHeader;           /* 20 bytes in total                        */

JPEG files start with a "Start of Image" (SOI) marker, the bytes FF D8.

  • The application marker APP0 contains the bytes FF E0.
  • The length field is the size of the APP0 segment (including the two length bytes themselves), not the size of the image; for a plain JFIF header it is 16 (00 10).
  • The identifier field contains "JFIF" with a trailing NULL byte.
  • The version field specifies the JFIF specification version (for example 01 01 for JFIF 1.01).
  • And finally, JPEG files end with an "End of Image" (EOI) marker, FF D9.

Now back to magic-byte detection: many formats have a fixed byte sequence at the start of the file (the "magic bytes") that identifies the format, and a check of this kind reads only those bytes.

For example, JPEG files begin with FF D8 and end with FF D9.

  • PDF files start with "%PDF" (hex 25 50 44 46).

But the magic-byte check can also be bypassed (how is shown below), so some websites use a more thorough method to verify the file type, and that is

3- File signature validation.

This method is more involved: instead of looking only at the first few bytes, the validator parses the file's structure and checks each header and segment of the file type against the format specification (the strictest variant decodes the image and re-encodes it, so that only pixel data survives the upload).

Bypassing File Uploads

Suppose you are limited to uploading a few formats such as PDF, JPEG or JPG. What if you could upload a PHP file anyway, by defeating the upload mechanism and its file-type validation? If someone can upload a PHP file and get the server to execute it, it is game over for the website: they upload a PHP shell, gain remote code execution and, worse, can open a reverse shell on the server.

How does the bypass work?

It depends on which kind of validation the system is using. Is it just checking the extension? If so, it is very easy to bypass and upload a PHP file or something else malicious. Suppose we have to upload a JPG file, so the extension must be something.jpg.

1- Bypassing a plain extension check

What we can do is upload a file named something.php.jpg or something.jpg.php. The second works when the check only looks for ".jpg" somewhere in the name: the server stores a file whose real extension is .php. The first works when the check looks only at the last extension but the web server picks its handler from any recognised extension in the name, as Apache does when PHP is enabled with AddHandler for .php. Other variants of the same idea are case changes (.pHp) and alternative PHP extensions (.phtml, .php5) that a blacklist forgot.
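The two naive checks and a hardened replacement, as an added Python example (not the original post's code). It goes slightly beyond the two names above by also showing the NUL-byte variant (shell.php\x00.jpg), which fools a check written in a language that keeps the full string while the C-level filesystem call truncates at the NUL. The file names and the allowlist are constructed for the example.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}


def naive_contains_check(filename: str) -> bool:
    """Accepts any name that contains an allowed extension somewhere,
    so 'shell.jpg.php' passes and is stored as a .php file."""
    lowered = filename.lower()
    return any("." + ext in lowered for ext in ALLOWED_EXTENSIONS)


def naive_last_extension_check(filename: str) -> bool:
    """Accepts names whose last extension is allowed, so 'shell.php.jpg'
    passes; whether it then runs depends on how the web server maps
    multi-extension names to handlers (Apache's AddHandler for .php is
    the classic case). A NUL inside the name also slips through."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS


def safe_storage_name(filename: str):
    """Hardened version: decide the type from the last extension only,
    require it to be on the allowlist, and store the file under a name
    the server generates, so nothing from the client-chosen name (extra
    extensions, path components, NUL bytes) reaches the filesystem.
    Returns the storage name, or None if the upload must be rejected."""
    name = os.path.basename(filename.replace("\\", "/"))
    name = name.split("\x00", 1)[0]          # what a C-level open() would see
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for candidate in ("resume.pdf", "shell.jpg.php", "shell.php.jpg",
                      "shell.php\x00.jpg", "../shell.pHP"):
        print(repr(candidate),
              "contains:", naive_contains_check(candidate),
              "last-ext:", naive_last_extension_check(candidate),
              "stored-as:", safe_storage_name(candidate))
```

The name check only decides what the server is willing to call the file; it says nothing about the bytes inside, so it belongs in front of the signature check, not instead of it, and the upload directory should be one from which the web server never executes scripts.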

2- Bypassing the magic-byte validation.

For this we use polyglots. Polyglots, in a security context, are files that are valid as more than one file type at once. For example, a GIFAR is both a GIF image and a JAR (Java archive). There are also files that are both GIF and JavaScript, both PPT and JavaScript, and so on.

So when we have to upload a JPEG, we can actually upload a JPEG/PHP polyglot: a file that carries the real JPEG header (and, if we want, a real image) and also PHP code, for example inside a comment or EXIF segment. While it is being validated it looks like a JPEG to the server, because the magic bytes, and even the segment structure, are correct. But if the file is later handled by the PHP interpreter (stored with a .php extension, or pulled in through a file-inclusion bug), PHP passes the image bytes through untouched and executes the PHP block inside them. The original text calls this a PHAR-JPEG: a PHAR archive may start with an arbitrary stub before its __HALT_COMPILER() marker, so prepending a JPEG gives a file that is both an image and a PHP archive.
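Building such a polyglot, as an added Python example (not code from the original post): a valid JFIF header, the PHP payload in a COM (FF FE) comment segment, and EOI. The payload is a constructed, harmless echo. The example also shows the one cheap check a validator can add for this case, scanning the bytes for a PHP open tag; the magic-byte check passes, and so does a segment-by-segment structure walk, because a COM segment is perfectly legal JPEG.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

# Constructed payload: harmless, only proves execution if PHP ever runs the file.
PHP_PAYLOAD = b"<?php echo 'polyglot'; ?>"


def segment(marker: int, body: bytes) -> bytes:
    """One JPEG marker segment: FF xx, 2-byte big-endian length (counts itself), body."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


def build_jpeg_php_polyglot(payload: bytes = PHP_PAYLOAD) -> bytes:
    """Valid JFIF framing with the PHP code carried in a COM (FF FE)
    comment segment. Image parsers skip COM; the PHP interpreter emits
    everything outside <?php ... ?> as-is and executes what is inside."""
    app0 = segment(0xE0, b"JFIF\x00"        # identifier
                         + b"\x01\x01"      # version 1.01
                         + b"\x00"          # units
                         + b"\x00\x01\x00\x01"  # density 1:1
                         + b"\x00\x00")     # no thumbnail
    com = segment(0xFE, payload)
    return SOI + app0 + com + EOI


def magic_byte_check(data: bytes) -> bool:
    """Same cheap check as before: FF D8 first, FF D9 last."""
    return data[:2] == SOI and data[-2:] == EOI


def contains_php_tag(data: bytes) -> bool:
    """Content scan a validator can add: a PHP open tag anywhere in the
    bytes means the file must never be handed to the PHP interpreter."""
    return b"<?php" in data or b"<?=" in data


def php_code_in(data: bytes) -> bytes:
    """What PHP would execute if it ran this file: the text between the tags."""
    start = data.find(b"<?php")
    end = data.find(b"?>", start)
    if start == -1 or end == -1:
        return b""
    return data[start + 5:end].strip()


if __name__ == "__main__":
    poly = build_jpeg_php_polyglot()
    print("magic bytes ok:", magic_byte_check(poly))
    print("php tag found:", contains_php_tag(poly))
    print("php would run:", php_code_in(poly))
```

The tag scan is a useful tripwire but not a guarantee (PHP code can be split across segments, or hidden in a PHAR stub the scan does not understand), so the real defence is to make sure uploaded bytes are never executed: server-chosen names without a script extension, a storage location outside the web root or with script execution disabled, a fixed Content-Type when serving them, and, for images, re-encoding through an image library, which drops the COM segment along with the payload.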

And finally: uploading a shell to random websites for fun is not cool, so never try this unless you have permission to test.

HAPPY HACKING.
