FILE UPLOAD ATTACKS - Type Filters

Hi everyone,

I have completely bypassed the Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters and uploaded the shell. When I access the shell (with the image extension phar.png) to execute an OS command I get an error. So can you help me understand what the error is and why?

Thank you so much.


It's giving you an error because the file is png type. First check using Burp Intruder which extensions are whitelisted. Then write a hello world PHP program and try with the whitelisted extensions. You will get it.


Hey all,

I need a helpful nudge on this one, I get that same error with .gif, .jpg, and .jpeg files as well. I am trying to use whitelisting as well, but it seems like the files are just getting dropped. When I curl the files that give me the error message above, I see the contents.

So I am thinking that my issue really lies in the whitelisting process, any helpful thoughts on whitelisting for this challenge?

Thanks in advance,
-onthesauce

@sk7698277, I don’t think the error is the png type. I just got the flag with a png file. This error seems to appear because the server is expecting an image but receives PHP code. If this is done right it won’t be expecting an image. This error will appear even if you upload:
shell.phar.jpg
shell.phar.gif
etc…
It's not the extension on the end. However, you are right about the whitelisting.

To anyone else that finds themselves in this place getting that same error, remember that you have successfully uploaded a file to the server, meaning that you have bypassed everything but the whitelisting. If you went through what I went through, then you have probably suffered 4+ hours of frustration haha.

So I recommend another look at the Whitelist Filters section and do note that there are three methods. I spent 4 hours trying just one and ignored the others lol.

Feel free to DM me for a helpful push in the right direction.
-onthesauce


I have this error too. Help please!

Perhaps it would be helpful to see the PHP code. The module describes a way to get the code.

I may have been long winded in my explanation above, but it should be a whitelisting issue. The fact you are getting the file onto the server is great, but it is not executing because you need to bypass one more thing.

It has been a while since I did that exercise, but you should give the Whitelisting section another read and try all three methods. ***Edit: wrote skill assessment, meant exercise.
-onthesauce


I tried reverse double extension, double extension, character injection, and different variations of .php, but I didn't get the results.

Think about the possibility that XML offers you.

Have you already found the hidden page and read its source code?
If you haven't, you need to find this hidden page and read its source code to know how the filters on the server actually work.

Good evening,

Could you help me with this one? I am having the same issue.
I have tried the mime type and content type techniques, as well as the character injection and the double extensions. Nothing worked…

Thanks in advance,
Best regards

Hello,

I also need some help with this exercise:
My current strategy is to find the right combination of file-extension, content-type and MIME-type that would trigger a successful upload and execution of the PHP code.

My first approach was to find a set of file extensions that would not be blacklisted (no message: “file type not allowed”) with the help of the known bash script (double extension, reverse double extension and character injection).

I found around 50 extensions that result in a different response, “only images allowed” (no blacklist, but whitelist still active), and used them together with combinations of image/non-image content types and different MIME types.

The module says:

For example, we can try using an Allowed MIME type with a disallowed Content-Type, an Allowed MIME/Content-Type with a disallowed extension, or a Disallowed MIME/Content-Type with an allowed extension, and so on. Similarly, we can attempt other combinations and permutations to try to confuse the web server.

Endless possibilities… But so far, I was not able to get a successful upload response from the server.

Am I still missing something? Trying all permutations is not realistic with the community version of Burp Suite. Is there still another way to find the relevant edge cases?

Many thanks!

You seem to be on the right track; the error messages are the key to letting you know what is getting through the filters.

I found that saving the blacklist/whitelist filters for last was easier. Use a regular image name like shell.jpg or shell.png and then fuzz the content-types and MIME types first. Once you get an upload with the right MIME type and content-type, then work on the extensions.

Feel free to DM me with a screenshot of your Burp request so I can see where you are at.
-onthesauce

Hey I’m stuck on File upload attacks Type Filters

I got the file uploaded with this setup on Burp

Content-Disposition: form-data; name="uploadFile"; filename="flag.phar.png"
Content-Type: image/png

GIF8
<?php system($_REQUEST['cmd']); ?>

But when I go to visit the file and run ?cmd=id it shows a blank screen. Am I missing something here?

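To make the three checks this thread keeps circling (extension whitelist, Content-Type, magic bytes) concrete, here is an added Python example that is neither the module's code nor the lab's upload handler: a weak filter of the kind that lets a name like flag.phar.png through, beside a hardened one. The payload, filenames and the GIF8 prefix are constructed from the request quoted above; the hash-based storage name is an assumption about how a hardened handler would behave.

```python
import hashlib
import re
from typing import Optional

# Constructed example, not the module's or the target server's code.
# Allowed final extensions and the Content-Type each one must be declared with.
ALLOWED_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "png": "image/png", "gif": "image/gif"}
# Full magic-byte signatures and the Content-Type each corresponds to.
SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def weak_is_allowed(filename: str, content_type: str, data: bytes) -> bool:
    """Weak filter: an image extension anywhere in the name, any image
    Content-Type, and a truncated magic check. The three checks are not
    tied together, so flag.phar.png with a bare 'GIF8' prefix passes."""
    ext_ok = re.search(r"\.(jpg|jpeg|png|gif)", filename, re.I) is not None
    type_ok = content_type in ALLOWED_TYPES.values()
    magic_ok = data.startswith((b"GIF8", b"\x89PNG", b"\xff\xd8"))
    return ext_ok and type_ok and magic_ok


def hardened_store_name(filename: str, content_type: str,
                        data: bytes) -> Optional[str]:
    """Hardened filter: only the final extension counts, the declared
    Content-Type must agree with both that extension and the full signature,
    and the stored name is derived from a hash so no client-chosen fragment
    such as '.phar' survives for a handler regex to match. None = rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_TYPES.get(ext)
    if expected is None or expected != content_type:
        return None
    detected = next((t for sig, t in SIGNATURES.items()
                     if data.startswith(sig)), None)
    if detected != expected:
        return None
    # Server-chosen name; in practice also store outside the web root.
    return hashlib.sha256(data).hexdigest()[:16] + "." + ext


# Constructed payload, modelled on the request quoted in the thread.
PAYLOAD = b"GIF8\n<?php system($_REQUEST['cmd']); ?>\n"

if __name__ == "__main__":
    print("weak filter accepts:", weak_is_allowed("flag.phar.png", "image/png", PAYLOAD))
    print("hardened filter stores as:", hardened_store_name("flag.phar.png", "image/png", PAYLOAD))
```

Even when a file with a full GIF89a signature and PHP text inside gets past the hardened check, it is stored as `<hash>.gif`, so the `.phar` the thread relies on never reaches the web server's handler matching.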

Try using different extensions, in different places. I don’t remember exactly how I did it, but I do remember the fix for 99% of the issues on this part was either the wrong extension, or the right extension in the wrong place. Also make sure you are using the same word list as in the module.

Hey mate, on Burp Repeater for me it says file uploaded successfully but in the browser “only images allowed”. I am beyond frustrated, I've been stuck for a week now, any help appreciated.

Sorry it's taken me so long to get back to you; I work 2 jobs and am a single father so sometimes my schedule is super busy and hacking isn’t always a priority.
Are you still having issues?

Hey I’m stuck on File Upload attacks Type Filters,

I got the file uploaded with the combination of the following items:

Content-Type (allowed): image/gif, image/jpeg, image/png
File extensions (allowed): phtml, phar, pgif, phtml, phtm
Magic bytes: GIF8

The majority of the uploaded files produce an error when I try to retrieve them; a very few of them produce a white page, as if no command had been provided in the URL.

Can I get some help? It's been a week since I got stuck, I retry every day, and I'm getting mad xD

I do not remember exactly what I did, but I do remember I only used one content-type, “image/gif”.

Have you tried that?


Yes, I used Burp Intruder to combine every possible triad composed of (Content-Type, File-Extension, Magic Bytes)

and I uploaded all the files that have one of the three content-types above, but most of the uploaded files raise an error, and that's fair, maybe some server-side mechanism is in place, but a very few uploaded files generate an empty blank page.

I tried even without magic bytes but no files were uploaded, which leads me to think that the GIF magic bytes are mandatory in order to avoid upload failure.

EDIT: I FINALLY MADE IT
