Categories

File upload bypass using MIME-type

There are many methods web developers incorporate in their applications in order to allow only certain file types to be uploaded. In the case of a slideshow of a photo booth web application, developers mostly check for a correct file extension (.jpg , .png , etc.) as well as its mime-type Content-type: image/jpeg in order to ensure that the file uploaded is indeed allowed and only an image.

Bypassing the file extension to upload a payload is straightforward and easy. We just change the file extension from payload.php to payload.php.gif

The mime-type check bypass is again relatively simple but most penetration testers tend to make it seem more complicated than it really is. A good example of that is when we try to incorporate a PHP script in a regular image, which in most cases is very difficult to achieve, and it doesn’t guarantee that the payload will indeed work. This happens because in some cases the server does not recognize the file to contain executable code and it simply tries to display it as an image.

The easy way is to trick the mime-type security check in order to think that the file we’ve uploaded is an image but in reality the web server is going to recognize it as a PHP script file.

To do so we only need to add one line at the start of our script: GIF89a;

GIF89a is a GIF file header. When the file gets reviewed by mime_content_type("myfile"); it gets fooled in order to think that it is an image instead of a PHP shell.

GIF89a;
<?php
  system('whoami'); # shellcode goes here
?>
Networked

Leave a Reply

Your email address will not be published. Required fields are marked *