3 minute read

The last few weeks have been busy with some non-hacking stuff, but there are still some interesting bits and pieces worth noting.

File Uploads

I completed the Hack The Box Academy module on File Upload attacks. These are particularly effective when the uploaded file can be executed as code. For example, if a file can be uploaded to a server running PHP, and then directly accessed and executed as PHP code. This, of course, leads directly to RCE on the server.

That said, there are other interesting ways that file upload vulnerabilities may be useful as well.

First, there is the possibility of Cross-Site Scripting (XSS). For example, if the site allows image uploads and then later displays any EXIF data from the uploaded image without proper escaping.

Second, there may be some interesting things you can do with specific file types. For example, SVG files have some interesting attack vectors. They are XML-based files, which means that XXE attacks may be possible, leading to arbitrary file reads or even RCE. Also, SVG files generally support Javascript code, which may be used for Stored XSS.

And finally, as mentioned, there are numerous ways that uploads can be used to achieve RCE. Often the files are validated to ensure that they are the correct format, but there can be several ways to bypass these checks.

Client-Side Validation

It should go without saying, but client-side validation of files is not adequate protection. It is trivial for an attacker to bypass this validation in a number of ways, for example by using a proxy such as Burp Suite to upload unsupported files without the client-side checks being done.

File Extension Checks

One method of validation is to check the filename extension, and ensure it is only a supported extension. However, care is required to ensure that the extension checks are adequate.

  • If using a block-list, ALL dangerous extensions must be included. For example, for PHP, this may include unusual extensions such as .phps or .phar which may be executed by the web server.
  • It is also possible to bypass the file extension check with a filename that the web server will still execute. for example, if an Apache server is configured to execute files with a directive such as <FilesMatch ".+.ph(ar|p|tml)"> then an extension such as .phar.jpg will be executed since the .phar extension does not need to appear at the end of the filename.
  • Depending on the web server software and the codebase, other characters such as spaces, newlines, slashes, or dots may be used to bypass checks while still uploading files that the web server will execute.

MIME Type Checks

Another way to validate uploaded files is to check their MIME type. This may be done using the MIME type given by the browser, or by examining the file contents.

The MIME type given by the browser can be easily spoofed. The upload will typically look something like this:

POST /upload.php HTTP/1.1
<SNIP>

------WebKitFormBoundary1234
Content-Disposition: form-data; name="uploadFile"; filename="headshot.jpg"
Content-Type: image/jpeg

<SNIP>

However, an attacker may simply upload any content they want, while sending a Content-Type of image/jpeg. In short, the content type coming from the browser should be considered user input, and must not be trusted.

Examining the contents of the file isn’t much better. Most code to do this will simply look at the header of the file, ignoring most of the other content. Meaning that an attacker may upload a file with the JPEG file header, followed by arbitrary PHP code.

SSRF

This is a type of vulnerability that I was already pretty familiar with, but learned a couple of interesting tricks in this module.

First, using something like ffuf or another fuzzer is a great way to do enumeration of internal resources. For example, finding open ports and web endpoints on internal servers that are not meant to be accessed from the outside.

I also learned a bit about the gopher protocol, which can, in some cases, be used to send arbitrary bytes to a non-http socket via an SSRF vulnerability. This may be used to interact with services such as MySQL, SMTP, and others. Tools like Gopherus make it easier to generate the payloads that may be used for this type of attack.

Server-Side Template Injection (SSTI)

Another vulnerability I was pretty familiar with, but I was introduced to a nice looking tool called SSTImap which can find these vulnerabilities and exploit them, including figuring out which templating language is being used by the server. This is important for setting up a correct exploit.

I’ll be much more focused on coursework and practice over the next few weeks, so there will be more posts coming soon!

Updated:

You May Also Enjoy

HTB Machine - Nocturnal Writeup

12 minute read

The Nocturnal machine on Hack The Box has a rating of “easy” and is a Linux server. Although it wasn’t too difficult, I definitely got stuck in a couple of p...

My First Certification

3 minute read

Today I got my first cybersecurity certification: the Hack The Box Certified Bug Bounty Hunter (CBBH)!

Hack The Box – Underpass Writeup

7 minute read

I’ve been doing some Hack The Box machines, and recently tackled Underpass. It is listed as “Easy”, but it helped to reinforce some basic skills.