How to Fix File Upload Vulnerability

numaN

Hi everybody, I hope you are all doing well! This is the first tutorial in Hackking borders.
In this post I will show you how to fix a file upload vulnerability. It will be a series; I will post threads about other vulnerabilities and their protections too.

Modern websites and applications have lots of upload forms. You can upload images, documents, media and various other files through them. But usually some file types are forbidden in these forms, such as php*, pl, py, sh, htaccess, html and more, because if the server stores such a file somewhere it can execute or render it, an attacker gets server-side code execution or script injection. So blocking those file formats is useful. Another well-known method is the MIME type check. How does a MIME type check work?
The attacker has a file, xxx.php.
If the attacker tries to upload this file, the system blocks the request and prints "You can only upload image!", because the system checks the MIME type of the uploaded file. A small example:

[Screenshots: phpmime.PNG → phpmime2.PNG]

But the MIME type PHP reports in $_FILES['fileinput']['type'] is just the Content-Type header the browser sent for that multipart part, so an attacker can change it in an intercepting proxy and upload the file easily. That is why I will not rely on a MIME-type check in this post. There are various methods to bypass protections and upload a file.
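
To make that concrete, here is an added example (editor-provided, not from the original post). It builds a fake $_FILES entry the way PHP would populate it for a request whose multipart Content-Type says image/png but whose body is a PHP webshell, and then compares the declared type with what libmagic (ext/fileinfo) reads from the bytes. The helper names fakeUpload, declaredVsSniffed and naiveMimeCheck are this example's own; the 1x1 GIF and the webshell string are constructed inline so it runs from the PHP CLI without a web server.

```php
<?php
// Added example: why the browser-supplied Content-Type cannot be trusted, and what a
// server-side check sees instead. Helper names are illustrative choices of this example.

// Build a $_FILES-style array the way PHP fills it in. 'name' and 'type' are copied
// straight from the request; only 'tmp_name' and 'size' are set by the server.
function fakeUpload(string $name, string $declaredType, string $content): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    return [
        'name'     => $name,          // attacker-controlled (filename= in the part header)
        'type'     => $declaredType,  // attacker-controlled (Content-Type of the part)
        'tmp_name' => $tmp,           // server-controlled
        'error'    => UPLOAD_ERR_OK,
        'size'     => strlen($content),
    ];
}

// What the request claims versus what the bytes on disk actually are.
function declaredVsSniffed(array $file): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);   // libmagic: reads the content, not the header
    return [
        'declared' => $file['type'],
        'sniffed'  => $finfo->file($file['tmp_name']),
        'is_image' => @getimagesize($file['tmp_name']) !== false,
    ];
}

// The check the post warns about: it trusts $_FILES[...]['type'] as sent by the client.
function naiveMimeCheck(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Constructed sample inputs: a real 1x1 transparent GIF and a one-line PHP webshell.
$realGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$shell   = "<?php system(\$_GET['cmd']); ?>";

$cases = [
    'honest image' => fakeUpload('cat.gif',   'image/gif', $realGif),
    'spoofed type' => fakeUpload('shell.php', 'image/png', $shell),
];

foreach ($cases as $label => $file) {
    printf("%-13s naive check: %s  %s\n",
        $label,
        naiveMimeCheck($file) ? 'ALLOWED' : 'blocked',
        json_encode(declaredVsSniffed($file)));
    unlink($file['tmp_name']);
}
```

The naive check accepts the second case because it only looks at the string the client chose, while the sniffed type and the getimagesize() result come from the file content. Neither of the content checks is a complete defence on its own (a valid image can still carry a PHP payload in its metadata), but they are the part of the decision the attacker does not get to set.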
I have just written a script to upload files securely:
PHP:
<h1>Upload Image</h1>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileinput">
<input name="submitname" type="submit" value=">>">
</form>

<?php

function findExt($name){
    $parts = explode('.', $name); // end() needs a variable, not a function result
    return end($parts);           // the part after the last dot
}

$filename = $_FILES['fileinput']['name'] ?? '';     // original file name, sent by the client
$path = $_FILES['fileinput']['tmp_name'] ?? '';     // temporary path chosen by PHP
$ext = strtolower(findExt($filename));
$allowed = array("jpg", "png", "gif");

if($_POST){
    if(in_array($ext, $allowed, true)){
        @copy($path, time().".".$ext);
        echo 'Success!';
    }else{
        echo "Failed!";
    }
}
Let me explain the code.
Line 1-5: the HTML part, a form with a file input that posts back to the same page.

Line 9-12: findExt(), a function that returns the part of the file name after the last dot, i.e. the last extension (shell.php.jpg gives jpg).

Line 14-15: the original file name and the temporary path where PHP stored the upload.
Line 16: the extension of the file, lowercased so that JPG and jpg are treated the same.
Line 17: the allowed file extensions; you can edit the list here.

Line 19: only run the check if the user actually sent a POST request.
Line 20: compare the file's extension with the allowed list (strict comparison); if it matches one of them, continue.
Line 21: rename the file to the current Unix timestamp plus the extension and copy it into the script's directory. You can use other functions such as rand() or md5() if you do not want to disclose the upload time.
Line 22: print the success message.
Line 23-24: otherwise, print the failure message.

Now let us try to upload a webshell:
[Screenshot: re1.PNG]

It failed because the file's extension is .php. Now let us try to upload a .jpg file:

[Screenshot: re2.PNG]

Let me check whether the file was uploaded:
[Screenshot: ftpc.PNG]
The file was renamed and uploaded successfully. Alternatively, if you want a single file extension, for example only jpg, use this code instead of line 21:
@copy($path, time().".jpg");
This renames every file and forces the extension to .jpg.

So you can block malicious files by their file extensions. I don't need extra protections and I am using this script in my projects.

Can you see any issue or misconfiguration in the script? Is it bypassable? And how would you improve the code?
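
One answer to that question, as an added example (editor-provided, not the author's script): a handler that keeps the extension allowlist but no longer lets it decide on its own. It rejects uploads PHP itself reports as broken, insists on is_uploaded_file() instead of copy()ing whatever path is in tmp_name, caps the size, sniffs the content with ext/fileinfo, requires that GD can decode the bytes, re-encodes the pixels so metadata or trailing bytes carrying a "<?php" payload are dropped, and stores the result under a random name outside the web root. Assumptions of this example: PHP 8 with ext/fileinfo and ext/gd, the constant UPLOAD_DIR points at a directory the web server does not serve or execute, MAX_BYTES is a cap picked for the example, and storeImage is this example's own function name.

```php
<?php
// Added example (not the post's own script): a hardened replacement for the upload handler.
// Assumptions: PHP 8, ext/fileinfo and ext/gd available, UPLOAD_DIR outside the document root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private';  // assumption: not reachable through the web server
const MAX_BYTES  = 2 * 1024 * 1024;             // assumption: 2 MiB cap chosen for this example

// Validate one entry from $_FILES and store a re-encoded copy of it.
// Returns the stored file name; throws with a reason the caller can log.
function storeImage(array $file): string
{
    // 1. PHP's own upload status: anything but a clean, complete upload is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . ($file['error'] ?? 'none'));
    }
    // 2. The temp file must come from this request, not from a path someone supplied.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 3. Size cap measured on the stored bytes, not on a client-supplied header.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('too large');
    }
    // 4. Keep the post's extension allowlist as a first filter (last extension, lowercased).
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // 5. Content sniffing: $file['type'] is copied from the request and is ignored here;
    //    libmagic looks at the bytes instead.
    $mime   = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $byMime = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($byMime[$mime])) {
        throw new RuntimeException("content type $mime rejected");
    }
    // 6. The bytes must decode as an image at all.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 7. Server-chosen name: random, no user input, extension fixed by the sniffed type.
    //    (time() as in the post collides when two uploads land in the same second.)
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $byMime[$mime];
    // 8. Re-encode the pixels. EXIF/comment sections and trailing bytes, where a PHP
    //    payload hides in an otherwise valid image, do not survive this step.
    $written = match ($byMime[$mime]) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$written) {
        throw new RuntimeException('could not write image');
    }
    return basename($dest);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['fileinput'])) {
    try {
        $stored = storeImage($_FILES['fileinput']);
        echo 'Success! Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage());  // detail goes to the log, not the user
        echo 'Failed!';
    }
}
```

Because the files live outside the web root, they have to be served by a small download script (or a separate static host) that sets Content-Type from the stored extension and X-Content-Type-Options: nosniff, so the web server never gets a chance to treat an upload as a script. Re-encoding is lossy for JPEG and drops GIF animation; if either matters, keep the other checks and store the original only where nothing can execute it.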

// end of the post.
 