Hello Hackers! In this write-up I am going to tell you how I was able to bypass file upload restrictions to upload PHP (or any other) files and found a malicious file download vulnerability in one of the Bugcrowd programs, and how, after finding this vulnerability, you could chain it to RCE (Remote Code Execution).
So let’s get started:
For security reasons I am not going to disclose the company name, so let's call it target.com. Users can upload an avatar as their profile picture, and you all know this feature very well as a place to test for upload vulnerabilities. As always, I started by uploading a very simple PHP file, but as always it gave me an error.
Next I uploaded a simple PNG file, fired up Burp intercept, and saw a request that looks like this:
POST /api/upload/?_xyz=17275&js_session=xyz HTTP/2
Host: www.3rd_party_app.com
Cookie: session_dialog=cookie
User-Agent: xyz
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Content-Type: multipart/form-data; boundary=---------------------------346708504232334186901693690011
Content-Length: 10770
Origin: https://abc.xyz.com
Referer: https://abc.xyz.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Priority: u=0
Te: trailers
-----------------------------346708504232334186901693690011
Content-Disposition: form-data; name="fileUpload"; filename="upload.png"
Content-Type: image/png
PNG
Note that this application uses another service to upload the picture. The structure looks something like this:
1. The user uploads a photo, which is handled by a third-party application (the POST request above is made to the third-party application).
2. If you check the response of that POST request, the third party stores the image at a particular path and responds with the path where the image is stored. Note: this third-party app stores the image on one of the target's subdomains, which looks like image.target.com/path_for_image
3. After the image is stored, the user clicks the "save changes" button, and the main application makes a PUT request with the above path in the data section to save that particular image.
4. Here I was also able to find a blind SSRF, and I tried to do port scanning with it, but nothing happened, so I didn't pursue it. I also tried path traversal and XSS, but none of them worked, so I'd like your suggestions: what kind of bugs can we find when the application uses a direct URL to store an image in its database or at a specific path? I'm happy to hear from you in the comments section.
5. So our request looks like this:
PUT /api/users/1xx?text_format=html,markdown HTTP/2
Host: www.target.com
Cookie: cookie
User-Agent: xyz
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
X-Csrf-Token: tU7vZxyz
Content-Length: 230
Origin: https://www.target.com
Referer: https://www.target.com/username
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
{"user":{"about_me":"xyz","photo_url":"https://image.target.com/path_for_image"}}
6. After sending the request we got a 200 OK response and our PNG image was successfully uploaded; that is how the application behaves.
Note: I think if you find this type of functionality, always check for blind SSRF; I am sure you will find it, because the server will make a request to fetch the photo from whatever URL you send. You can also look for open redirect, path traversal, and self-XSS that you might chain into reflected XSS, and if I am missing anything, your suggestions are valuable.
This video might be helpful for using path traversal to read sensitive files. It is not exactly this type of case, but the logic is the same: https://www.youtube.com/watch?v=MBQJJ3jfJ8k
Now let's come back to our topic: how I bypassed the restriction on uploading PHP files and how you could chain this to RCE. Let's go step by step again.
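The check the note above is about, seen from the defender's side, as an added example in Python (my code, not the target's): a validator for the photo_url that the main application receives in the PUT /api/users/... request and then fetches server-side. It assumes the only legitimate avatar location is https://image.target.com/path_for_image/... (host from the post; treating path_for_image as a directory prefix is my assumption). Anything looser than an exact allowlist lets the client steer the backend's fetch, which is the blind SSRF the post describes.

```python
from urllib.parse import urlsplit, unquote

# Assumed, not from the post: the only host and path prefix the backend
# should ever fetch avatars from.
ALLOWED_HOST = "image.target.com"
ALLOWED_PREFIX = "/path_for_image/"


def validate_photo_url(url: str) -> bool:
    """Accept photo_url only if it points inside our own image store.

    The backend fetches this URL to save the avatar, so any looser check
    (substring match on the hostname, "any https URL", ...) lets a client
    point that server-side request at internal services: blind SSRF.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Scheme pinned: no http://, file://, gopher:// and friends.
    if parts.scheme != "https":
        return False
    # Exact match on the whole netloc. This also rejects userinfo tricks
    # (https://image.target.com@evil.example/...) and explicit ports,
    # because both change netloc.
    if parts.netloc.lower() != ALLOWED_HOST:
        return False
    # Decode once, then require the path to stay under the prefix with no
    # ".." segments (covers %2e%2e as well as literal dots) and no empty
    # segments ("//") that some fetchers normalise differently.
    path = unquote(parts.path)
    segments = path.split("/")
    if ".." in segments or "" in segments[1:-1] or not segments[-1]:
        return False
    if not path.startswith(ALLOWED_PREFIX):
        return False
    # Nothing left for the fetcher to interpret beyond the object path.
    if parts.query or parts.fragment:
        return False
    return True
```

The rejected inputs worth keeping in a regression suite are the ones bug hunters reach for first: a different scheme, a cloud metadata IP, a `user@host` netloc, a port, encoded traversal, and a query string.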
1. As you know, I was not able to upload a PHP file through the client, so I analysed how the third party checks whether a file should be uploaded to target.com or not. Look again at the first POST request, the one with Host: www.3rd_party_app.com.
2. There is a parameter called js_session=xyz. In reality this parameter contains a lot more than what is shown (I replaced its value with xyz), but it also carries the secrets of the upload functionality, such as which file types may be uploaded and which may not. Among other things it contains this:
{"mimetypes":["image/jpeg","image/png","image/gif","image/webp"],"persist":false,"version":"v2","storeLocation":"S3","storePath":"path_for_storing/name_of_image"}
3. There are still lots of other fields, but these are the important ones. Here you can see that only jpeg, png, gif and webp types are allowed, so I simply added application/x-httpd-php to the allowed mimetypes and also changed the file name to poc.php, something like this:
{"mimetypes":["image/jpeg","image/png","image/gif","image/webp","application/x-httpd-php"],"persist":false,"version":"v2","storeLocation":"S3","storePath":"path_for_storing/poc.php"}
4. I also put simple PHP code in place of the PNG data and changed the body part accordingly; that is what our final body looks like.
5. I know you might be thinking that the filename here is still upload.png, but remember we already changed the name to poc.php in the js_session parameter above, so it doesn't matter. Our final file name is poc.php.
6. Now simply send the request and, as always, we got a 200 OK response with the full URL, which looks like this: https://image.target.com/path/poc.php
7. After that we simply click the save button and our PHP file was successfully uploaded. This time my reaction was 😱: I am very close to finding my first RCE 🎉, but these things don't last long.
8. Now I right-click on the avatar, click "open image in new tab", and guess what: my file was downloaded as-is rather than executed. I didn't know why this was happening.
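The trust failure behind steps 1 to 8, as an added example in Python (my code, not the third party's or the author's): a minimal upload handler that, like the one in the post, takes its allowed MIME types and storage path from the client-supplied js_session and therefore lets the client store poc.php, beside a hardened version in which the policy is HMAC-signed by the server, the file type is decided from the bytes rather than from the Content-Type header or the filename, and the stored name is chosen server-side. The secret, the storeDir field and the function names are assumptions; the post does not show how js_session is really encoded, so the vulnerable handler reads it as plain JSON.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

# Assumed, not from the post: a secret shared by the main application (which
# issues upload policies) and the upload service (which enforces them).
POLICY_SECRET = b"example-secret-rotate-me"


def store_upload_vulnerable(js_session: str, filename: str,
                            content_type: str, data: bytes) -> Optional[str]:
    """The pattern the post describes: the policy arrives in a client-controlled
    parameter and is trusted as-is, so the client decides both which MIME
    types are allowed and what the stored object is called."""
    policy = json.loads(js_session)
    # Client-supplied Content-Type checked against a client-supplied list.
    if content_type not in policy["mimetypes"]:
        return None
    return policy["storePath"]          # client-chosen, e.g. .../poc.php


def sign_policy(policy: dict, secret: bytes = POLICY_SECRET) -> str:
    """Issue a tamper-evident policy: canonical JSON, base64, HMAC-SHA256 tag."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def verify_policy(js_session: str, secret: bytes = POLICY_SECRET) -> Optional[dict]:
    """Return the policy only if its tag verifies; any edit to the mimetypes
    or storeDir fields (or a policy signed with a guessed key) is rejected."""
    try:
        b64, tag = js_session.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        policy = json.loads(body)
    except ValueError:
        return None
    return policy if isinstance(policy, dict) else None


def sniff_image(data: bytes) -> Optional[str]:
    """Decide the type from the bytes, never from Content-Type or filename.
    Returns the extension to store under, or None for anything else
    (PHP source, HTML, an .htaccess, ...)."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def store_upload_hardened(js_session: str, filename: str, content_type: str,
                          data: bytes,
                          rand: Callable[[], str] = lambda: secrets.token_hex(16)
                          ) -> Optional[str]:
    """Same inputs as the vulnerable handler, but the client controls nothing
    that matters: `filename` and `content_type` are deliberately ignored."""
    policy = verify_policy(js_session)
    if policy is None:
        return None
    store_dir = policy.get("storeDir")
    if not isinstance(store_dir, str) or not store_dir:
        return None
    ext = sniff_image(data)
    if ext is None:
        return None
    # Server picks the name: random, allowlisted extension, never a dotfile,
    # so neither poc.php nor .htaccess can land in the directory.
    return f"{store_dir.rstrip('/')}/{rand()}.{ext}"
```

Signing the policy is what the third party was missing: once the server cannot tell a policy it issued from one the client edited, every other check is decoration. The magic-byte sniff is the second, independent layer; a signed policy that still honoured the client's Content-Type would accept PHP source labelled image/png.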
At first I thought the application was using Express.js rather than PHP, so I tried to execute a .js file, but no luck. I wasn't satisfied; I wanted to find an RCE, so I researched it, but sadly at that time I was not able to create more impact and I submitted it as it was. According to the Bugcrowd VRT this bug is rated P5, so as always they closed my report as P5 😥.
After this bug was fixed I talked with one of my friends about it and told him how the malicious file was downloaded as-is rather than executed, and he told me about the .htaccess magic.
Write-up of the PortSwigger lab solution using .htaccess: https://ckevingalvan.medium.com/web-shell-upload-via-extension-blacklist-bypass-712c7c27097d
He also told me how he had found the same vulnerability and got RCE there, so I researched it too, and after reading some write-ups I stumbled upon this PortSwigger write-up on how you can get RCE using .htaccess. I felt very bad when I saw it, because I had underestimated the power of the PortSwigger labs: if I had found this write-up, or at least solved the labs properly, I might have found my first RCE 😶. After learning this I quickly opened the target and tried it, but as I said, the bug no longer exists.
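The ".htaccess magic" above, as an added configuration example (mine, not from the post, the lab write-up or the target): the one-line .htaccess from the PortSwigger lab technique that makes Apache run a harmless-looking extension through PHP, followed by the server-side directory configuration that makes such an upload inert. The directory path and the .l33t extension are placeholders.

```apache
# 1. What an uploaded ".htaccess" does when Apache honours overrides in the
#    upload directory: it maps an extension no blocklist catches onto the
#    PHP handler, so a second upload such as shell.l33t is executed rather
#    than served. (Needs AllowOverride FileInfo or All to take effect.)
AddType application/x-httpd-php .l33t

# 2. Hardening, in the vhost/server config (never in an .htaccess the
#    attacker could replace), for the directory uploads land in:
<Directory "/var/www/html/uploads">
    # Do not read .htaccess here at all, so an uploaded one is ignored.
    AllowOverride None
    # Serve every file as opaque static content: no handler may run it.
    SetHandler default-handler
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar
    <IfModule mod_php.c>
        # mod_php only (module name varies by PHP version): engine off here.
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_headers.c>
        # Make the browser treat the bytes as a download, not a page.
        Header set X-Content-Type-Options "nosniff"
        Header set Content-Disposition "attachment"
    </IfModule>
</Directory>
```

Two caveats. If PHP is wired up through php-fpm with a top-level `<FilesMatch "\.php$"> SetHandler "proxy:fcgi://..."` block, Apache merges `<Files>`/`<FilesMatch>` sections after `<Directory>`, so that proxy handler would still win; exclude the upload path from the match or put the `SetHandler default-handler` inside your own `<FilesMatch>`. And the most robust version of this fix is the one the post's target turned out to have: uploads are served from a separate host (image.target.com, backed by object storage) that has no PHP interpreter at all, which is exactly why poc.php was downloaded instead of executed.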
Anyway guys, I hope you learnt a lot from this piece. I am never going to forget my mistake, and I suggest you solve the PortSwigger labs; if you find any vulnerability, at least research the PortSwigger labs on it, because you might find a way to escalate it to something more impactful. Who knows?
So that's it for today, everyone. I look forward to seeing you in the next article. Thank you for reading; if you enjoyed it, please consider giving it a clap. It truly motivates me to create more content.
Follow me :- https://linktr.ee/dishantmodi
#BugBounty #Cybersecurity #EthicalHacking #VulnerabilityResearch #InfoSec #WebSecurity #HackerCommunity #LearningJourney #BugHuntingTips #BugHuntingMethodology #RCE #VDP #Vulnerability #malicious #UploadFileVulnerability