Exploiting File Upload using Null byte

In my previous blog related to FILE upload, I already discussed some basic techniques to bypass whitelisting of file extensions. Now in this blog I am explaining other techniques here like MIME type, NULL byte injection.

MIME type:

Aim: Our aim is to upload PHP code and retrieve password in the file “.passwd”.

there are three tabs in the web application

· defaced

· upload

· pirate

From upload tab, I can upload an image .

Now to check the validation application is using I will try to upload a file which is not an image file.

· First I try to upload PHP shell i.e. “fupload.php”, we check corresponding request on burp.

In above screen shot please check yellow color highlighted portion. Which indicates application is checking content type of uploaded image. Without changing content type of uploaded the file, I forwarded the request. After forwarding the same request, i got “wrong file type” on User Interface.

Again I am trying to upload same file but this time I will changed Content-Type to “image/png” and then check is file upload possible or not. “fupload.php” contain PHP shell, which helps us to retrieve password. The code inside the “fupload.php” shown below:

Intercepting the request and updating its content type, request will look like:

After forwarding the request, I checked on UI where it shows me “File uploaded” message.

Now using LFI technique in the URL “/fUpload.php” where file, is uploaded we got the password (described in my previous blog of FLI bypassing techniques)

So updated URL:

By implementing LFI technique on stored URL, I got the Credentials by uploading a PHP shell.

NULL BYTE

This is another technique to bypass file upload functionality. In it we try to inject null byte character which is basically reserved character to signify the end of the string, Typically it known as “null-terminated string”.

Sometimes direct null character or sometimes its encoded form (%00) It depends on, how we are going to bypass it. Generally null byte injected with user supplied data.

Aim: Our aim is to upload PHP code and hack photo gallery and retrieve .passwd.

There are four tabs in the web application,

· upload

· Hackin9

· MISC

· Phrack

Now we try to upload PHP code in upload tab. I uploaded the same file of double extension, which I used in my previous blog of file upload i.e. “fupload.php.jpg”. After uploading, I checked its request on burp.

From highlighted portion, it is clear for png file content type is correct. Now I try to modify filename and content type in intercepted request:

Please check highlighted portion, after removing “.png” extension and giving corresponding content-type, it shows “Wrong file type” in response tab.

Now I try it with null byte injection on the same uploaded file.

After uploading, I injected “%00” before “.png” extension. So updated file name becomes filename=”fUpload.php%00.png”. When I forwarded the request, file with null byte injection uploaded on the server.

So when implement null byte in file name fUpload.php%00.png, it will remove .png extension from checking. By injecting a null byte, the extension rule won’t be enforced because everything after the null byte will be ignored. Now application only checking file name as fUpload.php

Please check below screen shot yellow color highlighted portion.

Here we also got the URL where our PHP shell uploaded. After opening that location till PHP extension we got the credentials. So our aim to fetch credentials by uploading a PHP code fulfilled.

And after implementing null byte we able to bypass file upload functionality.