File Upload Attacks

Ntvu
Posted on 25-06-09 01:31
I performed several Google searches for file upload attacks and I didn't get any meaningful results back. I need a list of file upload attacks because I have a file storage website and I need to make it as secure as possible.

I know that there are file upload vulnerabilities such as arbitrary shell upload attack, which is where you upload a PHP file to a server, then access it and it will execute the code. I also know that there's another type of file upload attack called null file upload attacks, or something along those lines.

However, I was not able to find any information about that either. It would be nice if someone could point me to a website or article that discusses these types of attacks in detail and how to guard against them.

S1L3NTKn1GhT
Posted on 25-06-09 05:12
You mean like uploading shells through bypassing the upload filter? Or inputting malicious code in image files etc? Just google that right there and you should get a lot of info.


root@wtf.org#su - dumbass

Dude you're AWESOME!
-SystemMeltdown(MSN)
http://isexu.com

AldarHawk
Posted on 25-06-09 19:20
Okay, here are my thoughts, as I have a site that I run that will have upload when I get time to fix it (too many projects, too little time)...

Anyways, here are the bits that will trouble you.
Remote Upload Script Attack:
Problem: With this the attacker creates a script that will upload a set file unlimited times.
Fix: Enable a good strong CAPTCHA system that will not allow backwards resubmits.

File Header Spoofing Attack:
Problem: With this attack the person will create a harmful script that can cause many problems and spoof something like false GIF header information to enable it to bypass the filters.
Fix: Scan both the extension and the header information; this will take care of some of the problems. You will also need to filter the body of the file to remove anything that may be harmful.

File Extension Change:
Problem: Attacker simply changes the file extension to trick your filters.
Fix: Scan and ensure the header matches the extension type.

I am sure I can think of more but this is what I have for now. I hope it helps.


I(don't)See Just ask Yahoo!Taboo! http://www.erikwestlake.com

S1L3NTKn1GhT
Posted on 25-06-09 19:43
AldarHawk covered it quite nicely. :)


SySTeM
Posted on 25-06-09 20:23
Ntvu wrote:
I think that checking the file extension is more reliable than checking the content type because content type headers can be spoofed, or at least I think so. On my file storage site users were able to change the content type header somehow.

And one more question - how do you upload null files? Do you have to use Tamper Data to alter the post data?


That's why I suggested doing both checks ;)




http://www.elites0ft.com/

ranma
Posted on 25-06-09 20:38
Does the header necessarily provide all info you need to make sure the extension is not changed?


Wisdom spared is wisdom squared.

AldarHawk
Posted on 26-06-09 02:30
Again, that is why you need to do three checks. You can spoof the header and change the extension and insert code with ease... You need to check on all three to get a system that is fairly secure.

I am sure there are other steps but I am not in the mood to think about that ATM.


ranma
Posted on 26-06-09 17:21
But can't everything be spoofed?


S1L3NTKn1GhT
Posted on 26-06-09 17:38
ranma wrote:
But can't everything be spoofed?


How do you spoof code? :p You can spoof the header and extension, but the contents of the file nonetheless will be the malicious code.


ranma
Posted on 26-06-09 18:32
Well, you could have this in a, let's say, malicious.php:
<?php
/*
And now, for some code that when analyzed, will seem like an image:
[binary image data]

Next follows the actual code:
*/
$handle=fopen('../index.php','wb');
$write=fwrite($handle, 'PWN4G3!!');
?>


Or would the cleanup function use strstr() to find php code?


AldarHawk
Posted on 26-06-09 19:51
Well, first off, allowing .php files to be uploaded is just plain stupid. Also, a custom filter would be made to remove the <?php, simple enough. That code would not work, but good try :)


ranma
Posted on 26-06-09 20:22
I meant to type malicious.gif, but yes, I see your point.


Wisdom spared is wisdom squared.
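
The three checks discussed in this thread (extension, header, body), run against constructed sample uploads, including a GIF-headed file with PHP in its body like the malicious.gif case above. This is an added example, not code from any poster; check_upload(), the ALLOWED table and the CODE_MARKERS list are assumptions made for illustration.

```php
<?php
// Added example: extension, header and body checks on constructed samples.
const ALLOWED = [                       // extension => accepted leading bytes
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
];
const CODE_MARKERS = ['<?php', '<?=', '<script'];  // assumed blocklist

function check_upload(string $clientName, string $bytes): array
{
    // 1. Extension: allowlist, not blocklist, on the final extension.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return ["extension '$ext' not allowed"];
    }
    $problems = [];
    // 2. Header: the leading bytes must match the claimed extension.
    $headerOk = false;
    foreach (ALLOWED[$ext] as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            $headerOk = true;
            break;
        }
    }
    if (!$headerOk) {
        $problems[] = "header does not match .$ext";
    }
    // 3. Body: a valid header says nothing about the rest of the file.
    foreach (CODE_MARKERS as $marker) {
        if (stripos($bytes, $marker) !== false) {
            $problems[] = "body contains '$marker'";
        }
    }
    return $problems;
}

// Constructed sample uploads: client-supplied name => file bytes.
$samples = [
    'photo.gif'     => "GIF89a\x01\x00\x01\x00\x80\x00\x00;",
    'malicious.php' => "<?php echo 1;",
    'renamed.gif'   => "<?php echo 1;",                       // extension changed only
    'malicious.gif' => "GIF89a/*\x00\x01*/<?php echo 1;",     // spoofed header
];
foreach ($samples as $name => $bytes) {
    $p = check_upload($name, $bytes);
    echo str_pad($name, 15), $p ? 'REJECT: ' . implode('; ', $p) : 'accept', "\n";
}
```

The spoofed-header sample passes checks 1 and 2 and is rejected only by the body scan, and that scan catches only the markers it lists. Storing uploads where the web server never executes them does not depend on the scan being complete.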
© HellBound Hackers 2008- 2009. Since 3rd December 2004.