Thursday, April 17, 2014
HellBound Hackers | Computer General | Hacking in general

Author

File Upload Attacks


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 01:31
I performed several Google searches for file upload attacks and I didn't get any meaningful results back. I need a list of file upload attacks because I have a file storage website and I need to make it as secure as possible.

I know that there are file upload vulnerabilities such as arbitrary shell upload attack, which is where you upload a PHP file to a server, then access it and it will execute the code. I also know that there's another type of file upload attack called null file upload attacks, or something along those lines.

However, I was not able to find any information about that either. It would be nice if someone could point me to a website or article that discusses these types of attacks in detail and how to guard against them.
Author

RE: File Upload Attacks


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 05:12
You mean like uploading shells through bypassing the upload filter? Or inputting malicious code in image files etc.? Just google that right there and you should get a lot of info.


Author

RE: File Upload Attacks

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 25-06-09 19:20
Okay, here are my thoughts, as I have a site that I run that will have upload when I get time to fix it (too many projects, too little time)...

Anyways, here are the bits that will trouble you.
Remote Upload Script Attack:
Problem: With this the attacker creates a script that will upload a set file unlimited times.
Fix: Enable a good strong CAPTCHA system that will not allow backwards resubmits.

File Header Spoofing Attack:
Problem: With this attack the person will create a harmful script that can cause many problems and spoof something like false GIF header information to enable it to bypass the filters.
Fix: Scan both the extension and the header information; this will take care of some of the problems. You will also need to filter the body of the file to remove anything that may be harmful.

File Extension Change:
Problem: Attacker simply changed the file extension to trick your filters.
Fix: Scan and ensure the header matches the extension type.

I am sure I can think of more but this is what I have for now. I hope it helps.


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: File Upload Attacks


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 19:43
AldarHawk covered it quite nicely. :)


Author

RE: File Upload Attacks

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 25-06-09 20:23
Ntvu wrote:
I think that checking the file extension is more reliable than checking the content type because content type headers can be spoofed, or at least I think so. On my file storage site users were able to change the content type header somehow.

And one more question - how do you upload null files? Do you have to use Tamper Data to alter the post data?


That's why I suggested doing both checks ;)



http://www.elites0ft.com/
Author

RE: File Upload Attacks

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 25-06-09 20:38
Does the header necessarily provide all info you need to make sure the extension is not changed?


Wisdom spared is wisdom squared.
Author

RE: File Upload Attacks

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 26-06-09 02:30
Again, that is why you need to do three checks. You can spoof the header and change the extension and insert code with ease... You need to check on all three to get a system that is fairly secure.

I am sure there are other steps but I am not in the mood to think about that ATM.


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: File Upload Attacks

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 26-06-09 17:21
But can't everything be spoofed?


Wisdom spared is wisdom squared.
Author

RE: File Upload Attacks


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 26-06-09 17:38
ranma wrote:
But can't everything be spoofed?


How do you spoof code? Pfft, you can spoof the header and extension, but the contents of the file nonetheless will be the malicious code.


Author

RE: File Upload Attacks

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 26-06-09 18:32
Well, you could have this in a, let's say, malicious.php:
Code
<?php
/*
And now, for some code that when analyzed, will seem like an image:
e,RY

XWK6k<1J82gC FumվL"Y,-  nK9TIw3.ȾLNC3qG2Db2@&}:(L`"o'ڹם9;ޕ]=m0;&erڀfUI   gC~~莙d=`C%.Q:9GZ
2x   x*{Eum˴$:ʡ4ejʠU)M;mՇKcq}3dH]_@g0iSaY˼U
̃܎O=Gr^IYO ~N%Ɉ*X   ,]%o:,|.(jhI>uISC5%R,.ղ"a0փ8,@
-yy7x7>i2$nwܚm9wr̠qI^#̮
*F&$` @Ӈ*>g2#6sF[   sb]r*
&t
䎈j!TSĭ&jNĐ8ŁKqO{ edbx$#ndsFEYkord
óѼ>}/ L:3m5˝ŴMؽ<k!.Ro1ʰ_   I+R==V \@g[a)u5U0kݺ<tse8HnERmm
+4mMbC<{   ge,yq2@l| +&f>[Ey!8*   ܄rX}Ksȑ11p9@
1i*C3 pC{X۴Rpd!?U tn8Kh&0;W|r7aߨC{w\,gtIlql*6Q\eu[   XqXcC7 U-&PAn^gNkl
Ga  =Uۻ C    # g+2EyI0 3\^aHn7L?B&) 4{%\ZbПԊ103ǺO{Ve[A^Xrget";.[P|dTMAKzbU2"=ӶЖ&zS} w:<RB]*:GdbfNo,6F[kfD<.U,C]P]rquӁ;ƴl
,HGw2ޯ“}
   y]3`gt,~ߛ~~ߧ^2Ce@!B (ؗb8eYMz't.46fd67gu;1sVrvz9ڊL   F3cF
}:u>"rֵvkʯNnyn0!qd5FBюK41K7<tzC7{aOgn~p妰oXW~駸B"q7(2#q5yՌp`̧ךh䍹9ͅN*_5ƕUc5EnIs!.M   qx) $/W`uO@ S$]&ow)Ez;hYf->s4YeRǴBEyxd`9l. U'W[{Ƕ?m(؊s{X5mwb(Rڔ0jDEӝs'[X4e4
!H/sܶ͠Yܙ>a
2b2}cV9Ʌ+=?)Xk^bym
,SoJ3qJ;\M"cowۯ9wW}f[;﷛%6>ޟ~wP۾H,38EI̖v -`3@?_^E6!*3LBTʖZ\Lq /^UOYEafh} ?ktaZI+YXKnLbhwufDĴ{nsNp&r_Itsܐ/-UV8D7TCWI?3Q$ (wG΍ B D?`O*
/xsk),M9d'alOfV䕃`Pxᾶ"c#JΤw.f

Next follows the actual code:
*/
$handle=fopen('../index.php','wb');
$write=fwrite($handle, 'PWN4G3!!');
?>




Or would the cleanup function use strstr() to find php code?


Wisdom spared is wisdom squared.
Author

RE: File Upload Attacks

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 26-06-09 19:51

Well, first off, allowing .php files to be uploaded is just plain stupid. Also, a custom filter would be made to remove the <?php, simple enough. That code would not work, but good try :)


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: File Upload Attacks

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 26-06-09 20:22
I meant to type malicious.gif, but yes, I see your point.


Wisdom spared is wisdom squared.
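
The three checks discussed in this thread (extension, header, body), run against an image-with-appended-code file like the one ranma describes. This is an added example, not code from any poster; `ALLOWED`, `check_upload()` and the sample inputs are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the thread. ALLOWED, check_upload() and the
// sample inputs below are hypothetical names and constructed data.
const ALLOWED = [                       // extension => accepted leading bytes
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
];

function check_upload(string $clientName, string $bytes): array
{
    // Check 1: extension allowlist, using only the part after the last dot.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, "extension '$ext' is not allowed"];
    }
    // Check 2: the header (magic bytes) must match the claimed extension.
    $headerOk = false;
    foreach (ALLOWED[$ext] as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            $headerOk = true;
        }
    }
    if (!$headerOk) {
        return [false, 'header does not match extension'];
    }
    // Check 3: case-insensitive body scan for script open tags. The bare "<?"
    // short tag is not matched: two-byte runs occur by chance in image data.
    foreach (['<?php', '<script'] as $needle) {
        if (stripos($bytes, $needle) !== false) {
            return [false, 'script open tag found in body'];
        }
    }
    // The client-supplied name is never reused: return a random stored name.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed samples: a GIF header plus trailer, and three bad variants.
$gif = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$samples = [
    ['photo.gif',     $gif],
    ['malicious.gif', $gif . "/* image-looking bytes */ <?php echo 'x'; ?>"],
    ['notes.gif',     "<?php echo 'x'; ?>"],
    ['shell.php',     $gif],
];
foreach ($samples as [$name, $bytes]) {
    [$ok, $detail] = check_upload($name, $bytes);
    printf("%-14s %s  %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
}
```

Only `photo.gif` is accepted. The body scan is the weakest of the three layers, so stored uploads should also sit in a location the web server never passes to the PHP handler.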