RCE in .tgz file upload

  • RCE after a file upload is usually due to one of the following:
  1. A lack of filtering of the file types that can be uploaded.
  • Many web applications filter file uploads by extension and by MIME type, often seen in web forms as the “Content-Type” header. For example: I have bypassed file upload filters in the past by appending “;.php” to the expected file extension.
  • Changing the content type to the expected one, such as from “application/x-php” to “image/jpeg”.
Original request / Changed request (screenshots)
  • The server was not doing a simple check on extensions or MIME type, and I guessed that since it was expecting a .tgz archive it was unpacking the archive.
  • I created a .tgz archive with a PHP web shell.
  • With properly formatted files within a .tgz archive in hand, I unzipped the archive, added a web shell to the archive, repacked it, and then sent it off to the server.
  • Back to the drawing board. I unpacked the archive once more and replaced one of the expected files with a web shell with the same name but the .php file extension.
  • This time the server threw the upload error again after a short wait.
  • Knowing that the application expected files with certain names and extensions, and that it would drop any additional files somewhere along the way, I combined techniques and did this: I unpacked the archive again, added a PHP webshell
  • As an example: I would have changed “filename123.pdf” to “filename123.pdf.php”. The application’s logic would hopefully see the first extension and expected name and approve the file for processing, while the server would ignore the first extension and only pay attention to my .php extension. It worked :))
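The write-up turns on two server-side weaknesses: a name check that keys on the first extension (so “filename123.pdf.php” looks like “filename123.pdf”), and an unpack step that lets any member of the archive reach disk. The following is an added example, not code from the original post or from the affected application, showing that weak check beside a hardened one and an extraction routine that only writes allowlisted members. The expected member names, allowed extensions and the sample archive contents are constructed assumptions for the demonstration; the .php members carry inert placeholder bytes.

```python
import io
import os
import posixpath
import tarfile
import tempfile

# Constructed assumption: the upload endpoint expects an archive containing
# exactly these members, each with a single, known extension.
EXPECTED_MEMBERS = {"filename123.pdf", "manifest.json"}
ALLOWED_EXTENSIONS = {".pdf", ".json"}


def naive_member_ok(member):
    """Weak check in the style the write-up describes: it keys on the name up
    to the first extension, so 'filename123.pdf.php' is mistaken for the
    expected 'filename123.pdf'."""
    base = posixpath.basename(member.name)
    stem, _, rest = base.partition(".")
    first_ext = "." + rest.split(".")[0] if rest else ""
    return first_ext in ALLOWED_EXTENSIONS and (stem + first_ext) in EXPECTED_MEMBERS


def strict_member_ok(member):
    """Hardened check: whole-name allowlist, single extension, flat path,
    regular files only. Anything else is dropped before extraction."""
    name = member.name
    if not member.isreg():                      # no symlinks, hardlinks, devices, dirs
        return False
    if name in ("", ".", "..") or name != posixpath.basename(name):
        return False                            # no directory components or traversal
    if "\\" in name or "\x00" in name:
        return False
    if name not in EXPECTED_MEMBERS:            # the full name must match, not a prefix
        return False
    stem, ext = posixpath.splitext(name)
    # Redundant with the allowlist, kept as defense in depth: exactly one extension.
    return "." not in stem and ext in ALLOWED_EXTENSIONS


def build_archive(members):
    """Build an in-memory .tgz from {name: bytes}; used here to construct test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def screen_archive(blob, check):
    """Return {member name: verdict} without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: check(m) for m in tar.getmembers()}


def extract_expected(blob, dest):
    """Write only members passing the strict check into dest, by exact name.
    The archive is never handed to extractall()."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not strict_member_ok(member):
                continue
            target = os.path.join(dest, member.name)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(member.name)
    return sorted(written)


# Constructed sample archive: two legitimate members plus the kinds of extras
# the write-up mentions (double extension, extra file, path traversal).
SAMPLE_ARCHIVE = build_archive({
    "filename123.pdf": b"%PDF-1.4 placeholder",
    "manifest.json": b"{}",
    "filename123.pdf.php": b"<?php /* placeholder */ ?>",
    "extra.php": b"<?php /* placeholder */ ?>",
    "../outside.php": b"<?php /* placeholder */ ?>",
})


def demo():
    """Round trip: screen with both checks, then extract with the strict one."""
    naive = screen_archive(SAMPLE_ARCHIVE, naive_member_ok)
    strict = screen_archive(SAMPLE_ARCHIVE, strict_member_ok)
    with tempfile.TemporaryDirectory() as dest:
        written = extract_expected(SAMPLE_ARCHIVE, dest)
        on_disk = sorted(os.listdir(dest))
    return naive, strict, written, on_disk


if __name__ == "__main__":
    naive, strict, written, on_disk = demo()
    for name in naive:
        print(f"{name:24} naive={naive[name]!s:5} strict={strict[name]!s:5}")
    print("extracted:", written, "on disk:", on_disk)
```

Run as a script, the naive column accepts “filename123.pdf.php” while the strict column rejects it along with the extra and traversal members; only the two expected files are written to disk. The point of `extract_expected` is that the decision is made per member on the parsed header, and the archive as a whole is never passed to `extractall()`, so a stray member cannot land somewhere the web server will execute it.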

rei_hunt