RCE in .tgz file upload
Cre: Machevalia’s Blog
- I will collect some methods
- RCE after a file upload is due to either:
  - A lack of filtering of the file types that can be uploaded
  - An error in the filtering process of the web form where the file is being uploaded
- Many web applications filter file uploads by extension and by MIME type, often seen in web forms as “content-type”. Example: I have bypassed file upload filters in the past by appending “;.php” to the expected file extension
- Changing the content type to the expected one, such as from “application/x-php” to “image/jpeg”
- For this specific RCE, the server expected a .tgz file
- I attempted a few of my favorite file extension and MIME type changes without success.
- The server was not doing a simple check on extensions or MIME type, and I guessed that since it was expecting a .tgz archive it was unpacking the archive
- I created a .tgz archive with a PHP web shell.
- With properly formatted files within a .tgz archive in hand, I unzipped the archive, added a web shell to the archive, repacked it, and then sent it off to the server.
- Back to the drawing board, I unpacked the archive once more and replaced one of the expected files with a web shell with the same name but the .php file extension
- This time the server threw the upload error again after a short wait.
- Knowing that the application expected files with certain names and extensions and that it would drop any additional files somewhere along the way, I combined techniques and did this: I unpacked the archive again, added a PHP web shell
- As an example: I would have changed “filename123.pdf” to “filename123.pdf.php”. The application’s logic would hopefully see the first extension and expected name and approve the file for processing, while the server would ignore the first extension and only pay attention to my .php extension. It worked :))
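From the defender's side, here is an added example (my own code, not from the original post) of how an upload handler could validate the entries of a .tgz before unpacking so that the double-extension trick above fails: every entry must be a regular file, must not escape the upload directory, must have an expected stem, and its last extension (the one the web server dispatches on) must be on an allow list. The expected names, extensions and size limit are constructed assumptions.

```python
import io
import posixpath
import tarfile
from typing import Dict, Optional

# Constructed policy for the upload handler: names the server expects, and the
# only extensions it will serve. A real handler would load these from config.
EXPECTED_STEMS = {"filename123", "report"}
ALLOWED_EXTENSIONS = {".pdf", ".csv"}
MAX_MEMBER_SIZE = 5 * 1024 * 1024


def validate_member(member: tarfile.TarInfo) -> Optional[str]:
    """Return None if the archive entry is acceptable, otherwise the rejection reason."""
    if not member.isfile():
        return "not a regular file"          # no directories, symlinks or devices
    if member.size > MAX_MEMBER_SIZE:
        return "file too large"
    name = posixpath.normpath(member.name)
    if name.startswith("/") or name.startswith("..") or "/" in name:
        return "path escapes upload directory"
    # Decide on the LAST extension: 'filename123.pdf.php' ends in .php, not .pdf.
    stem, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return "extension not allowed"
    # The stem must match exactly and carry no further dots, so
    # 'report.php.csv' is rejected even though its last extension is fine.
    if stem not in EXPECTED_STEMS:
        return "unexpected file name"
    return None


def validate_archive(data: bytes) -> Dict[str, Optional[str]]:
    """Inspect every entry of a gzip'd tar held in memory without extracting anything."""
    results: Dict[str, Optional[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            results[member.name] = validate_member(member)
    return results


def build_sample_archive(names) -> bytes:
    """Build a small .tgz in memory with the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            payload = b"sample content"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Only an archive whose every entry validates to None should be unpacked, and the unpacked files should still be written to a location the web server does not execute scripts from.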