RCE in .tgz file upload

  • RCE after a file upload is due to either
  1. A lack of filtering in the file types that can be uploaded
  • Many web applications filter file uploads by extension and by MIME type, often seen in web forms as “content-type”. Example: I have bypassed file upload filters in the past by appending “;.php” to the expected file extension
  • Changing the content type to the expected one, such as from “application/x-php” to “image/jpeg”
Original request
  • The server was not doing a simple check on extensions or MIME type, and I guessed that since it was expecting a .tgz archive it was unpacking the archive
  • I created a .tgz archive with a PHP web shell.
  • With properly formatted files within a .tgz archive in hand, I unzipped the archive, added a web shell to the archive, repacked it, and then sent it off to the server.
  • Back to the drawing board: I unpacked the archive once more and replaced one of the expected files with a web shell with the same name but the .php file extension
  • This time the server threw the upload error again after a short wait.
  • Knowing that the application expected files with certain names and extensions, and that it would drop any additional files somewhere along the way, I combined techniques and did this: I unpacked the archive again, added a PHP web shell
  • As an example: I would have changed “filename123.pdf” to “filename123.pdf.php”. The application’s logic would hopefully see the first extension and expected name and approve the file for processing, while the server would ignore the first extension and only pay attention to my .php extension. It worked :))
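The bypass above works because the application matched the expected name and the first extension, while the web server dispatches on the last extension, and because extraction placed extra members somewhere reachable. The following is an added example, not code from the original post, showing how the receiving side can inspect a .tgz before extracting anything: every member must match an allow-list of exact filenames, carry exactly one extension, be a regular file, and stay inside the upload directory. The expected member names (`filename123.pdf`, `manifest.json`), the allowed extensions and the flat-archive requirement are constructed assumptions for the example.

```python
import io
import posixpath
import tarfile
from typing import Dict, List

# Constructed allow-list: the exact member names the upload is expected to contain.
# The original post never names the files; these are illustrative placeholders.
EXPECTED_MEMBERS = {"filename123.pdf", "manifest.json"}
ALLOWED_EXTENSIONS = {".pdf", ".json"}


def member_problems(info: tarfile.TarInfo) -> List[str]:
    """Return the reasons a single archive member must be rejected (empty list = accepted)."""
    problems = []
    name = info.name
    # Only plain regular files: symlinks, hard links and devices can redirect
    # extraction outside the intended directory.
    if not info.isfile():
        problems.append("not a regular file")
    # No absolute paths, no parent-directory traversal, no nesting (flat archive assumed).
    normalized = posixpath.normpath(name)
    if name.startswith("/") or normalized.startswith("..") or "/" in normalized:
        problems.append("path escapes or nests below the upload directory")
    # Compare the WHOLE filename against the allow-list, not a prefix of it.
    base = posixpath.basename(name)
    if base not in EXPECTED_MEMBERS:
        problems.append("not an expected file name")
    # Reject double extensions explicitly: the web server acts on the last one.
    parts = base.split(".")
    if len(parts) > 2:
        problems.append("double extension")
    last_ext = "." + parts[-1] if len(parts) > 1 else ""
    if last_ext not in ALLOWED_EXTENSIONS:
        problems.append("last extension not allowed: %r" % last_ext)
    return problems


def validate_archive(data: bytes) -> Dict[str, List[str]]:
    """Inspect every member of a gzip'd tar without extracting it.

    Returns a mapping of member name -> rejection reasons; an empty dict means
    the archive is safe to extract. Missing expected files are reported under
    the pseudo-key "<archive>".
    """
    rejected: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            problems = member_problems(m)
            if problems:
                rejected[m.name] = problems
        present = {posixpath.basename(m.name) for m in members}
        missing = EXPECTED_MEMBERS - present
        if missing:
            rejected["<archive>"] = ["missing expected file(s): %s" % ", ".join(sorted(missing))]
    return rejected


def build_tgz(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory .tgz from a name -> content mapping (test helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a well-formed upload and one using the double-extension trick.
    good = build_tgz({"filename123.pdf": b"%PDF-1.4 placeholder", "manifest.json": b"{}"})
    bad = build_tgz({"filename123.pdf.php": b"placeholder bytes", "manifest.json": b"{}"})
    print("good:", validate_archive(good))
    print("bad: ", validate_archive(bad))
```

The check runs over `getmembers()` only, so nothing touches the filesystem until the whole archive has been accepted; an archive that fails validation should be discarded, not extracted "just the good parts". Pairing this with a post-extraction step that serves the upload directory with script execution disabled removes the second half of the chain even if a check is later weakened.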