How To Bypass Website File Upload Restrictions
- Published: 10 Jul 2024
- j-h.io/snyk || Special Thank You to Snyk for sponsoring this video! Get started with Snyk FOR FREE ➡ j-h.io/snyk
00:00 NahamConCTF Byepass
01:46 NahamConCTF 2022
02:53 Challenge Begin
08:10 Source Code
12:34 Alh4zr3d's Tweet
12:44 Byepassing the deny list
19:16 Final Thoughts
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
The actual flaw in the source is that the developer missed the upload going to a separate folder, placing the uploads in the root allowing for the .htaccess overwrite. If the developer made the uploads go to the correct folder, this vulnerability would not work. Great video!!
the .htaccess file would've still worked even in a subfolder
would not work with nginx
@rebane2001 The Dockerfile in the provided source code 7z says the image is php:7.2.12-apache. The default Apache config is "AllowOverride None" such that only .htaccess in the root is respected. One would need to configure AllowOverride All in the Apache config for .htaccess in uploads to be respected for other files uploaded to that folder.
I've tested this using XAMPP with prolly PHP 7.x, quite the same as the one in the video. Yes, htaccess does work even in a subfolder. Matter of fact, the htaccess in a subfolder will overrule any htaccess in the parent folder if you tell it to (something with RewriteEngine and/or IndexIgnore, can't remember).
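For the AllowOverride discussion in this thread, here is an added Apache configuration fragment (mine, not the video's or the challenge's config) showing the defensive side: override files are ignored everywhere, and the uploads directory additionally has script execution turned off. Paths are assumed; `php_admin_flag` applies to mod_php (as in the php:*-apache images) and `Header` needs mod_headers.

```apache
# Added example, not the challenge's configuration. Paths are assumed.
# Goal: an uploaded .htaccess is never honoured, and nothing under the
# uploads directory is ever executed as PHP, whatever its extension.

<Directory /var/www/html>
    # Ignore any .htaccess an attacker manages to write into the web root.
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/html/uploads>
    AllowOverride None
    # mod_php: disable the PHP engine for this directory entirely.
    php_admin_flag engine off
    # Belt and braces: drop the handler/type mappings so .php/.phtml/.phar
    # are served as inert files even if the engine flag is ever removed.
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar
    # Serve uploads as downloads and stop browsers from sniffing a type
    # (needs mod_headers).
    Header set Content-Disposition attachment
    Header set X-Content-Type-Options nosniff
</Directory>
```

After changing this, `apachectl configtest` followed by a restart and a quick request for a known-inert test file in the uploads directory confirms the directives took effect; a simple check is that a file named like a PHP script comes back as a download rather than being executed.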
Wow, this is crazy, I missed this tip from Alh4zr3d. Thanks John for bringing this live with the CTF challenge.
I solved this using a null byte (evil.php%00.jpg)
Damn that's a really simple thing
Wait is that an actual null byte or just a '%00' string? If it’s a null byte then how do you put it in a filename?
@brighthades5968 it's the url encoding of a null byte so it's gonna be url-decoded server-side and what's after it will be ignored so your php malicious file gets executed
@j133X so you just upload whatever.php%00.whatever?
@brighthades5968 yup
And here I thought you were going to sneak something into an image file! But the trick with the .htaccess was unexpected and interesting anyway. Thank you for uploading!
Well, thanks! You just saved me. I checked my apps and in one of them I forgot to make an allow list for uploads. Luckily the frontend saved me and no one tried to upload some disallowed stuff :D
Dude your content and production quality just get better and better! Excited for the video.
This is very good, thanks.
Learning every day with your channel. Keep up with the good work ✌️
I've seen this on an Ippsec video a few months ago too. Great content as always! 🙌
Thank you! Appreciate everything you share!
Nice learning, thank you for sharing and putting this together!
That was pretty slick, nice job John!
awesome video, love this type of content as I am aspiring to be a Web App PenTester and it was cool seeing this and being able to understand what was going on
As soon as you mentioned changing the configuration, I thought of htaccess. A project I worked on was using it to redirect certain requests to a cdn, to avoid changing the JavaScript code
One of my favorite RUclips channels all time!
Thanks for that! I'll keep that in mind!
When I watch these very interesting videos, I am "ecstatic" to see how logic, interpretation, deduction is so accessible for solving these problems... and I noticed that some problems are brilliant, very well, but in the end all problems get solved.
Nice trick ! Incredible video and explanation, thanks for yet another very useful upload.
John I just wanted to take a moment to tell you how much I admire your technical skills and intelligence. You are truly a standout in your field and have a natural talent for understanding complex systems and finding innovative solutions.
I think though he should make more videos of solving it live you know? Like every time I watch it I feel so slow but then I realise he's already solved the challenge and is so much quicker
Thank you teacher ❤
That was an impressive presentation. I like that gimmick, appreciate the walkthrough.
Thank you for the great content. You're the best ever, John
This is a great challenge! I love thinking about ways to exploit file upload!
Very interesting, thanks
The videos you have been posting lately have been really interesting keep it up John!
Except the intel ones and I’m saying that as a Intel shareholder
@izrailas what was wrong with the ROP video? :(
It's already there in Portswigger Labs. Loved the way John explains stuff.
This same technique was showcased in one of my HTB boxes called "Seventeen"
good work
To anyone wondering: you can use the Wappalyzer extension to see which tools were used to build a website.
Thanks for the content, is this technique only available on apache servers or also Nginx ? And also is the technique working because the htaccess file is dropped in the root directory right ?
thanks
Nice trick!!!
well... okay, subscribed =)
Amazing
6:00 are you referring wappalyzer ??
yes
I wonder if it's possible to hijack the API from the storage site and use their API to upload multiple files via this bypass..
Hah! I caught on to the flaw before you explained the solution! I have never used PHP either :P
14:30 I think it's funny that you accidentally saved the .htaccess file a directory above where it was supposed to go. That's the exact mistake the server makes which you are exploiting.
.htaccess is supposed to be in the root directory right?
has anyone used an IMAGE to bypass that and if so is there any writeups ?
Please help i need to have bank statements uploaded to the snappt portal for an apt approval . How can i bypass and get the docs approved... please please please help.
i thought you could make an html file and cat the filesystem using href or something. would that be possible?
this is only applicable if the upload location is in the root folder (html) right?
Old but gold
what if files are being uploaded to a specific directory, how would you handle htaccess file
one question: how did you bring up the search menu in file explorer
What if you can only upload .gif files? What do i do then
Well now I need to learn what powershells are and how to use them
What about if the PHP list of allowed file types is inclusive instead of exclusive. Can imagine most websites will only allow PNG/JPG file types and call it a day
Right, an allowlist would make this impossible, because the actor wouldn't be allowed to upload .htaccess file. Allowlists are almost always better than denylists :)
Exactly.. even the most basic image upload code on w3schools has an allowlist for image extensions.
Looking at the code you didn't need to upload a htaccess at all you could have put your webshell into a html file and uploaded that because html isn't even on the blocklist -_-
@BryanLu0 yea sorry..my bad I mixed up html running within PHP files and forgot that html would be served but php wouldn't be processed. Then I signed up to the ctf and tried playing around on the challenge, I was quite sure that a double extension or null byte file extension would work but they didn't either so now I'm confused..I'm pretty sure I faced an upload bypass challenge previously where I used a much simpler trick like a double extension if someone can let me know what I've forgotten or missed out it would be a great help..thanks
Nice, why u not create playlist of hacking tips and tricks? Maybe that will be good
what if they insert .htaccess on the blacklist
Can you bypass max number of file uploads at once?
Why so complicated? basically you just need to specify the whitelist of allowed file upload extensions, instead of blacklist or deny list as seen in the video, right?
like $allowedExts = ["jpg", "gif", "bmp", "png"]
IF $fileExt is in the array then proceed to upload, else rejects it.
Whitelist would have prevented this entirely, yea!
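Picking up the allowlist idea from this thread, here is an added PHP upload handler (my own example, not the challenge's source, which used an `$ext_denylist`). Everything named here, `UPLOAD_DIR`, `ALLOWED_TYPES`, `validate_upload()` and `handle_upload()`, is assumed. It lowercases and allowlists only the final extension, rejects control characters such as a decoded null byte, checks the actual bytes with `finfo`, and stores the file under a server-chosen random name outside the document root, which also removes the filename-collision problem raised further down the comments.

```php
<?php
// Added example, not the challenge's code. UPLOAD_DIR, ALLOWED_TYPES,
// validate_upload() and handle_upload() are assumed names.
declare(strict_types=1);

// Keep uploads outside the document root so nothing there is ever served
// or executed by Apache/PHP. Assumed path; it must be writable by the web user.
const UPLOAD_DIR = '/var/www/uploads_private';

// Allowlist: final extension => MIME type the file content must really have.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns null when $originalName / $tmpPath describe an acceptable image,
 * otherwise a short rejection reason.
 */
function validate_upload(string $originalName, string $tmpPath): ?string
{
    // Reject control characters; this covers a %00 once the server decodes it.
    if (preg_match('/[\x00-\x1f]/', $originalName)) {
        return 'control character in filename';
    }

    // Only the *final* extension counts, lowercased, so "x.PHP" cannot slip
    // past and "shell.jpg.php" is rejected outright; "shell.php.jpg" passes
    // this step but must then survive the content check below.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return 'extension not allowed';
    }

    // Check the bytes, not the name: a script renamed to .png fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return 'content does not match extension';
    }

    return null;
}

/** Moves a validated upload to a random, server-chosen name and returns it. */
function handle_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $reason = validate_upload($file['name'], $file['tmp_name']);
    if ($reason !== null) {
        throw new RuntimeException('rejected: ' . $reason);
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    // Server-chosen name: the client cannot pick ".htaccess", cannot overwrite
    // another user's file, and cannot smuggle path separators.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Minimal usage: expects a multipart form field named "upload".
if (isset($_FILES['upload'])) {
    try {
        echo 'stored as ' . handle_upload($_FILES['upload']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Note that the allowlist here is the whole story: because `.htaccess`, `.php`, `.phtml` and so on are simply absent from `ALLOWED_TYPES`, no list of "bad" extensions has to be kept up to date, which is exactly the maintenance trap the video's denylist (with its duplicated `phps` entry) illustrates.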
What do i do if it only allows the upload of .gif file types/extension. I want to create a reverse shell but .gif are the only files i can upload
@zius2140 the point is to secure the web app upload function and prevent the attacks.
@novianindy887 yes sorry for the random question, but how can i manually activate a reverse shell payload that's disguised as a .gif file type? I have successfully uploaded a .gif file containing a reverse shell payload, but it won't activate when i access the file from the browser
@zius2140 I wish hacking worked like that. Just ask on a public forum for the solution to get in somewhere that's intentionally keeping you out. It kinda does but don't tell people you are uploading payloads to a server. Do the due diligence and find a tutorial or vulnerability for your specific case. Or AI exists now, risk being banned from talking to the AI by asking it what to do.
I wonder what other solutions have been used for this.
input exclusion?
Damn that's a very creative solution
How’s it going John
At first, my guess was that the file extension was only verified in clientside code. (But it later became clear that I was incorrect.)
Cool! I thought you were going to upload a .htm or .html file because those values were not present in the $ext_denylist array. Then perhaps you could get the flag file just using html (a href) or with javascript (for the io functions). Thanks again for the video.
Just my thought too.
I don't think it will help. As it was a PHP server and you can't access files in a linux system through html/js etc.
@jaromir_hodan I agree.
But I do remember .htm and .html files being interpreted as .php files by default years ago.
Could have been my service provider at the time, though. With some default htaccess action going on.
@jaromir_hodan html can run php
well we can upload the web shell by using the null %00 value specific for this source code
me looking at this ..I don't spot *.html in the forbidden list
Does the htaccess file need to be at root of web folder or it could be anywhere?
every folder can have its own htaccess file to configure settings for the specific folder
@robbirobson7330 yeah, the whole part in this challenge regarding the uploads folder doesn’t really matter here
wow well done. actually i learned html with the help of your videos.🙂 thanks for sharing the knowledge.
also i have some web projects ideas but i have no one to work with me. i mean i need a team who has some creativity, but everyone wants some money today. if any one wants to invest in future, let me know.✌️
What if the apache server configuration had an "AllowOverride None" directive on it, would it still work?
Bruh has better ui design than 80% percent of ui designers i've met ngl 💀
you may want to be careful about allowing people to upload to your actual site because it could be abused to post illegal image files.
i hope for the sake of safety you are creating the upload directory on the local machine rather than your site or are deleting the files immediately or only going through the motions of upload.
in the list you specify php2, what if you were able to rename the file to php20, would that upload and execute?
It's not a live website, just a docker container created on demand. I don't believe php20 would work, but might be worth experimenting!
That's why we no longer use Apache in production. Besides, it's 2022. Nginx exists, it's faster, lightweight, less resource-consuming and htaccess is not enabled there out-of-the-box :)
Network topic for developer tools upload
But for this payload to work, the web application has to upload the files directly in the web root right ?
Or you might be able to find some vulnerability that allows you to upload directly to root, maybe?
Like if you have a zip slip vuln in something that takes a zip and unzips it.
using a whitelist is better for security.
only allow jpg, png, jpeg ... etc
can anyone help me download a file?
Hm wondering if you could run a web shell written in HTML could that work?
No, if you are referring to the JavaScript code within the html then yes
Couldn't you just control this on the front end by limiting the "accept" to image files? Trying to limit file types on the server seems like overkill when the client can already do it
Never ever a good idea!
Attacker is in full control of the client-side code. You put a JS filter on it, attacker goes into dev tools and removes it. It is a convenience feature, but not a security feature. And exactly the type of vulnerability script kiddies like myself would exploit all day.
If you make it any more complicated client-side, an attacker would just go to the network tab, figure out how the requests are formed and sent and craft their own bypassing all your frontend-only checks altogether.
*Any* request coming to your server should be treated as unsafe. You block access to admin area on the frontend? Better make sure the requests are validated and users are not bypassing those checks.
Song at the start?
It's a song from Storyblocks (website for royalty free music for content creators). Idk the name. Will see if I can find an upload of it when I get to my computer.
6:01 does anyone know what he’s talking about? To find out what app was built with?
wappalyzer
why didn't you just upload an html file with php code in? In the file blacklist there wasn't any html file forbidden.
Would it work if you change the php to capital letters. Could it bypass the web file upload restriction?
The extension is run through a function to turn the letters into lower case, so it would still catch it.
Can see this around 10:35
@nordgaren2358 yeahh I see haha I would have failed this ctf 😂
Php?
Aplod CTF moor explain
Using .PHP instead of .php wouldn't have worked?
This technique hardly works in real life scenarios now 😕 saying that because I also posted a similar video on it bypassing shell upload via .htaccess, and other stuff in my shell uploading playlist.
website doesn't work !
10:16 why "phps" included twice?
probably just a copypaste leftover
i think it will only be possible when someone upload something to the root directory.
Solved it while recording and still, 13:37 on the clock left.
Saving the uploaded file with its original name given by the client is bad practice anyway because of file name collisions. You don't want one user to replace the upload of another user. Sadly such mistakes do happen.
Alt title: How to get banned from file upload services
Please don't delete this video. 🤣😉 I might need to refer this video some later time.
12:43 zist
What if those upload restrictions are whitelisted other than blacklisting😅
And this is why I haven't used PHP for over 10 years, it's a complete mess
This isn't a PHP flaw. Also: If you haven't used PHP in ten years, you have no idea how it looks now.
Oh damn ITS PHP AGAIN
sneaky
Why not just have an allow list and not use php to begin with…
1 of the reasons why i dont use php
whitelist better than blacklist
First red flag. Using open source webserver.
Second red flag. Using php.
i am saddened that there was in fact not a rickroll:(
This doesn't bypass file upload restrictions at all.
Actually, this can be bypassed with a 0-byte .htaccess file
Don't write any syntax in the .htaccess, just upload the .php file
Because the old .htaccess on the server was replaced with the new .htaccess
Thanks.
@Omest Dian that's new knowledge. Thank you for this. I will also try this technique on applications made in different framework.
Risky. The htaccess file can cause an error. Then you can lose access to the site completely.
0203 exe Google docs malware killed me next round I killed it XD