Hi Everyone,
Welcome back to my post about the penetration testing exercise with Billu_b0x provided by vulnhub.com.
Continuing from the last exploitation, the local file inclusion, which led us to a very important credential that allowed us to log in to the box over SSH as root. This is a very direct attack vector, the result of a combination of mistakes in the admin's configuration, and it let us escalate to the highest privilege on the box.
As I promised earlier, I had the feeling that the upload function might also have a bug we could exploit. Let's examine the upload function.
An upload function is a natural target for an attacker who wants to upload a malicious file and backdoor the system. If the developer does not check the file properly, the check can be bypassed with certain techniques.
In panel.php I found the upload validation shown in the code snippet below:
if(isset($_POST['upload'])) {
    $name=mysqli_real_escape_string($conn,$_POST['name']);
    $address=mysqli_real_escape_string($conn,$_POST['address']);
    $id=mysqli_real_escape_string($conn,$_POST['id']);
    if(!empty($_FILES['image']['name'])) {
        $iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
        // check 1: the extension is taken from the user-supplied file name
        $r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
        $image=array('jpeg','jpg','gif','png');
        if(in_array($r,$image)) {
            // check 2: the MIME type libmagic derives from the file's first bytes
            $finfo = @new finfo(FILEINFO_MIME);
            $filetype = @$finfo->file($_FILES['image']['tmp_name']);
            if(preg_match('/image\/jpeg/',$filetype ) || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype )) {
                // the file is stored under its original name inside uploaded_images/
                if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name'])) {
                    echo "Uploaded successfully ";
                    $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
                    mysqli_query($conn, $update);
                }
            } else {
                echo " i told you dear, only png,jpg and gif file are allowed";
            }
        } else {
            echo " only png,jpg and gif file are allowed";
        }
    }
}
The above code validates the user's picture upload. Two functions carry the validation: pathinfo() and finfo.
To summarize, the logic of the above code is:
- it checks that the uploaded file has one of the extensions 'jpeg', 'jpg', 'gif' or 'png'
- it checks that the file's hex signature identifies it as jpeg, png or gif
- if both conditions hold, the file is saved into the uploaded_images directory
pathinfo
Syntax:
pathinfo(path, options)
Parameters Used:
The pathinfo() function in PHP accepts two parameters.
path : a mandatory parameter which specifies the path of the file.
options : an optional parameter which can be used to restrict the elements returned by the pathinfo() function. By default it returns all the possible values, which are directory name, basename and extension. The possible values can be restricted using:
PATHINFO_DIRNAME – return only the dirname
PATHINFO_BASENAME – return only the basename
PATHINFO_EXTENSION – return only the extension
finfo
$finfo = finfo_open(FILEINFO_MIME_TYPE);
echo finfo_file($finfo, "path/to/image_dir/image.gif");
finfo_close($finfo);
OUTPUT:
image/gif
Let's simulate the code in our console. As you know, PHP can be executed in the console by installing the php-cli package, so we can create a script and execute it from bash:
#!/usr/bin/php
<?php
// myScript.php
$finfo = @new finfo(FILEINFO_MIME);
$filetype = @$finfo->file('/root/Documents/Hack/bilu/php/Test.png');
$r=pathinfo('/root/Documents/Hack/bilu/php/Test.png',PATHINFO_EXTENSION);
echo $filetype.PHP_EOL;
echo $r.PHP_EOL;
?>
Output:
image/png; charset=binary
png
Let's try it.
finfo with the FILEINFO_MIME option behaves much like the Linux file command: it determines the file type from the magic-number byte pattern at the start of the file.
You can find the complete list of file signatures at https://en.wikipedia.org/wiki/List_of_file_signatures
The file signature can be manipulated with the xxd tool on Linux. With -r -p it reads a plain hex dump from standard input and patches those bytes into the target file starting at offset 0, without truncating the rest of the file:
echo "FILE_SIGNATURE" | xxd -r -p - TARGET_FILE
Let's change the signature of our Test.png to RAR (signature = 5261 7221 1A07 0000):
echo "5261 7221 1A07 0000" | xxd -r -p - Test.png
Then let's execute our PHP script again and see what the output is.
As we can see, the output changes: the file is now recognized as a RAR file instead of a PNG. Given this mechanism, we can defeat the second condition of the upload logic, the file-signature check, and upload a malicious file such as a PHP file to the server. To satisfy the upload conditions, we change the PHP file's extension to .png and change its signature to the PNG one.
How to defend against it? The easiest way to harden the file upload is to add another validation step: call getimagesize(), and if it returns false, reject the uploaded file, because it could be malicious.
Here is the sample PHP code:
list($width, $height, $type, $attr) = getimagesize('/root/Documents/Hack/bilu/php/Test.png');
But the hardening method above only applies to image validation; you should develop your own validation method for other file types.
I will post how I uploaded the backdoor to the server in another post.
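To put the two checks side by side, here is an added example (not the panel.php code of the box or the author's script) that runs the original validation logic and a hardened variant over two constructed files: a genuine 1x1 PNG and a text file carrying only the 8-byte PNG signature. It assumes only the fileinfo extension, which standard PHP builds enable.

```php
<?php
// Added example: the panel.php checks beside a hardened variant, run over two
// constructed sample files. Requires only the fileinfo extension.

// The checks panel.php performs: extension whitelist, then a substring match
// on the MIME string libmagic derives from the file's leading bytes.
function legacy_accepts(string $name, string $path): bool {
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    if (!in_array($ext, ['jpeg', 'jpg', 'gif', 'png'], true)) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME))->file($path) ?: ''; // e.g. "image/png; charset=binary"
    return (bool) preg_match('#image/(jpeg|png|gif)#', $mime);
}

// Hardened variant: the same two checks, plus getimagesize() must parse a real
// image header whose detected type agrees with the claimed extension. The caller
// should also store the file under a server-generated name, not the user's.
function hardened_accepts(string $name, string $path): bool {
    if (!legacy_accepts($name, $path)) {
        return false;
    }
    $info = @getimagesize($path);
    if ($info === false) {
        return false; // a bare signature with no image header fails here
    }
    $extsByType = [IMAGETYPE_JPEG => ['jpg', 'jpeg'], IMAGETYPE_PNG => ['png'], IMAGETYPE_GIF => ['gif']];
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return isset($extsByType[$info[2]]) && in_array($ext, $extsByType[$info[2]], true);
}

// Constructed samples: a genuine 1x1 PNG, and plain text prefixed with only the
// PNG signature bytes (the signature-patching trick discussed above).
$realPng = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$fakePng = "\x89PNG\r\n\x1a\n" . "plain text, not an image";

foreach (['genuine' => $realPng, 'signature-only' => $fakePng] as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-15s Test.png: legacy=%s hardened=%s\n", $label,
        legacy_accepts('Test.png', $tmp) ? 'accept' : 'reject',
        hardened_accepts('Test.png', $tmp) ? 'accept' : 'reject');
    unlink($tmp);
}
```

The signature-only sample passes the legacy checks but fails getimagesize(), which is exactly the gap the extra validation closes; storing uploads under a random server-chosen name with the extension taken from the detected image type removes the remaining dependence on the user-supplied file name.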