Exercise : Scanning #2 Malicious file upload BiluBox Penetration Test

Hi Everyone,

Welcome back to my post about penetration testing exercise with Bilubox provided by vulnhub.com.

Continuing the last exploitation that is local file inclusion that lead us to find a very important credential that enable us to login to the box with SSH using root access. This is very direct attack vector due to some combination of mistake configured by the admin then we can escalate to the highest priviledge in the box

As I have promissed in the early stage that I got the feeling that the upload function might also have a bug that we can exploit. Let examine the upload function

Upload file function would become the effective target of an attacker to upload malicious file that lead to backdooring the system. If the developer do not the perfect file checking then this could be bypassed with certain techniques.

in the panel.php i found the upload function validation as the code snippet below

if(isset($_POST['upload']))
{

	$name=mysqli_real_escape_string($conn,$_POST['name']);
	$address=mysqli_real_escape_string($co<span 				data-mce-type="bookmark" 				id="mce_SELREST_end" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			></span>nn,$_POST['address']);
	$id=mysqli_real_escape_string($conn,$_POST['id']);

	if(!empty($_FILES['image']['name']))
	{
		$iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
	$r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
	$image=array('jpeg','jpg','gif','png');
	if(in_array($r,$image))
	{
		$finfo = @new finfo(FILEINFO_MIME);
	$filetype = @$finfo->file($_FILES['image']['tmp_name']);
		if(preg_match('/image\/jpeg/',$filetype )  || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
				{
					if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
							 {
							  echo "Uploaded successfully ";
							  $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
							 mysqli_query($conn, $update);

							}
				}
			else
			{
				echo "
i told you dear, only png,jpg and gif file are allowed";
			}
	}
	else
	{
		echo "
only png,jpg and gif file are allowed";

	}
}

The above code is to validate the user picture file upload. There are two important function involve in the validation pathinfo and finfo

To summarize the the logic of the above code is

  1. it check the file uploaded should have the extention of ‘jpeg’,’jpg’,’gif’,’png’ 
  2. it check the file hex signature should be contain jpeg, png and gif
  3. if both condition above then file will be saved into uploaded_images directory

pathinfo

Syntax:

pathinfo(path, options)
Parameters Used:
The pathinfo() function in PHP accepts two parameters.

path : It is a mandatory parameter which specifies the path of the file.

options : It is an optional parameter which can used to restrict the elements returned by the pathinfo() function. By deafult it returns all the possible values which are directory name, basename, extension. Possible values can be restricted using :

PATHINFO_DIRNAME – return only dirname
PATHINFO_BASENAME – return only basename
PATHINFO_EXTENSION – return only extension

finfo


finfo = finfo_open(FILEINFO_MIME_TYPE);
echo finfo_file($finfo, "path/to/image_dir/image.gif");
finfo_close($finfo);

OUTPUT :
image/gif

lets simulate the code in our console. As you know that php can be executed in the console by installing the php-cli module so that we can create a script and execute it in bash

#!/usr/bin/php
?php // myScript.php $finfo = @new finfo(FILEINFO_MIME); $filetype = @$finfo->file('/root/Documents/Hack/bilu/php/Test.png');
$r=pathinfo('/root/Documents/Hack/bilu/php/Test.png',PATHINFO_EXTENSION);
echo $filetype.PHP_EOL;
echo $r.PHP_EOL;
?>

output

image/png; charset=binary
png

lets try it

finfo with option FILEINFO_MIME function is most likely function file in the linux. it will determine the file signature based on the hex magic number pattern in the file.

You can find the complete file signature https://en.wikipedia.org/wiki/List_of_file_signatures

File signature can be manipulated by using the function xxd in the linux


xxd -r -p -o 0 && (echo FILE_SIGNATURE) TARGET_FILE

lets change our Test.png signature file to rar (signature = 5261 7221 1A07 0000)


xxd -r -p -o 0 && (echo 5261 7221 1A07 0000) Test.png

then lets try to execute our php script again and see what is the output

as we can see the output change, the file is now recognized as rar file instead of png file. Look at this mechanism then we can manipulate the logic of upload image for the second condition that check file signature. We can upload malicious file such as php file to the server. To meet the succesfull upload condition, we can change the php file extention to .png and change the signature of php file to png.

how to deffend it ?, the easiest way to deffend the file upload is to add another validation to the validation condition. We need to add getimagesize, if the function does not return any value than you should reject the uploaded file because it could be malicious.

here is the sampel php code

list($width, $height, $type, $attr) = getimagesize('/root/Documents/Hack/bilu/php/Test.png');

 

but the hardening method above is only for image validation, You should develop your own validation method for another file types.

I would post the way I upload the backdoor to the server in the another post.

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s