File Upload Bypass Checklist

File Upload Testing Check List

https://www.aptive.co.uk/blog/unrestricted-file-upload-testing/

Discovery:

• Identify File Upload Points

Windows IIS Server Black List File Upload Bypass:

• Upload a file with the semi colon after the black listed extension, such as: shell.asp;.jpg

• Upload a directory with the .asp extension, then name the script within the directory with a permitted file extension, example: folder.asp\file.txt

• When serving PHP via IIS > < and . get converted back to ? * .

• Use characters that can replace files, example << can replace web.config

• Try using spaces or dots after characters, example: foo.asp..... .. . . .

• Attempt to disclose information in an error message by uploading a file with forbidden characters within the filename such as: | > < * ?"

Apache Windows Black List Bypass:

• Windows 8.3 feature allows short names to replace existing files, example: web.config could be replaced by web~config.con or .htaccess could be replaced by HTACCE~1

• Attempt to upload a . file, if the upload function root is /www/uploads/ it will create a file called uploads in the directory above.

General Black List Bypass:

• Identify what characters are being filtered – use burp intruder to assess the insert points with a meta character list

• Ensure your list contains uncommon file extension types such as .php5,.php3,.phtml

• Test for flaws in the protection mechanism, if it’s stripping file names can this be abused? Example: shell.p.phpp if the app strips .php it could rename the extension back to .php

• Try a null byte %00 at various places within the file name, example: shell.php%00.jpg, shell.php%0delete0.jpg – observe how the application responds

• Double extensions: if the application is stripping or renaming the extension – What happens if you give it two extensions? Example: shell.php.php or 4 extentions shell.txt.jpg.png.asp

• Try long file names, example, supermassivelongfileeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeename.php apply other filter bypass techniques used in conjunction with long file names

• Try test.asp\, test.asp.\

• Can you upload the flash XSS payload, that is named as a .jpg

• Try the previous technique but use PDF or Silverlight instead

• Same again but attempt to abuse crossdomain.xml or clientaccesspolicy.xml files

• Try using encoding to bypass blacklist filters, try URL, HTML, Unicode and double encoding

• Combine all of the above bypass techniques

• Try using an alternative HTTP Verb, try using POST instead of PUT or GET (or vice versa), you can enumerate the options using Burp Intruder and the HTTP Verbs payload list

• Additionally, ensure all input points are fuzzed for various input validation failures such as, XSS, Command Injection, XPath, SQLi, LDAPi, SSJI

Bypassing File Size Upload Checks:

• Use EXIF image file technique

• Inject shell directly after image data within Burp request

Techniques for Executing Uploaded Shells:

• Apache MIME Types: Attempt to upload a renamed file e.g. shell.php.jpg or shell.asp;.jpg and assess if the web server process the file by exploiting weak Apache MIME types

• Null Byte: Try a null byte %00 at the end of the file name or within such as: shell.php%0delete0.jpg– observe how the application responds

• Can you upload dot files, if so can you upload a .htaccess file an abuse AddType: AddType application/x-httpd-php .foo

• Be mindful of any processing to upload files – Example: Could command injection be used within a file name that will later be processed by a backend backup script?

• Be mindful of any processing to upload files – If compressed files are permitted, does the application extract them or vice versa?

---