handbook/tools/3.Web-Hacking/4.Injection/File-Upload/Notes/Client-Side.md
2024-08-31 01:07:22 +02:00

Client Side

  • Tips
  1. Turn off JavaScript in your browser
  2. Intercept and modify the file upload (Burp Suite)
  3. Send the file directly to the upload endpoint, skipping the page and its scripts entirely (curl's -F option takes name=value, and a leading @ reads the value from a file):
     curl -X POST -F "submit=<value>" -F "<file-parameter>=@<path-to-file>" <site>
  • Filtering
  1. File Length Filtering (size of the file, minimum/maximum)
  2. File Name Filtering (same name as a file already on the server; special/Unicode characters)
  3. File Content Filtering (verify MIME type and magic number)
  4. File Type Filtering (similar to extension validation, but more intensive)
  • MIME Example ---> MIME type / extension reference: https://quickref.me/mime (PHP = text/x-php)

    # MIME (what to change)

    # What to do

    As always, we'll take a look at the source code. Here we see a basic JavaScript function checking the MIME type of uploaded files:

    In this instance we can see that the filter is using a whitelist to exclude any MIME type that isn't image/jpeg.

    Our next step is to attempt a file upload -- as expected, if we choose a JPEG, the function accepts it. Anything else and the upload is rejected.

    Having established this, let's start Burp Suite and reload the page. We will see our own request to the site, but what we really want to see is the server's response, so right-click on the intercepted data, scroll down to "Do Intercept", then select "Response to this request":

    When we click the "Forward" button at the top of the window, we will then see the server's response to our request. Here we can delete, comment out, or otherwise break the JavaScript function before it has a chance to load:

    Having deleted the function, we once again click "Forward" until the site has finished loading, and are now free to upload any kind of file to the website:

    It's worth noting here that Burp Suite will not, by default, intercept any external JavaScript files that the web page is loading. If you need to edit a script which is not inside the main page being loaded, you'll need to go to the "Options" tab at the top of the Burp Suite window, then under the "Intercept Client Requests" section, edit the condition of the first line to remove ^js$| from the file-extension pattern:

    We've already bypassed this filter by intercepting and removing it before the page loaded, but let's try doing it another way: upload a file with a legitimate extension and MIME type, then intercept the upload and correct it with Burp Suite.

    Having reloaded the webpage to put the filter back in place, let's take the reverse shell that we used before and rename it to "shell.jpg". Because the browser derives the MIME type from the file extension, the check automatically passes and the client-side filter lets our payload through without complaining:

    Once again we'll activate our Burp Suite intercept, then click "Upload" and catch the request:

    Observe that the MIME type of our PHP shell is currently image/jpeg. We'll change this to text/x-php, and the file extension from .jpg to .php, then forward the request to the server:
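    The whole walkthrough above works because the MIME type the filter sees is chosen by the client, first via the extension and then via the intercepted request. The added example below (written for these notes, not taken from the room or any project) models that client-side whitelist next to a server-side check that ignores the declared type and inspects the bytes; every file name and content in it is constructed sample data.

```javascript
// Added example (not from the original notes): the client-side MIME whitelist
// described above, beside a server-side check that does not trust the client.
// All file names and contents below are constructed sample data.

// Browser-style MIME guess: derived from the extension alone, which is exactly
// why "shell.jpg" is reported as image/jpeg regardless of its bytes.
const EXT_TO_MIME = { jpg: "image/jpeg", jpeg: "image/jpeg", php: "text/x-php" };
function guessMimeFromName(name) {
  const ext = name.split(".").pop().toLowerCase();
  return EXT_TO_MIME[ext] || "application/octet-stream";
}

// The client-side whitelist from the notes: only image/jpeg passes, but the
// value it compares is attacker-controlled (extension, or edited in Burp).
function clientSideFilter(declaredType) {
  return declaredType === "image/jpeg";
}

// Server-side check: allow-list on the *last* extension, and the first bytes
// must match the JPEG magic number FF D8 FF. The declared Content-Type is
// deliberately not consulted, because the client sets it.
const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);
function serverSideValidate(filename, bytes) {
  const parts = filename.toLowerCase().split(".");
  if (parts.length < 2) return { ok: false, reason: "no extension" };
  const ext = parts[parts.length - 1];
  if (!["jpg", "jpeg"].includes(ext)) return { ok: false, reason: `extension .${ext} not allowed` };
  if (bytes.length < 3 || !bytes.subarray(0, 3).equals(JPEG_MAGIC)) {
    return { ok: false, reason: "content is not a JPEG (magic number mismatch)" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed samples: a JPEG header (SOI marker + APP0 "JFIF") and a PHP
// file that has merely been renamed to .jpg.
const realJpeg = Buffer.concat([JPEG_MAGIC, Buffer.from([0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46])]);
const phpBytes = Buffer.from("<?php /* constructed sample file, not a payload */ ?>");

// Each step of the walkthrough, as seen by the two checks.
function demo() {
  return {
    jpegClient: clientSideFilter(guessMimeFromName("photo.jpg")),      // true
    jpegServer: serverSideValidate("photo.jpg", realJpeg).ok,           // true
    renamedClient: clientSideFilter(guessMimeFromName("shell.jpg")),    // true: extension-based guess
    renamedServer: serverSideValidate("shell.jpg", phpBytes).ok,        // false: magic number mismatch
    interceptedServer: serverSideValidate("shell.php", phpBytes).ok,    // false: extension not allowed
  };
}
```

    Run with node; the renamed and intercepted cases show that the client-side filter is a usability feature, and only the byte-level server-side check stops the upload.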