Re: Malicious file upload in .JPG or GIF format



The usual trick is to upload an ASP, ASPX, PHP, JSP, or other dynamic web
page to the server. If the application allows you to set the extension
and the upload directory supports that scripting language, your job is
done.

If the server changes the extension to .JPG/.GIF (or only allows those
extensions), then you need to be more creative. On Apache, you can name a
file something.php.jpg, and Apache will still treat it as PHP.

Another option you can try is by sending an upload request (with a tool or
an HTTP request editor) that embeds a NULL byte before the .JPG extension.
ASP scripts tend to be vulnerable to this -- the script will see the
entire file name, but the underlying file operation will truncate the
name of the file after the NULL byte. So something.asp%00.jpg would
become something.asp.

Finally, one trick that might help is to upload an HTML document, with a
JPG extension, and see whether the browser treats it as HTML or an image
when you browse to it. Some browsers handle this differently, sometimes
ignoring the mime type in favor of the file magic (not sure if this works
with images in IE 7).

What this allows you to do is upload arbitrary HTML content to the server,
which can contain JavaScript, which in turn can read the domain-specific
credentials of users visiting that page. This still requires the ability
to send users to your not-really-a-jpeg HTML page (for example, by
emailing them a link).

Good luck,

-HD

On Wednesday 20 February 2008, whitehat wrote:
I'm doing Web Application Pen-Testing. In one of the pages there is an
option to upload an image (.JPG or .GIF).
How can a hacker exploit it, and what are the chances of uploading a
malicious .exe file (virus kind of stuff) in .JPG or .GIF format by
changing its extension?
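The three bypasses HD walks through (a second extension such as something.php.jpg, a NULL byte in the name, and an HTML document served under a .jpg extension) each map onto a server-side check. The following Python is an added example and not code from this thread; the extension allow-list, the file signatures it accepts and the header set it returns are assumptions chosen for illustration.

```python
import os
import re
from typing import Optional

# Constructed allow-list: extension -> (MIME type to serve, accepted file signatures)
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}


def safe_upload_name(filename: str, content: bytes) -> Optional[str]:
    """Return the name to store the upload under, or None to reject it.
    `filename` is the decoded client-supplied name (so %00 is already \\x00)."""
    # Null byte: the script sees "x.asp\x00.jpg", a C-level open() sees "x.asp".
    if "\x00" in filename:
        return None
    # Drop any client-supplied path component (either separator style).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    # Exactly one extension: Apache mod_mime looks at every extension in a
    # name, so "x.php.jpg" can still be handled as PHP.
    if len(parts) != 2 or not parts[0]:
        return None
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED:
        return None
    # The bytes must be what the extension claims: an HTML document renamed
    # to .jpg carries no JPEG/GIF signature and is rejected here.
    if not any(content.startswith(sig) for sig in ALLOWED[ext][1]):
        return None
    # Never store the client's characters verbatim: normalise the stem.
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return f"{safe_stem}.{ext}"


def download_headers(safe_name: str) -> dict:
    """Headers for serving a stored upload: fixed Content-Type, no MIME
    sniffing, forced download, so the browser cannot decide for itself that
    the file is HTML and run its script in the application's origin."""
    mime = ALLOWED[safe_name.rsplit(".", 1)[1]][0]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
```

The signature check only proves the file starts like an image; re-encoding the image with an image library before storing it, and serving uploads from a separate origin, closes the remaining gap.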


