PortSwigger File Upload Vulnerability - Lab 2

br4ind3ad
Dec 11, 2021

CONTENT-TYPE VALIDATION: Content-Type validation is when the server validates the content of the file by checking the MIME type of the file, which can be seen in the HTTP request.

CONTENT-TYPE BYPASS: This type of validation can be bypassed by keeping the file name as, for example, “shell.php” or “shell.aspx” but changing the “Content-Type” parameter to an “image/*” Content-Type, such as “image/png”, “image/jpeg”, or “image/gif”.

Lab 2
Exploiting flawed validation of file uploads
Web shell upload via Content-Type restriction bypass

“One way that websites may attempt to validate file uploads is to check that this input-specific Content-Type header matches an expected MIME type. If the server is only expecting image files, for example, it may only allow types like image/jpeg and image/png. Problems can arise when the value of this header is implicitly trusted by the server. If no further validation is performed to check whether the contents of the file actually match the supposed MIME type, this defense can be easily bypassed using tools like Burp Repeater.”

Lab Description
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Steps:

1. Access the lab.

2. Log in to the application using the credentials wiener:peter.

3. You can see that there is an image upload functionality.

4. Click on the Browse button and use the web shell from the previous lab, or create one simply by opening a text editor and typing:

<?php echo file_get_contents('/home/carlos/secret'); ?>

5. Open Burp Suite and turn the intercept on (Proxy > Intercept on).

6. After turning on the intercept, go to the web application, click on Browse and choose webshell.php.

7. Click on the Upload button.

8. The request will be intercepted in Burp Suite.

9. Send it to Repeater.

10. Now if you forward the request in Repeater, it will show 403 Forbidden. The web application is validating the Content-Type and is not accepting PHP-type files.

11. Try changing the Content-Type to image/jpeg or a similar type like image/png, which are usually accepted.

For more commonly used content types, have a look at “Possible values for HTTP ‘Content-Type’ header”.

Here, you can see that even when the extension of the file is PHP, it is still getting uploaded after changing the Content-Type to image/jpeg. This indicates that the web application is only validating the Content-Type parameter.

12. In the Proxy > Intercept tab, make the same changes as in step 11 and forward the request.

13. Turn the Intercept off, click on “Back to My Account” and view the page source code.

14. Click on the <img src> link, retrieve the secret, and finally submit it.
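The root cause shown in steps 10 to 12 is that the upload handler decides on the client-supplied Content-Type alone. The following added example (not part of the lab or the original article) puts that flawed check beside a hardened one that ignores the header, allowlists the extension, checks the leading magic bytes, and picks its own storage name. The function names and sample uploads are constructed for illustration.

```python
import os
import secrets

# Allowlisted image extensions and the magic bytes each file must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def flawed_check(filename, content_type, body):
    """The lab's behaviour: trust only the client-supplied Content-Type."""
    return content_type in {"image/jpeg", "image/png"}


def hardened_check(filename, content_type, body):
    """Return a server-chosen storage name, or None if the upload is rejected.

    content_type is accepted for interface parity but never used to decide.
    """
    # Strip any directory components the client put in the file name.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:                 # extension allowlist, not a denylist
        return None
    if not body.startswith(magic):    # content must match the extension
        return None
    # Never reuse the client's file name; keep only the vetted extension.
    return secrets.token_hex(16) + ext


# Constructed sample uploads (not captured traffic).
PHP_BODY = b"<?php echo 'constructed sample'; ?>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, ctype, body in [
        ("webshell.php", "image/jpeg", PHP_BODY),
        ("avatar.png", "image/png", PNG_BODY),
    ]:
        print(name, ctype,
              "flawed:", flawed_check(name, ctype, body),
              "hardened:", hardened_check(name, ctype, body))
```

Magic bytes can be satisfied by a crafted file, so the extension allowlist and serving uploads from a location where scripts are not executed remain the primary controls.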

I hope you enjoyed reading this article!
