PortSwigger File Upload Vulnerability - Lab 5

br4ind3ad
Dec 11, 2021


Before starting with this lab you should be familiar with some bypass techniques:
* Double extension
* Null character
* Multibyte Unicode characters
* Magic numbers

What are null characters?

Take a string, char a[10] = "Hello". This is how it is stored in memory:

h | e | l | l | o | \0 | | | | | — array

Here \0 represents a null character, which marks the end of the string. Any function that walks the array stops as soon as it reaches \0 and does not traverse any further. If the null character is not present, there is a high chance of reading into memory we are not allowed to access. If we now do a[5] = '!', we have overwritten the \0 with '!', and there is no longer any way to know where the string ends. Using a width specifier such as %9s (for example with scanf) reads only the first 9 characters and ignores the rest, leaving room for the terminator. Similarly, in hex the null character is 00.

"Using control characters such as null character (0x00) after a forbidden extension and before a permitted one may lead to a bypass. In this method, all the strings after the Null character will be discarded when saving the files. Both URL-encoded and decoded versions of the null character should be tried in a file upload request for a thorough test." ~ OWASP Unrestricted File Upload

Starting with the Lab:

Lab 5
Obfuscating file extensions
Web shell upload via obfuscated file extension

Lab Description:
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Steps:

1. Access the lab.
2. Log into the application using the credentials wiener:peter.
3. You can see that there is an image upload functionality.

4. Try to upload a basic web shell in PHP.

[In Burp : intercept the request → send to repeater ]

You can see that the web application doesn't accept a PHP file and only accepts a JPEG or PNG.

5. As the server is Apache, which allows a double extension, upload a file with extensions like:

webshell.php.jpeg || webshell.php.png

These files get uploaded successfully, which is also indicated by the 200 OK status code.

6. Let's try introducing a null character after a forbidden extension and before a permitted one.

There are two methods.

First, insert an A after php (the hex value of A is 41, so it is easy to locate in the hex view); in the hex view change the value of A from 41 to 00 and forward the request.

Or second, simply put %00 after php and forward the request:

First Method:

Second Method:

7. Turn the intercept off; in the browser window the following message will be shown.

8. Click on "Back to My Account", view the page source, and check out the img src link.

9. After clicking the link, an error will be shown, as the URL takes us to webshell.php.%00png while the uploaded file was just webshell.php.

See the image of the 7th Step.

10. Remove the extra part from the URL and retrieve the secret.
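To see why step 6 works from the server's side, here is an added Python example; it is not code from the PortSwigger lab or from this post. It models three things: a naive denylist check that URL-decodes the filename and inspects only the last extension, a storage layer that behaves like the C string described in the null-character section above (everything after the first 0x00 byte is dropped), and an allowlist check that rejects control bytes, path components and double extensions. The filenames, the denylist and the allowed-name pattern are constructed for illustration; the lab's real blacklist is not published on the page.

```python
# Added example, not code from the PortSwigger lab or the original post.
# Models the upload-filename checks discussed above; the filenames and the
# denylist are constructed for illustration.
import os
import re
from urllib.parse import unquote

# Constructed lists: what the lab actually blocks is not published on the page.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png)$", re.IGNORECASE)


def c_string_truncate(name: str) -> str:
    """Simulate a NUL-terminated C string: the first \\0 ends the string,
    so a filesystem call built on strlen()/fopen() never sees what follows."""
    return name.split("\0", 1)[0]


def weak_extension_check(raw_name: str) -> bool:
    """Naive denylist check of the kind the lab bypasses.

    It URL-decodes once and looks only at the text after the last dot, so
    'webshell.php%00.png' decodes to 'webshell.php\\0.png', the last
    extension is 'png', and the file is accepted."""
    name = unquote(raw_name)
    ext = name.rsplit(".", 1)[-1].lower()
    return ext not in BLOCKED_EXTENSIONS


def name_written_to_disk(raw_name: str) -> str:
    """What a NUL-truncating storage layer actually writes: the decoded
    name up to the first null byte, i.e. 'webshell.php' for the lab input."""
    return c_string_truncate(unquote(raw_name))


def hardened_check(raw_name: str) -> bool:
    """Allowlist check: decode once, reject any control byte (0x00-0x1f, 0x7f)
    and any path component, then require exactly one allowed extension.
    Double extensions such as 'x.php.png' fail because the stem may not
    contain a dot."""
    name = unquote(raw_name)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return False
    if name != os.path.basename(name) or "\\" in name:
        return False
    return SAFE_NAME.fullmatch(name) is not None


def classify(raw_name: str) -> dict:
    """Run both checks on one submitted filename and report the outcome."""
    return {
        "submitted": raw_name,
        "weak_check_accepts": weak_extension_check(raw_name),
        "stored_as": name_written_to_disk(raw_name),
        "hardened_check_accepts": hardened_check(raw_name),
    }


if __name__ == "__main__":
    # Constructed sample submissions mirroring steps 4 to 6 of the lab.
    for candidate in ("webshell.php", "webshell.php.png",
                      "webshell.php%00.png", "webshell.php\0.png", "cat.png"):
        print(classify(candidate))
```

The second method from step 6 (a literal %00 in the request) and the first (a raw 0x00 byte edited in the hex view) reach the same decoded value, which is why both are tried. The hardened check treats the presence of any control byte as a hard failure rather than trying to "clean" the name, and a real upload handler should additionally generate its own server-side filename instead of trusting the client's.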

Hope you enjoyed Reading!
