Exploiting PHP Upload forms with CVE-2015-2348
4:06 AM
Today I would like to post about a recent bug I have found in PHP, CVE-2015-2348.
This bug is fairly severe. (considering the amount of developers affected).
This bug is fairly severe. (considering the amount of developers affected).
I have to admit checking the file extension and saying a file is safe can still cause many
other security issues. However, checking for this exact vulnerability in your code is pretty
unrealistic, considering it can pass the Content-Type, Extension, Mime type, size checks...
etc won't save you from this.
other security issues. However, checking for this exact vulnerability in your code is pretty
unrealistic, considering it can pass the Content-Type, Extension, Mime type, size checks...
etc won't save you from this.
The issue occurs in the very popular move_uploaded_files php function that is used to handle
uploaded files most of the time. This function checks to ensure that the file designated by
filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload
mechanism). If the file is valid, it will be moved to the filename given by destination.
uploaded files most of the time. This function checks to ensure that the file designated by
filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload
mechanism). If the file is valid, it will be moved to the filename given by destination.
Example:
move_uploaded_file ( string $filename , string $destination )
The problem with it is that there is a way to insert null-bytes (fixed multiple times before,
i.e: CVE-2006-7243). Using null-bytes an attacker can convince an upload box to ignore
extension checks and that the file is fairly safe and valid and upload malicious files that
can cause RCE. using the character \x00
i.e: CVE-2006-7243). Using null-bytes an attacker can convince an upload box to ignore
extension checks and that the file is fairly safe and valid and upload malicious files that
can cause RCE. using the character \x00
I am going to take DVWA for an example here. DVWA's highest level is meant to be unbroken
for number of issues. the high upload box is meant to teach developers the safe way of handling
a safe upload. Lets just exploit that.
Here is the code snippet from https://github.com/RandomStorm/DVWA/blob/master/
vulnerabilities/upload/source/high.php:
for number of issues. the high upload box is meant to teach developers the safe way of handling
a safe upload. Lets just exploit that.
Here is the code snippet from https://github.com/RandomStorm/DVWA/blob/master/
vulnerabilities/upload/source/high.php:
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" ||
$uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
$uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
$html .= '';
$html .= 'Your image was not uploaded.';
$html .= ''; }
else {
$html .= $target_path . ' succesfully uploaded!';
.
.
This is yes vulnerable to number of exploits (like XSCH, XSS and more), but not RCE.
Because since PHP 5.3.1 Null bytes are deprecated.
Because since PHP 5.3.1 Null bytes are deprecated.
The problem with DVWA is that its passing user provided name to the move_uploaded_file()
Expected behavior for PHP to create:
move_uploaded_file($_FILES['name']['tmp_name'],"/file.php\x00.jpg")
That file should have created the file "file.php\x00.jpg"
Reality creates: file.php
This clearly bypasses the extension check. It has been proven many times the GD libraries
can also be defeated ( getimagesize(), imagecreatefromjpeg()... ),
read this by @secgeek for example.
can also be defeated ( getimagesize(), imagecreatefromjpeg()... ),
read this by @secgeek for example.
Now even if you have had done multiple checks for this, it will be highly unlikely you blacklisted
the char \x00 so most upload forms running PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x
before 5.6.7 are vulnerable for this particular attack.
the char \x00 so most upload forms running PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x
before 5.6.7 are vulnerable for this particular attack.
Conclusion:
If you are on a vulnerable server, update homie!
50 comments
Great finding (y)
ReplyDeleteThanks! :)
Deleteexcellent writeup !!
ReplyDeleteThank you! :D
Delete~(0)~ HAts off
ReplyDeleteThank you
DeleteThis comment has been removed by a blog administrator.
ReplyDeletewhy my comment removed it really doesn't work on php 5.5.14 ! you only want hats off and nice job ? what environment did you test on ?
DeleteHey sorry.
DeleteI didn't mean to remove your comment, sorry I taught you were trolling. I haven't tried this null byte injection in Mac. I know for a fact this won't work on windows because windows can't create filenames with \ in them to begin with. Anyway, I have tested it and looks like you were right. the $_FILES['uploaded']['name'] truncates the null bytes. that isn't meant to happen. My point was indicating move_uploaded_files(). That is probably another bug $_FILES['uploaded']['name'] is also swallowing nullbytes, but could be intentional.
I wonder how can you exploit it on dvwa ??? (test on php 5.3.3)
ReplyDeleteOn variable $_FILES['uploaded']['name'], null byte was truncated, so the variable $uploaded_ext will be ".php", unable to pass through the first "if" statement.
refer to the reply before yours!
DeleteI need wu bug in ghana and money gram payment to Ghana i can pick it up and send your share via bit coin
ReplyDeletei forgot to add my email is jeffblis@yahoo.com we can also do other business if you're interested im in Ghana there is a lot we ca do i will never fail to give you your money after each deal.
ReplyDeleteHello I was try it on Metasploitable 2, when uploading file named shadow.php\x00.jpg process succes, but the file saved as x00.jpg not shadow.php
ReplyDeletewhat should I do?
This comment has been removed by the author.
DeleteNice post! it was helpful!
ReplyDeleteon php 5.3.5 and works fine & thanks for sharing.
ReplyDeleteLatest Govt Bank Jobs 2016
ReplyDeleteThanks for providing valuable information in this article by author....................
This comment has been removed by the author.
ReplyDeleteNice article you might have carried out below. My business is truly happy to see that. This is the incredibly helpful matter. keep that you're selected it up.Support Page
ReplyDeletephysical therapy centreville va I am very happy to find this site. I wanted to thank you for this immense read!! I absolutely enjoying every petite bit of it and I have you bookmarked to test out new substance you post.
ReplyDeleteGreat post with excellent applications for your business with affordable rates website designs service
ReplyDeleteThe share your really gives us excitement. Thanks for your sharing. If you feel tired at work or study try to participate in our games to bring the most exciting feeling. Thank you!
ReplyDeleteswords sand souls | ninjago games | hola launcher | subway surfers | cooking fever | red ball 4 | goodgame big farm | hola launcher apk | paradise bay king | | subway surfers game | red ball | big farm | strike force kitty 2
PHP is the best language to develop data driven websites. PHP is used by majority of the ecommerce websites. Learning PHP can give you a great future for sure.
ReplyDeletePHP training in Chennai | PHP course in Chennai | PHP training institute in Chennai
Dot net is a Microsoft product so it is the best language to develop applications for windows and it is supported well on the windows platform. Dot net is prefferd globally and a renowned platform with lots of job opportunities.
ReplyDeleteDot net training in Chennai | .NET training in Chennai | Dot net course in Chennai
Excellant content. If you are interested in studying and knowing the details of SAS course visit this website. SAS is an analytical tool which is created by SAS system for the data storage and analytical purpose. It is an integrated software system that is used for data entry, retrieval and management of data.
ReplyDeleteSAS Training in Chennai | SAS Course in Chennai
Mobile Locksmith in Brisbane H.A. REED offers mobile locksmith in Brisbane solutions with their efficient professionals. They have high-end computerized technological system that enables their representatives to pass the urgent request of their customer to the concern technician who is closer to the customer location.
ReplyDeleteNice concept. I like your blog. Thanks for sharing.
ReplyDeleteWordpress development services in chennai
nice post.
ReplyDeletewebsphere-message-broker training in chennai
nice post.
ReplyDeleteoracle training in chennai
Nice post! it was helpful!
ReplyDeletemicrostrategy training in chennai
• Good article! There is a great need for more in-depth reviews of certain products and technologies. Your tips are really helpful for anybody who wants to create reviews of any type. Great job. Thanks.
ReplyDeleteios training in chennai
Big Data is just a thought which empowers dealing with a generous measure of data sets. Hadoop has been just a singular structure out of numerous instruments. Hadoop is on a very basic level used for bunch to get ready.
ReplyDeleteRegards,
Hadoop Training in Chennai | Hadoop course in Chennai | Hadoop Training institutes in Chennai
This comment has been removed by the author.
ReplyDeleteGreat article. This is very useful. Thanks for sharing.
ReplyDeletedigital marketing training
Thanks for posting a helpful post. it really helped me for my website.
ReplyDeleteBuy Facebook Likes
Thanks for sharing , very insightful
ReplyDeletered hat linux training in chennai | rhce courses in chennai | red hat training in chennai |red hat courses in chennai
I was working on the responsive design and this article provided me the lot of information about designing of website. Using this information i can create the look and feel websites.
ReplyDeletePHP Training in Chennai | PHP Course in Chennai
Great and nice blog thanks sharing..I just want to say that all the information you have given here is awesome...
ReplyDeleteAndroid Training in Velachery
ios Training in Velachery
Nice article you might have carried out below. My business is truly happy to see that. This is the incredibly helpful matter.want to build your website.
ReplyDeleteWhite Label Website Builder
Wow!!!..Wonderful Blog..Thanks for sharing..
ReplyDeleteCCNA Training Center in Chennai | CCNA Training in Chennai | Best CCNA Training in Velachery | Online CCNA Training in Chennai
Thanks for posting a helpful post. it really helped me for my website. I am going to share it on social media. Get the christmas crackers in chennai.
ReplyDeleteThis information is very impressive; I am inspired with your blog writing style & how continuously you describe this topic. Thanks for taking the time to discuss this. No.1 CCNA Training in Chennai | No.1 CCNP Training in Chennai | Six Sigma Training in Chennai
ReplyDelete"I very much enjoyed this article.Nice article thanks for given this information. i hope it useful to many pepole.php jobs in hyderabad.
ReplyDelete"
Thanks for sharing this informative news with us. Keep updating.
ReplyDeletephp training institute in chennai
"Great blog created by you. I read your blog, its best and useful information. You have done a great work. Super blogging and keep it up.php jobs in hyderabad.
ReplyDelete"
Needed to compose you a very little word to thank you yet again regarding the nice suggestions you’ve contributed here.
ReplyDeleteJava Training in Bangalore
Thank you for the writing a good article and it helps me a lot. Buy the Cold Pressed Oil in India.
ReplyDeleteYou have provided really awesome blog for learners. Then check it once through Devops Online Training Bangalore for more information.
ReplyDeleteExcellent Write Up......Salesforce Training Online
ReplyDeleteNote: Only a member of this blog may post a comment.