
I need to test a website and I found a vulnerable file upload. It is only checked whether or not the file extension is .jpg, .png or .pdf. I can bypass this by uploading a file named script.php.jpg. I know that uploaded files are stored in /uploads.

How can I execute that script? When typing http://example.com/uploads/script.php.jpg in my browser, the script is not executed. I know that the server can execute php code and that the server has said file vulnerability.

Anders
hm1912

2 Answers


Unless the server is severely misconfigured, it will never execute .jpg files as .php files. The last segment after a . is the relevant one when determining file extensions, which means that you are uploading files that the server will correctly treat as jpg files.

So being able to upload script.php.jpg by itself is not a vulnerability.

If you for example had an LFI vulnerability somewhere, you could include the uploaded file, and then it would execute (regardless of file extension). Or if you could upload server config files (e.g. .htaccess in Apache), you could reconfigure the server to execute .jpg files as .php files.

But those would be the vulnerabilities, not the ability to upload the .php.jpg file. It would be possible to check the mimetype on upload as defense-in-depth. But that can be bypassed, so I wouldn't consider not having such a check a vulnerability (even though checking is recommended).

tim

The server is reading the jpg extension, and therefore sends it to your browser as if it were an image instead of interpreting it as a PHP file.

To use the uploaded file you should leverage another vulnerability like LFI, as @tim said.

Another thing you could try is to mess with the filename filters so the .jpg is not appended. For example, you could set the filename to something like script.php\0.jpg; if the filter is not properly implemented it may read the .jpg at the end (interpreting it as a valid file), but when it's saved it may be saved as script.php because \0 is not a valid character for a filename.

Also, note that checking file types by extensions is a Windows thing. File types in unix-like systems are checked by the magic numbers, and executable scripts, like .php files, may indicate how to be interpreted through shebangs. If the underlying system is unix-like it may be worth a try to add a shebang to the uploaded script if it's not already there.

Mr. E
    While you're mostly correct about the extensions in the last part, the web server will still try to serve it as an image if the file extension represents an image. There is usually a MIME-type mapping for file extension to HTTP content type. Also, I don't think the shebang will matter in this case. If the extension matches an allowed one, it will be passed to the PHP interpreter or process manager, and the file isn't quite executed directly like in classic CGI. – multithr3at3d Jun 24 '18 at 15:58
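The two answers between them describe what a sound upload filter has to get right: only the last extension matters to the server, a filename containing a NUL byte must never reach the filesystem, the content should be checked against the extension (magic numbers) as defense-in-depth, and server config files such as .htaccess must not be accepted. The following is an added example of such a server-side validator, written here in Python rather than the PHP the asker's target runs; it is not code from either answer or from any real project. The magic-byte table and the sample inputs are constructed for illustration, and the stored filename is generated by the server so that no user-supplied name is ever reused.

```python
import os
import secrets

# Constructed allow-list: last extension -> leading bytes the content must start with.
# Anything not listed here (php, htaccess, ...) is rejected regardless of content.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),          # JPEG SOI marker
    "png": (b"\x89PNG\r\n\x1a\n",),     # PNG signature
    "pdf": (b"%PDF-",),                 # PDF header
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says which rule failed."""


def extension_of(filename: str) -> str:
    """Return the LAST extension, lower-cased, exactly as the web server would see it.

    'script.php.jpg' -> 'jpg', '.htaccess' -> 'htaccess', 'noext' -> ''.
    Looking at any segment other than the last one would only replicate
    the confusion the asker had.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def validate_upload(filename: str, data: bytes) -> str:
    """Validate an upload and return the server-chosen name to store it under.

    Rules, in order:
      1. No NUL or other control characters in the name (a NUL would let a
         C-level filesystem call truncate 'script.php\\0.jpg' to 'script.php').
      2. The last extension must be on the allow-list.
      3. The content's magic bytes must match that extension.
      4. The stored name is random; the user's name is never written to disk.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        raise UploadRejected("control character in filename")

    ext = extension_of(filename)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")

    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")

    # 32 hex chars from the server's CSPRNG plus the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads exercising each rule.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),       # accepted
        ("script.php.jpg", b"<?php echo 1; ?>"),                  # wrong magic bytes
        ("script.php\x00.jpg", b"\xff\xd8\xff\xe0"),              # NUL in name
        (".htaccess", b"AddType application/x-httpd-php .jpg\n"), # not allow-listed
    ]
    for name, content in samples:
        try:
            print(f"{name!r}: stored as {validate_upload(name, content)}")
        except UploadRejected as err:
            print(f"{name!r}: rejected ({err})")
```

Note that the validator does not try to "strip" a bad name into a good one; every rejection is a hard failure, and the accepted file is stored under a name the attacker never chose, so a double extension in the upload name has nothing left to influence.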