# Intro

- Many web applications rely only on front-end JavaScript code to validate the selected file format before it is uploaded, and will not upload the file if it is not in the required format (e.g. not an image)
- To bypass these protections, we can either modify the upload request to the back-end server, or we can manipulate the front-end code to disable these type validations

# Back-end Request Manipulation

- In this example, we use `burp` to capture the HTTP request
- It's a POST request that appears to be sending a standard HTTP upload request to `/upload.php`

![[images/Pasted image 20251223191919.png]]

- This way, we can now modify this request to meet our needs without the front-end type validation restrictions
- If the back-end server does not validate the uploaded file type, then we should theoretically be able to send any file type/content, and it would be uploaded to the server
- Continuing with this example, the two most important parts of the request are `filename="HTB.png"` and the file content at the end of the request
- If we modify the `filename` to `shell.php` and modify the content to the web shell we used in the previous section, we would be uploading a `PHP` web shell instead of an image

![[images/Pasted image 20251223192115.png]]

# Disabling Front-end Validation

- Another method to bypass client-side validations is by manipulating the front-end code
- As these functions are processed entirely within our web browser, we have complete control over them
- So, we can modify these scripts or disable them entirely
- Start by pressing [CTRL+SHIFT+C] to toggle the browser's page inspector, then click on the profile image to view the associated front-end code

![[images/Pasted image 20251223192252.png]]

- As we see below, the file input specifies (`.jpg,.jpeg,.png`) as the allowed file types within the file selection dialog
- However, we can easily modify this and select `All Files` as we did before by changing `accept` to simply read `accept=""`

```html
<input type="file" name="uploadFile" id="uploadFile" onchange="checkFile(this)" accept=".jpg,.jpeg,.png">
```

- The more interesting part is `onchange="checkFile(this)"`, which runs a JavaScript function whenever we select a file and appears to be doing the file type validation
- To get the details of this function, we can open the browser's `Console` with [CTRL+SHIFT+K] and type the function's name (`checkFile`) to get its details

```javascript
function checkFile(File) {
    ...SNIP...
    if (extension !== 'jpg' && extension !== 'jpeg' && extension !== 'png') {
        $('#error_message').text("Only images are allowed!");
        File.form.reset();
        $("#submit").attr("disabled", true);
    ...SNIP...
    }
}
```

- To disable `checkFile`, we simply modify `onchange` to read `onchange=""`

# Using the webshell

- Once we upload our web shell using either of the above methods and refresh the page, we can use the `Page Inspector` once more with [`CTRL+SHIFT+C`], click on the profile image, and we should see the URL of our uploaded web shell

```html
<img src="/profile_images/shell.php" class="profile-image" id="profile-image">
```

- We can either click on the link in the above source code or navigate to the associated URL and enter a command by appending `&cmd=id`

![[images/Pasted image 20251223192952.png]]

# Mitigations

- It is always recommended to implement all security-related controls on the back-end server, where attackers cannot directly manipulate them as we did here

# Exercise

- `ping` test

![[images/Pasted image 20251223193150.png]]

- `nmap` scan

![[images/Pasted image 20251223193156.png]]

- Visit the page

![[images/Pasted image 20251223193121.png]]
![[images/Pasted image 20251223193132.png]]

- Open up the inspector with [CTRL+SHIFT+C] and click on the profile pic

![[images/Pasted image 20251223193339.png]]

```html
<input type="file" name="uploadFile" id="uploadFile" onchange="showImage()" accept=".jpg,.jpeg,.png">
```

- Update `accept` to remove the extensions

![[images/Pasted image 20251223193535.png]]

- Upload `shell.php`
- We get a message that only images are allowed

![[images/Pasted image 20251223193642.png]]

- We see an error being thrown by the `validate` function

![[images/Pasted image 20251223194530.png]]

- When we click on `validate`, we see the JavaScript code of the `validate` function in the `debugger` tab

![[images/Pasted image 20251223194745.png]]

- The `validate` function is looking for only three extension types
- Disable the `validate` function by removing it from the `onsubmit` event without disturbing `upload`

![[images/Pasted image 20251223195226.png]]

- Navigate to the URL below
- The HTML source code gave away the `/profile_images` location

```url
http://83.136.253.144:56577/profile_images/shell.php?cmd=id
```

- Success! On a blinding white bg

![[images/Pasted image 20251223195032.png]]

- Read `/flag.txt` with the URL below or using `burp` repeater

```url
http://83.136.253.144:56577/profile_images/shell.php?cmd=cat%20/flag.txt
```

![[images/Pasted image 20251223195437.png]]
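The Mitigations section above says every control belongs on the back-end, because both techniques on this page (rewriting the multipart request in `burp`, or blanking `accept` and `onchange` in the inspector) only defeat checks that run in the attacker's own browser. As an added example (not code from the page, the HTB module or the target application's `/upload.php`), here is a Python version of the server-side checks that would have rejected the `shell.php` upload in both walkthroughs: a final-extension allowlist, a magic-byte check so that PHP content under a `.png` name is refused, a size cap, and a server-generated storage name so the client never chooses the extension that ends up under `/profile_images`. `ALLOWED_SIGNATURES`, `MAX_BYTES`, `validate_upload`, `is_acceptable`, `storage_name` and `store_upload` are my names, and `SAMPLE_PNG`/`SAMPLE_PHP` are constructed inputs, not files from the lab.

```python
import os
import secrets
import logging

log = logging.getLogger("upload")

# Allowlist of extensions and the magic bytes the content must start with
# (assumption: the app only needs JPEG/PNG profile images, as on the page).
ALLOWED_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 2 * 1024 * 1024  # hypothetical size limit


class UploadRejected(Exception):
    """Raised when a file fails a server-side check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the extension to store the file under, or raise UploadRejected.

    Every check here runs on the server, so it holds whether the request came
    from the real form, from Burp, or from a browser with checkFile() disabled.
    """
    base = os.path.basename(filename)          # strip any path component
    if "." not in base:
        raise UploadRejected("no file extension")
    ext = base.rsplit(".", 1)[1].lower()       # only the final extension counts
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    # The filename is attacker-controlled; the bytes are what will be served.
    # PHP content renamed to HTB.png fails here because it does not start
    # like a PNG.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return ext


def is_acceptable(filename: str, content: bytes) -> bool:
    """Boolean wrapper; also logs rejections so bypass attempts are visible."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected as err:
        log.warning("rejected upload %r: %s", filename, err)
        return False


def storage_name(ext: str) -> str:
    """Server-generated name: the client never chooses the stored filename."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate, then write under a random name; returns the stored name."""
    ext = validate_upload(filename, content)
    name = storage_name(ext)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(content)
    return name


# Constructed sample inputs (not real files from the page).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print("HTB.png + PNG bytes ->", store_upload("HTB.png", SAMPLE_PNG, d))
    for name, data in [("shell.php", SAMPLE_PHP), ("HTB.png", SAMPLE_PHP)]:
        print(name, "->", "accepted" if is_acceptable(name, data) else "rejected")
```

The same three checks map onto the PHP back-end the page targets: `pathinfo()` for the final extension, `finfo` for the content type, and a random name chosen by the server rather than the multipart `filename` field. Logging the rejections (as `is_acceptable` does) also gives the SOC a signal, since a `.php` filename or PHP bytes arriving at an image upload endpoint is exactly what the front-end code was supposed to make impossible.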