Sunday, 13 March 2022

File Upload - Server-Side Validation – Using Magic Numbers - THM Labs

For this blog I am using the lab provided by TryHackMe. TryHackMe provides many different labs for understanding security concepts. I am using these labs to cover my OSCP basics.


What is a Magic Number?

A magic number (also called a file signature) is a byte sequence embedded at or near the beginning of a file that identifies its format. It is not shown by ordinary viewers. Most file types have such a signature, and it is conventionally written as hexadecimal bytes.

For example:

- PDF file: 25 50 44 46
- JPG file: FF D8 FF
- GIF file: 47 49 46 38 37 61

In the example below we try this method: we change the initial signature of the file we are given and try to upload a shell file. Let's consider the application provided below.

1. In the application provided below we are able to upload only GIF files.




2. When we upload a valid GIF file, we get the response shown below from the application.



3. We also ran Gobuster to brute-force the paths we could try to access on the application, and from the results we could see that /graphics and /assets were folders present on the server.


4. Now we take the PHP shell file and change the IP address to the IP address of the system where we want our reverse shell session. In my case the IP is 10.10.109.115. Please click on the link to download the shell file.



5. Verify the file type of the shell, and we can see that it is an ASCII text file.


6. Now use a tool such as hexedit to edit the initial file signature, as shown in the screenshot below.
Note: While making these changes, make sure that no changes are made to the PHP shell code itself. The magic number for GIF is 47 49 46 38 37 61.





7. After editing the file, verify whether it is still reported as an ASCII text file or is now reported as a GIF file.


8. Now we upload this file to the application and check whether it gets uploaded. Make sure that the uploaded file is a PHP file.



9. Before accessing the file, we need to start a netcat listener on the port set in the shell file; in my case the port I set in the shell file is 1234.



10. Now we can access the file in the browser at the path provided (<URL>/graphics/<filename>). We can see that the reverse shell connection comes back to us, and we were able to access the flag by changing directory to var/www.
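As an added example (not part of the original blog or the TryHackMe lab), the Python validator below puts the weak magic-number-only check that steps 6 to 8 defeat beside a stricter server-side check for the GIF signatures from the table above: extension, signature, the GIF header structure and the file body must all agree, and the stored filename is chosen by the server rather than the client. The sample files are constructed here; the "disguised" one carries a harmless placeholder body, not a shell, and the function names are my own.

```python
"""
Added example (not the lab's or the blog's own code): a server-side upload
validator that shows why a magic-number check alone is weak, and what a
stricter check looks like. All sample files below are constructed.
"""
import secrets
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")   # 47 49 46 38 37 61 / 47 49 46 38 39 61
GIF_TRAILER = b"\x3b"                      # every well-formed GIF ends with 0x3B
PHP_MARKERS = (b"<?php", b"<?=")           # open tags a PHP interpreter would honour
MAX_DIMENSION = 8192                       # assumed upper bound for this app's images


def magic_only_check(data: bytes) -> bool:
    """The weak check the lab defeats: look only at the first six bytes."""
    return data[:6] in GIF_SIGNATURES


def strict_gif_check(data: bytes, filename: str) -> tuple[bool, str]:
    """Extension, signature, header structure and content must all agree.

    Returns (accepted, reason). This is deliberately stdlib-only; a real
    deployment would additionally decode and re-encode the image.
    """
    if not filename.lower().endswith(".gif"):
        return False, "extension is not .gif"
    if data[:6] not in GIF_SIGNATURES:
        return False, "missing GIF signature"
    if len(data) < 13:
        return False, "too short for a logical screen descriptor"
    # Bytes 6..9 are the little-endian width and height of the logical screen;
    # text pasted behind a fake signature produces absurd values here.
    width, height = struct.unpack("<HH", data[6:10])
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        return False, f"implausible dimensions {width}x{height}"
    if not data.endswith(GIF_TRAILER):
        return False, "missing GIF trailer byte 0x3B"
    if any(marker in data.lower() for marker in PHP_MARKERS):
        return False, "embedded PHP open tag"
    return True, "ok"


def storage_name() -> str:
    """Server-assigned name: the client's filename never reaches the disk,
    so a .php suffix cannot survive the upload."""
    return secrets.token_hex(16) + ".gif"


# Constructed sample 1: the well-known minimal 1x1 GIF89a image (43 bytes).
REAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00\x3b"
)

# Constructed sample 2: a GIF signature pasted in front of text, standing in
# for the lab's edited script. The body is a harmless placeholder.
DISGUISED_TEXT = b"GIF87a" + b"<?php echo 'constructed placeholder'; ?>\n"


if __name__ == "__main__":
    for label, blob, name in (
        ("real GIF", REAL_GIF, "photo.gif"),
        ("disguised text as .gif", DISGUISED_TEXT, "upload.gif"),
        ("disguised text as .php", DISGUISED_TEXT, "upload.php"),
    ):
        print(f"{label:24} magic-only: {magic_only_check(blob)!s:5} "
              f"strict: {strict_gif_check(blob, name)}")
    print("stored as:", storage_name())
```

Run it directly to see that both files pass the magic-only check while only the real GIF passes the strict one (the disguised file is rejected on its "dimensions" before the PHP scan is even reached). The strict check is still not a full GIF decoder; in production, re-encode the image with an image library, keep uploads outside the web root or in a directory with script execution disabled, and serve them with a fixed Content-Type.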



Finally, we have it here.

Thanks for going through the whole blog!!!

Click on the links to read my previous blogs on file upload:

1. Client-Side Validation Bypass
