Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Malicious file upload in .JPG or GIF format

from [H D Moore] Network Security [Permanent Link]
Subject: Re: Malicious file upload in .JPG or GIF format
Date: Wed, 20 Feb 2008 15:17:04 -0600 
The usual trick is to upload an ASP, ASPX, PHP, JSP, or other dynamic web 
page to the server. If the applications allows you to set the extension 
and the upload directory supports that scripting language, your job is 
done. 

If the server changes the extension to .JPG/.GIF (or only allows those 
extensions), then you need to be more creative. On Apache, you can name a 
file something.php.jpg, and Apache will still treat it as PHP. 

Another option you can try is by sending an upload request (with a tool or 
a HTTP request editor) that embeds a NULL byte before the .JPG extension. 
ASP scripts tend to be vulnerable to this -- the script will see the 
entire file name, but the underlying file operation will truncate the 
name of the file after the NULL byte. So something.asp%00.jpg would 
become something.asp.

Finally, one trick that might help, is to upload a HTML document, with a 
JPG extension, and see whether the browser treats it as HTML or an image 
when you browse to it. Some browsers handle this different, sometimes 
ignoring the mime type in favor of the file magic (not sure if this works 
with images in IE 7). 

What this allows you to do is upload arbitrary HTML content to the server, 
which can contain javascript, which in turn can read the domain-specific 
credentials of users visiting that page. This still requires the ability 
to send users to your not-really-a-jpeg HTML page (for example, by 
emailing them a link).

Good luck,

-HD

On Wednesday 20 February 2008, whitehat wrote:

I'm doing Web Application Pen-Testing. In one of the pages there is an
option to upload an image(.JPG or .GIF).
How a hacker can exploit it and what are the chances of uploading a
malicious .exe file (virus kind of stuff) in .JPG or .GIF format by
changing its extension.




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Malicious file upload in .JPG or GIF format, whitehat
Next by Date:  RE: Malicious file upload in .JPG or GIF format, Erin Carroll
Previous by Thread:  Malicious file upload in .JPG or GIF format, whitehat
Next by Thread:  RE: Malicious file upload in .JPG or GIF format, Erin Carroll
Indexes:  [Date] [Thread] [Top] [All Lists]