Bypassing extension check

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Anyone have any suggestion on how to bypass this file extension check?

Code:

if(preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$/i', $file_ext))

I have tried all sorts of things but can't really find a way around it so far :-k
"The best place to hide a tree, is in a forest"

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Post by maboroshi »

Is that regex asking that those extensions be at the last dot or just that the file contains one of those extensions?

Post by ayu »

maboroshi wrote: Is that regex asking that those extensions be at the last dot or just that the file contains one of those extensions?

The regex matches .ext at the end of a filename

reparto
Fame ! Where are the chicks?!
Posts: 288
Joined: 27 May 2013, 11:30

Post by reparto »

Aren't the regex functions in PHP essentially acting as a wrapper for the C standard library? If so then I don't think there is anything you can do

EDIT:
You could try putting a null byte in the filename (i.e. filename.php\0.ext), not sure if the file will upload properly :-k
Selling invisible pets:
Dogs - 0.5 Bitcoins
Cats - 0.7 Bitcoins
Unicorns - 10 Bitcoins
Chimpanzee - 2 Bitcoins

PM me if you are interested, will ship via priority airmail, will accept escrow services

Post by ayu »

reparto wrote: Aren't the regex functions in PHP essentially acting as a wrapper for the C standard library? If so then I don't think there is anything you can do

EDIT:
You could try putting a null byte in the filename (i.e. filename.php\0.ext), not sure if the file will upload properly :-k

Yeah I have no doubt that the regex works properly, but there might be some "trick" to going around it ^^.
Yeah already tried with null byte : ( ... didn't work.

scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Post by scatter »

Did you try using an extension not recognized by the regex? Well, I understand PHP well but not regex; what I mean is the following trick:

file.php.blablablah, Apache doesn't recognize the .blablablah extension so it will move on in the name looking for an extension that it knows. Not sure if this helps, hope it will or at least gives another idea.

Post by ayu »

scatter wrote: Did you try using an extension not recognized by the regex? Well, I understand PHP well but not regex; what I mean is the following trick:

file.php.blablablah, Apache doesn't recognize the .blablablah extension so it will move on in the name looking for an extension that it knows. Not sure if this helps, hope it will or at least gives another idea.

Hmm, not sure :-k
I have tried another random extension though, and it just treated it as text.
But yeah, one option I have been considering a lot is the possibility of an alternative extension that they missed.
Although I think they actually covered it all unfortunately : P

Post by reparto »

Can you use a .shtml with server side includes?

Post by ayu »

reparto wrote: Can you use a .shtml with server side includes?

Yeah I actually tried that, but haven't managed to get it to work so far on a default installation.

Post by scatter »

Not meaning to interrupt, but what is .shtml with a server side include? :)

Post by reparto »

On Apache servers (and possibly others, I am not sure how widely adopted it is) there is a scripting language available known as server side includes; it's commonly used as an alternative to:

Code:

<?php include('somefile.ext');?>

It also has other functions such as providing some access to a command line (same permission level as the server I think) and you can print system variables and run CGI scripts. Obviously this can leave a gaping security hole and I wouldn't be surprised if most servers have it turned off since I can't see why you would use it.

See Apache docs: https://httpd.apache.org/docs/2.2/howto/ssi.html

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Any idea what PHP version it is? If earlier than 5.3.4 a null byte injection could work.... :-k

Post by ayu »

bad_brain wrote: Any idea what PHP version it is? If earlier than 5.3.4 a null byte injection could work.... :-k

Core PHP Version => 5.4.18

As far as I know SSI is not enabled by default.
Would phpinfo show if it's enabled, or would the only reliable way to find out be to test it?

Post by bad_brain »

cats wrote: Would phpinfo show if it's enabled

it would show up by the mod_include module...;)

Post by scatter »

I just remembered I asked about .shtml here, but now I came up with a new question. What do you think of SSI (server side include)? On Google I found many think it's a rare vuln, but by talking to some people they said they encountered it many times, so what do you think about it?
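
An added example, not code from any poster in this thread: the blocklist regex from the first post next to an allowlist check that also replaces the client-supplied name, run over constructed filenames of the kinds the thread mentions. The function names, the allowed-extension list and the sample names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, constructed sample filenames.

// The blocklist from the first post, applied to the whole filename.
function blocklist_allows(string $name): bool {
    return !preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$/i', $name);
}

// Allowlist (assumed set): the application names what it accepts
// instead of enumerating what it fears.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function allowlist_allows(string $name): bool {
    if (strpos($name, "\0") !== false) {
        return false;                   // embedded null byte
    }
    // Exactly one dot: a conservative base name plus a single extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $name, $m)) {
        return false;                   // no extension, several dots, odd characters
    }
    return in_array(strtolower($m[1]), ALLOWED_EXT, true);
}

// The stored name never reuses client input: random base + vetted extension.
function stored_name(string $name): ?string {
    if (!allowlist_allows($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples. Whether a server would ever interpret any of these
// depends on its configuration; the point is only what each check lets through.
$samples = ['photo.jpg', 'file.php', 'file.php.blablablah', 'page.shtml', "file.php\0.jpg"];
foreach ($samples as $s) {
    printf("%-24s blocklist=%-6s allowlist=%-6s stored=%s\n",
        addcslashes($s, "\0"),
        blocklist_allows($s) ? 'pass' : 'reject',
        allowlist_allows($s) ? 'pass' : 'reject',
        stored_name($s) ?? '-');
}
```

The blocklist passes every sample except file.php, while the allowlist passes only photo.jpg and stores it under a name the uploader never chose.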
