Server Access: Escalating Privileges through File Upload Bypass (RFU Bypass)

Mohammad Sadra Naderi (ZVitoX)
5 min readJun 18, 2024

--

How are you doing guys,
Hope doing great!

This is ZVitoX and this, is my first post on Medium, and I hope that it would be interesting and educative for you :)

Working during the performing of penetration testing, I came across something pretty nice, and this is how to detect and exploit admin panel, bypassing login functionality and got shell upload in the system for further privilege escalation

Let’s begin ..

Finding the Admin Panel

First, I had to find the administration panel

I utilized the FFUF tool to discover the admin panel, it is more around fuzzing and discovering hidden directories and files. Here’s the command I used:

ffuf -c -u https://targe.com/FUZZ -w /root/Desktop/paths.txt -mc 200-299,300-302,403,500 -r -t 200
FFUF Command Result Screenshot
Admin Panel found Successfuly ...

Here’s a brief explanation of the command:

  • -c: Enables colorized output for better readability
  • -u: Specifies the target URL, with ‘FUZZ’ as the placeholder to be replaced by the wordlist values
  • -w: Points to the wordlist file, in this case, ‘/root/Desktop/paths.txt’
  • -mc: Matches HTTP status codes 200–299 (successful), 300–302 (redirections), 403 (forbidden), and 500 (server errors)
  • -r: Follows redirects, which helps in case the server redirects requests to different URLs
  • -t: Sets the number of concurrent threads, with 200 threads used in this case for faster processing.

By running this command, I successfully discovered the admin panel at https://target.com/administrator, which was a crucial step in my penetration testing process

Taeget Login Page
Target Login Page

Bypassing the Admin Panel Login

The next step was to bypass the login screen. I tested around a bit until I found that the form was vulnerable to SQL Injection

I could just use the simple payload:

' OR '1'='1' #

to bypass the authentication, that means to lie that the SQL query must always return true and is letting me in without valid credentials

That looked like this:

Injection SQLI Payload

And now we are in:

Admin Management System

The File Upload Challenge

Inside the admin panel, we had a area where we was able to set a user profile that had an uploader to upload a file

But it only allowed JPG and PNG files, and I guessed it was using a blacklist for common PHP extensions.

So, turns out this wasn’t as bad as it seemed…

Trying Bypass Methods

I started attempting different bypass techniques.

As this app was implementing black-list to ban some types of files I got inspiration from that.

Here are some of the techniques that I tried:

  1. Adding a Valid Extension before the Execution Extension:
    — file.png.php
    — file.png.Php5
  2. Adding Special Character at the End:
    — file.php%20
    — file.php%0a
  3. Doubling the Extension or Adding Junk Data (Null Bytes) Between Extensions:
    — file.php%00.png
    — file.php\x00.png

After some trail and erorr, I stumbled remember the phar extension

This was a game-changer…!!

What Are PHAR Files?

PHAR files are like ZIP or TAR files but specially for PHP environments

They might bundle PHP code and other resources. That made them an interesting candidate to get around the file upload restrictions

You could read more about phar using this link ..

Remote File Upload Vulnerability

I have used RFU here, it happens when an application is unable to properly validate a uploaded file.

So, this would permit an attacking to upload a malicious file and then execute it

The whitelist approach can be used to replace this blacklist practice for the types of files that shall be permitted for upload

The Breakthrough: Uploading PHAR Shell

Therefore I made a PHAR file, to my surprise, the PHAR file extension bypass the restriction of blacklist.

Successful Upload
.phar File Uploaded Successfully

As shown in the picture above, I attempted to upload a mini uploader

However, using the code provided below, I could create an RCE vulnerability and execute system commands:

<?php echo system($_GET['cmd']); ?>

It was nonetheless unneeded, because I had an uploader already

It was possible for me to directly upload a web shell gain full access to the server

which was extremely dangerous!!

Anyway, I managed to escalate my privileges and accomplished what I was to do…

Key Takeaways

In brief, Here are a few things to keep in mind:

  • Keep on Searching and Researching: Do not refrain from seeking an alternate methodology or information. It may be your way to success.
  • Try Various Methods: Do not get demoralized by failure in the first attempts. Keep trying various methods.
  • Whitelist vs. Blacklist: It is much more secure to have a whitelist of allowed file types than a blacklist of prohibited ones
  • Extensive Documentation: Every step and every finding must find a place in the documentation. It aids the generation of elaborate and useful reports

Conclusion

This case shows: Sometimes penetration testing is a lot of try-hard and out-of-the-box thinking.

Unusual ways are checked, research is done; that’s how vulnerable positions are found

If any questions arise, please do not hesitate to contact me…

Thank you for reading!

--

--

Mohammad Sadra Naderi (ZVitoX)

Penetration Tester and Programmer. I interested in learning about anything, and I research about technology in my free time.