FINDING FILE UPLOAD VULNERABILITIES WITH RACE CONDITION | 2023

Captions
Hey everyone, I hope you all are doing good and having a wonderful day. In this video we are going to see another way of how we can bypass file upload restrictions to upload a malicious file on the web application. Before going into this video, as always, if you haven't checked out my previous one, in which I have shown you how we can bypass file uploads using the null byte injection technique, then go ahead and check it out; the link is given in the description, and you can also see it on the right side of the screen. With that being said, let's get started.

For this demonstration I have created another lab, which I'm just going to start right now. Let me open my command prompt right over here, go to file uploads, and I think it's already running. Yes, good. So let's visit this lab in our browser and see how we can bypass it. We have this lab at localhost; here it is, the file upload challenge. Our main goal over here is to upload a file which is not an image file. For the demonstration I am going to upload a txt file instead of a PNG or any malicious file. Normally this application allows us to upload only PNG files, and in this video we are going to see how we can upload some other files apart from PNG files.

Let me just open the website over here; this should start up in a few seconds. There it is. Let me turn on the intercept and let's play with the request for a while to understand if we can bypass it. Let's send this to Repeater and send it, and as you can see it is showing that the file has been uploaded, without a doubt. Let's check out this particular request. Let's try .txt, for example, and see whether it is allowing us to upload a txt file or not. As you can see, it is showing "try again". Let's try something like .png.txt and see if it is allowing us to do that. Again it is showing "try again".

Let's try some basic bypasses. We have the content type as image/jpeg. So, as you can see over here, it is checking the file extension, because the file type, the content of the file, is an image file; this is a PNG file over here. Since it is still not allowing us to upload the file, that means it is looking at the last extension, txt; since this extension is txt, it is not allowing us to upload the file. So what can we do in this type of case? We are going to use a technique known as race condition to upload a malicious file; for example, we are going to upload the txt file using the race condition technique. Let's try to understand how we can do that.

Let's create a new text file. Let me open my command prompt. We know that only PNG files are allowed to upload, so let's go to the desktop and create a new file: touch testing, or let's say demo.txt. In this file let's type anything, for example "this is BePractical". Now let's try to upload this file first to see if it is getting uploaded by the application or not. Let's go to the locations: Computer, home, Desktop, test, not this one, test, and let's upload this. Let's intercept the request and click on upload; there it is, and as you can see this is a text file. Send this to Repeater and send it, and as you can see right over here it is saying "try again". For obvious reasons it is not allowing us to upload a text file. Let's see how we can bypass it using the race condition technique.

Sometimes it may happen that the application is actually uploading the file, and only after uploading the file is it checking the extension type. In that case the file will be there on the server for a very little amount of time, and in that time, if we are able to hit that particular endpoint where it is getting saved, we will be able to upload the file, or access the uploaded file; in this case it is a txt file. So if the application is vulnerable to a race condition vulnerability, then we may be able to hit that endpoint if we try a million times. If we are hitting the endpoint, let's say, a million times, then we will get the one request on which the application will render the file for us.

Let's see how we can do that. For that I am going to create a program, but first let's understand where this file lives. Let's upload this over here: let's change this to .png and upload it, and as you can see it's showing "uploaded". Let's go to /uploads/ and let's see: test.png, and as you can see here it is. Let's go back. Now we know where the uploaded files are going, so we have the endpoint. If the application allows us to upload the txt file, then it will be stored in something like this: /uploads/test.txt. As you can see, there is nothing over here right now.

Let's see how we can do the race condition technique. For that I'm going to create a Python program, let's say s.py, or let's say demo.py. Let's import requests, which will handle the request and response, that is, communicate with the server. Let me create a function, and let's import threading as well before creating it, because we are going to run the requests in parallel. Let's write a quick function that will just send the request to the uploaded file on localhost; we know that the file is getting uploaded to the uploads endpoint, and our file name, since what we are uploading is demo.txt, I'm going to go with demo.txt. Then we are going to print the response.content, or let's go with response.text. That's it; that's all we're going to do.

Now what we can do right over here is create an infinite loop. In that infinite loop I am going to declare a list, l1, equal to an empty list, and to that list I'm going to append threading.Thread, so I'm basically starting a new thread, and in each thread this function will get called. That's all we are going to do. So basically, what this code is doing: this is the function, and this function will do nothing but send the request to this particular endpoint, capture the response, and print the response for us using print(response.text). I have created a list in which I am going to store all the threads, and I will start those threads, so all these threads will keep hitting localhost/uploads/demo.txt, and once we upload the file, if the file is actually getting uploaded, then before the server deletes that file we will access that file through this particular program.

Let's see whether it is working. Save it right over here, and let's store the output in some file. I'm going to run python3 demo.py; we're going to use a pipe so we can redirect all the output, and we're going to go with tee -a, and let's say output.txt. Hit enter and let's see what happens. As you can see, we are getting "Cannot GET /uploads/demo.txt". Let's see what happens if we upload the file right now. We have demo.txt; as you can see it is showing "try again". Let's send this multiple times; we are going to do this a few times, and that's it. Let's stop this for now. Here's the output.txt file; you can just cat output.txt. As you can see we have a lot of data over here, but how can we identify whether we were able to access that demo.txt or not? Because from here you may be thinking that the file was not uploaded.

Let's see how we can do it. We know that demo.txt contained "this is BePractical". Let's try to find this string in output.txt: if this string is present in output.txt, that means we were able to access that file on the server. Let's see: cat output.txt, -a, and let's paste the string in. Hit enter, and as you can see right over here we successfully hit that particular endpoint and successfully got the response, which proves that this file is actually getting saved on the server for a very little amount of time, and we were able to find it.

Since it is a txt file it doesn't have much impact, but think of it: if you have uploaded a PHP file, we may be able to get the internal configuration, let's say /etc/passwd; you may be able to get some sensitive information using that particular file. Even if we hit the endpoint only once, even if the file got deleted after hitting the endpoint once, we would still be able to do a bunch of more impactful and dangerous stuff on that server. So this is an example of how we can look for file upload vulnerabilities through race condition vulnerabilities. I hope that you have understood it.

Now let's see what the vulnerable part is, what the malicious code is that is actually allowing us to do this. Let me maximize it. Let's open index.js; this is the file, and this is the code right over here, from this line. We have this POST request on the /upload endpoint; as you can see we are hitting /upload. It is checking for the file and doing all the stuff: it is checking if the length is less than or equal to 2 and if the extension includes PNG. If it does, then it is sending the response "uploaded"; otherwise it is saying "try again" and then it is going to delete the file, as you can see over here. So the file got deleted, but even if the extension is in the blacklist, this function is still actually uploading the file on that particular server. The file is getting uploaded, and after that it is checked whether the extension contains .png or not; if it does, the file is allowed to stay on the server, otherwise it is deleting the file. So from here you can see the file is getting uploaded right over here and it is being deleted at this line, so we have quite an amount of time in which we can continuously send the request, and if we got a 200 OK, that means we were able to bypass it. So there is a very small duration of time between this upload and this delete, which allowed us to exploit the race condition vulnerability. I hope that you have understood it.

Feel free to let me know if you have any doubts or issues; I'll be happy to help you out. If you liked the video then make sure to hit the like button, and if you have any doubts, let me know in the comment section. If you are interested in cyber security as well as web development, then go ahead and join our Telegram channel, in which we discuss a lot of cool stuff related to cyber security and web development; the link is showing right over here, and you can also click on the link given in the description. Also, if you like the way I teach, I am currently running two courses. The first one is Hacking Windows with Python, in which you are going to learn how hackers create their own custom malware that can be used to bypass any antivirus, that can execute system commands, and that can do a bunch of cool stuff. The second course, which I am continuing, is Bug Bounty: The Ultimate Guide, and account takeover, where you are going to learn how we can find web application misconfigurations that will allow us to take over anyone's account; because of the website misconfigurations we are going to break the logic of applications. Both of these courses are fully practically demonstrated, so you can go ahead and check them out; the link is also given in the description. I hope that once again you have understood it; please let me know your doubts, and with that being said, keep learning and thanks for watching.
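The save-then-check race described in the captions, reproduced in-process as an added example (this is not the video's lab code or its demo.py): vulnerable_upload mirrors the index.js ordering described above (write the file into the served uploads directory first, check the extension afterwards, delete on failure), race_for_file is a pool of reader threads that poll the target path the way the video's demo.py polls /uploads/demo.txt, and hardened_upload shows the fix, validating extension and PNG magic bytes before anything is written into the served directory. Everything here is an assumption made for the simulation: reading the file from disk stands in for the HTTP GET, the 50 ms time.sleep stands in for whatever the real handler does between save and check, the endswith(".png") test approximates the lab's "includes PNG" check, the staging directory, the file names and the marker string "this is BePractical" are constructed.

```python
import os
import tempfile
import threading
import time

# Added example, not the video's lab code: simulates the save-then-check race
# on a local directory instead of over HTTP.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def vulnerable_upload(upload_dir, filename, data, window=0.05):
    """Mirrors the index.js ordering described in the video: the file lands in
    the served uploads directory first, the extension is checked afterwards,
    and a rejected file is deleted only after it was already reachable."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    # Assumed stand-in for the time the real handler spends between save and
    # check; any non-zero gap is a window a reader can land in.
    time.sleep(window)
    if filename.lower().endswith(".png"):  # approximation of the lab's check
        return "uploaded"
    os.remove(path)
    return "try again"


def hardened_upload(upload_dir, filename, data):
    """Validate before anything reaches the served directory: extension and
    PNG magic bytes are checked in memory, the file is staged in a sibling
    'staging' directory (assumed layout), and only a file that passed every
    check is atomically renamed into the served path."""
    base = os.path.basename(filename)  # also drops any ../ traversal prefix
    name, ext = os.path.splitext(base)
    if not name or ext.lower() != ".png" or not data.startswith(PNG_MAGIC):
        return "try again"  # nothing was written anywhere
    staging = os.path.join(os.path.dirname(os.path.abspath(upload_dir)), "staging")
    os.makedirs(staging, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=staging)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, os.path.join(upload_dir, base))  # atomic, never half-written
    return "uploaded"


def race_for_file(upload_dir, target, marker, upload_fn, attempts=5, readers=8):
    """Hammer the target path from several threads while the upload handler
    runs, the way demo.py in the video hammers /uploads/demo.txt. Returns
    (marker_seen, handler_verdicts); marker_seen is True if any reader
    observed the rejected file's content, i.e. the bypass worked."""
    path = os.path.join(upload_dir, target)
    seen = threading.Event()
    stop = threading.Event()

    def reader():
        while not stop.is_set():
            try:
                with open(path, "rb") as fh:
                    if marker in fh.read():  # the grep from the video
                        seen.set()
            except FileNotFoundError:
                pass  # equivalent of the "Cannot GET" responses in the video

    threads = [threading.Thread(target=reader, daemon=True) for _ in range(readers)]
    for t in threads:
        t.start()
    verdicts = []
    for _ in range(attempts):  # the repeated "try again" uploads from Repeater
        verdicts.append(upload_fn(upload_dir, target, marker))
    stop.set()
    for t in threads:
        t.join()
    return seen.is_set(), verdicts


def run_demo(upload_fn, marker=b"this is BePractical"):
    """Race one handler against the reader pool in a throwaway uploads
    directory. The marker is the constructed content of the rejected file."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        hit, verdicts = race_for_file(uploads, "demo.txt", marker, upload_fn)
        leftover = os.path.exists(os.path.join(uploads, "demo.txt"))
    return {"observed": hit, "verdicts": verdicts, "leftover": leftover}


def valid_png_round_trip():
    """Sanity check that the hardened handler still accepts a real PNG header
    and that a traversal-style name is reduced to its basename."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        verdict = hardened_upload(uploads, "../../evil.png", PNG_MAGIC + b"\x00" * 16)
        return verdict, sorted(os.listdir(uploads))


if __name__ == "__main__":
    for fn in (vulnerable_upload, hardened_upload):
        print(fn.__name__, run_demo(fn))
    print(valid_png_round_trip())
```

Against vulnerable_upload every upload is answered with "try again" and nothing is left on disk afterwards, exactly what the lab showed in Repeater, yet the readers still observe the marker, because the rejected file was live in the served directory during the window. Against hardened_upload the readers never see it: the rejection happens before any write, so there is no window to race, however many threads are thrown at it. To run the same check against a real target, replace the reader's open/read with an HTTP GET of the upload URL, as the video's demo.py does, and keep the marker search as the success signal.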
Info
Channel: BePractical
Views: 6,048
Id: GdWZPCJ4Smw
Length: 15min 14sec (914 seconds)
Published: Sun Jun 11 2023