O Allah, send Your prayers, peace and blessings upon our Prophet Muhammad

O Allah, grant honour to Islam and the Muslims

Hi, I'm Kareem, a Security Researcher.

Introduction

During my security testing, I identified a vulnerability in a file upload feature that could lead to arbitrary file upload and server-side code execution.

The application allowed users to upload files and enforced restrictions on certain extensions, notably blocking .php files. However, the validation was not properly implemented, which made it possible to bypass these restrictions by combining an alternative extension with a forged file header.

Vulnerability Overview

The upload functionality relied on weak file extension validation and did not properly inspect file content. While direct .php uploads were blocked, other executable formats like .phar were not restricted.

Additionally, the server accepted files based on magic bytes rather than strictly validating file structure.

Reproduction Steps

  1. Navigate to the file upload functionality.
  2. Attempt to upload a .php file; it gets rejected.
  3. Rename the file extension to .phar.
  4. Prepare a payload that includes valid magic bytes to bypass file type validation.

payload:

GIF8<?php system($_GET['cmd']); ?>

Why This Works

  • GIF8 acts as a magic header, tricking the server into recognizing the file as a valid image.
  • The .phar extension bypasses restrictions applied only to .php.
  • The server does not properly sanitize or restrict execution of uploaded files.

Exploitation

Once the file is successfully uploaded, it can be accessed via its public path:

https://target.com/uploads/shell.phar?cmd=id

This allows execution of arbitrary system commands.


Result

  • The upload is accepted despite containing PHP code.
  • The server executes the embedded PHP payload.
  • Full command execution is achieved.

Impact

This vulnerability can lead to:

  • Remote Code Execution (RCE)
  • Full server compromise
  • Data exfiltration
  • Privilege escalation
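The three weaknesses listed under "Why This Works" (denylist on .php only, trust in the GIF8 magic bytes, client-controlled file name) each have a direct fix. The following is an added example of a server-side validator written for this writeup, not code from the affected application: it allowlists the extension, walks the full GIF block structure instead of checking the first bytes, and assigns a server-generated storage name. The sample inputs (a minimal 1x1 GIF and the magic-bytes-only payload from above) are constructed.

```python
import os
import secrets
ALLOWED_EXTENSIONS = {"gif"}      # allowlist: .php, .phar, .phtml, ... never match

# Constructed sample inputs: a minimal valid 1x1 GIF, and the magic-bytes-only payload from the writeup.
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"          # header + logical screen descriptor
               b"\x00\x00\x00\xff\xff\xff"                    # global colour table, 2 entries
               b"\x21\xf9\x04\x01\x00\x00\x00\x00"            # graphic control extension
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
               b"\x02\x02\x44\x01\x00\x3b")                   # LZW min code size, image data, trailer
MAGIC_ONLY_PAYLOAD = b"GIF8<?php system($_GET['cmd']); ?>"

def extension_allowed(filename: str) -> bool:
    """Allowlist the final extension; a denylist of .php alone is what let .phar through."""
    name = os.path.basename(filename)
    if "." not in name or name.startswith("."):
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS

def is_well_formed_gif(data: bytes) -> bool:
    """Walk the whole GIF block structure instead of trusting the leading 'GIF8' bytes."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    try:
        pos = 13                                  # header (6) + logical screen descriptor (7)
        if data[10] & 0x80:                       # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while True:
            block, pos = data[pos], pos + 1
            if block == 0x3B:                     # trailer must be the very last byte
                return pos == len(data)
            if block == 0x2C:                     # image descriptor (9 bytes), local table, LZW size
                lflags, pos = data[pos + 8], pos + 9
                if lflags & 0x80:
                    pos += 3 * (2 << (lflags & 0x07))
                pos += 1
            elif block == 0x21:                   # extension: one label byte, then sub-blocks
                pos += 1
            else:
                return False
            while (n := data[pos]) != 0:          # length-prefixed sub-blocks, zero-length terminator
                pos += n + 1
            pos += 1
    except IndexError:                            # ran off the end: truncated or not a GIF at all
        return False

def accept_upload(filename: str, data: bytes):
    """Return a server-chosen storage name, or None when the upload must be rejected."""
    if not extension_allowed(filename) or not is_well_formed_gif(data):
        return None
    return secrets.token_hex(16) + ".gif"         # never reuse the client-supplied name
```

Even with this check, the upload directory should be served without a PHP handler (or from outside the web root), so that a file which does slip through is never handed to the interpreter.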