Techniques

almandin edited this page Oct 11, 2017 · 3 revisions

Fuxploider is able to use the following techniques to bypass server-side file type checks:

  • Double extension: fuxploider sends the payload with several extensions joined by dots. This can bypass poor filename-parsing code that decides which extensions to accept or refuse.
  • MIME type tampering: fuxploider sends different MIME types along with the file to check for weak validation based on the claimed MIME type of the file.
  • Null byte poisoning and variants: fuxploider sends files using a URL-encoded null byte (%00) as a delimiter between the extension the server expects and the malicious one. Example: "filename.jpeg%00.php". Other variants exist for IIS6 servers, using a colon and a semicolon.
  • Case-sensitivity checks: fuxploider sends files with mixed-case extensions such as "pHp" or "pHP" to bypass poor black/white listing of extensions.
  • Alternative extensions: fuxploider sends files using different extensions that are easily forgotten when building lists of forbidden extensions. For instance, blacklisting the php extension is not enough, even when every case combination of it is blacklisted, because servers interpret any of the following extensions as PHP: php1, php2, php3, php4, php5, phtml, pht and others.
  • getimagesize() bypass: fuxploider tries to upload GIF and JPEG files with malicious code in the comment section of the file, sending a valid image and the payload at once and defeating getimagesize()-like checks.
  • Any combination of the previous: this is where fuxploider becomes interesting. It tests the entire set of combinations of the previous techniques.
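The list above is exactly the set of weaknesses an upload handler has to close at once: a check that blocks one trick but not the others will be found by the combination step. The following validator is an added example (not fuxploider's code, and not taken from any particular project) showing one way to handle every listed technique on the server side. It assumes an image-only upload endpoint, so the allowed extensions, the MIME mapping and the magic-byte table are assumptions for that scenario; the sample filenames used in the comments are the ones quoted on this page.

```python
import os
import secrets
import urllib.parse

# Allowlist of what the endpoint actually needs (assumption: an image upload).
# A denylist of php/php3/phtml/pht/... can never be complete; an allowlist can.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
EXT_TO_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "gif": "image/gif", "png": "image/png"}
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n"}


def validate_upload(filename: str, claimed_mime: str, data: bytes) -> tuple:
    """Return (True, extension) for an acceptable upload, else (False, reason).

    Neither the filename nor the Content-Type header is trusted on its own:
    each must agree with the others and with the file's leading bytes.
    """
    # Decode once so "%00" becomes a real NUL, then refuse control characters
    # and the ':' / ';' delimiters ("filename.jpeg%00.php" and the IIS6 variants).
    name = urllib.parse.unquote(filename)
    if any(ord(c) < 0x20 or c == "\x7f" for c in name) or ":" in name or ";" in name:
        return False, "forbidden character in filename"

    # Keep only the base name so path components cannot steer where the file lands.
    name = os.path.basename(name.replace("\\", "/"))

    # Split on the LAST dot: "a.jpg.php" has extension "php", not "jpg"
    # (double extension). The stem is discarded later anyway.
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return False, "missing extension"

    # "pHp", "PHP" and "php" are the same extension (case-sensitivity checks).
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"

    # The client's Content-Type is a claim, not evidence (MIME type tampering):
    # it must match the extension, and the bytes must match both.
    if claimed_mime.split(";")[0].strip().lower() != EXT_TO_MIME[ext]:
        return False, "content-type does not match extension"
    if not data.startswith(MAGIC[ext]):
        return False, "file signature does not match extension"

    # Cheap heuristic for a script hidden in image metadata (getimagesize() bypass).
    # A valid header plus a payload in a comment block passes every check above, so
    # this is defence in depth only: the real mitigation is to re-encode the image
    # and to store uploads where the web server never executes anything.
    if b"<?php" in data:
        return False, "script marker found in image data"

    return True, ext


def storage_name(ext: str) -> str:
    """Server-chosen name: the client's stem never reaches the filesystem, so any
    dots or delimiters it carried are irrelevant to how the file is later served."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a JPEG header, and a GIF whose comment block
    # (0x21 0xFE) carries a PHP open tag.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF"
    gif_with_comment = b"GIF89a\x01\x00\x01\x00\x00\x00\x00!\xfe\x05<?php\x00;"
    for fname, mime, body in [
        ("filename.jpeg%00.php", "image/jpeg", jpeg),
        ("shell.pHp", "image/jpeg", jpeg),
        ("shell.phtml", "image/jpeg", jpeg),
        ("shell.php.jpg", "image/jpeg", jpeg),
        ("photo.jpg", "application/x-php", jpeg),
        ("cat.gif", "image/gif", gif_with_comment),
    ]:
        print(fname, mime, validate_upload(fname, mime, body))
```

Note that "shell.php.jpg" is accepted: once the stored name is replaced by `storage_name()`, the original stem cannot influence handler selection on the web server. The `<?php` scan is deliberately the last and weakest check; the page's getimagesize() bypass is precisely the case that survives header and signature validation, which is why the comment points to re-encoding and a non-executing storage location instead.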
