Level 4: MIME content type verification bypass

Let’s move on to Level 4. 

In this section, if we try to upload our previous file, we receive the following error, which means, we can only upload the .gif file extension.

Every document or file has a valid MIME type, which is an identifier consisting of two parts, a type, and a subtype, separated by a forward slash. Web developers, at times, rely on the MIME type of the uploaded file to verify whether it's a safe file or not. For an image upload application, the allowed MIME types can be image/jpeg, image/gif, and image/png. 

The following PHP code only allows GIF files by verifying the file's MIME type during the upload process:

<?php

if($_FILES['uploadedfile']['type'] != "image/gif") {

if(isset($_FILES['uploadedfile'])){echo "Sorry, GIF only!";}

  exit;

}

$uploaddir = 'uploads/';

  $uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);

if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {

  echo "File is valid, and was successfully uploaded.\n";

  } else {

echo "File uploading failed.\n";

}

?>

<?php 

if($uploadfile!= '') { echo "<a href=\"$uploadfile\">Uploaded</a>"; } 

?>

Let’s try to upload this file(phpinfo.php) after changing its file extension to gif. 

Now, let’s try to upload it again. 

As you can notice, the upload was successful. 

Let’s try to open this link. 

The upload was successful, but the uploaded file not running as a PHP file, as the file acts as a gif file. We can bypass this check by simply changing the MIME type through an intercepting Proxy. 

Launch Burp Suite from the application menu.

Tap on the Proxy tab, and turn on intercepting mode. 

Now, go back to the Firefox browser and change the proxy setting to Burp suite using the Foxy Proxy extension.

Now, let's try to upload the gif file again. Once, we click on the upload button, we will automatically intercept HTTP headers.

Here, we will have to change the file name to .php extension. 

If you have noticed, the MIME-type is an image and the subtype is a gif. 

Once we forward the headers, we will receive a successful upload message. Since, this time, the MIME type matches one of the image file's MIME types, we successfully bypassed this check and uploaded the file to the server.

As you can notice, we have received the successful upload message. Once uploaded, open the UPLOADED link in another tab.

Look at that! Our PHP code ran on the server successfully. This payload was benign and only intended for testing.