Mime Type Exploiting
By: e_D
Website: http://penguin-skills.com

Introduction
I will not lie to the reader of this article. This is a somewhat advanced exploiting method I will be discussing here, and it will require some programming knowledge. If you have no programming experience I recommend you first learn C++ or Microsoft Visual Basic. I would also recommend that you have a solid knowledge of PHP or ASP and their functions for file uploading. If you would like to learn how PHP file uploading works, see the PHP manual's section on handling file uploads. If you already have a knowledge of this, please continue reading this article on MIME type exploiting, also known as file upload exploiting.

Basic Understanding of File Uploading
I will do a brief overview of file uploading in PHP, since that is the server-side language I will be using for examples throughout this article. When a web page offers an option to upload a file of any type, there is also a script on the server side which reads certain information about the file and decides whether it should be uploaded to the server or not. I will only cover the file type check, because that is all we will be using for this exploiting method, but this type of exploiting can apply to other fields of file uploading. An example PHP script that uses MIME types to decide whether a file should be uploaded would look something like this:
<?php
// The vulnerable check: it trusts the MIME type the browser declared for the file
if ($_FILES['fileload']['type'] == 'audio/mpeg') {
    // upload file code: move the temporary file into the uploads directory
    move_uploaded_file($_FILES['fileload']['tmp_name'],
                       'uploads/' . basename($_FILES['fileload']['name']));
} else {
    die("You cannot upload this type of file.");
}
?>
This would be the example source code of a script that only allows a user to upload movies and sound files to the server. The string audio/mpeg is the MIME type for movies and audio files that the browser sends to the server to describe the file.

Understanding How To Exploit Mimes
In the last section I told you that the MIME type is sent to the server by the browser so that the script on the server can determine whether it is the correct type of file or not. This is a simple solution many webmasters use to determine if it is the right file type, because literally looking at the file name's extension and determining whether it matches all known file types for MP3s or movies would take quite a while to code: you would first have to find all known extensions that are used for MP3s and videos, such as:
avi
mpg
mpeg
asf
mp3
wmv
wav
You can see how this list could be enormous and take quite a while for a coder to compile, not to mention the code that checks the file's extension to see if it matches any of them. This is where sloppy coding can cause a major security hole in web applications that allow you to upload a file from your web browser.

Now you must remember that any information sent can easily be read with a packet sniffer (AnalogX's PacketMon is a good one), and that Internet Explorer is not the only web browser that exists; you must also remember, when exploiting anything, that Microsoft does NOT own the internet or its protocols. If you sniff the packets while uploading a file, you will notice that the MIME type (audio/mpeg in the above example) is provided in the data sent; otherwise, how would the server's script be able to read it? The problem with this is that, since I can easily sniff the packets and learn how the protocol works, I could just as easily write my own program to upload a file using a website's script. Herein lies our security issue: a MIME type can be faked.

Let's assume that I built a simple program that let me set my own MIME type and upload any file, just by providing the MIME type I wanted to use and the link to the web server's PHP script. I could then upload an HTML, PHP or ASP file and fake the MIME type by setting it to audio/mpeg, or whatever the MIME type is for the file types they allow you to upload. The script on the server would simply check the MIME type field, which would be audio/mpeg, see that the file's MIME type is correct, and accept the file I selected, whether it is an HTML file, an exe file, a zip file, or any other type of file that could be used to harm a server.
I have yet to look, but I am sure there are many sources available that will allow you to upload files using a website's file upload script, and with a few modifications to let you set your own MIME type when uploading the file you can easily turn this into an exploiting tool. Now you can upload a file, but that is not really of much use on its own, because you want to actually get inside the server! Keep reading and I will explain how this can be done.

After Mime Exploiting, What Can Be Done?
This part of the article not only applies to MIME exploiting; it also applies to any situation where you can remotely upload any type of file you want, such as when you exploit Microsoft FrontPage Extensions. First, you will need to create a PHP file that will do your dirty work for you. If you look into some functions at php.net you can find many different things that would be useful in this situation. The first PHP file you upload would probably need to contain phpinfo();. This function displays all the information about the PHP settings on the server, so you can figure out which functions you can use in your PHP script and which you cannot. If you are lucky you will find a server which allows you to use exec(); or something of the sort to run commands on the server or execute programs. Once you have found the functions you need and checked that they are allowed on the server, you can write your PHP script to do whatever you would like, upload it using a fake MIME type, and go to it in your web browser. Some of you may be wondering how you can run a program on the server; this requires two steps:
1. Upload the exe you wish to run on the server, using a fake MIME type.
2. Create a PHP script that executes the exe on the server.
That's it! You can also use other things like fwrite or fopen, or some of the directory functions in PHP, to browse the entire server or do whatever you like. If you want to really get into it, you can make one large script that lets you modify files in any way and browse the entire server, which would actually not be too difficult to create.
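The steps above only work if the host lets an uploaded script call exec() or phpinfo() and serves the upload directory from the web root. The following self-check, added here as an example and not part of the original article, reports those conditions for a PHP installation. The function names, the list of checked functions and the two sample paths are assumptions made for this example.

```php
<?php
// Added example, not from the original article: a self-check for a PHP host
// against the article's post-upload steps (phpinfo() to learn the settings,
// exec() to run programs, an uploaded .php reached through the browser).
// The function list, names and sample paths are this example's own choices.

// Functions an uploaded script would use to run programs or inspect the host.
const RISKY_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', 'phpinfo'];

// Turn php.ini's comma-separated disable_functions value into a lookup set.
function parseDisabledFunctions(string $ini): array
{
    $set = [];
    foreach (explode(',', $ini) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $set[$name] = true;
        }
    }
    return $set;
}

// Pure check so it can be run against any settings: returns which risky
// functions remain callable, whether open_basedir confines the script, and
// whether the upload directory sits inside the document root (where an
// uploaded .php file is executed simply by requesting its URL).
function uploadRiskReport(string $disableFunctions, string $openBasedir, string $uploadDir, string $docRoot): array
{
    $disabled = parseDisabledFunctions($disableFunctions);
    $stillEnabled = [];
    foreach (RISKY_FUNCTIONS as $fn) {
        if (!isset($disabled[$fn])) {
            $stillEnabled[] = $fn;
        }
    }
    $root = rtrim($docRoot, '/') . '/';
    $dir  = rtrim($uploadDir, '/') . '/';
    return [
        'still_enabled'         => $stillEnabled,
        'open_basedir_set'      => $openBasedir !== '',
        'upload_dir_in_webroot' => strncmp($dir, $root, strlen($root)) === 0,
    ];
}

// Live values from this interpreter; the two paths are constructed for the demo.
$report = uploadRiskReport(
    (string) ini_get('disable_functions'),
    (string) ini_get('open_basedir'),
    '/var/www/html/uploads',                 // constructed: upload dir under the web root
    '/var/www/html'                          // constructed: document root
);
foreach ($report as $key => $value) {
    printf("%-22s %s\n", $key, is_array($value) ? (implode(',', $value) ?: '(none)') : ($value ? 'yes' : 'no'));
}
```

A host that passes this check has disable_functions covering the listed functions, an open_basedir set, and uploads stored outside the document root (or in a directory the web server is configured not to execute PHP from); each of those on its own limits what an uploaded script can do even when the upload check itself has been bypassed.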

Conclusion
In conclusion I really have nothing to say except that I think this is a huge security issue that many PHP coders overlook when writing a file upload. File uploads are used in everything from forum avatars to free web hosts, and I am sure many of these scripts contain this flaw. To protect your scripts from this type of attack there is no way around it but to check the file extension instead of using the MIME type. Enjoy.
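As an added example (not from the original article, and not code the author published), here is a hardened version of the upload check from the "Basic Understanding of File Uploading" section that applies the conclusion's advice. It never reads the browser-declared type that the sniffing section showed to be client-controlled, checks the extension against an allowlist, and additionally compares the file's leading bytes with what that extension should contain, since the file name arrives in the same client-controlled request as the MIME type. All function names, the allowlist and the constructed sample byte strings are assumptions made for this example.

```php
<?php
// Added example, not from the original article: a hardened upload check.
// The browser-declared type ($_FILES[...]['type']) is never consulted; the
// extension is checked against an allowlist and the file's first bytes must
// match a container that extension can legitimately hold. Function names,
// the allowlist and the constructed sample bytes are this example's choices.

// Extensions the article lists as typical for a media upload form.
const ALLOWED_EXTENSIONS = ['avi', 'mpg', 'mpeg', 'asf', 'mp3', 'wmv', 'wav'];

// Identify the container from the file's leading bytes ("magic numbers").
// Returns a short label for a recognised format, or null for anything else.
function sniffMediaType(string $head): ?string
{
    if (strlen($head) < 12) {
        return null;
    }
    if (substr($head, 0, 4) === 'RIFF') {               // RIFF: WAV and AVI share it
        $form = substr($head, 8, 4);
        if ($form === 'WAVE') return 'wav';
        if ($form === 'AVI ') return 'avi';
        return null;
    }
    if (substr($head, 0, 3) === 'ID3') {                // MP3 starting with an ID3v2 tag
        return 'mp3';
    }
    if (ord($head[0]) === 0xFF && (ord($head[1]) & 0xE0) === 0xE0) {
        return 'mp3';                                   // raw MPEG audio frame sync
    }
    $four = substr($head, 0, 4);
    if ($four === "\x00\x00\x01\xBA" || $four === "\x00\x00\x01\xB3") {
        return 'mpg';                                   // MPEG program stream / video
    }
    if ($four === "\x30\x26\xB2\x75") {                 // ASF header object GUID
        return 'asf';                                   // used by both .asf and .wmv
    }
    return null;
}

// Which sniffed label is consistent with each allowed extension.
function extensionMatchesContent(string $ext, string $sniffed): bool
{
    $compatible = [
        'mp3' => ['mp3'], 'wav' => ['wav'], 'avi' => ['avi'],
        'mpg' => ['mpg'], 'mpeg' => ['mpg'], 'asf' => ['asf'], 'wmv' => ['asf'],
    ];
    return in_array($sniffed, $compatible[$ext] ?? [], true);
}

// Decide whether an upload is acceptable. $clientName is the name the browser
// supplied and $head the first bytes read from the temp file. The declared
// MIME type is deliberately not a parameter: it is attacker-controlled.
function validateUpload(string $clientName, string $head): array
{
    // Only the final extension counts, so "x.php.mp3" passes this step; the
    // content check below is what actually rejects it.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed", 'storeAs' => null];
    }
    $sniffed = sniffMediaType($head);
    if ($sniffed === null || !extensionMatchesContent($ext, $sniffed)) {
        return ['ok' => false, 'reason' => "content is not a valid .$ext file", 'storeAs' => null];
    }
    // Never keep the client's file name: store under a random name with the vetted extension.
    return ['ok' => true, 'reason' => 'accepted', 'storeAs' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// In a real handler (upload directory outside the web root, never executable):
//   $head = file_get_contents($_FILES['fileload']['tmp_name'], false, null, 0, 16);
//   $v = validateUpload($_FILES['fileload']['name'], $head);
//   $v['ok'] ? move_uploaded_file($_FILES['fileload']['tmp_name'], '/var/uploads/' . $v['storeAs'])
//            : die($v['reason']);

// Constructed sample inputs (not real uploads) exercising each decision path.
$cases = [
    ['song.mp3',      "ID3\x04\x00\x00\x00\x00\x00\x00\xFF\xFB\x90\x00"],  // genuine-looking MP3
    ['clip.wav',      "RIFF\x24\x08\x00\x00WAVEfmt \x10\x00\x00\x00"],      // genuine-looking WAV
    ['info.php',      "<?php phpinfo(); ?>"],                               // extension not allowed
    ['info.php.mp3',  "<?php phpinfo(); ?>"],                               // allowed extension, PHP content
    ['movie.avi',     "RIFF\x24\x08\x00\x00WAVEfmt \x10\x00\x00\x00"],      // WAV bytes under an .avi name
];
foreach ($cases as [$name, $bytes]) {
    $v = validateUpload($name, $bytes);
    printf("%-14s %s (%s)\n", $name, $v['ok'] ? 'ACCEPT' : 'REJECT', $v['reason']);
}
```

Running it accepts the first two cases and rejects the other three. The extension allowlist alone would have let "info.php.mp3" through, which is why the content check and the random server-side file name are kept even though the conclusion's extension check is the first line of defence; the sniffer only needs to recognise the formats on the allowlist, so anything it does not recognise is rejected rather than guessed at.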