7.1 File Upload Vulnerability
Last updated
Last updated
File Upload Vulnerability also know as Arbitrary File Upload is a type of security flaw in web app that allows an attacker to upload and execute malicious files on a web server.
In this case an attacker identifies the file upload functionality in the target app and attempts to upload a malicious file (malicious code, scripts, shell, malware).
As the same, the vulnerability arises when the app fails to validate and secure the uploaded files, not restricting the scope of files extensions permitted.
This can have a dangerous impact, including unauthorized access to sensitive data, server compromise and complete system control.
To start we need to find a file upload functionality in a web app page, we can use tools such as: dirboster, gobuster, wefuzz, etc..
If there's a file upload function we can try to upload a file, and capture request using burp suite to understand very well the process.
Of course if we can upload 'malicious' file to obtain access (e.g. php file) we've just win, but if a web app as a minimum of security design there's an extension filters condition to prevent upload of undesidered file extensions.
in this case we can only to upload JPG, PNG and BMP file extensions, then we can upload a .php file and capture request via Burp Suite.
Of course, we received again an upload error, but via Burp Suite we can change this request parameter: filename="shell.php" to "shell.jpg" and keep unaltered the Content-Type (that contains php) and forward request.
With this solution in a bad web app we can bypass file upload extension filters.
To execute file uploaded we need to indicate into URL the original file name with the .jpg extension, and consequently add / with file with .php extension (shell.jpg/shell.php)
It's possible that an upload form permit you to upload a .php file but interpretate it as data file without execution of php code, infact if we try to open it browser will display php code).
In this case, we can investigate with Burp Suite capturing the upload POST request and we see that there's X-Powered-By: PHP/5.5.9-lubuntu4.25
Then, we can solve this matter uploading a different file php, checking on this website
Remember, that in Kali Linux there're PHP webshells ready for use usally into location /usr/share/webshells/php and we can upload simple-backdoor.php and get remote code execution via browser
or use a reverse shell via php-reverse-shell.php file and modify the content change attacker IP and attacker port in listening with netcat.
In addition, we can use Burp Suite Intruder to brute force file extensions and nderstand which extensions are allowed or not.
When there's a website that use a cms as WordPress, we can try to analyze it using wpscan: wpscan --url <website>
if in the scan result we discover a plugin called: wpstorecart.
In some versions of wpStoreCart (2.5.27-2.5.29), there might be an insecure implementation of file upload features. This can happen if the plugin does not properly validate or sanitize the files being uploaded by users.
Using this exploit we can upload arbitrary malicious file (backdoor, reverse shell, etc).
In the case of reverse shell it's possible to use netcat or another great tool called: weevely, following these steps:
Generate new agent -> weevely generate password ~/Desktop/login.php
(login.php is the same filename present into script)
Execute exploit -> php -f exploit.php
Take in listening -> weevely <website url>
Execute login on the upload page clicking on /wp-content/uploads/wpstorecart/login.php
We obtain shell session on weevely
In alternative, we can upload it using curl -F "Filedata=@./test.php" <website url /wp-content/uploads/wpstorecart/login.php
and execute weevely.