Exploiting Unrestricted File Upload Vulnerabilities

Gupta Bless
4 min read · Jul 25, 2020

Introduction:

File Upload: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.

Example: Consider a website “testsite.com” that has a feature where users can upload their profile pictures. Once an image is uploaded, the website processes it and renders it on the user's profile. The uploaded image is saved in a folder, i.e. /images (testsite.com/images/profile.jpeg), and clicking on the image reveals the URL of the uploaded file. An attacker tries to upload a malicious file such as a web shell. The content of the web shell looks like this:

<?php system($_GET['command']);?>

Note: A shell is an interactive interface that helps the attacker perform malicious tasks on the server.

The attacker saves this web shell as “profile.php” and then uploads it to “testsite.com” as a profile photo. Since there is no validation of uploaded files, “profile.php” uploads successfully. The attacker clicks on the uploaded shell, and the copied URL looks like this:

http://testsite.com/images/profile.php?command=<any command here>

Using this URL, the attacker can now execute commands on the server.
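The validation that the scenario above says is missing can be sketched as follows. This is an added example, not code from the original article or from any real site; the function name check_upload, the size limit and the sample byte strings are assumptions made for illustration.

```python
import os
import secrets

# Allowlist: leading magic bytes -> extension the server assigns on disk.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
ALLOWED_CLIENT_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for a profile picture


def check_upload(client_name: str, data: bytes):
    """Return (True, stored_name) for an acceptable image, else (False, reason)."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    # 1. The client-supplied extension must be on the allowlist.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_CLIENT_EXTS:
        return False, f"extension {ext!r} not allowed"
    # 2. The content must begin with a known image signature.
    stored_ext = next(
        (e for magic, e in IMAGE_SIGNATURES.items() if data.startswith(magic)), None
    )
    if stored_ext is None:
        return False, "content is not a recognised image"
    # 3. Defence in depth: refuse script open tags hidden after a valid header.
    #    Re-encoding the image server-side is the stronger control.
    if b"<?php" in data.lower():
        return False, "embedded script tag"
    # 4. The name on disk is generated by the server; nothing from the
    #    client-supplied name survives, and the extension follows the content.
    return True, secrets.token_hex(16) + stored_ext


# Constructed sample inputs (not real uploads).
WEB_SHELL = b"<?php system($_GET['command']);?>"
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, body in [
        ("profile.php", WEB_SHELL),    # the upload from the scenario above
        ("profile.jpeg", WEB_SHELL),   # same content, renamed
        ("profile.jpeg", JPEG_BYTES),  # a genuine-looking image
        ("profile.jpeg", JPEG_BYTES + WEB_SHELL),  # script after a valid header
    ]:
        print(name, "->", check_upload(name, body))
```

These checks belong alongside server configuration that does not execute scripts from the upload directory, or storage outside the web root, so that a file that slips through is still served as static data.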

Exploit Scenario on live website:

There are multiple ways to bypass file upload vulnerability; here I am explaining double…
