Exploiting Unrestricted File Upload Vulnerabilities

Introduction:

File Upload: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.

Example: Consider a website “testsite.com” that has a feature where users can upload their profile pictures. Once the image was uploaded, that is processed by the website and then the image is rendered on the user profile. The uploaded image gets saved in folder i.e. /images(testsite.com/images/profile.jpeg) and clicking on the image can get the URL of the uploaded image. An attacker tries to upload a malicious file such as web shells. The content of the web shell looks like this.

<?php system($_GET[‘command’]);?>

Note: Shell is an interactive interface that helps the attacker to perform malicious tasks on the server.

The attacker saves this web shell as “profile.php” and then uploads this on “testsite.com” as a profile photo. Since there is no validation on the uploaded files, the “profile.php”, uploaded successfully. Attacker clicks on the uploaded shell and copied URL looks like this:

http://somesite.com/images/profile.php?command=<any command here>

By using URL, the attacker can now execute the commands on the server.

Exploit Scenario on live website:

There are multiple ways to bypass file upload vulnerability here I am explaining double extension functionality to bypass whitelisting of the file extensions.

Aim: Our aim is to upload a PHP shell and try to retrieve passwd file.Here is the main user interface where users can upload the image file that will be rendered on the page.

Image for post
Image for post

I uploaded a file “.png” extension and intercepted the traffic to check which type of validation application is using. It is clear from the following screenshot, that we can only upload .gif, .jpeg, .png extension.

Image for post
Image for post

Upon uploading a file it shows the path of the uploaded file on the next page.

Image for post
Image for post

After intercepting this request, we can see there are file name, content type mentioned in the request.

Image for post
Image for post

Now we try to upload PHP file i.e. “fupload.php” which is a PHP shell

Image for post
Image for post

After uploading PHP extension image, it showed me “Wrong file Extension” on page.

Therefore, above explanation it is clear that we have to upload any file which have “.jpg, .png, .gif “extension but content must be PHP. I try to upload file that has two extensions to bypass file upload vulnerability i.e. “fupload.php.png”.

Double Extension: Generally, a text file and image only have one extension, which comes after “.” symbol .These symbols helps us to recognize type of file. If any file have two symbol like “test.txt.php”, so from last extension, we can recognize type of file.

This file fulfill our two purpose :-

· This file has PHP code, which can easily fetch files with the provided inputs. Code inside this file look like:

<?php

$p = $_GET[‘p’];

$o= shell_exec(‘cat ‘.$p);

echo $o;

?>

· By giving “.png” extension we can able to bypass “wrong file extension“.

Now we try to upload it.

Image for post
Image for post

Now as I checked the request in burp.

Image for post
Image for post

Therefore, after forwarding the request we got the message “File uploaded” with the file path.

Image for post
Image for post

Then I clicked on link, as according to PHP shell I update the link to fetch the credentials

Image for post
Image for post

Note: For more details of LFI, please check my previous blog.

By using double extension technique, we can upload malicious files or bypass file upload functionality.

Preventive Measures /mitigation

· Enforce a whitelist of accepted, non-executable file extensions.

· The application should perform filtering and content checks with a whitelist filter on files uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users.

Uploaded directory should not have any “execute” permission and all the script handlers should be removed from these directories.

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store