Published in Ax1al

A glimpse of unrestricted File Upload


As we all already know, file upload is a feature of any web application that lets the client transfer a file from their end to the server side. To upload data, the client opens a connection to the server and typically sends an HTTP POST (or GET) request containing the data to be uploaded; the server knows how to handle the incoming request and where to store the data. As usual, though, file upload features are one of the most significant risks to an application. An attacker first looks for a way to place malicious code on the system to be attacked, then finds some way to get that code executed and takes the action the attack was meant for.

The consequences of unrestricted file upload in a web application range from complete server takeover to simple client-side attacks. This depends entirely on the attacker's mindset and on how the server handles the file upload feature. The attacks that result from unrestricted file upload are of two types: (1) the file's metadata, which is encoded and transferred with the upload request, evades the firewall and performs an unintended action once the file is placed on the server; (2) the file content itself, which may be a simple image or malware intended for some suspicious activity on the server side.

Attack Scenarios:

I will demonstrate how the unrestricted file upload vulnerability can be leveraged using Damn Vulnerable Web Application (DVWA), an application built for practising all of these attack scenarios. If you don't know DVWA and want to try it on your own system, here is the original link: www.dvwa.co.uk

Low-Level Security:

You will find this upload feature once you log in to DVWA (the default credentials are admin:password). Here the application allows any file to be uploaded, but how do we verify that?

<div class="vulnerable_code_area">
<form enctype="multipart/form-data" action="#" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose an image to upload:
<br />
<!-- no accept attribute: nothing restricts the file type on the client side -->
<input name="uploaded" type="file" /><br />
<br />
<input type="submit" name="Upload" value="Upload" />
</form>
</div>

This is the markup responsible for the file upload. You can see a file input tag (name "uploaded", submitted by the "Upload" button), but the tag has no accept attribute, which is what would list the whitelisted file extensions and provide client-side validation.

Since DVWA is built with PHP and MySQL, the payload (the malicious code we are trying to place on the server) should be written in PHP as well.

<?php system($_GET['c']) ?>

This is a simple one-liner PHP payload that takes a GET parameter ‘c’ and passes it directly to the system() function, which executes system commands. Create a file with this content and save it with the extension .php. Now that you have the payload, upload this file to the application. After uploading we need to know the file path in order to execute or view the file; since DVWA is Damn Vulnerable, it returns the file location.

On visiting the URL you will see an error, because system() cannot execute an empty string as a command and you did not pass any GET parameter named ‘c’. Now append “?c=id” to the URL and you can see the command's output.

From here you can move on to getting a reverse shell or adding further files for later needs.

Medium-Level Security:

DVWA has three different security levels, which can be changed in its settings. At the medium level, the application has server-side validation enabled that allows only images.

You will see this error if you try to upload a file without an image extension. But since this is only the medium level, the approach is similar to the low level above: just change the extension of the above payload from php to “php.jpeg” or “php.png”. The application only checks the trailing file extension and does not verify it against the file header, which is what actually represents the file type. Once done you can upload the file and proceed as at the low level.

High-Level Security:

High-level security is very similar to the previous level: you can use the same payload to trick the application's server-side validation.

Detection & Remedies:

  • First of all, check whether the uploaded file can be accessed through a URL of the web application. If it can, check the Content-Type and Content-Disposition headers of the request and verify the file type and extension.
  • Keep uploaded files separate from the server's own files, for example in dedicated cloud storage or a service like an Amazon S3 bucket.
  • If the application accepts large or compressed files, have a separate method for handling decompression bombs, and enforce a size limit on uploaded files on both the client and the server side.
  • During upload, whitelist file extensions and allow only non-executable extensions.
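As an added example (not DVWA's or the author's code), here is a hardened PHP upload handler that applies the checks above to the DVWA form's "uploaded" field: it ignores the client-supplied Content-Type, sniffs the real type from the file header so that a payload saved as php.jpeg is rejected, re-encodes the image, caps the size on the server, and stores the file under a random name outside the web root. The storage path /var/uploads and the availability of the fileinfo and GD extensions are assumptions.

```php
<?php
// Added example (not DVWA code): hardened handler for the DVWA 'uploaded'
// field. Assumes the fileinfo and GD extensions, and that the web server
// does not serve anything from $storeDir (outside the web root).
declare(strict_types=1);

const MAX_BYTES = 100000;          // enforced server-side, not via MAX_FILE_SIZE
const ALLOWED = [                  // whitelisted extension => expected MIME type
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];
// Returns [true, stored path] or [false, reason].
function validateUpload(array $file, string $storeDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Only the final extension counts, so "payload.php.jpeg" passes this
    // check; that is why the header check below is mandatory.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, 'extension not allowed'];
    }
    // Sniff the real type from the file header; the request's Content-Type
    // is chosen by the client and is never trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return [false, "content is $mime, not " . ALLOWED[$ext]];
    }
    // Re-encode through GD: metadata (and any PHP hidden in it) is dropped,
    // and anything GD cannot decode is rejected.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return [false, 'not a decodable image'];
    }
    // Server-chosen random name; the client's filename never reaches disk.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = $ext === 'png' ? imagepng($img, $dest) : imagejpeg($img, $dest);
    imagedestroy($img);
    return $ok ? [true, $dest] : [false, 'could not write file'];
}

[$ok, $msg] = validateUpload($_FILES['uploaded'] ?? [], '/var/uploads');
echo $ok ? 'stored' : 'rejected: ' . htmlspecialchars($msg);
```

Serving the stored files back through a separate download endpoint (with a fixed Content-Type and a Content-Disposition: attachment header) keeps them from ever being executed or rendered in the application's origin.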

Till then happy hacking !!

Blog by Nerd of Axial. Join us at the Discord server.

Aravindha Hariharan

Secarmy Developer | CNSS | Cybersecurity Enthusiastic | CTF Player | InfoSec | Red-Hat Academy Student Ambassador |