HPT-Intern-Task-Submission/File-Upload-Vulnerability
File Upload Vulnerability

As more and more websites are created, more attack surfaces are exposed to attackers. File upload vulnerabilities are a typical example.

What is a File Upload Vulnerability?

A File Upload Vulnerability is a server-side bug that allows attackers to upload malicious files onto the server by abusing weak input validation. In the worst case, an attacker can upload a web shell that lets them execute commands remotely. In this article, I will talk about some techniques pentesters use to test for this bug, and analyze a CVE for demonstration. Without further ado, let's begin.

Common weak protections in file upload functions

1. File Upload by abusing the Content-type header

The Content-type header identifies the media type of the resource being sent. Because it is set by the client, it can be set to anything, yet there are cases where developers rely only on this header to validate the file type. For example, image files have MIME types such as image/jpeg, image/png or image/jpg. In this scenario, we can upload a PHP file called shell.php and change the Content-type header to image/jpeg. A more detailed lab is available on PortSwigger: Click here

account-screen

On the account page, there is an upload function that allows us to upload an avatar image. Let's try to upload a web shell.

avatar-upload

The server responds that it only accepts a Content-type of image/jpeg or image/png. Now let's change the Content-type to image/png and upload the shell again.

successfully-upload-avatar

Our web shell is successfully uploaded. By inspecting the front-end code, I see that our avatar is located at files/avatars/shell.php

avatar-location

We can execute arbitrary commands by accessing https://[random-id].web-security-academy.net/files/avatars/shell.php?command={the command we want to execute}. This lab requires us to retrieve the secret flag at /home/carlos/secret, so the full URL to access the file is https://0aea00500359746b800b90e100720094.web-security-academy.net/files/avatars/shell.php?cmd=cat%20/home/carlos/secret

solved

Done! We submit the secret to solve the lab.

2. File Upload via Path Traversal

In some situations, the website is vulnerable to file upload, but our uploaded file is stored in a directory that the server treats as read-only, so the file is never executed. To make this exploitable, we can try to combine it with Path Traversal by changing the file name to ../../../shell.php. If the website is also vulnerable to Path Traversal, our file will be saved in another directory, which might have execution permission. A more detailed lab is available on PortSwigger: Click here

account-screen

This lab's interface is exactly the same as the previous lab, including the avatar upload functionality. Let's start by uploading shell.php to the server.

path-traversal-upload-avatar

This website looks lenient, as it accepts shell.php without any validation, yet it's not that easy. Once again, we request https://[your-id].web-security-academy.net/files/avatars/shell.php?cmd=cat%20/home/carlos/secret. As expected, nothing happens: the file is stored in a directory without execution permission, so we need a way to save it in another directory. Path traversal in the filename does this. In this case we need to URL-encode the ../, which becomes ..%2f.

upload-by-path-traversal

The response says it's saved in another directory, so let's check.

path-traversal-done

We successfully retrieve the secret file content and solve the lab.

3. File Upload when dangerous file extensions are blacklisted

When more robust protections are applied, for example a blacklist of dangerous file extensions such as php, exe and jsp, we need another way in: define a custom file extension and then upload the file with that extension. On an Apache server, we can add a custom extension by defining it in the .htaccess file. In short, .htaccess is a per-directory configuration file for the Apache web server; it can hold this directive and much more. If extensions are blacklisted, we can try to upload an .htaccess file with this content

`AddType application/x-httpd-php .random`

After uploading this file, we can upload a new web shell named shell.random with Content-type: application/x-httpd-php. A more detailed lab is available on PortSwigger: Click here

In this case, let's analyze CVE-2023-3545. This is a security flaw in Chamilo LMS, an e-learning system, in which the developers implemented a security check improperly. In the fileUpload.lib.php file, there is a function htaccess2txt() that renames the file if a user uploads one named .htaccess.

```php
// Chamilo LMS, fileUpload.lib.php (vulnerable version): only two exact spellings are replaced.
function htaccess2txt($filename)
{
    return str_replace(['.htaccess', '.HTACCESS'], ['htaccess.txt', 'htaccess.txt'], $filename);
}
```

The above function only replaces the exact strings .htaccess and .HTACCESS. However, filenames on Windows are case-insensitive by default, meaning that a mixed-case filename such as .HtacCess, .htACESS or .htaccESS will be treated as .htaccess. Attackers can abuse this weakness to upload an .htaccess file and define a new extension on the server, then repeat the technique discussed above to upload a malicious file.
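As an added defender-side example (not the page's, Chamilo's or PortSwigger's code), the following PHP validator closes all three weaknesses above: it refuses path and encoding characters in the filename, rejects every dotfile regardless of case instead of matching two spellings of .htaccess, allowlists extensions, and checks the file's own leading bytes rather than trusting Content-Type. The ALLOWED constant, validateUpload() and the sample uploads are assumptions constructed for this example.

```php
<?php
// Added example (not Chamilo's or the PortSwigger labs' code). Validates an
// uploaded avatar against the three weaknesses above; all names are assumed.

// Allowlist, never a blacklist: extension => [expected Content-Type, magic bytes].
const ALLOWED = [
    'png'  => ['image/png',  "\x89PNG\r\n\x1a\n"],
    'jpg'  => ['image/jpeg', "\xFF\xD8\xFF"],
    'jpeg' => ['image/jpeg', "\xFF\xD8\xFF"],
];

// Returns a random on-disk filename for an acceptable upload, or throws.
function validateUpload(string $clientName, string $clientType, string $head): string
{
    // Path traversal: the client filename is data, not a path. Refuse separators,
    // percent-encoding (..%2f) and NUL outright instead of trying to "clean" them.
    if ($clientName === '' || preg_match('#[\\\\/%\x00]#', $clientName)) {
        throw new InvalidArgumentException('filename contains path or encoding characters');
    }
    // CVE-2023-3545: .htaccess in any case mix is a dotfile, so reject every dotfile.
    if ($clientName[0] === '.') {
        throw new InvalidArgumentException('hidden files are not accepted');
    }
    // Blacklist bypass: allowlist the last extension only, compared case-insensitively.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new InvalidArgumentException("extension '$ext' is not allowed");
    }
    [$mime, $magic] = ALLOWED[$ext];
    // Content-Type spoofing: the header is attacker-controlled, so it must agree with
    // the extension AND the file's own leading bytes must match that type.
    if (strtolower($clientType) !== $mime || strncmp($head, $magic, strlen($magic)) !== 0) {
        throw new InvalidArgumentException('declared type does not match file content');
    }
    // Never reuse the client name on disk: random name plus the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples mirroring the three lab payloads plus one legitimate image.
$samples = [
    ['avatar.png',     'image/png',  "\x89PNG\r\n\x1a\n" . 'constructed body'],
    ['shell.php',      'image/png',  '<?php /* constructed stand-in for a web shell */'],
    ['..%2fshell.php', 'image/png',  "\x89PNG\r\n\x1a\n"],
    ['.HtacCess',      'text/plain', 'AddType application/x-httpd-php .random'],
];
foreach ($samples as [$name, $type, $body]) {
    try {
        printf("%-16s accepted, stored as %s\n", $name, validateUpload($name, $type, substr($body, 0, 8)));
    } catch (InvalidArgumentException $e) {
        printf("%-16s rejected: %s\n", $name, $e->getMessage());
    }
}
```

Store the accepted file in a directory that has no PHP handler and AllowOverride None, so an uploaded configuration file would have no effect even if one slipped through.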

Those are all the exploit techniques I want to share. In fact, there are a lot more that I haven't covered, and new ways to exploit this bug keep appearing. Therefore, continuous learning is the key to becoming a good pentester. Happy hacking!
