Definition:
File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.
LAB 1
Exploiting unrestricted file uploads to deploy a web shell
Remote code execution via web shell upload
Lab description:This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.You can log in to your own account using the following credentials: wiener:peter
Steps:
- Access the lab
- log in to the application using the credentials wiener: peter
- You can see the that there is a image upload functionality
4. Open any text editor to create a basic PHP web shell and save it. let’s keep the name webshell.php
<?php echo file_get_contents(‘/home/carlos/secret’); ?>This web shell will echo the content of the secret file stored in the location /home/carlos
5. Open Burp Suite and turn the intercept on {proxy — intercept on}
6. Make sure that you have installed extensions like foxy proxy to easily switch between proxies or you have manually taken care of it in the preference setting
7. After turning on the intercept go to the web application click on browse and choose webshell.php
8. click on the Upload button
9. The request will be intercepted in Burp suite
10. Send the request to repeater(press Ctrl+R)
11. In the repeater tab check the response of the request by forwarding the request
12. The response shows 200 OK and the file avatars/webshell.php has been uploaded. Note that the web application is not restricting the upload of PHP file.
13. Forward the request from the intercept tab.
14. Turn of the Intercpt. Click on “ Back to My Account”
15. View Page Source, scroll down
16. Click on the Link /files/avatars/webshell.php and retrieve the secret
17. Submit it
Key Takeaways from the Lab:
No validation is done by the web application, Hence we are able to upload a malicious web shell
Impact :
read and write arbitrary files, exfiltrate sensitive data, even use the server to pivot attacks against both internal infrastructure and other servers outside the network.
I hope you enjoyed reading this article!
