File Upload Vulnerabilities


Be careful with every upload function


Requirement


To get the most out of this module, you should have basic knowledge of how to build an upload function using HTML.


Learn it here: W3Schools - PHP file upload

If you have learned this vulnerability before, why not go and solve my challenges here?

What is a File Upload Vulnerability?


In this module, you'll learn how simple file upload functions can be used as a powerful vector for a number of high-severity attacks. File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size. Failing to properly enforce restrictions on these could mean that even a basic image upload function can be used to upload arbitrary and potentially dangerous files instead. This could even include server-side script files that enable remote code execution. In some cases, the act of uploading the file is in itself enough to cause damage.

What is the impact of file upload vulnerabilities?


The impact of file upload vulnerabilities generally depends on two key factors:

  • Which aspect of the file the website fails to validate properly, whether that be its size, type, contents, and so on.
  • What restrictions are imposed on the file once it has been successfully uploaded.

In the worst-case scenario, the file's type isn't validated properly, and the server configuration allows certain types of file (such as .php) to be executed as code. In this case, an attacker could potentially upload a server-side web shell, effectively granting them full control over the server.
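
The two factors above, seen from the server's side, as an added example that is not part of the original module: the upload is checked for size, name and contents, then stored under a server-chosen name with no execute permission. It is written in Python as a framework-neutral sketch; `check_upload`, `store_upload`, the 2 MiB limit and the sample inputs are assumptions made for this example.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for this example: 2 MiB
# Allowed extension -> leading bytes a file of that type must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def check_upload(client_name: str, data: bytes) -> str:
    """Return the allowed extension, or raise ValueError naming the failed check."""
    # Size: reject empty or oversized bodies before looking at anything else.
    if not 0 < len(data) <= MAX_BYTES:
        raise ValueError("size")
    # Name: only the last extension counts, so "shell.png.php" is a .php file.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension")
    # Type/contents: compare the bytes with the signature for that extension.
    # The client-supplied Content-Type header is never consulted.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("contents")
    return ext


def store_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate, then save under a server-chosen name; return the new path."""
    ext = check_upload(client_name, data)
    # The client's name never reaches the filesystem, which rules out path
    # traversal and overwriting existing files.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to reuse a name; mode 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample inputs: a PNG signature with filler bytes, and a PHP script.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_PHP = b"<?php echo 'hello'; ?>"
```

The signature check is a minimum: a file can begin with a valid image signature and still carry script code further in. What keeps such a file from running is the second factor, that it is saved with an allow-listed extension in a directory the web server is configured not to execute scripts from.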

In more detail, the untrusted data in this module is exactly the files uploaded by users.
This brings us to the next question: "How do file upload vulnerabilities arise?"


How do file upload vulnerabilities arise?



So, how do web servers handle requests for static files?


Before we look at how to exploit file upload vulnerabilities, it's important that you have a basic understanding of how servers handle requests for static files:

  • If the file type is non-executable, such as an image or a static HTML page, the server may just send the file's contents to the client in an HTTP response.
  • If the file type is executable, such as a PHP file, and the server is configured to execute files of this type, it will assign variables based on the headers and parameters in the HTTP request before running the script. The resulting output may then be sent to the client in an HTTP response.
  • If the file type is executable, but the server is not configured to execute files of this type, it will generally respond with an error. However, in some cases, the contents of the file may still be served to the client as plain text. Such misconfigurations can occasionally be exploited to leak source code and other sensitive information.


Let's get into a practical exercise


Let's do some role playing: you will now be acting as a hacker who is trying to upload a web shell to the server.
Once you have successfully planted the web shell, the server will be under your control.




Okay, that's enough theory. Let's experience the hacking techniques.

CTFd Platform