Understanding File Upload Vulnerabilities

Understanding File Upload Vulnerabilities

In the digital world, the practice of uploading files is a fundamental functionality across numerous websites and applications. This article delves into the realm of File Upload Vulnerabilities, a significant security concern that arises from this seemingly harmless function. This blog post presents a comprehensive exploration for both beginners and seasoned professionals in cybersecurity, with the aim of broadening their understanding and enhancing their skills in dealing with such vulnerabilities.

File Upload Vulnerabilities: An Overview

File upload functions enable users to transfer files from their local devices to a web server, following certain guidelines. These rules often restrict users to upload only specific types of files, like JPG. But what if a harmful code disguises itself as an acceptable file type?

This can initiate serious security issues, known as “file upload vulnerabilities”. They occur when web servers fail to verify the contents of uploaded files thoroughly, compromising the safety and integrity of their operations. If malevolent users upload rogue files with harmful intent, they can exploit these vulnerabilities swiftly, especially when your vulnerability management https://www.prplbx.com/services/vulnerability-management/ falls short.

Without proper security checks, attackers can sneak in hazardous files laden with malicious code onto susceptible servers, leaving them exposed and vulnerable.

The Potential Impact

The consequences of file upload vulnerabilities are dependent on several key factors.

  • Scenario 1: When a website fails to validate the type and content of an uploaded file appropriately, attackers can upload a file containing server-side code (web shell). This can grant the attacker control over the server, posing a significant threat.
  • Scenario 2: If the website does not validate an uploaded file’s name, the attacker can overwrite essential files by uploading a file with an identical name. Coupled with directory traversal vulnerability, the attacker can overwrite a file from unexpected locations (for instance, apache2.conf).
  • Scenario 3: If the website does not validate the size of the uploaded file correctly, attackers can quickly fill up the available disk space, leading to a type of Denial of Service (DoS) attack.

Exploiting File Upload Vulnerabilities: Step-by-step Guide

This section explores how to exploit File Upload Vulnerabilities with practical examples. The examples used in this blog post are lab environments from PortSwigger https://portswigger.net/.

Basic Web Shell Upload

To exploit this vulnerability, we will use a basic PHP web shell and exfiltrate the contents of a specific file. Let’s take a look at the following steps:

  1. Log in to your account and look for the file upload function in the application.
  2. Next step is to locate the file upload function in the user’s profile.
  3. Create a PHP file that includes a specific code, enabling you to view the secrets of a user.
  4. Upload the created PHP file.
  5. Make the web server run this file by making a GET request to the file you uploaded earlier.
  6. Submit the flag, and the lab is solved!

Web Shell Upload via Content-Type Restriction Bypass

In this scenario, we will bypass the content-type restriction to upload a basic PHP web shell and exfiltrate file contents.

Step #1: Locate the file upload function and try to upload the PHP file. The application might have a content-type restriction.

Step #2: The application might only allow image/jpeg and image/png content types. Change the content type to image/jpeg and upload the file successfully to the /avatars/file_upload.php endpoint.

Step #3: Make a GET request for the uploaded file. Read the secret of the user.

The above examples illustrate just a few ways to exploit file upload vulnerabilities. It’s important to keep in mind that these vulnerabilities can be exploited in numerous ways, depending on the specific configurations and shortcomings of the system.

Prevention

The most effective way to prevent insecure file upload attacks is to implement the following practices:

  • The file types allowed to be uploaded should be restricted to only those necessary for business/websites’s functionality. File types containing executable content are usually not required and should be disallowed. It’s easier to guess the extensions you might want to allow rather than the ones an attacker might try to upload.
  • Ensure the filename does not contain any substrings that may be accidentally interpreted as a directory or traversal sequence (../).
  • Rename uploaded files to avoid collisions that may overwrite existing files.
  • Do not upload files to the server’s file system until they have been fully validated.
  • Use an established framework for preprocessing file uploads rather than trying to write your own validation mechanisms.
Web Shell Upload via Content-Type Restriction Bypass

Web Shell Upload via Content-Type Restriction Bypass: 

The following steps use Burp Suite, a web proxy tool; for information on how to set up Burp Suite, refer to this link.

1) Open notepad, enter the following code <?php system($_GET[‘cmd’]);?> and save it as shell.php

file upload

2) When you attempt to upload this file, you’ll notice that the web application blocks it, indicating that it only permits image files. However, we have a PHP file.

file upload

3) In order to bypass this, we select the file again and click “Upload”.

4) Next, while uploading the file, intercept the request using Burp Suite. Observe that the Content-Type header is set to application/octet-stream.

5) Change the Content-Type from application/octet-stream to image/jpeg and forward the request.

file upload

6) Notice that our malicious file is uploaded successfully, bypassing the restrictions set by the web application.

file upload

7) Append this endpoint to the URL and press “Enter”.

8) Observe that our shell has successfully loaded.

file upload

9) Type the following command: ?cmd=pwd next to our uploaded shell, and you will be able to gain the present working directory in the web application.

file upload

10) Another command: ?cmd=whoami allows us to see the currently logged-in user.

file upload
TL;DR

In this blog post, we discussed what file upload vulnerabilities are and their potential damage to systems. We also explained methods for exploiting file upload vulnerabilities and ways to prevent these vulnerabilities.

Fortunately, there are key defensive strategies to strengthen your system’s overall security posture, protecting it against file upload attacks. Education is always the best defense; understanding what malicious components look like and how vulnerable you may be https://www.prplbx.com/vulnerability-scanning/ will aid you in implementing the proper strategies for keeping your data secure. With the right defense in place and constant vigilance on suspicious activities, you will be well-equipped to defend against any potential file upload attack.

We hope you found our blog post useful and that it will help you secure file uploads in the future. Testing services at https://www.prplbx.com/security/pentest to stay secure!

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems, and provide recommendations to remediate them.

“Join us on our journey of growth and development by signing up for our comprehensive courses.