Understanding Arbitrary File Upload Vulnerablilities

lionaneesh's Avatar author of Understanding Arbitrary File Upload Vulnerablilities
This is an article on Understanding Arbitrary File Upload Vulnerablilities in Ethical hacking Tips.
Rated 5.00 By 1 users
As the name suggests Arbitrary File Upload Vulnerabilities is a type of vulnerability which occurs in web applications if the file type uploaded is not checked, filtered or sanitized.

The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.

In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.

Proof of Concept



For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

Upload.php
Code:
  <?php
   
  /**
   * @author lionaneesh
   * @copyright 2011
   * @page upload.php
   */
   
  // If the upload request has been made , Upload the file
   
  $uploadMessage = "";
   
  if (isset($_POST['upload']))
  {
        $path = $_FILES['uploadFile']['name'];
        if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE)
        {
              $uploadMessage = "File Uploaded <a href='$path'>HERE</a>";
        }
  }
   
  ?>
   
  <html>
   
  <head>
   
      <title>Welcome to Vulnerable Apps</title>
   
  </head>
   
  <body>
   
  <h1>Arbitary file upload ( POC )</h1>
  <hr />
   
  <p>Hey all this is a sample php script to upload image files , This script doesn't contains file type checking code which makes it prone to Arbitary file upload vulnerbility. </p>
   
  <hr />
  <h2>Upload</h2>
  <hr />
   
  <table>
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
      <tr>
      
          <td width="100">Upload File </td>
          <td width="380"><input class="cmd" type="file" name="uploadFile"/></td>
          <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td>
      
      </tr>
  </form>
  </table>
  <?php
   
  echo $uploadMessage;
   
  ?>
   
  </body>
   
  </html>
In the above script we simply ask the user to input the file to be uploaded and without even checking what the file-type is or its extension we upload it.

This is a basic example of how these bugs occur.

How to exploit it



Now to exploit this common bug is yet simpler, the hacker can simply download any Web Shell-Scripts , Written in PHP , ASP etc.

Some PHP Shells :-

Ani-Shell
[ R57 Shell
C99 Shell

Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.

Now to exploit this vulnerability the hacker have to carry out some steps :-

Upload the Shell



Go to the link



Gain Access



That's it for this tutorial stay tuned for more.
Scripting's Avatar, Join Date: Jun 2010
John Hoder
Don't you have some tut on how to bypass if there is the extension limit ?
lionaneesh's Avatar, Join Date: Mar 2010
Invasive contributor
Quote:
Originally Posted by Scripting View Post
Don't you have some tut on how to bypass if there is the extension limit ?
Maybe I'll write one in some days to come!
Scripting like this
Mr.sp41t3r's Avatar, Join Date: Jun 2009
Light Poster
have a nice document thanks you..
lionaneesh's Avatar, Join Date: Mar 2010
Invasive contributor
Quote:
Originally Posted by Mr.sp41t3r View Post
have a nice document thanks you..
Welcome ,My Pleasure