1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Understanding Arbitrary File Upload Vulnerablilities

Discussion in 'Ethical hacking Tips' started by lionaneesh, Jul 24, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    As the name suggests Arbitrary File Upload Vulnerabilities is a type of vulnerability which occurs in web applications if the file type uploaded is not checked, filtered or sanitized.

    The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.

    In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.

    Proof of Concept



    For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

    Upload.php
    Code:
      <?php
       
      /**
       * @author lionaneesh
       * @copyright 2011
       * @page upload.php
       */
       
      // If the upload request has been made , Upload the file
       
      $uploadMessage = "";
       
      if (isset($_POST['upload']))
      {
            $path = $_FILES['uploadFile']['name'];
            if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE)
            {
                  $uploadMessage = "File Uploaded <a href='$path'>HERE</a>";
            }
      }
       
      ?>
       
      <html>
       
      <head>
       
          <title>Welcome to Vulnerable Apps</title>
       
      </head>
       
      <body>
       
      <h1>Arbitary file upload ( POC )</h1>
      <hr />
       
      <p>Hey all this is a sample php script to upload image files , This script doesn't contains file type checking code which makes it prone to Arbitary file upload vulnerbility. </p>
       
      <hr />
      <h2>Upload</h2>
      <hr />
       
      <table>
      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
          <tr>
          
              <td width="100">Upload File </td>
              <td width="380"><input class="cmd" type="file" name="uploadFile"/></td>
              <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td>
          
          </tr>
      </form>
      </table>
      <?php
       
      echo $uploadMessage;
       
      ?>
       
      </body>
       
      </html>
      
    In the above script we simply ask the user to input the file to be uploaded and without even checking what the file-type is or its extension we upload it.

    This is a basic example of how these bugs occur.

    How to exploit it



    Now to exploit this common bug is yet simpler, the hacker can simply download any Web Shell-Scripts , Written in PHP , ASP etc.

    Some PHP Shells :-

    Ani-Shell
    [ R57 Shell
    C99 Shell

    Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.

    Now to exploit this vulnerability the hacker have to carry out some steps :-

    Upload the Shell

    [​IMG]

    Go to the link

    [​IMG]

    Gain Access

    [​IMG]

    That's it for this tutorial stay tuned for more.
     
  2. Scripting

    Scripting John Hoder

    Joined:
    Jun 29, 2010
    Messages:
    421
    Likes Received:
    57
    Trophy Points:
    0
    Occupation:
    School for life
    Location:
    /root
    Don't you have some tut on how to bypass if there is the extension limit ?
     
  3. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Maybe I'll write one in some days to come!
     
    Scripting likes this.
  4. Mr.sp41t3r

    Mr.sp41t3r New Member

    Joined:
    Jun 14, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    0
    have a nice document thanks you..
     
  5. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Welcome ,My Pleasure :)
     

Share This Page