Go4Expert

Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Understanding Arbitrary File Upload Vulnerablilities (http://www.go4expert.com/articles/understanding-arbitrary-file-upload-t26351/)

lionaneesh 24Jul2011 12:52

Understanding Arbitrary File Upload Vulnerablilities
 
As the name suggests Arbitrary File Upload Vulnerabilities is a type of vulnerability which occurs in web applications if the file type uploaded is not checked, filtered or sanitized.

The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.

In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.

Proof of Concept



For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

Upload.php
Code:

  <?php
 
  /**
  * @author lionaneesh
  * @copyright 2011
  * @page upload.php
  */
 
  // If the upload request has been made , Upload the file
 
  $uploadMessage = "";
 
  if (isset($_POST['upload']))
  {
        $path = $_FILES['uploadFile']['name'];
        if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE)
        {
              $uploadMessage = "File Uploaded <a href='$path'>HERE</a>";
        }
  }
 
  ?>
 
  <html>
 
  <head>
 
      <title>Welcome to Vulnerable Apps</title>
 
  </head>
 
  <body>
 
  <h1>Arbitary file upload ( POC )</h1>
  <hr />
 
  <p>Hey all this is a sample php script to upload image files , This script doesn't contains file type checking code which makes it prone to Arbitary file upload vulnerbility. </p>
 
  <hr />
  <h2>Upload</h2>
  <hr />
 
  <table>
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
      <tr>
     
          <td width="100">Upload File </td>
          <td width="380"><input class="cmd" type="file" name="uploadFile"/></td>
          <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td>
     
      </tr>
  </form>
  </table>
  <?php
 
  echo $uploadMessage;
 
  ?>
 
  </body>
 
  </html>

In the above script we simply ask the user to input the file to be uploaded and without even checking what the file-type is or its extension we upload it.

This is a basic example of how these bugs occur.

How to exploit it



Now to exploit this common bug is yet simpler, the hacker can simply download any Web Shell-Scripts , Written in PHP , ASP etc.

Some PHP Shells :-

Ani-Shell
[ R57 Shell
C99 Shell

Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.

Now to exploit this vulnerability the hacker have to carry out some steps :-

Upload the Shell

http://imgs.g4estatic.com/understand...s/uploadbi.png

Go to the link

http://imgs.g4estatic.com/understand...es/upload2.png

Gain Access

http://imgs.g4estatic.com/understand...s/upload3v.png

That's it for this tutorial stay tuned for more.

Scripting 26Jul2011 13:52

Re: Understanding Arbitrary File Upload Vulnerablilities
 
Don't you have some tut on how to bypass if there is the extension limit ?

lionaneesh 26Jul2011 17:52

Re: Understanding Arbitrary File Upload Vulnerablilities
 
Quote:

Originally Posted by Scripting (Post 85423)
Don't you have some tut on how to bypass if there is the extension limit ?

Maybe I'll write one in some days to come!

Mr.sp41t3r 28Jul2011 00:02

Re: Understanding Arbitrary File Upload Vulnerablilities
 
have a nice document thanks you..

lionaneesh 4Aug2011 10:39

Re: Understanding Arbitrary File Upload Vulnerablilities
 
Quote:

Originally Posted by Mr.sp41t3r (Post 85492)
have a nice document thanks you..

Welcome ,My Pleasure :)


All times are GMT +5.5. The time now is 21:19.