As the name suggests Arbitrary File Upload Vulnerabilities is a type of vulnerability which occurs in web applications if the file type uploaded is not checked, filtered or sanitized.
The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.
In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.
The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.
In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.
Proof of Concept
For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.
Upload.php
Code:
<?php /** * @author lionaneesh * @copyright 2011 * @page upload.php */ // If the upload request has been made , Upload the file $uploadMessage = ""; if (isset($_POST['upload'])) { $path = $_FILES['uploadFile']['name']; if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE) { $uploadMessage = "File Uploaded <a href='$path'>HERE</a>"; } } ?> <html> <head> <title>Welcome to Vulnerable Apps</title> </head> <body> <h1>Arbitary file upload ( POC )</h1> <hr /> <p>Hey all this is a sample php script to upload image files , This script doesn't contains file type checking code which makes it prone to Arbitary file upload vulnerbility. </p> <hr /> <h2>Upload</h2> <hr /> <table> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data"> <tr> <td width="100">Upload File </td> <td width="380"><input class="cmd" type="file" name="uploadFile"/></td> <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td> </tr> </form> </table> <?php echo $uploadMessage; ?> </body> </html>
This is a basic example of how these bugs occur.
How to exploit it
Now to exploit this common bug is yet simpler, the hacker can simply download any Web Shell-Scripts , Written in PHP , ASP etc.
Some PHP Shells :-
Ani-Shell
[ R57 Shell
C99 Shell
Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.
Now to exploit this vulnerability the hacker have to carry out some steps :-
Upload the Shell
Go to the link
Gain Access
That's it for this tutorial stay tuned for more.