File Upload Vulnerabilities on PortSwigger


Hello folks,

This blog focuses on how we can identify and exploit File Upload vulnerabilities on websites. In it, I will provide a detailed walkthrough of all of PortSwigger’s labs on this topic. I am assuming that you have basic knowledge of file types.

You can check out the PortSwigger’s labs for File Upload vulnerability here.

Before proceeding with the labs, I will be explaining about the concept of File upload Vulnerabilities.

First of all, there are some conditions that the web application must satisfy before this vulnerability can be exploited:

  1. There must be an upload functionality on the website, for which we might have to register an account.
  2. We should know the server-side language, since the malicious file we generate must be written in it.
  3. The files which we upload must be accessible from the website.

In order to achieve these conditions, we need to perform proper reconnaissance on the web application.

For conditions 1 and 3, we can use directory brute forcing with tools like Gobuster, Dirb, DirBuster, etc., and for condition 2, we need to use a technology profiler like Wappalyzer.

After performing complete reconnaissance, we need to create a malicious file written in a server-side language like PHP, Node.js, ASP, etc. These malicious files are called web shells.

Let’s now proceed without any delay and begin the penetration testing process on PortSwigger’s labs.

Lab-1 Remote code execution via web shell upload

In this lab scenario, we will be looking at a simple case of File Upload vulnerability without any defense in place. Let us access the lab. We will require Burp Suite Community edition here.

1.1 Webpage

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

1.2 Login

After logging in we will find an upload functionality on the “My-account” page. Now it’s time to create a web shell written in PHP. We can open our terminal and type the following command:

nano malicious.php

It will create a file named malicious.php and open it in the nano editor, where we can simply type the following payload, which reads the contents of /home/carlos/secret:

<?php echo file_get_contents('/home/carlos/secret'); ?>

1.3 malicious file

Now click on the “Browse” and select the file that we just created “malicious.php”. Click on Okay to upload it.

1.4 upload

We will find a message on the webpage: “The file avatars/malicious.php has been uploaded.”

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell.

1.5 Open image in new tab

In the new tab we will find the contents of a secret file which we can simply submit to solve the lab.

1.6 got contents

Great, the lab is solved. Let us try another type of web shell which will let us execute any command on the target web server. For this, open another file in the nano editor and type the following payload:

<?php echo system($_GET['command']); ?>

1.8 Command shell

Now try to upload the second web shell on the same upload functionality. We will find that the file is uploaded successfully.

1.9 file uploaded successfully

Now, in order to execute the web shell, we can again open the image in a new tab and append the following parameter to the URL, followed by the command which we want to execute on the web server:

?command=cat /etc/passwd

We will find the contents of the passwd file on our web page.

1.10 command shell
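From a defender’s point of view, the two requests above leave a distinctive trace in the web server’s access log: a script extension being served out of the avatars directory, and a query string sent to what should be a static image path. The Python below is an added example, not part of the original walkthrough or of the lab, that runs that detection over a few constructed log lines in Apache combined format (the log lines, IP addresses and the /files/avatars/ prefix are assumptions modelled on the lab).

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines mirroring the walkthrough (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /my-account/avatar HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /files/avatars/malicious.php HTTP/1.1" 200 42
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /files/avatars/malicious.php?command=cat%20/etc/passwd HTTP/1.1" 200 1934
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /files/avatars/profile.png HTTP/1.1" 200 20480
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')
UPLOAD_DIR_PREFIX = "/files/avatars/"          # assumed: where the lab stores avatars
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".jsp", ".asp", ".aspx"}

def parse_line(line):
    """Split one combined-format line into fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target, "status": int(status)}

def suspicious_reasons(target):
    """Why a request target under the upload directory is suspicious (empty list if it is not)."""
    parts = urlsplit(target)
    path = unquote(parts.path)                 # decode so ..%2f is seen as ../
    if not path.startswith(UPLOAD_DIR_PREFIX):
        return []
    reasons = []
    if posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
        reasons.append("script extension under upload directory")
    if parts.query:
        reasons.append("query string on a static upload path")
    if ".." in path.split("/"):
        reasons.append("traversal component in path")
    return reasons

def find_suspicious(log_text):
    """Return (ip, target, status, reasons) for every log line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec["target"])
        if reasons:
            hits.append((rec["ip"], rec["target"], rec["status"], tuple(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line means the server actually served (and, for a script extension, probably executed) the file, so those are the lines to alert on first; a 403 or 404 on the same path is an attempt worth correlating but not a confirmed execution.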

 

Lab-2 Web shell upload via Content-Type restriction bypass

In this lab, we will see that if the server only allows image files (it may only accept Content-Type values like image/jpeg and image/png), then we need to bypass this Content-Type restriction using Burp Suite. Let’s begin the process.

Access the lab. We will require the Burp Suite Community edition to solve it.

2.1 webpage

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same malicious.php web shell and upload it on the application by clicking on “Browse”. And finally click on “Upload”.

2.2 upload

We will find an error saying that file type is not allowed. Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to the Repeater.

2.3 burp suite

Go to the Repeater tab and look for the Content-Type header. Change the value of this header to image/png or image/jpeg. Now send the request and we will see that the malicious file has been uploaded successfully.

2.4 content type changed

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell.

In the new tab we will find the contents of a secret file which we can simply submit to solve the lab.

2.5 got contents
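The bypass works because the server trusts a header the client controls. As an added example (not the lab’s code or PortSwigger’s), the Python below puts that weak check next to one that sniffs the file’s magic bytes and requires them to agree with the declared type; the sample inputs are constructed.

```python
# Signatures for the two image types the lab's upload handler is meant to accept.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}

def sniff_image_type(data):
    """MIME type implied by the file's first bytes, or None if no known signature matches."""
    for mime, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None

def header_only_check(declared_type, data):
    """The weak check the lab demonstrates: only the client-supplied Content-Type is consulted."""
    return declared_type in IMAGE_SIGNATURES

def content_check(declared_type, data):
    """Hardened check: the declared type must be allowed AND match what the bytes say."""
    if declared_type not in IMAGE_SIGNATURES:
        return False, "declared type not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with a known image signature"
    if sniffed != declared_type:
        return False, f"declared {declared_type} but content looks like {sniffed}"
    return True, sniffed

# Constructed inputs: the lab's web shell body, and a bare PNG header (not a full image).
PHP_SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
PNG_STUB = IMAGE_SIGNATURES["image/png"] + b"\x00" * 16

if __name__ == "__main__":
    print("header only:", header_only_check("image/png", PHP_SHELL))   # True: the weak check is bypassed
    print("content    :", content_check("image/png", PHP_SHELL))       # rejected
```

Magic bytes alone are not the end of the story: Lab 6 below uploads a polyglot that starts with a perfectly valid image header, so content sniffing should be combined with a non-executing upload location and a server-chosen filename rather than relied on by itself.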

Lab-3 Web shell upload via path traversal

In this scenario, we will explore a condition where the server uploads the files to a non-executable directory. This means that after uploading the malicious file, we will not be able to execute it. But we have a bypass for it using the path traversal technique, which we are going to see in this lab.

Access the lab. We will require the Burp Suite Community edition to solve it.

3.1 webpage

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same malicious.php web shell and upload it on the application by clicking on “Browse”. And finally click on “Upload”.

3.2 file uploaded successfully

We will find a message on the webpage: “The file avatars/malicious.php has been uploaded.”

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell. In the new tab we will find that the file is not getting executed.

3.3 not working

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Repeater.

3.4 send to repeater

Go to the Repeater tab and try to change the filename to ../malicious.php. We will find that the file is still uploaded to the same directory. Let us URL-encode the ../ characters and send the request again. This time we will find that the file is successfully uploaded one directory up.

3.5 uploaded successfully

Now, find the GET request on the HTTP History sub-tab which allows us to execute the file. Send this request to the repeater.

3.6 get req send to repeater

Go to the Repeater tab and change the URL to /files/avatars/../malicious.php and we will find the contents of the secret file which we can simply submit to the lab.

3.7 got contents

 

Lab-4 Web shell upload via extension blacklist bypass

In this scenario, we will see how we can achieve file upload by overriding the server configuration. Many servers let developers place per-directory configuration files inside specific folders in order to modify or add to the global settings. Apache servers, for instance, load a directory-specific configuration from a .htaccess file if one is present, which lets us make the server execute a file with any extension as a PHP file.

Access the lab. We will require the Burp Suite Community edition to solve it.

4.1 webpage

On the webpage, there is a “My account” button which will take us to login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same malicious.php web shell and upload it on the application by clicking on “Browse”. And finally click on “Upload”. We will find an error saying that PHP files are not allowed.

4.2 not uploaded

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Repeater.

4.3 send to repeater

Go to the Repeater tab and make the following changes:

  1. Change the filename to .htaccess.
  2. Replace the web shell content with:

AddType application/x-httpd-php .any

We will find that the file has been uploaded successfully.

4.4 .htaccess file

Now send another POST request to Repeater and go to the Repeater tab. Change the filename to “malicious.any”. We will find that the file with the .any extension has been uploaded successfully.

4.5 .any uploaded

Now, find the GET request on the HTTP History sub-tab which allows us to execute the file. Send this request to the Repeater.

4.6 get req send to repeater

Go to the Repeater tab and change the URL to /files/avatars/malicious.any and we will find the contents of the secret file which we can simply submit to the lab.

4.7 got contents
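On the defensive side, this lab works only because the upload directory honours per-directory overrides, so an uploaded .htaccess is read as configuration. The Apache configuration below is added here as an example and is not taken from the lab or from PortSwigger; it shows the weak setting beside a hardened one, and the directory path is an assumption.

```apache
# Weak: overrides enabled, so an uploaded .htaccess containing
# "AddType application/x-httpd-php .any" makes malicious.any run as PHP.
<Directory "/var/www/html/files/avatars">
    AllowOverride All
</Directory>

# Hardened: no overrides, no script handlers, PHP engine off for the upload tree,
# and nothing starting with .ht is ever served.
<Directory "/var/www/html/files/avatars">
    AllowOverride None
    Options -ExecCGI -Includes
    SetHandler default-handler
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</Directory>
```

Two caveats: the mod_php module identifier varies between PHP versions, and on php-fpm deployments the proxy handler for .php files is usually set in a global FilesMatch that this block does not undo. Verify the result rather than assume it, by placing a file containing a PHP open tag under the directory and confirming the server returns its raw bytes. None of this replaces rejecting .htaccess at upload time; it limits the damage when the filename check fails.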

 

Lab-5 Web shell upload via obfuscated file extension

In this lab scenario, we will learn how we can obfuscate file extensions. There are many techniques that we will explore here; you can read more about them on PortSwigger. Let us start the process.

Access the lab. We will require the Burp Suite Community edition to solve it.

5.1 webpage

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same web shell, this time saved as abc.php, and upload it on the application by clicking on “Browse”. And finally click on “Upload”. We will find an error saying that only jpg and png files are allowed.

5.2 Not uploaded

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Repeater. Go to the Repeater tab and change the filename to abc.php.jpg. We will find that the file has been uploaded successfully.

5.3 php.jpg file uploaded

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell. In the new tab, we will get an error.

5.5 getting error

Now we can use a null byte: change the filename to abc.php%00.jpg and send the request. We will find that the file abc.php has been successfully uploaded.

5.6 null byte

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell. We will find the contents of a secret file which we can simply submit to the lab.

5.7 got contents
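Labs 3, 4 and 5 all abuse the user-supplied filename: an encoded ../ to change the directory, .htaccess to change the configuration, and abc.php%00.jpg or abc.php.jpg to confuse the extension check. The Python below is an added example (not from the lab or from PortSwigger) of a filename policy that rejects every one of those inputs and then discards the client’s name in favour of a random one; the upload root path is an assumption.

```python
import posixpath
import secrets
from urllib.parse import unquote

UPLOAD_ROOT = "/var/www/html/files/avatars"   # assumed location of the avatars directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}

def validate_filename(raw):
    """Return (True, extension) for an acceptable name, else (False, reason).
    The name is percent-decoded exactly once, which is what let ..%2f through in Lab 3."""
    name = unquote(raw)
    if not name or name != name.strip():
        return False, "empty or padded filename"
    if "\x00" in name:
        return False, "null byte in filename"                    # abc.php%00.jpg
    if "/" in name or "\\" in name:
        return False, "path separator in filename"              # ../ and ..%2f
    if name.startswith("."):
        return False, "dotfile (e.g. .htaccess) not allowed"    # .htaccess
    stem, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"          # malicious.php, malicious.any
    if "." in stem:
        return False, "multiple extensions not allowed"         # abc.php.jpg
    # Defence in depth: the resolved path must still sit under the upload root.
    resolved = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if posixpath.commonpath([UPLOAD_ROOT, resolved]) != UPLOAD_ROOT:
        return False, "resolved path escapes upload directory"
    return True, ext.lower()

def stored_name(raw):
    """Never reuse the client's name on disk: keep only the validated extension."""
    ok, info = validate_filename(raw)
    if not ok:
        raise ValueError(info)
    return secrets.token_hex(16) + info

if __name__ == "__main__":
    for candidate in ["photo.PNG", "malicious.php", "..%2fmalicious.php",
                      ".htaccess", "abc.php%00.jpg", "abc.php.jpg"]:
        print(f"{candidate:22} -> {validate_filename(candidate)}")
```

Rejecting abc.php.jpg outright is deliberate: whether a double extension is dangerous depends on the server’s handler mapping, which the upload code cannot see, so an allowlist of single extensions is the safer default. The random stored name also removes the overwrite and enumeration problems that come with client-chosen names.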

 

Lab-6 Remote code execution via polyglot web shell upload

More secure servers attempt to confirm that the contents of the file truly match what is expected, rather than automatically trusting the Content-Type given in a request. We can create a polyglot web shell using ExifTool. Let us see how we can create a polyglot and upload our web shell.

Access the lab. We will require the Burp Suite Community edition to solve it.

6.1 webpage

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same malicious.php web shell and upload it on the application by clicking on “Browse”. And finally click on “Upload”. We will find an error saying that image is not valid.

6.2 getting error

We need to create a polyglot using Exiftool on our Kali machine. Open terminal and type the following command:

exiftool -comment="<?php echo 'STARTING'.file_get_contents('/home/carlos/secret').'ENDING'; ?>" any_image.png -o poly.php

This will create a polyglot for us which we can confirm with the help of following command:

exiftool poly.php

6.3

Now let us try to upload the poly.php file on the web application. We will find that this file has been uploaded successfully.

6.4 uploaded successfully

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image in New Tab” in order to execute the web shell. We will find the contents of the secret file between the strings STARTING and ENDING, which we can simply submit to the lab.

6.5 got contents
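The polyglot passes a signature check because the PHP sits in a tEXt metadata chunk behind a valid PNG header. The Python below is added as an example and is not part of the walkthrough or the lab: it builds a tiny PNG with such a comment chunk (constructed to mimic what the exiftool command above writes), walks the chunk structure with CRC checks, and rebuilds the image keeping only the critical chunks, so the metadata, and anything appended after IEND, is gone.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
PHP_TAGS = (b"<?php", b"<?=")          # "<?" alone would false-positive on XMP's <?xml

def make_chunk(ctype, payload):
    """Length + type + payload + CRC32 over type and payload, per the PNG spec."""
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xffffffff)

def build_sample_png(comment):
    """Constructed 1x1 RGB PNG carrying a tEXt 'Comment' chunk, like exiftool -comment produces."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, 0, 0, 0
    raw_scanline = b"\x00\xff\x00\x00"                     # filter byte + one red pixel
    return (PNG_SIG
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00" + comment)
            + make_chunk(b"IDAT", zlib.compress(raw_scanline))
            + make_chunk(b"IEND", b""))

def iter_chunks(data):
    """Yield (type, payload) for each chunk, verifying CRCs; stops at IEND so trailing bytes are dropped."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + payload) & 0xffffffff):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND")

def contains_php_tag(data):
    """Cheap detector: does a PHP open tag appear anywhere in the bytes?"""
    return any(tag in data for tag in PHP_TAGS)

def strip_ancillary_chunks(data):
    """Rebuild the PNG from its critical chunks only; tEXt/zTXt/iTXt/eXIf and post-IEND data vanish."""
    out = PNG_SIG
    for ctype, payload in iter_chunks(data):
        if ctype in CRITICAL_CHUNKS:
            out += make_chunk(ctype, payload)
    return out

if __name__ == "__main__":
    poly = build_sample_png(b"<?php echo file_get_contents('/home/carlos/secret'); ?>")
    print("before:", contains_php_tag(poly), [c for c, _ in iter_chunks(poly)])
    clean = strip_ancillary_chunks(poly)
    print("after :", contains_php_tag(clean), [c for c, _ in iter_chunks(clean)])
```

In production, re-encode through an image library rather than a hand-rolled chunk filter; this version also drops tRNS and gAMA, so the output can render differently. The detector is a tripwire for logging, the rebuild is the actual control, and the file should still land under a non-executing path with a server-chosen name.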

 

Lab-7 Web shell upload via race condition

Modern frameworks are better able to withstand these kinds of attacks. Typically, they don’t upload files straight to the filesystem location where they are meant to be stored. Instead they take safeguards such as uploading to a temporary, sandboxed directory first and randomizing the filename to avoid overwriting existing files. Only once this temporary file has been validated is it moved to its final destination, and only if it is judged safe to do so. Let’s see how we can exploit race conditions in file uploads.

Access the lab. We will require the Burp Suite Professional edition to solve it.

7.1 webpage

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same web shell saved as abc.php and upload it on the application by clicking on “Browse”. And finally click on “Upload”. We will find an error saying that only png and jpg images are allowed.

7.2 getting error

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Intruder.

7.3 send to intruder

Now, in order to get the link that executes the file, we can upload any png or jpg file and see where it is stored.

7.4 image uploaded

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to access the image.

7.5 image

Go back to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the GET request which we used to access the image and send the request to Intruder.

7.6 send get to intruder

Now we have two requests in Intruder. Let’s name the tabs POST and GET based on the requests respectively. Clear everything in the Positions sub-tab of Intruder for both requests, and then in the Payloads sub-tab select the payload type “Null payloads” and also select “Continue indefinitely”.

7.7 null payloads

Start the attack for the POST request first, so that it keeps uploading the file indefinitely, and then start the attack for the GET request in order to access the web shell. We will get a 200 status code on one of the GET requests in the Intruder attack, and its response will contain the contents of the secret file.

7.8 got contents

Submit the secret in order to solve the lab.

7.9 lab solved
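The race exists because the lab’s server writes the upload into the served directory and only deletes it after validation fails, so there is a window in which the GET succeeds. The Python below is an added example (not the lab’s code or PortSwigger’s) of both patterns; a probe callback stands in for the concurrent reader and records what it can see in the served directory during that window, and the directories are temporary ones created for the demo.

```python
import os
import secrets
import tempfile

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def looks_like_png(data):
    """Stand-in for the server's image validation (signature check only)."""
    return data.startswith(PNG_SIG)

def vulnerable_store(data, served_dir, name, probe):
    """The lab's pattern: write into the served directory first, validate afterwards.
    Between the write and the delete the file is live; that is the window the
    Intruder race in the walkthrough hits. `probe` models the concurrent reader."""
    path = os.path.join(served_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    seen = probe(served_dir)
    if not looks_like_png(data):
        os.remove(path)
        return None, seen
    return path, seen

def safe_store(data, served_dir, staging_dir, probe):
    """Hardened pattern: write to a staging directory outside the web root, validate
    there, then move into place with an atomic rename under a random name, so nothing
    unvalidated is ever reachable through the web server."""
    fd, tmp = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        seen = probe(served_dir)          # the served directory has not changed yet
        if not looks_like_png(data):
            return None, seen
        final = os.path.join(served_dir, secrets.token_hex(16) + ".png")
        os.replace(tmp, final)            # atomic when staging and served dirs share a filesystem
        return final, seen
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)

def demo():
    """Run both patterns against a constructed non-image payload and report what a
    concurrent reader could observe in the served directory during each window."""
    payload = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"  # the lab's web shell body
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "avatars")
        staging = os.path.join(root, "staging")
        os.makedirs(served)
        os.makedirs(staging)
        probe = lambda d: sorted(os.listdir(d))
        _, seen_vuln = vulnerable_store(payload, served, "abc.php", probe)
        _, seen_safe = safe_store(payload, served, staging, probe)
        after = sorted(os.listdir(served))
        stored, _ = safe_store(PNG_SIG + b"\x00" * 8, served, staging, probe)
        return {
            "seen_during_vulnerable_window": seen_vuln,
            "seen_during_safe_window": seen_safe,
            "served_after_rejections": after,
            "valid_stored_ext": os.path.splitext(stored)[1],
        }

if __name__ == "__main__":
    print(demo())
```

The staging directory must be on the same filesystem as the served directory for os.replace to stay atomic, but it must not be under the web root; a random final name also denies the attacker the predictable URL the GET half of the race depends on.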

This is how we can find and exploit File upload vulnerabilities. We have explored the techniques covered by PortSwigger’s labs for finding and exploiting them.

There are some other file upload techniques demonstrated on the TryHackMe platform as well. We will be writing those up soon, so stay tuned.

You can read out our other write-ups on PortSwigger’s labs here.

Happy Pentesting!!!

Team CyberiumX

 
