🐌File Upload Attacks
The worst possible kind of file upload vulnerability is an unauthenticated arbitrary file upload
vulnerability. With this type of vulnerability, a web application allows any unauthenticated user to upload any file type, making it one step away from allowing any user to execute code on the back-end server.
The most common and critical attack caused by arbitrary file uploads is gaining remote command execution
over the back-end server by uploading a web shell or uploading a script that sends a reverse shell.
Basic Exploitation
The most basic type of file upload vulnerability occurs when the web application does not have any form of validation filters
on the uploaded files, allowing the upload of any file type by default.
Let's imagine a upload form that does not specify what type of file we can upload:
Many kinds of scripts can help us exploit web applications through arbitrary file upload, most commonly a Web Shell
script and a Reverse Shell
script.
A web shell prints it's output back to us within the web browser. It has to be written in the same programming language that runs the web server, as it runs platform-specific functions and commands to execute system commands on the back-end server, making web shells non-cross-platform scripts.
Let's say we have a website http://SERVER_IP:PORT/
, as the index
page is usually hidden by default. But, if we try visiting http://SERVER_IP:PORT/index.php
, we would get the same page, which means that this is indeed a PHP
web application.
but if not we can juste use Wappalyzer
To start exploiting the vuln , let's start by writing <?php echo "Hello HTB";?>
to test.php
, and try uploading it to the web application
we get a message saying File successfully uploaded
and if we go to http://SERVER_IP:PORT/uploads/test.php
Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.
Upload Exploitation
Web Shell
Now we will try to be able to interact with it to take control over the back-end server.
A good webshell for PHP
is phpbash and good to know but SecLists provides a plethora of web shells for different frameworks and languages, which can be found in the /opt/useful/SecLists/Web-Shells
directory in PwnBox
.
It's good practice to know how to write our own webshell:
add ?cmd=id
after the request to enter the command
For .NET
web applications:
Reverse Shell
One reliable reverse shell for PHP
is the pentestmonkey PHP reverse shell. Furthermore, the same SecLists we mentioned earlier also contains reverse shell scripts for various languages and web frameworks, and we can utilize any of them to receive a reverse shell as well.
After changing the IP and port
We launch our listener with netcat, upload our script to the web application, and then visit its link to execute the script and get a reverse shell connection
Custom Reverse Shell
msfvenom
can generate a reverse shell script in many languages and may even attempt to bypass certain restrictions in place. We can do so as follows for PHP
Last updated