File upload functionality is a critical element to consider when securing any website or application. In this blog post, we’ll explore methods for exploiting file upload vulnerabilities; once you recognize the danger, you can also safeguard your own systems from attack.

What Are File Upload Vulnerabilities?

File upload functions allow users to send files from their devices directly to a web server, provided the files follow certain rules. For example, a function may allow users to upload only JPG files. But what if malicious code is disguised as an accepted file type?

This creates the class of security risks known as “file upload vulnerabilities”: a web server that cannot properly vet the contents of uploaded files, and so accepts rogue files from users with malicious intent, can no longer maintain safe and secure operation.

To prevent file upload attacks, the system must be configured correctly and accept only approved types of files. If your vulnerability management fails, malicious actors can exploit file upload vulnerabilities to quickly gain access to and control of a web server. Without adequate security checks, attackers are able to smuggle dangerous files containing malicious code onto vulnerable servers, leaving them exposed and susceptible.


How Dangerous Are File Upload Vulnerabilities?

The impact of file upload vulnerabilities depends on a few key factors.

  • Case #1: The website can fail to properly validate the uploaded file’s type and content. This allows attackers to upload a file containing server-side code (web shell). This could end up giving the attacker control over the server, which is extremely dangerous.
  • Case #2: If the website fails to validate an uploaded file’s name, the attacker can overwrite critical files by uploading a file with the same name. If the server is also vulnerable to directory traversal, the attacker can overwrite a file from unanticipated locations (for example apache2.conf).
  • Case #3: If the website fails to properly validate the uploaded file’s size, attackers can rapidly fill the available disk space. This is a type of DoS attack.

Exploiting File Upload Vulnerabilities


How To Exploit File Upload Vulnerabilities?

In this section, we will discuss “How to Exploit File Upload Vulnerabilities” step-by-step with several helpful examples.

The example cases used in this post are lab environments from PortSwigger.

1. Basic Web Shell Upload

Condition: To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can then log in to your own account using the following credentials: wiener:peter.

Step #1: We are now logged in as user wiener and looking for the file upload function in the application.


Step #2: We have located a file upload function in the user’s profile.


Step #3: After locating the file upload function, we create a PHP file that contains the code in the screenshot below, allowing us to view the secrets of the user “Carlos”.

Step #4: Now we can upload the PHP file that we created earlier.

Step #5: Now we need to force the web server to run this file. To do this, we must make a GET request to the file that we uploaded before. We can see the upload folder endpoint in the screenshot above (/files/avatars/file_upload_test.php). Make the request and read the secret of the user “Carlos”.

Step #6: Submit the flag and the lab is solved!

NOTE: We are not going to show the main application and lab solved page in the other sections.

2. Web Shell Upload via Content-Type Restriction Bypass

Condition: To solve this lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: We’ve found the same file upload function and tried to upload the same PHP file. Unfortunately, the application has a content-type restriction.


Step #2: We recognized that the application only allows the image/jpeg and image/png content types. So we changed the content type to image/jpeg, and the file was successfully uploaded to the /avatars/file_upload.php endpoint.

Step #3: Let’s now make a GET request for the file that we uploaded before. Read the secret of the user “Carlos”.

3. Web Shell Upload via Directory Traversal

Condition: To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: As seen in previous examples, the first step is inspecting the file upload function. After inspecting the function, we recognized that there is no restriction for uploading a PHP file to the server.

Step #2: But when we made a GET request to our uploaded PHP file, the server returned the contents of the PHP file as plain text.

Step #3: After trying some bypass techniques, we realized that we can simply upload our PHP file via directory traversal. Now we just need to change the filename from file_upload_test.php to ..%2ffile_upload_test.php. After the change, we can now see that the file was successfully uploaded to the /files directory (the parent directory of /avatars).

Step #4: Now, if we make a GET request to /files/avatars/../file_upload_test.php endpoint, we can access the secret of the user “Carlos”. We can also access the file using a GET request to /files/file_upload_test.php endpoint.

4. Web Shell Upload via Blacklisted Extension Bypass

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Step #1: We can use the same file upload function for the exploitation process. We can now see the error message in the HTTP response body. This means that PHP files are not allowed.


Step #2: After a few tries we found a way to bypass the blacklist restriction. In this case, we will use what we learned in the previous examples. First, we need to upload a file that overwrites the directory’s .htaccess file so that the extension we want to use is mapped to the PHP handler. So we will change the filename to .htaccess and change the content to AddType application/x-httpd-PHP .prplbx

Step #3: After this step, we can now upload our PHP file with the .prplbx extension.

Step #4: Now we can access the secret of the user “Carlos” as we did before. The difference is that this time we make a GET request to file_upload_test.prplbx instead of file_upload_test.php.

5. Web Shell Upload via Obfuscated File Extension

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter.

Step #1: We can use the same file upload function for the exploitation process. We can see the error message in the HTTP response body. PHP files are not allowed. Only JPG and PNG files are allowed.


Step #2: After a few tries we found a successful method. We can obfuscate the filename: by appending a NULL byte followed by an allowed extension to the filename, we can bypass the restriction.

Step #3: Now we can access the secret of the user Carlos as usual.

6. Remote Code Execution via Polyglot Web Shell Upload

Condition: To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter.

Step #1: We can use the same file upload function for the exploitation process. We can see the error message in the HTTP response body. PHP files are not allowed. Only JPG and PNG files are allowed.


Step #2: Now we can add a PHP payload to the valid image file using ExifTool to bypass the restriction.

Step #3: After the creation step, we can now upload our new PHP file.

Step #4: Now we can access the secret of the user “Carlos” as usual.
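Each of the six walkthroughs above leaves a recognizable trace in the web server’s access log, which is what a defender can monitor for. The following is an added example, not from this post or from the PortSwigger labs: a small detector run over constructed Apache-style log lines that flags requests into the upload directory (/files/avatars/, assumed here as the upload path) for a non-image extension, a traversal sequence or a null byte.

```python
import re
from typing import Optional
from urllib.parse import unquote

UPLOAD_PREFIX = "/files/avatars/"             # where the labs serve uploads from
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}    # all that directory should ever hold
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed Apache-style access log (not from the post): two normal image
# requests plus one request matching each abuse pattern in labs 1 to 6.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /files/avatars/carlos.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [01/May/2024:10:00:02 +0000] "GET /files/avatars/file_upload_test.php HTTP/1.1" 200 31
10.0.0.9 - - [01/May/2024:10:00:03 +0000] "GET /files/avatars/..%2ffile_upload_test.php HTTP/1.1" 200 31
10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /files/avatars/file_upload_test.prplbx HTTP/1.1" 200 31
10.0.0.9 - - [01/May/2024:10:00:05 +0000] "GET /files/avatars/exploit.php%00.jpg HTTP/1.1" 200 31
10.0.0.7 - - [01/May/2024:10:00:06 +0000] "GET /files/avatars/wiener.png HTTP/1.1" 200 8192
10.0.0.9 - - [01/May/2024:10:00:07 +0000] "GET /files/avatars/.htaccess HTTP/1.1" 403 199
"""

def classify_path(raw_path: str) -> Optional[str]:
    """Reason a request into the upload directory looks wrong, or None."""
    path = unquote(raw_path.split("?", 1)[0])    # decode ..%2f, %00 and friends
    if not path.startswith(UPLOAD_PREFIX):
        return None
    if "\x00" in path:
        return "null byte in path (extension obfuscation)"
    if ".." in path:
        return "traversal sequence in path"
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if name.startswith(".") or ext not in IMAGE_EXTS:
        return f"non-image file '{name}' requested from upload directory"
    return None

def scan_access_log(text: str) -> list:
    """Return (line number, raw path, reason) for every suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ.search(line)
        if m is None:
            continue
        reason = classify_path(m["path"])
        if reason:
            hits.append((n, m["path"], reason))
    return hits
```

A 200 response on a flagged line means the server actually executed or served the file, which is the case to escalate first.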

How To Prevent File Upload Vulnerabilities?

The most effective way is to implement all of the following practices:

  • Compare the file extension against a whitelist of allowed extensions rather than a blacklist of prohibited ones. It is much easier to know which extensions you want to allow than to anticipate every one an attacker might try to upload.
  • Make sure the filename doesn’t contain any substrings that may be interpreted as a directory or traversal sequence (../).
  • Rename uploaded files to avoid collisions that may cause existing files to be overwritten.
  • Do not write files to the server’s filesystem until they have been fully validated.
  • Whenever possible, use an established framework for preprocessing file uploads rather than attempting to write your own validation mechanisms.
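The practices above fit together in a single upload handler. As an added example that is not the post’s own code (Python, standard library only; the whitelist, the 2 MiB cap, the directory layout and the function names are assumptions), the handler below validates the name, extension, size and magic bytes before anything touches disk, then stores the file under a random server-chosen name:

```python
import os
import re
import secrets
import tempfile

# Constructed policy: an extension whitelist (never a blacklist) paired with the
# magic bytes each type must begin with; the client's Content-Type is ignored.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}
MAX_BYTES = 2 * 1024 * 1024   # hard size cap against disk-filling uploads
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

class UploadRejected(ValueError): """Any validation failure; nothing is written."""

def validate_upload(client_name: str, data: bytes) -> str:
    """Return the whitelisted extension for this upload or raise UploadRejected."""
    # One strict character class rejects null bytes, slashes, percent-encoded
    # traversal such as "..%2f" and leading-dot names such as ".htaccess".
    if not SAFE_NAME.fullmatch(client_name) or ".." in client_name:
        raise UploadRejected("illegal filename")
    # Only the final extension counts and it must be on the whitelist, so
    # "shell.php" and an invented extension such as ".prplbx" both fail here.
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension '{ext}' not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Check the bytes, not the declared type: PHP source sent as image/jpeg
    # still fails because it does not start with FF D8 FF. A real polyglot
    # (valid JPEG carrying PHP in EXIF) passes, so upload_dir must also be
    # served with no script handler attached.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext

def store_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate first, then write under a random server-chosen name."""
    ext = validate_upload(client_name, data)
    # Nothing the client sent decides the path: no overwrite, no traversal.
    new_name = f"{secrets.token_hex(16)}.{ext}"
    fd, tmp = tempfile.mkstemp(dir=upload_dir)   # temp file, then atomic move
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, os.path.join(upload_dir, new_name))
    return new_name

def is_rejected(client_name: str, data: bytes) -> bool:
    try:
        validate_upload(client_name, data)
    except UploadRejected:
        return True
    return False
```

Serving upload_dir from a static host or location block with no PHP handler is the remaining control against the polyglot case, and that is web server configuration rather than application code.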

Conclusion

In this blog post, we talked about what file upload vulnerabilities are and their potential damage to systems. We have also explained methods for exploiting file upload vulnerabilities and ways to prevent file upload vulnerabilities.

Fortunately, there are some key defensive strategies to strengthen your system’s overall security posture in order to protect it against file upload attacks. Education is always the best defense; knowing what malicious components look like and how vulnerable you may be will help you implement the proper strategies for keeping your data secure. With the right defense in place and constant vigilance on suspicious activities, you will be well-equipped to defend against any potential file upload attack.

We hope you found our blog post useful and that it will help you to make secure file uploads in the future. Don’t forget to check out our Penetration Testing services to stay secure!