File Upload Vulnerability

on

Introduction

File upload exploit is a vulnerability that targets the  integrity of web applications. 
This vulnerability is a portal that permits attackers to infiltrate a system and tamper with the server's critical infrastructure. Hackers can exploit file upload vulnerabilities to upload malicious files that contain malicious code, which can be executed on the server, or execute unauthorized actions on the server. Some of the devastating tactics employed by hackers include uploading malicious files, overwriting existing files, and using the server as a storage platform for nefarious content.

File upload vulnerabilities are usually attributable to web applications that lack the capacity to validate uploaded files or enforce security checks on the server-side or on the front end to restrict file upload. This weakness is a gateway that allows hackers to exploit it by uploading malicious files with malicious code or tampered content, such as web shells, malware, or viruses, and then execute them on the server. This action could lead to a total compromise of the entire system, and hackers could wreak havoc on the web application.




Different Attack methods


There are different attack methods that can be used in order to exploit file upload vulnerabilities found within web application end points these are;

Unrestricted File Upload has become a major security concern, as it enables attackers to upload any file, regardless of type, onto the server side bypassing any restrictions. The implications of such an act are high - the attacker can potentially upload malicious files such as web shells, which can then be executed on the server thereby compromising the entire system.


File Type Restriction Bypass is another malicious tactic employed by attackers, wherein they are able to bypass the file type restrictions implemented by the web application. To elucidate, consider a scenario where a web application only allows image files to be uploaded. In such a scenario, an attacker could potentially upload a disguised malicious file that can wreak havoc on the system.

Path Traversal is yet another technique employed by attackers to compromise the security of the system. This technique is predicated on the attacker uploading a file that contains directory traversal characters, such as "../". Such a file can then be leveraged to access files located outside of the web application's root directory, thus opening up the system to a host of vulnerabilities.

Malicious File Execution is perhaps the most potent weapon in the attacker's arsenal, wherein they can upload a file that can be executed on the server, be it a web shell or a malicious script. This can enable the attacker to gain unauthorized access to sensitive information or even take control of the server, thereby wreaking untold havoc.

Last but not least, Denial of Service is a malicious tactic whereby the attacker uploads a plethora of files that are exceedingly large in size, leading to an overload of the server and rendering it unavailable to legitimate users. Such an act can have disastrous consequences, including the loss of sensitive data and even total system failure.

Practical

Now enough theory, lets get into the fun parts, I'm going to go through the mind of a hacker when trying to find this vulnerability, with cool ways that are executed by an attacker to ultimately take over.


.htaccess attack

Before getting into this file upload vulnerability, it is important to understand what .htaccess is:
"htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof." - Oracle 

 Whatever that means...

Simply put the .htaccess file is a file that can control how the web server interprets files within a directory, usually it is used within web applications to make configurations on a per directory basis meaning that you can make custom configs that would allow web application to interpret things differently, interesting :D


Now simply, knowing what .htaccess gives us a couple scenarios that we could pose in this File Upload Vulnerability however that depends on the configuration of the web server, firstly knowing .htaccess  is just a file, say for example we uploaded this onto a web server through a vulnerable file upload end point, after it successfully uploads, we upload a web shell with a extension of .png, after going to the directory to it instead of the web server processing it as a .png instead it is processed as a .php, and we now have access to a web shell running.

Why? Well quite simply that's because in the .htaccess we told the web server to process any file as a .png as a .php, which allowed us to upload a .png and it be processed as a .php :D

So lets test out our theory...


Image Reverse Shell

Okay, so say we don't have a vulnerable file upload end point - meaning that we can't actually upload  .php files or anything, it the type of block list is a whitelist, where it only allows certain type of file extensions instead of preventing certain ones, which is what is recommended in preventing file upload vulnerabilites.

Now for this vulnerability to work we need to confirm a couple of things, so a couple of ways we can do that is to test how it reacts to files being uploaded that are actually allowed, so go ahead and upload you're favourite dog picture


My favourite dog picture...



And see how the website reacts, look out for errors, try different types of files, maybe upload a .txt file with a .png extension on it, see what errors come up, does it upload?, see how the web application reacts, for example:





We can see in this error, after I uploaded a file with just text as a png, It gave me an a error, knowing this, in this instance we know that we have to upload a png with a certain amount of size, assuming that it checks for size.





Similarly we might just get a success, which means we know that we can upload any png.


We can also try upload a reverse shell php file with the file extension changed to .png to see if there is any processing on the data.


So simply what we are going to do is, use a tool called exiftool, exiftool is a tool that comes pre-packaged in kali linux, but if you can't find it then you can use apt-get exiftool and it should install, however if you're having any issues try update your apt-get using apt-get update

So copy this reverse shell piece of code from this https://gist.githubusercontent.com/sente/4dbb2b7bdda2647ba80b/raw/31218294e74361df73215b44a219af3b95945618/Simple-Backdoor-One-Liner.php


Then copy this piece of code:


Syntax is : exiftool -DocumentName='<Enter the code from the reverse shell source code here>' <filename of image>

Now we should have a new image with the malicous code inside of image.

Now we can upload our image onto our vulnerable end point, then navigate to the image directory.

Now for this vulnerability to execute code, you add a ?cmd=<terminal code> for example


Now this is what response I got back:


As you can see on the bottom on line 9, we can see image.php.png, I am assuming that's the response from the webserver after it processed the ls command that I had given it.


Phishing

So, we tried to upload a .php, but they've got php server disabled running in the uploads directory, we tried all of the methods above, but it isn't changing anything :( what do we do? 

Especially in cyber security, we should always be thinking outside the box and this mindset should be incorporated in every aspect of our work, even here, a bad actor will usually use techniques that are outside of the box of the mindset of a developer.

So what is this type of attack? Well simply put, if we can't take over the website, then that's fine :D we can look at different ways we can still cause malicious damage, an attacker will always have this mindset, he will try to do anything even if it caused a little bit of damage.

In this part, after you've concluded that you can't gain admin access or you can't get a remote code execution, however we have identified a vulnerable file upload end point that allows us to upload extensions that isn't right for example allowing us to upload .html, we can create a phishing .html file that follows the design of the website, masked to look like it is a authentic login page, we can then upload that .html onto their website, essentially  allowing us to farm logins using the main domain, this makes it look really authentic because the actual domain would be the theirs, we can then use this to further exploit and maybe send it to admins using further OSINT to get their emails.

Here's a POC that I actually submitted to as a bounty on hackerone.com



This is a quick html that i used as POC to showcase my vulnerability, the source code was just a quick form with a POST to my netcat server.

Have a look at the terminal on the screen, you can see the response in the header of the GET request with the username and password.

Enumerating extensions using tools

In this attack, you can focus on farming peoples accounts, this is why its essential to use a whitelist instead of a blacklist, this is why these problems occurs as it looks like the developer has blocked .php and other extensions however since its a blacklist, only certain extensions were blocked essentially if we enumerate using tools like Burp Suite Intruder, we can find out what extensions are not allowed and what are allowed have a look below on how we do something like this:

Firstly we have to go ahead and download the burp package File Fuzzer, its a powerful tool that is on: https://github.com/JonCooperWorks/burp-filefuzzer/releases/download/v0.0.2-alpha/burp-filefuzzer-v0.0.2-alpha.jar



Press on Add


Press on Select file


Head over to Intruder and choose the attack type as Pitchfork


 Select Payload type as Extension-Generated 



Select File generator as your payload generator

Fuxploider

If you can't use Burp suite, or prefer to use open source tools, Fuxploider is a great open source penetration testing tool that is free to use.

It can be downloaded from here: https://github.com/almandin/fuxploider

Fuxploider is a powerful tool and can be used by developers who are looking to prevent as well as identify File Upload vulnerabilities

Installation

Firstly, you want to use git clone to clone the directory.
Use this command git clone https://github.com/almandin/fuxploider.git
Then use cd fuxploider to get into the directory.
then use pip3 install -r requirements.txt to install it.

Heres a video on how to use fuxploider:




How does it affect the CIA triad?

File upload vulnerability is a vulnerability that can quickly escalate damage severely with major impact to CIA triad.

Confidentiality: The file upload vulnerability affects confidentiality in different ways, this is because an attacker who is able to upload and remote code execution can laterally move and access database information and possibly delete or access the CMS which can allow them access to information of customers and other people

Integrity: A file upload vulnerability can affect integrity in different ways, one of the main key ways that file upload vulnerability can affect integrity is through gaining Remote Code Execution (RCE) through file upload vulnerability, this will allow an attacker to change web page files, possibly lateral movement can allow an attacker to move on to other parts of critical resources such as CMS or other databases connected to the web server.

Availability: This is one of the key things that file upload vulnerability can cause problems to, an attacker can use this vulneraiblity to cause DOS attacks as well as DDoS attacks, by mass uploading files onto the network, they can also get RCE and can delete webpages or remove information making webserver inaccessible.

Prevention


When considering the safety of your system, it's imperative to implement input validation measures that only accept uploads with allowed extensions and specific criteria such as file size limits. Moreover, it's essential to implement content-type validation to ensure uploaded files match their specified MIME types, thus enhancing system integrity.

In addition, server-side checks are crucial to secure your system from malicious attacks. Such checks include anti-virus scans, file-type validation, and secure hashing algorithms, which provide an added layer of security to the system.

Restricting file permissions is another necessary step. Uploaded files should be stored in directories with limited access to prevent unauthorized users from accessing them. Further, restricting access to files by running the upload directory outside of the webroot will increase the security of the system.

To prevent mass uploading of files through end points from overwhelming your system with a barrage of file uploads, it's critical to implement rate-limiting mechanisms, which restrict the number of requests made to the server from specific ip addresses.

Educating users on safe file handling practices is vital. They must know how to avoid uploading malicious files or opening files from unknown sources. It's imperative to educate users on such matters to promote system safety and security.

Lastly, monitoring and logging all upload activity will help detect any anomalous behaviour or security incidents. Diligent logging of all upload activity is necessary to ensure system safety and security.

References

File Upload Vulnerabilities (n.d.) Intigriti. [Online] https://blog.intigriti.com/hackademy/file-upload-vulnerabilities/.

Austin, A. and Williams, L. (2011) ‘One technique is not enough: A comparison of vulnerability discovery techniques,’ pp. 97–106.

Apache Tutorial: .htaccess files - Apache HTTP Server (n.d.) docs.oracle.com. [Online] [Accessed on 26th May 2023] https://docs.oracle.com/cd/B14099_19/web.1012/q20206/howto/htaccess.html.

Comments

Post a Comment