As a penetration tester you might come across web applications that contain file upload functionality. This functionality can of course be abused and lead to anything from command execution to full system compromise. So even though file upload can be a necessary component of your application, it can also be your weakest point.

In this tutorial we will see how we can exploit the file upload functionality of a web application in order to discover further information about our target. For the needs of this tutorial we will use the DVWA (Damn Vulnerable Web Application), which is hosted on Metasploitable 2.

Backtrack by default has various webshells installed for different web technologies like asp, php, jsp, perl etc., but you are free to use the webshell of your preference. Our application is based on php, so we have to choose a webshell that is written in php as well. In the next image you can see the location where the webshells exist in Backtrack:

Locating the web shells in Backtrack

We choose our web backdoor, which in this case is going to be php-backdoor.php, and we will try to upload it despite the fact that the application is asking us to choose images.

Uploading the Web Shell

As we can see from the image above, the backdoor has been uploaded successfully regardless of the fact that it wasn't an image. In this case this occurred because we have configured the DVWA to run with the lowest security setting, so the application does not perform the appropriate extension check and allows us to upload any file we want. However, if we change the setting to medium or higher it would be a different scenario. Now that the webshell has been uploaded to the web server, the next step is to discover its exact location. In this case the application revealed the path where the webshell is stored, so we can access it from our browser. The next image shows the functions of our webshell and the direct path in the address bar:

Web Shell Functions

So this backdoor gives us the capability to execute commands, upload additional files, browse directories and execute mysql queries. Let's start with command execution. Before we start executing commands we have to bear in mind in what environment our webshell has been uploaded. The reason is that we have to use different paths and different commands depending on whether we are on a Windows or a Unix operating system. The application is hosted on a Unix environment, so we need to execute Unix commands. One of the first commands that we can try is ls, which will return the contents of the parent directory.

Discovering the contents of the parent directory

Another important command is cat /etc/passwd, which will display the contents of the passwd file.

Discovering the contents of /etc/passwd

Some other useful commands that will allow you to obtain information from the target once you have uploaded a webshell are:

  • whoami
  • uname -a
  • ping
  • users
  • pwd
  • netstat -a
  • id
  • cat /etc/shadow
  • w

The following images show the output that these commands produced.

whoami – Current User

Kernel Version

Ping the host

Other users

List of services

Parent Working Directory

Print UIDs and GIDs

Current Logged Users

From the images above we can see that we have managed to gather important information regarding our target, which can allow us to conduct further attacks. Specifically, we obtained the following information:

Current User: www-data
Kernel Version: Linux Metasploitable 2.6.24-16-server
Other users: msfadmin, root
List of Services: login, nfs, mysql, x11, telnet, smtp, postgresql etc.
Working Directory: /var/www/dvwa/hackable/uploads
Logged Users: root

We can also leave our tracks on the webserver by creating a simple html file with the command below:

echo "Hacked by netbiosX" > pentestlab.html

Creating an html page on the webserver

Conclusion

As this article indicates, file upload functionality in web applications can be very dangerous as attackers can abuse it. From my experience this issue often comes into conflict with business needs: security consultants on one side suggest that clients remove this capability in order to mitigate the potential risk, while system administrators on the other side argue that file upload is a necessity and cannot be removed. So in a situation where the file upload function is needed, the appropriate countermeasures must be implemented, such as content-type verification, file name extension verification and denying access to the directory where the uploaded files are stored.
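To make the countermeasures above concrete, here is an added example (my own code, not DVWA's upload handler) of the "accept anything" check DVWA uses at the low security level beside a hardened validator. The hardened version enforces a single allow-listed extension, so `shell.php` and double-extension names like `test.php.docx` are refused, verifies the content starts with that type's magic bytes instead of trusting the client-supplied Content-Type, and assigns a random server-side name so the client never controls the stored path. The allow-list and magic bytes are constructed for the example; the web server must still refuse to execute files in the upload directory, because a magic-byte check alone does not prove a file is harmless.

```python
import os
import secrets

# Allow-list: extension -> magic bytes a genuine file of that type starts with.
# Constructed for this example; extend it only with types the application needs.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def insecure_check(filename, data):
    """DVWA-low style: no extension or content check, so a .php webshell
    is stored and later served as executable code."""
    return True


def validate_upload(filename, data):
    """Return a fresh server-side file name if the upload is acceptable,
    otherwise None.

    Rejects embedded NULs, names with more or fewer than one extension
    (so 'x.php.jpg' and 'x.php' both fail), extensions outside the
    allow-list, and content whose leading bytes do not match the type
    claimed by the extension. The returned name is random, so the
    original name never reaches the filesystem."""
    # Strip any directory component the client may have sent.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return None
    parts = base.lower().split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    if not stem or ext not in ALLOWED:
        return None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def stored_path(upload_root, filename, data):
    """Validate and return the absolute destination path, or None.
    upload_root should be a directory the web server will not execute."""
    name = validate_upload(filename, data)
    if name is None:
        return None
    return os.path.join(os.path.abspath(upload_root), name)
```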

7 Comments

    1. Hi Robert,

      Try;
      test.php … …. …docx // For extension checks

      Or for mimetype checks, tamper with the datastream using burp or similar, and change it to the one that matches the file extension, example;
      application/vnd.openxmlformats-officedocument.wordprocessingml.document

      Have fun and HH

  1. @Robert

    akismet answered you correctly. The reason that I haven't put the information that you asked for in this post was because the post would have been huge. So there will be another post soon that will cover your questions with examples in order to cover this issue completely.

    @lxt

    Correct, because this command requires root privileges. However it is always good to test it!
