A file upload vulnerability lets an attacker upload any type of file (including malicious files) to the server. Many websites allow file upload in one way or another: some accept jpg or png files as a profile picture, while others accept other file types such as pdf, txt, mp3, mp4 etc.
To understand this, let's take a scenario where a website allows a user to upload a profile picture in jpg format and has a file upload vulnerability. If that website uses PHP as its server-side language, then a hacker can write a malicious file in PHP and upload it as a jpg file.
This malicious file allows the hacker to gain access to the web server using a reverse shell or backdoor.
In this post, we are going to cover not only how a website can be hacked using a file upload vulnerability but also how to secure it.
You can either write your own PHP, Python or Ruby shell to gain access to the web server, or use tools like Metasploit, weevely etc. to generate one.
WARNING: This is for educational purposes only. All the things performed here are on my own devices or on devices I have permission to test. I or TechSphinx take no responsibility if you go to prison doing something illegal using the methods shown here.
- Kali Linux and Metasploitable installed for testing. (If you don't know how to set up your lab, then check out this post.)
- Already know how to set up Burp Proxy. (If you don't, then check out this post before continuing.)
- Understanding of the "Warning" (the text above written in red).
We will be using DVWA (Damn Vulnerable Web Application) and weevely for pen-testing.
1.) Start your Kali vm and Metasploitable vm.
2.) Now, log in to your Metasploitable VM and take note of its IP address using the "ifconfig" command. In my case, the IP is 10.0.2.4
3.) Now, log in to your Kali VM, open the web browser on the Kali machine and put the IP of Metasploitable in the browser's URL bar. You will see the Metasploitable2 welcome page.
4.) Click on DVWA. Log in to DVWA using:
5.) Go to the file upload tab.
6.) Browse a file from your device and try to upload it. (In my case, I’ve uploaded the eclipse.jpg file)
7.) Once uploaded, navigate to 10.0.2.4/dvwa/hackable/uploads/eclipse.jpg (Replace the “10.0.2.4” with your Metasploitable machine IP and eclipse.jpg with your uploaded file name.)
You can see the uploaded image in your browser.
Now, let’s try to exploit the file upload vulnerability.
1.) Navigate to DVWA Security, select "low" and hit Submit.
2.) Open the Terminal
3.) Let’s generate our malicious file using weevely.
weevely generate abcxyz /root/Desktop/hack.php
weevely: name of the tool we are using.
generate: to generate the reverse shell.
abcxyz: password for the reverse shell, so that only we can connect (you can use any password of your own, in my case I used “abcxyz”)
/root/Desktop/hack.php: name and location of the file we are creating using weevely.
4.) Now, upload the newly generated reverse shell. (hack.php)
5.) Once it uploaded successfully, open new tab and go to 10.0.2.4/dvwa/hackable/uploads/hack.php
You'll see a blank page (no "file not found" error); this means the file has been uploaded successfully.
6.) Now, Head back to the terminal and use weevely to connect to your reverse shell.
weevely 10.0.2.4/dvwa/hackable/uploads/hack.php abcxyz
10.0.2.4/dvwa/hackable/uploads/hack.php: URL of the uploaded file, Replace IP according to your Metasploitable IP.
abcxyz: password we used above while generating our reverse shell.
Once connected to the reverse shell, you can execute Linux OS commands like ls, pwd, uname -a etc.
You can also type “help” to see what weevely can do after a successful connection.
We’ve exploited the file upload vulnerability in low difficulty, let’s move up a level and try to exploit on medium difficulty.
1.) Change security level of DVWA from low to medium.
2.) Try the same exploit (hack.php) which we used in the low difficulty. You’ll notice it doesn’t work anymore. Try to upload a normal image (eclipse.jpg) and make sure that the normal image file is uploading without any problems.
3.) Now copy or rename the hack.php file to hack2.jpg, because we now know that the server accepts jpg files but doesn't allow us to upload PHP files.
4.) Start Burp Proxy. (Make sure the intercept is ON)
5.) Upload the hack2.jpg file.
6.) Go to the Headers tab in Burp Suite, change the extension of the uploaded file from hack2.jpg to hack2.php and forward the request.
7.) You’ll notice the file (hack2.php) has been uploaded successfully.
8.) Now, open a terminal and use weevely to connect to the shell.
weevely http://10.0.2.4/dvwa/hackable/uploads/hack2.php abcxyz
The password (abcxyz) remains the same because we just copied/renamed the same shell we created with weevely before. Now you can run Linux OS commands (ls, pwd, uname -a) as before.
Now, time for high difficulty.
1.) Change the security level to HIGH.
2.) Try the medium-difficulty exploit; you'll notice it doesn't work. Now DVWA is not only checking the extension but also verifying that the file is an image.
3.) Now, copy again the hack.php file to hack3.jpg.
4.) Start burp proxy to intercept the connection.
5.) Upload hack3.jpg file.
6.) Now, in the headers tab change the hack3.jpg to hack3.php.jpg (We are using double extension here.)
7.) Also type GIF98 before the PHP code, so that the file starts with what looks like an image header and passes the image check.
8.) Then forward the request, if you have done everything correctly, the file will be uploaded.
9.) Connect to the shell using weevely.
weevely http://10.0.2.4/dvwa/hackable/uploads/hack3.php.jpg abcxyz
You will get the reverse shell.
At the impossible level, as the name suggests, the upload cannot be exploited.
This level implements all the security measures that need to be in place to protect against a file upload vulnerability.
Secure Against File Upload Vulnerability.
Let’s see how to secure against the file upload vulnerability by taking some simple measures:
- Never allow users to upload executable files like php, exe, py etc.
- Check both the uploaded file's type and its extension. Only allow the file types you are expecting. For example, if you are allowing users to upload a profile picture, then make sure the extension is jpg, jpeg or png and that the file content is an image. Don't allow pdf or txt files as a profile picture.
- Analyse and recreate the file. In the case of a profile picture, analyse its content, resize it to suit your website and change its name. Use the PHP Imagick library to strip metadata and recreate the image file; this is what the impossible difficulty level does.
So: check the extension, check the file type, and recreate the entire image. This way, if a hacker tries to upload a malicious file, the payload is destroyed during the recreation process.
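The three measures above combined into one PHP upload handler, as an added example that is not DVWA's code or the post's own. It assumes a form field named avatar and a writable $uploadDir that the web server does not execute PHP from.

```php
<?php
// Added example, not DVWA's own code: a hardened profile-picture upload
// handler applying the measures above in order: final-extension allow-list,
// content check on the real bytes, and full re-encoding with Imagick under a
// server-chosen name. Assumed: form field "avatar", writable $uploadDir.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png'];
// Real MIME type (sniffed from bytes) => [Imagick format, stored extension]
const ALLOWED_MIME = ['image/jpeg' => ['jpeg', 'jpg'], 'image/png' => ['png', 'png']];
const MAX_BYTES = 2 * 1024 * 1024;

function storeProfilePicture(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 1. Extension check on the LAST extension only, so "hack2.php" is rejected.
    //    ("hack3.php.jpg" passes this step; steps 2, 3 and the rename handle it.)
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Content check from the bytes on disk, never from the client-supplied
    //    Content-Type header, which an intercepting proxy can rewrite.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('Content is not a JPEG or PNG image');
    }
    [$format, $storedExt] = ALLOWED_MIME[$mime];
    // 3. Recreate the image: decode, strip metadata, resize, re-encode.
    //    Only pixel data survives, so PHP code hidden after a fake image
    //    header or inside metadata is discarded.
    $img = new Imagick($file['tmp_name']);
    $img->stripImage();
    $img->thumbnailImage(256, 256, true);
    $img->setImageFormat($format);
    // Random server-chosen filename: the attacker's filename never reaches disk.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $storedExt;
    if (!$img->writeImage($dest)) {
        throw new RuntimeException('Could not write image');
    }
    $img->clear();
    return $dest;
}
```

Call it as storeProfilePicture($_FILES['avatar'], $uploadDir) and store only the returned path; the client-supplied filename and Content-Type are never trusted.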
Go on, and practice file upload vulnerability. If you encounter any problems, then feel free to ask in the comment section.