Critical File Upload Vulnerabilities: Exploits and Mitigation Strategies

By Baskar Mariyappan

Almost every application we use features a file upload function, from sharing documents to images. Without proper security measures, this seemingly innocuous feature can become a gateway for serious exploits, including Remote Code Execution (RCE). Securing file uploads is crucial for safeguarding both your application and its users. In this blog, we’ll delve into common vulnerabilities and effective strategies to protect against them.

File upload functionality enables users to send files from their personal devices to a server or web application. This feature is integral for various tasks, such as submitting forms, sharing media, or updating data. Proper handling of file uploads ensures that users can interact with applications efficiently and securely.

File upload functionality can be exploited by attackers who upload malicious files, such as scripts or executables, to a server. If file validation is weak, these harmful files can bypass security checks and execute code on the server. This can lead to access or Remote Code Execution (RCE), severely compromising the server’s security.

3.1 XSS Via File Upload

XSS via file upload occurs when an attacker uploads a file containing malicious scripts that are executed in the browser of anyone who views the file. If the application improperly handles or displays these files, it can lead to cross-site scripting attacks. This vulnerability allows attackers to steal cookies, manipulate web content, or hijack user sessions.

How this can be achieved:

① Create a payload file and save it in .html format.

② You can use the payload <script>alert(document.cookie)</script>.

③ Upload this payload file through any file upload functionality.

④ Once uploaded, open the file, where you will be able to successfully trigger XSS.

3.2 SSRF Via File Upload

SSRF via file upload occurs when an attacker uploads a file that causes the server to make unintended requests to internal or external resources. For example, if an attacker uploads a file that contains a URL pointing to an internal service, such as http://localhost/admin, and the server processes this URL, it might access sensitive internal endpoints. This can expose internal network details or services that should be restricted.

How this can be achieved:

① Create a simple text file or an XML file with the following content:

② Upload this payload file through any file upload functionality.

③ Once uploaded, open the file, where you will be able to view the metadata contents of the AWS on successful exploitation.

3.3 RCE Via File Upload

RCE via file upload can also be exploited by uploading a file that tricks the server into revealing sensitive files like /etc/passwd. For instance, if an attacker uploads a file that includes a payload to read the /etc/passwd file, and the server processes it in a way that discloses the contents, sensitive system information such as user credentials can be exposed. This can lead to further exploitation and unauthorized access to the system.

How this can be achieved:

① Create a payload file and save it as per the application tech stack (.php for PHP application, .aspx for ASP.NET application etc..)

② Basic payload for RCE:

<? php echo file_get_contents(‘/etc/passwd’); ?>

③ Upload this payload file through any file upload functionality.

④ Once uploaded, open the file, where you will be able to view the etc/passwd file on successful exploitation.

3.4 Path Traversal Via File Upload

Path traversal via file upload occurs when an attacker uploads a file with a name that includes directory traversal characters, allowing them to access files outside the intended directory. For example, if an attacker uploads a file named ../../../../etc/passwd, and the server saves or processes it in an unrestricted manner, they might gain access to sensitive system files. This vulnerability can lead to unauthorized access to crucial system information or configuration files.

How this can be achieved:

① Upload a file through file upload functionality.

② Provide the file name as “../../../file.txt”

③ Open the file once uploaded.

④You will observe that the file has been saved three directories backward upon successful exploitation.

3.5 DOS Via File Upload

DOS via file upload occurs when an attacker uploads a file designed to overwhelm the server’s resources, such as a massive file or a file with excessive metadata. For example, uploading a large, resource-intensive file like a multi-gigabyte video can exhaust server storage or processing power, leading to a denial of service.

How this can be achieved:

① Create a large- size file .

② Upload the file through any file upload vulnerability.

③ It can be observed that the application goes down, causing DOS.

And there are even more…

Attaining file upload vulnerabilities isn’t easy, as developers typically implement various security mechanisms to prevent them. However, attackers can still find ways to bypass these protections. Consequently, it’s crucial to continuously update and refine security measures to effectively address evolving threats.

4.1 Double Extension

Double extension involves naming a file with multiple extensions to bypass security filters, such as malicious.php.jpg, which might be processed as an image while containing executable code.

4.2 Bypassing Blacklisting Security Check

Bypassing blacklisted file types involves uploading files with extensions that circumvent blacklists, such as using .php5 or .phtml if .php is blocked, to exploit the same vulnerabilities.

4.3 Adding contents via EXIF Tool

Uploading contents via EXIF allows attackers to hide malicious payloads in the EXIF metadata of image files, which can evade detection by security systems that scan only the visible content of the file.

4.4 Magic Bytes

Magic bytes involve manipulating the initial bytes of a file to bypass security checks. For example, an attacker might upload a file with PHP code, but modify its initial bytes to resemble those of a JPEG file, such as FF D8 FF E0 (JPEG magic bytes), to trick the server into treating it as a harmless image.

4.5 File Encoding

Attackers can encode payloads in formats such as Base64 to evade detection by security filters that scan only for specific file types or patterns. For example, they might upload a file with Base64-encoded JavaScript embedded in a .jpg image, which can avoid detection by filters that only check for JavaScript files.

Part Five: Through A real Life Exploit

Recently, I came across an application with file upload functionality. The application was PHP-based, as I discovered from an exposed info.php page. My goal was to upload a malicious PHP file, and with the added advantage of a directory listing vulnerability, I was quite hopeful.

However, when I tried uploading a PHP file, I noticed the application had a security check that blacklisted PHP files. Knowing that blacklisting can often be bypassed, I attempted to upload a malicious payload saved as .php5, but it failed. Then I tried uploading a .phtml file, which was successfully uploaded. To my delight, when I accessed the file, the payload executed, and PHP command injection led to Remote Code Execution (RCE).

Image 1: The application is observed to have a blacklisting approach in the file upload functionality. So Tried to upload a payload file and saved it in a format ‘.phtml’ which is an executable format of PHP payloads.Image 2: Observe that the file has been uploaded.Image 3: It can be observed that the payload get executed while opening the file.

PAYLOAD:

<? php echo file_get_contents(‘/etc/passwd’); ?>

① Strict File Type Validation: Ensure only specific, expected file types are accepted and validate file extensions and MIME types.

② Whitelist Accepted File Types: Implement a whitelist of allowed file types rather than relying on blacklisting to block harmful file extensions.

③ Content Scanning and Sanitization: Use antivirus software and other security tools to scan and sanitize uploaded files for malicious content.

④ Limit File Size: Set strict limits on the maximum file size to prevent denial of service (DOS) attacks due to large file uploads.

⑤ Store Files Outside the Webroot: Store uploaded files in a directory outside the webroot to prevent direct access through URLs.

⑥ Disable Executable Permissions: Ensure that uploaded files cannot be executed by the server by disabling executable permissions on the upload directory.

⑦ Use Randomized File Names: Rename uploaded files with randomized names to prevent overwriting existing files and reduce predictability.

⑧ Implement File Integrity Checks: Verify the integrity of uploaded files through hash checks to detect any unauthorized modifications.

⑨ Log and Monitor File Uploads: Log all file uploads and monitor for any suspicious activities to quickly identify and respond to potential threats.

⑩ Employ a Web Application Firewall (WAF): Utilize a WAF to detect and block malicious upload attempts by analyzing incoming traffic and enforcing security policies.

Securing file upload functionality is essential to protect your application from severe vulnerabilities like Remote Code Execution (RCE) and Cross-Site Scripting (XSS). Even seemingly harmless features can become gateways for attackers if not properly managed. By implementing robust security measures, such as strict file validation and storing files outside the web root, you can significantly reduce the risk of exploitation and safeguard both your application and its users.