File Upload - Upload. Intercept. Exploit.

File Upload — RCE

As a penetration tester, I often come across interesting security issues during assessments. One such case involved a file upload feature that led to a serious vulnerability Remote Code Execution (RCE). Here’s what happened, step by step.

While testing a web application, I found a file upload functionality. Features like this always get my attention because they’re often poorly secured.

I started by uploading a malicious file a simple ASP web shell with a .asp extension. The application rejected it and returned an error:
"Invalid File Format."

Instead of giving up, I tried a different approach. I uploaded a harmless-looking image file (image.jpg) to see if it would pass the checks. It worked, and the image was uploaded successfully.

Here’s where it got interesting. Using Burp Suite, I intercepted the upload request and made some changes:

Changed the Extension:
I renamed the file from image.jpg to shell.asp.Replaced the File Content:
I replaced the actual image content with malicious ASP shell code. If it was uploaded, this code would let me execute commands on the server.Forwarded the Modified Request:
I sent the request with the altered file.

To my surprise, the file was accepted and uploaded to the server!

Once the file was uploaded, I navigated to its URL on the server. As expected, the web shell opened, giving me full control over the server. This meant I could run commands, access sensitive files, and even escalate privileges further.

The application only checked the file extension during upload, likely on the client-side or as a basic validation step. It didn’t verify the actual content or properly restrict what could be uploaded.

For developers, here are a few key takeaways:

Validate on the Server:
Always validate file uploads server-side, not just client-side.Check File Content (MIME Type):
Don’t rely on extensions — verify the actual file type based on its content.Allow Only Safe File Types:
Use a whitelist of allowed file formats (e.g., .jpg, .png) and block everything else.Store Files Safely:
Place uploaded files in a directory where they can’t be executed, like a dedicated storage server or a non-public folder.Sanitize File Names:
Prevent attackers from using dangerous file names to exploit the system further.

This experience was a reminder of how critical proper file upload security is. A simple oversight can open the door for attackers to take control of a system. As penetration testers, it’s our job to identify these gaps, but it’s equally important for developers to build systems with security in mind.

Secure your apps, and stay ahead of the attackers!