UNRESTRICTED FILE UPLOADS

Hi everyone, hope you all are staying safe in this corona time. In this article i am going to demonstrate you the vulnerability which i have found in one of the private programs that could lead to many serious attacks including the famous Remote Code Execution!!

So Let’s begin :)

First of all let’s talk about what is file uploading and how it could lead to vulnerabilities.

Uploading files is an important feature in every web application. It basically allows the users to upload there file on the server. Pretty simple right? Well, if the server is not handling uploading functionality then it could lead to serious vulnerabilities like XSS ,RCE ,DOS, ACCOUNT TAKEOVERS etc.

If you are thinking how then here is one simple example:

Suppose there is a website(abc.com) which is running on PHP language and have a profile upload functionality. Now normally the users are supposed to upload their profile picture via that functionality. But we are hackers right??We have to think out of the box. So what will happen if we try to upload a php file using that functionality? Well, it would basically allows us to run php on the server.

Hmm…Now i think we are ready..Let me show you how i found an Unrestricted File Upload vulnerability :)

Let’s Begin

So i was hunting on a program(let’s say weaksite.com) which was a ebook platform and have the following functionalities:

1- Login/Signup

2- Create Stores

3- Forget Password

And many others

I tried testing on 1 and 3 for around 30 mins and found nothing. So i decided to check 2nd functionality.

On digging deeper, i found that there is a feature to add logo in your store. So i tried to upload a html file to see if i can actually upload files other than images. And guess what? I failed

After that, i created an html file and saved as “anything.png” and tried to change the extension back to html using burpsuite.

And Now i tried to upload the file again and this time it worked!!! The html file got uploaded successfully.

After that i tried to visit my uploaded file and it got rendered successfully!!

So now that i was able to upload anything apart from images, there is no need for me to actually put a php shell on the server(as this was not allowed in the program). Therefore , I have reported this vulnerability to the company and they are now working to fix this

Fix:

There is actually a very simple check for this. All the server need is to check if the extension provided by the client ends with images extension(like .png,.bmp.jpeg etc) and you are good to go :)

TakeAways:

1- Never afraid to fail.

2- Check each and every functionality.

3- Follow the road less traveled ;)

So that’s it for now. I apologize if my English was bad. Hope you all learnt something from this article.

Peace out