File upload functions are a favorite target for hackers,
because they require your site to take a large chunk of data
and write it to disk.
This gives attackers the opportunity to smuggle malicious scripts
onto your server. If they can subsequently find a way to execute
those scripts, they can compromise your entire system.
Let's see how an attack might work. This is based on a
real-world example.

Mal is a hacker who has signed up for a website
running on a popular content management system.
He has noticed a couple of things about the site's profile image upload function.
Firstly, uploaded files do not get renamed as part of the
upload process. The file name appears in the URL of the profile image
when it is published.
Secondly, file-type checking is done in JavaScript.
Mal writes a simple script called hack.php.
When this web shell is executed by PHP, it will run any command
passed in the "cmd" parameter.
He disables JavaScript in his browser, and uploads hack.php
as his profile image. Since JavaScript is disabled, the file type is not
checked.
Unsurprisingly, his profile looks broken - the file he uploaded is
not a valid image. However, the script now lives on the server.
Dropping the URL of the "profile image" in the browser address bar
causes the script to be executed.
In fact, any command passed in the "cmd" parameter will get executed on the server.
His upload has created a command execution vulnerability.
Help Mal get access to sensitive data on the server.
Pass in the "locate my.cnf" command to find a database config file.
Good job! Now invoke the "cat /etc/mysql/my.cnf" command to read the file and discover the database password.
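The two weaknesses Mal relied on, type checking done only in JavaScript and uploads stored under their original name, are closed by validating on the server and renaming the file. The following Python is an added example, not code from the lesson or the content management system it describes; the image allowlist, the magic-byte table and the function names are assumptions.

```python
import os
import secrets
from typing import Optional

# Constructed allowlist: extension -> leading bytes a real file of that type starts with.
# Only the image types a profile-picture feature needs are listed; "php" is never here.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def sniff_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's leading bytes, or None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(original_name: str, data: bytes) -> str:
    """Server-side check that cannot be bypassed by disabling JavaScript.

    Returns a server-chosen file name to store the data under. The client's
    name is used only to read the claimed extension; it never reaches disk
    or the published URL.
    """
    if not data:
        raise UploadRejected("empty file")
    # Claimed extension: last suffix only, so "photo.php.png" is judged as "png"
    # and then has to match the actual content below.
    claimed = os.path.splitext(original_name)[1].lstrip(".").lower()
    if claimed not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {claimed!r}")
    actual = sniff_type(data)
    if actual is None or ALLOWED_TYPES[actual] != ALLOWED_TYPES[claimed]:
        raise UploadRejected("content does not match the claimed image type")
    # Rename: random token plus the validated extension, so the stored name is
    # never attacker-controlled and never carries an executable extension.
    return f"{secrets.token_hex(16)}.{actual}"
```

Write the returned name into a directory that the web server serves as static content only (ideally outside the document root), so even a file that slips through is never handed to the PHP interpreter.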