Uploads
Upload vulnerabilities occur when an application does not properly validate or sanitise user-uploaded files
What is an Upload Vulnerability?
Upload vulnerabilities occur when an application does not properly validate or sanitize user-uploaded files. This can lead to unauthorized code execution, file inclusion, or other security breaches. Attackers may exploit these vulnerabilities to upload malicious files, such as web shells or configuration files, that can compromise the server or application.
Example Tests for Upload Vulnerabilities
When performing a penetration test, you can use various payloads to test for upload vulnerabilities. Below are some example tests and methodologies to identify such vulnerabilities.
Example Payloads and Techniques
Uploading a Web Shell
PHP Web Shell: Upload a simple PHP file with the following content:
ASP Web Shell: Upload an ASP file with the following content:
Uploading .htaccess File
To change the behaviour of the web server, you can upload an .htaccess file:
This allows you to upload a PHP file disguised with a .jpg extension and have it executed as PHP. It only works when Apache applies .htaccess files in the upload directory (AllowOverride permits the directive you use) and the directive matches how PHP is actually wired up on that server (mod_php versus PHP-FPM), so confirm both before relying on it.
Bypassing File Type Restrictions
Polyglot Files: Create a file that is valid as both an image and a script, for example an image with PHP code hidden in a comment or appended after the image header. PHP ignores everything before the opening tag, so getimagesize()-style checks pass and the code still runs if the file is ever handed to the interpreter.
MIME Type Bypass: Change the Content-Type of the file part in the multipart request (for example to image/jpeg) to satisfy content-type checks. That header is set by the client, so any server-side check that trusts it is bypassed with nothing more than an intercepting proxy.
Using Alternate Extensions
Upload files with extensions the server may still hand to the script interpreter, such as .phtml, .phar, or .shtml. Which of these execute depends on the handler mapping in the server configuration, so test each one against the target rather than assuming.
Configuration Files
Apache Configuration (.htaccess): Upload an .htaccess file to enable execution of other files uploaded to the same directory.
Tomcat Configuration: If an upload can overwrite files inside a deployed application, modify its WEB-INF/web.xml to add malicious servlet mappings.
Testing Methodology
Identify Upload Points:
Locate file upload functionalities in the application, such as profile picture uploads, document uploads, etc.
Attempt File Uploads:
Use various payloads to attempt uploading different file types and observe the server's response to each.
Work out where uploaded files end up (from the response body, a link or image reference in the page, or a directory listing) and whether that location is reachable by URL.
Analyze Responses:
Check if the uploaded files are executable by accessing them directly via a web browser.
Use intercepting proxies like Burp Suite or OWASP ZAP to manipulate file uploads and bypass client-side restrictions.
Monitor Server Behavior:
Observe any changes in server behaviour, error messages, or execution of uploaded files.
Antivirus testing / sanitisation of files
Antivirus testing and file sanitisation are additional layers to ensure that uploaded files do not contain known malicious content. Scanning complements type validation rather than replacing it: a freshly written web shell carries no signature a scanner would match, so the checks in the previous section still apply.
EICAR Test Files
EICAR (European Institute for Computer Antivirus Research) provides standard test files that can be used to test the effectiveness of antivirus software. These files are harmless and are designed to trigger antivirus alerts.
To test your antivirus and file sanitisation mechanisms, you can use a ZIP file containing EICAR test files. The ZIP file is password-protected so that the on-access scanner on your own machine does not quarantine the test files before you can use them. The password for the ZIP file is "password".
Download the ZIP file containing EICAR test files:
Contents of the ZIP file:
eicar.com: the standard EICAR test file.
eicar (copy 1).txt: a copy of the EICAR test file under a different name.
eicar.exe: the EICAR test file with an .exe extension.
eicarfileupload.png: a PNG image containing the EICAR test string.
eicarfileupload.png_original: the original PNG image, before the test string was added.
eicar.jpeg: the EICAR test file with a .jpeg extension.
eicar.pdf: the EICAR test file with a .pdf extension.
eicar.perl: the EICAR test file with a .perl extension.
eicar.png: the EICAR test file with a .png extension.
eicar.py: the EICAR test file with a .py extension.
eicar.tar.gz: the EICAR test file compressed in a .tar.gz archive.
eicar.txt: the standard EICAR test file in .txt format.
Example Tests
Upload the ZIP File:
Upload the EICAR ZIP file to the application.
Check if the antivirus detects and blocks the upload.
Extract and Scan:
If the archive is accepted, the server-side scanner should look inside it (recursively, for nested archives) rather than only at the container: Deflate transforms the member's bytes, so a signature match over the raw upload will not see the EICAR string inside.
Treat anything the scanner cannot open, such as the password-protected ZIP itself, as unscannable and reject or quarantine it rather than passing it as clean, and bound recursion depth and expanded size so a decompression bomb cannot exhaust the scanner.
Sanitisation Process:
Implement a sanitisation process to clean or remove any detected threats.
Ensure the application tells the user when an upload contained malicious content and was sanitised or rejected.
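The "extract and scan" test above, as an added Python example that is not part of the original page: it builds a constructed subset of the EICAR test set in memory (plain file, different extension, a valid PNG carrying the string in a tEXt chunk, and a deflated ZIP) and runs two scanners over it, a naive raw signature match and one that opens ZIP containers and refuses anything it cannot inspect. Nothing is written to disk and the EICAR string is assembled from pieces, so the run does not trip the on-access scanner on your own machine. The scanner logic and verdict names are this example's own, not any product's API.

```python
"""EICAR test set and two scanners, entirely in memory. Added example, not code
from the original page. Nothing is written to disk, and the signature is
assembled from pieces, so neither this file nor the run trips your own AV."""
import io
import struct
import zipfile
import zlib

# The standard 68-byte EICAR string, split so the source does not match it.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!$H+H*").encode()


def png_chunk(ctype, data):
    """One PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def png_with_text(keyword, text):
    """A valid 1x1 greyscale PNG that carries `text` in a tEXt chunk: the image
    still renders, which is the 'eicarfileupload.png' idea."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                       # filter + 1 pixel
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", keyword + b"\x00" + text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def zip_of(members):
    """Deflated ZIP of {name: bytes}, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_test_set():
    """Constructed subset of the page's ZIP contents: same bytes, several wrappers."""
    return {
        "eicar.txt": EICAR,
        "eicar.py": EICAR,                                   # extension is irrelevant
        "eicarfileupload.png": png_with_text(b"Comment", EICAR),
        "eicar.zip": zip_of({"eicar.txt": EICAR}),
    }


def scan_raw(data):
    """Naive scanner: signature match over the bytes exactly as uploaded."""
    return EICAR in data


def scan_archive_aware(data, depth=0, max_member=50_000_000):
    """Scanner that opens ZIP containers recursively. Returns 'detected',
    'clean' or 'unscannable'; the last covers encrypted members, corrupt or
    oversized archives and deep nesting, which a safe policy rejects."""
    if scan_raw(data):
        return "detected"
    if data[:2] != b"PK":
        return "clean"
    if depth > 3:                                            # nesting guard
        return "unscannable"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1 or info.file_size > max_member:
                    return "unscannable"                     # encrypted or bomb-sized
                verdict = scan_archive_aware(zf.read(info), depth + 1, max_member)
                if verdict != "clean":
                    return verdict
    except zipfile.BadZipFile:
        return "unscannable"
    return "clean"


if __name__ == "__main__":
    for name, data in build_test_set().items():
        print(f"{name:22} raw={str(scan_raw(data)):5} archive-aware={scan_archive_aware(data)}")
```

The raw scanner catches the plain files and the PNG, because the string is stored verbatim in the tEXt chunk, while for the ZIP the Huffman-coded member no longer contains the literal bytes, so only the archive-aware scanner reports it. The password-protected ZIP the page distributes would come back as "unscannable" from the second scanner, which is the verdict an upload pipeline should act on instead of treating it as clean.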
Conclusion
Upload vulnerabilities can lead to full server compromise if not properly mitigated. Validate both the file name and its content before processing: allow only the extensions you need, judged on the final extension, check that the content matches the declared type, enforce size limits, and store uploads under a server-generated name outside the web root, serving them back with a fixed Content-Type. Regular security testing and keeping the application and its dependencies up to date help prevent such vulnerabilities.
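The mitigations in the conclusion, as an added Python example that is not part of the original page: the handler the page warns about (client filename kept, written under the web root) beside a hardened one (size cap, allowlist on the final extension, magic-byte check, random server-generated name, storage outside the web root) and a serve function that returns the file with a fixed Content-Type. It uses no web framework; the directory layout, limits and function names are this example's assumptions, and the JPEG and polyglot bytes are constructed.

```python
"""Vulnerable versus hardened upload handling, as plain Python functions with
no web framework. Added example, not code from the original page; the
directory layout, limits and helper names are assumptions."""
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 2 * 1024 * 1024
# Allowed final extension -> magic bytes the content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {".png": "image/png", ".gif": "image/gif",
                 ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def save_upload_vulnerable(webroot, filename, data):
    """What the page warns about: keeps the client's filename and writes it
    under the web root, so .htaccess, shell.php and ../ all land where the
    web server can act on them."""
    dest = Path(webroot) / "uploads" / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_secure(store_dir, filename, data):
    """Hardened: size cap, allowlist judged on the *final* extension, magic-byte
    check, server-generated name, storage outside the web root."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = Path(filename).suffix.lower()   # "shell.jpg.php" -> ".php"; ".htaccess" -> ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    # A magic-byte check does not stop polyglots ("GIF89a<?php ..."), and real
    # JPEGs legitimately contain "<?xpacket" metadata, so do not grep for PHP
    # tags. The defence is that nothing in store_dir is ever executed.
    store = Path(store_dir).resolve()
    dest = (store / (secrets.token_hex(16) + ext)).resolve()
    if dest.parent != store:              # impossible with a random name; belt and braces
        raise ValueError("path escaped the store")
    dest.write_bytes(data)
    return dest


def serve(store_dir, stored_name):
    """Hand a stored file back by its server-generated name with a fixed
    Content-Type and nosniff, so the browser cannot reinterpret it."""
    store = Path(store_dir).resolve()
    path = (store / stored_name).resolve()
    ext = path.suffix.lower()
    if path.parent != store or ext not in CONTENT_TYPES:
        raise ValueError("unknown file")
    headers = {"Content-Type": CONTENT_TYPES[ext],
               "X-Content-Type-Options": "nosniff",
               "Content-Disposition": f'inline; filename="{stored_name}"'}
    return headers, path.read_bytes()


def run_demo():
    """Exercise both handlers in throw-away directories and return the outcomes."""
    webroot, store = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG-looking bytes
    results = {}
    results["vuln_htaccess"] = save_upload_vulnerable(
        webroot, ".htaccess", b"AddType application/x-httpd-php .jpg\n").name
    escaped = save_upload_vulnerable(webroot, "../escaped.php", b"<?php ?>")
    results["vuln_traversal"] = escaped.resolve() == (webroot / "escaped.php").resolve()
    for name in (".htaccess", "shell.php", "shell.phtml", "shell.jpg.php", "x.png"):
        try:
            save_upload_secure(store, name, jpeg)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    stored = save_upload_secure(store, "../../shell.php.jpg", jpeg)
    results["renamed"] = stored.name
    results["in_store"] = stored.parent == store.resolve()
    results["polyglot"] = save_upload_secure(store, "img.gif", b"GIF89a<?php echo 1; ?>").name
    results["served_type"] = serve(store, stored.name)[0]["Content-Type"]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16} {value}")
```

Note what the hardened version does and does not promise: "shell.php.jpg" with a JPEG header and the GIF polyglot are both accepted, because they are valid images by the checks applied; they are harmless only because they land outside the web root under a random name and come back through serve() with an image Content-Type. If the upload directory is served by the web server directly, also re-encode images on the way in and disable script handlers and .htaccess processing for that directory.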