[security] File upload

The lab runs on Metasploitable 2, whose bundled DVWA (Damn Vulnerable Web Application) provides the file upload exercise used here.

This lab builds awareness of file upload vulnerabilities. There are three security levels (low, medium and high), and at each one the objective is the same: upload a PHP web shell, then connect to it to gain access to the server.

Low security

This is the PHP code of the low security file upload:
[screenshot: low1]
The PHP code moves the file into place as soon as the Upload button is clicked. There is no check of any kind on the uploaded file: not its name, not its extension, not its declared type and not its content.

Generate shell webapp with weevely

weevely is a Python tool that generates an obfuscated PHP agent (`weevely generate <password> <file>`); once the agent is uploaded and reachable over HTTP, `weevely <url> <password>` connects to it and gives a shell on the target server.

[screenshot: low2]

Upload and gain shell access

[screenshot: low3]

[screenshot: low4]

Once the file has been uploaded, connect to it with weevely to get a shell.
[screenshot: low5]

Medium security

This is the medium security code. It checks the size of the file and the Content-Type declared for the upload, which must be image/jpeg. Both values come from the client: the Content-Type is just a header inside the multipart request, and browsers fill it in from the file extension. Renaming the shell from shell.php to shell.php.jpg is therefore enough to make the declared type image/jpeg, and the webapp accepts the upload.
[screenshot: medium5]

[screenshot: medium3]

[screenshot: medium6]

At first I thought I could not run the shell with weevely because .jpg is appended, but weevely still works:
[screenshot: medium7]

High security

This is the PHP code at the high security level, which checks that the file extension is jpg:
[screenshot: high1]

But the same old trick used on medium security works on high security too, because the check only looks at the text after the last dot in the filename. So I copied shell.php.jpg to shell2.php.jpg and uploaded it.
[screenshot: high2]

[screenshot: high3]

[screenshot: high4]

This is the result when I use shell2.php.jpg with weevely:
[screenshot: high5]

Why does a file with .php in the middle of its name still get executed?

The problem lies in the default PHP configuration for Apache on the Metasploitable server:
[screenshot: high6]
The line AddHandler php5-cgi .php is the problem. Apache's mod_mime treats every dot-separated suffix of a filename as an extension, so shell.php.jpg has two extensions, .php and .jpg, and the .php one is enough to route the file to the PHP CGI handler regardless of what follows it. The usual fix is to bind the handler only to names that end in .php (for example with a FilesMatch block anchored on "\.php$" and SetHandler instead of AddHandler) and to disable script execution in the upload directory altogether. The solution can be found here, or see this code on GitHub, which shows how to implement file upload checking in PHP.
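The following added example (not code from the original post, from Apache or from DVWA) models the two halves of this section in Python: `handler_for` mimics how AddHandler's multiple-extension matching decides that shell.php.jpg is PHP, and `safe_upload_name` shows the kind of server-side validation that defeats the trick: whitelist the final extension, reject any inner extension a handler would match, verify the image's magic bytes, and store the file under a server-chosen name. The handler table, the allowed-type table and the sample file contents are constructed for the example.

```python
"""Apache multiple-extension matching, and an upload check that accounts for it.

Added example, not the original post's code. handler_for() models mod_mime's
AddHandler lookup; safe_upload_name() is a hardened replacement for a check
that only looks at the last extension.
"""
import os
import secrets
from typing import Dict, Optional

# Models the Metasploitable line:  AddHandler php5-cgi .php
ADD_HANDLER: Dict[str, str] = {"php": "php5-cgi"}

# Final extensions we accept, with the magic bytes the content must start with.
ALLOWED: Dict[str, bytes] = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Constructed sample contents (not real files).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
PHP_SAMPLE = b"<?php system($_GET['c']); ?>"


def handler_for(filename: str, handlers: Dict[str, str] = ADD_HANDLER) -> Optional[str]:
    """Return the handler Apache would select for this filename, or None.

    mod_mime treats every dot-separated suffix of the basename as an extension
    and, when several map to a handler, uses the rightmost one. With only
    .php bound, any '.php' segment anywhere after the first dot is enough.
    """
    base = os.path.basename(filename).lower()
    chosen = None
    for ext in base.split(".")[1:]:
        if ext in handlers:
            chosen = handlers[ext]
    return chosen


def safe_upload_name(client_name: str, data: bytes,
                     handlers: Dict[str, str] = ADD_HANDLER) -> str:
    """Validate an upload and return the server-chosen name to store it under.

    Raises ValueError with the reason when the upload must be rejected.
    """
    base = os.path.basename(client_name)          # drop any path the client sent
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("no extension")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} not allowed")
    # Inner extensions (shell.php.jpg) are what AddHandler acts on: reject them.
    if any(p in handlers for p in parts[1:-1]):
        raise ValueError("script extension inside filename")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client's name: random basename, fixed, whitelisted extension.
    return f"{secrets.token_hex(16)}.{ext}"


def verdict(client_name: str, data: bytes) -> str:
    """'ok' when the upload would be accepted, otherwise the rejection reason."""
    try:
        safe_upload_name(client_name, data)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for name in ("shell.php", "shell.php.jpg", "holiday.jpg"):
        print(f"{name:15s} apache handler: {handler_for(name)}")
    print(verdict("shell.php.jpg", PHP_SAMPLE))
    print(verdict("shell.php.jpg", JPEG_SAMPLE + PHP_SAMPLE))  # polyglot, still rejected
    print(verdict("holiday.JPG", JPEG_SAMPLE))
```

Renaming on the server is what makes the rest of the check robust: even if a future bypass gets an odd name past the filters, the stored file never carries a client-chosen extension. Pair it with the Apache-side fix (anchored handler pattern, no script execution in the upload directory) rather than relying on either alone.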
