How to exploit File Upload vulnerability – LLODO

Although it does not appear as a standalone entry in the OWASP Top 10 list of web security vulnerabilities, File Upload is still an extremely dangerous weakness that you should be careful about. File Upload is a favourite target for hackers, because the feature requires your website to accept large amounts of user-supplied data and write it to disk.


This creates an opportunity for attackers to place malicious scripts on your server. If they can then find a way to execute those scripts, they can compromise the entire system.

So, in this article, I will show you how the File Upload vulnerability works through a real example.

How File Upload Vulnerability Works

Ellyx13 is a hacker who has signed up for an account on a website that runs on a popular content management system (WordPress, for example).

Ellyx13 has noticed a few interesting things about the site’s avatar upload function.


First, uploaded files are not renamed during the upload process: the original filename appears in the avatar URL on the profile page. Second, the site only checks the file format on the client side, with JavaScript.


Ellyx13 writes a simple script called hack.php. When the web server executes this PHP script, it runs whatever command is passed in the “cmd” parameter; in other words, it is a minimal web shell.


Ellyx13 disables JavaScript in her browser and uploads hack.php as her profile avatar. Since JavaScript is disabled, the file format is never checked.


Not surprisingly, Ellyx13’s avatar cannot be displayed, because the uploaded file is not a valid image. However, the hack.php script is now sitting on the server, at the URL the avatar link points to.


Now all she needs to do is edit the avatar URL slightly in the browser address bar, adding the “cmd” parameter, so that the server executes hack.php.


Indeed, any command passed in the “cmd” parameter is executed on the server. Ellyx13’s file upload has turned into a remote command execution vulnerability.


Ellyx13 can now run commands on the web server. From here she can go after sensitive data, for example by running a command through the “cmd” parameter that locates the my.cnf file, where the database configuration lives.


With the path to the database configuration file in hand, the next step is obvious: run cat /etc/mysql/my.cnf to read its contents and pull out the database username and password used by the site. That is all it takes.
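From the defender’s side, the attack above leaves a very recognisable trail in the web server access log: a request for a script under the avatar directory, followed by the same file being fetched with a “cmd” parameter. The following Python example is added here and is not part of the original article; it runs a simple detection over a few constructed access-log lines in Apache/nginx combined format. The upload directory prefix (/uploads/), the list of script extensions and the parameter names are assumptions you would adapt to your own deployment.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
# Lines 2-3 replay the article's attack: a script fetched from the avatar
# directory with a cmd parameter.  The last line is a legitimate CMS request
# that also happens to carry a "cmd" parameter and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "POST /profile/avatar HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:14:02:40 +0000] "GET /uploads/avatars/hack.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:14:03:02 +0000] "GET /uploads/avatars/hack.php?cmd=cat+/etc/mysql/my.cnf HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:14:03:30 +0000] "GET /uploads/avatars/alice.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:14:04:00 +0000] "GET /index.php?cmd=search HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed: the CMS writes avatars under /uploads/.  Adjust to your deployment.
UPLOAD_PREFIXES = ("/uploads/",)
# Extensions a web server might hand to a script interpreter.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
               ".jsp", ".asp", ".aspx", ".cgi"}
# Parameter names commonly used by simple web shells.
SHELL_PARAMS = {"cmd", "exec", "command", "c"}


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)  # '+' and %XX escapes are decoded here
    return entry


def classify(entry):
    """Return the reasons this request looks like web-shell use (empty if none)."""
    reasons = []
    path = entry["path"].lower()
    if not path.startswith(UPLOAD_PREFIXES):
        return reasons  # only uploads are in scope; /index.php?cmd=... is normal CMS traffic
    if posixpath.splitext(path)[1] in SCRIPT_EXTS:
        reasons.append("script extension under upload directory")
        if entry["status"] == "200":
            reasons.append("served with 200, so the server executed or disclosed it")
    shell_params = set(entry["query"]) & SHELL_PARAMS
    if shell_params:
        reasons.append("shell-style parameter: " + ", ".join(sorted(shell_params)))
    return reasons


def find_webshell_hits(log_text):
    """Scan a log and return one dict per suspicious request, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({
                "ip": entry["ip"], "time": entry["ts"], "path": entry["path"],
                "query": entry["query"], "status": entry["status"], "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], hit["query"], "->", "; ".join(hit["reasons"]))
```

The check deliberately scopes the “cmd” heuristic to the upload directory: many CMS front controllers take a parameter with that name legitimately, and what makes the request suspicious is a user-supplied file being treated as a script, not the parameter name by itself. A 200 response to such a request is the signal to escalate, because it means the server either ran the file or handed it back.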


Very dangerous, right? Now that we have seen how a File Upload attack can compromise your website, let’s look at how to secure the File Upload feature.

How to secure File Upload

File Upload is a fairly easy way for an attacker to get malicious code onto your website. Treat every uploaded file as untrusted and keep it quarantined until it has been fully validated; otherwise you create an easy path into your system.


Clever hackers often chain several vulnerabilities when attacking your website; uploading malicious code to the server is only the first step. The next step is to find a way to execute it.

Even large companies suffer from this vulnerability, especially if they are running complex, legacy codebases.


Any input coming from the user must be handled with care until it is guaranteed to be safe. This is especially true for uploaded files, because your application initially treats them as an opaque block of innocuous data, which lets attackers smuggle any kind of malicious code they want into your system.

Keep uploaded files separate

Uploaded files usually need very little processing, unless you are building a site whose purpose is to handle images, videos or documents. If that is the case, it is all the more important to keep uploaded files separate from the system’s own code.

You can use a cloud storage service or a content management system to store uploaded files. You can also store uploaded files in your database as binary blobs. Both approaches prevent the web server from ever executing an uploaded file as a script.

Even storing uploaded files on a separate file server or on a separate disk partition helps, by isolating the damage a malicious file can do.

Make sure uploaded files cannot be executed

If uploaded files are written to disk, make sure neither the operating system nor the web server treats them as executable. The web server process needs read and write access to the upload directory, but must not be able to execute anything in it. On Unix-like systems, write uploaded files without the “executable” permission bit. Note that the execute bit alone does not stop a PHP handler, which simply reads the file and interprets it; you must also configure the web server so that no script handler (PHP, CGI and so on) applies to the upload directory. In the attack above, hack.php ran precisely because it ended in .php and sat under the web root.

Rename the uploaded file

Rewriting or obfuscating filenames makes it harder for an attacker to find their file once it has been uploaded: if the stored name is random, the attacker cannot work out which URL to request in order to execute it. In the attack above, it was precisely the unchanged filename in the avatar URL that told Ellyx13 where hack.php lived.

Validate file formats and extensions

Make sure the extension of the uploaded file is on the list of allowed file types (an allow-list, not a block-list). Do this on the server side, because client-side checks can simply be disabled, exactly as Ellyx13 did.

Content-Type validation

Files uploaded from a browser arrive with a Content-Type header. Make sure it is on the allow-list of permitted file types. (Be aware, however, that a simple script or proxy can spoof this header, so this check, while useful, is not sufficient on its own; also inspect the file’s actual content, for example its magic bytes or whether it parses as an image of the claimed type.)

Use a virus scanner

Virus scanners help detect malicious files masquerading as a different file type, so if you offer a File Upload feature you should scan every uploaded file before it is made available to anyone.

There are other File Upload security measures as well, such as limiting file size and guarding against zip bombs when archives are accepted.
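To tie the sections above together (keeping uploads separate, making them non-executable, renaming them, validating extension, Content-Type and content, and limiting size), here is an added Python example that is not part of the original article or of any CMS. It places the vulnerable pattern from the story next to a hardened handler. The allowed-type table, the 2 MB limit, the function names and the idea that upload_root is a directory outside the web root served without any script handler are all assumptions for this example; the PHP web shell and the PNG header are constructed sample bytes, not real files.

```python
import os
import secrets
import shutil
import tempfile
from pathlib import Path

# Allowed upload types: extension -> (leading magic bytes, expected Content-Type).
# Constructed for this example; extend it for the types your application really needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed avatar size limit


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def store_upload_vulnerable(original_name, data, webroot):
    """The pattern from the article: no server-side check, original name kept,
    file written inside the web root where the server's PHP handler can run it."""
    dest = Path(webroot) / "avatars" / original_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return str(dest)


def validate_image(original_name, content_type, data):
    """Return the normalised extension if size, extension allow-list,
    Content-Type header and magic bytes all agree; otherwise raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not in allow-list")
    magic, expected_mime = ALLOWED_TYPES[ext]
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime != expected_mime:
        raise UploadRejected(f"Content-Type {mime!r} does not match {ext!r}")
    if not data.startswith(magic):
        raise UploadRejected("file content does not match its extension")
    return ext


def store_upload_hardened(original_name, content_type, data, upload_root):
    """Validate, then write under a random name with no execute bit.
    upload_root is assumed to live outside the web root (or on a separate
    volume) and to be served without any script handler."""
    ext = validate_image(original_name, content_type, data)
    new_name = f"{secrets.token_hex(16)}.{ext}"  # attacker can neither choose nor guess this
    dest = Path(upload_root) / new_name
    # O_EXCL: never overwrite an existing file; mode 0o644: readable, not executable
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o644)  # enforce the mode regardless of the process umask
    return new_name


# Constructed sample payloads (not real malware): a PHP web shell and a tiny PNG header.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def demo():
    """Run both handlers against the same inputs and report what each did."""
    root = Path(tempfile.mkdtemp())
    results = {}
    try:
        # 1. The vulnerable handler stores hack.php under the web root, as in the article.
        results["vulnerable_path"] = store_upload_vulnerable("hack.php", PHP_SHELL, root / "www")
        # 2. The hardened handler rejects the same payload under several disguises.
        for name, ctype, data, label in [
            ("hack.php", "application/x-php", PHP_SHELL, "php_ext"),
            ("hack.php.png", "image/png", PHP_SHELL, "double_ext"),  # extension fine, content is not
            ("avatar.png", "image/jpeg", PNG_BYTES, "ctype_mismatch"),
            ("avatar.png", "image/png", b"\x00" * (MAX_BYTES + 1), "too_big"),
        ]:
            try:
                store_upload_hardened(name, ctype, data, root)
                results[label] = "accepted"
            except UploadRejected as err:
                results[label] = f"rejected: {err}"
        # 3. A genuine PNG is accepted, renamed, and stored without the execute bit.
        stored = store_upload_hardened("avatar.png", "image/png", PNG_BYTES, root)
        results["accepted_name"] = stored
        results["accepted_mode"] = oct(os.stat(root / stored).st_mode & 0o777)
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. Discarding the original filename entirely, rather than sanitising it, removes both the predictable URL that Ellyx13 relied on and any path-traversal concern in one move. And the magic-byte check is a filter, not a guarantee: a file can begin with a valid image header and still contain PHP after it, which is why the random name, the non-executable mode and a storage location with no script handler remain necessary even when validation passes.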

If you want me to cover another vulnerability next, please leave a comment below. Don’t forget to join Anonyviet’s Discord server.
