File Upload Vulnerability & RCE

Hello, Team,

I am Sourav Saha. Here is the vulnerability I found in your domain.


Vulnerable Domain: https://www.Icannotshowtheurl.com/


Vulnerability Name:

File Upload Restriction Bypass:

Description:

File upload mechanisms are very common on websites, but they often have poor validation. When the server accepts a file whose type is checked only on the client side (or not at all), an attacker can upload a server-side script; if the upload directory is served by the web server and allows script execution, the file runs with the privileges of the web server process, and anything the server can do the attacker can do. This applies equally to upload forms in authenticated areas of a website, such as a profile-picture upload.

Validation Steps (POC):

1. Visit the profile page at https://www.Icannotshowtheurl.com/

2. After that we can see the “My Profile” option on the left-hand side.

3. There is an option to upload our profile picture, which is “Upload your photo”.

4. From there, if I try to upload a PHP reverse shell script (which we will discuss later in this report), the site will not allow me to do so.

5. But I will use my Burp Suite proxy to bypass this.

6. Before uploading the PHP reverse shell file, I renamed it from “upload.php” to “upload.php.jpeg” so that I can bypass the client-side validation.

7. So, for that, set your browser’s proxy to the same address and port as the Burp Suite proxy. In my case I used the FoxyProxy extension in my Mozilla Firefox browser just to make the steps shorter.

8. And my Burp Suite settings were like this:

9. Go to Proxy → Options → Proxy Listeners → select the interface → Edit → under the Binding tab, change the “Bind to port” value to any port number you want. In my case I used 8888.

10. Now select the reverse shell file which we have already renamed and, before clicking on the upload button, make sure intercept is on (under the Intercept tab).

11. After that you should get a request like this:

12. There you will find the parameter filename="upload.php.jpeg"; remove the “.jpeg” suffix so that the filename becomes “upload.php”.

13. Now forward the request.

14. The file just uploaded will be found at the following location, with its file name changed by the server: https://www.Icannotshowtheurl.com/




Vulnerable Locations for File Upload Restriction Bypass: -

https://www.Icannotshowtheurl.com/

Remediation

Restrict the file types accepted for upload: check the file extension on the server and only allow files on an allowlist (for a profile picture, image types such as .jpg, .jpeg, .png and .gif). Do not rely on a blacklist, and do not rely on client-side validation, since the proxy step above shows it is bypassed by editing one request. Reject double extensions such as .php.png, names with trailing dots or null bytes, and files without a base name such as .htaccess (on ASP.NET, also reject configuration files such as web.config). Verify that the file content matches the claimed type (image magic bytes) rather than trusting the client-supplied Content-Type. Store uploads outside the web root where possible, or configure the upload folder so that files within it are never executed as scripts, and rename each uploaded file to a server-generated name so the attacker never controls the stored name or extension.
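A server-side validation routine that applies the checks above, written here in Python as an added example; it is not the site's code, and the allowlist, the magic-byte table and the /uploads/ storage policy are assumptions for a profile-photo endpoint. It rejects exactly the bypass used in the POC (upload.php.jpeg with a real JPEG header, and upload.php after the suffix is stripped) and dotfiles such as .htaccess, and it returns a server-generated name so the client's filename never reaches disk.

```python
import os
import secrets

# Extensions the profile-photo endpoint accepts (assumed policy).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes that a file of each type must start with, so that a PHP
# script renamed to .jpeg fails even though its extension is on the allowlist.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate the upload and return the server-generated name to store it under.

    Checks, in order: the client-supplied path is reduced to a base name;
    dotfiles (.htaccess) are refused; exactly one extension is present, which
    rejects double extensions such as upload.php.jpeg, trailing dots and
    null-byte tricks; the extension is on the allowlist; the content starts
    with that type's magic bytes. The client name never reaches the disk.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty base name or dotfile")
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match the claimed image type")
    # Random token chosen by the server: the attacker controls neither name nor extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """True if validate_upload would accept the file, False otherwise."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a JPEG-looking header and a harmless PHP stub.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php = b"<?php echo 1; ?>"
    for name, data in [("photo.jpeg", jpeg), ("upload.php.jpeg", jpeg),
                       ("upload.php", php), ("photo.jpeg", php),
                       (".htaccess", b"AddType application/x-httpd-php .jpeg")]:
        verdict = "accepted" if is_accepted(name, data) else "rejected"
        print(f"{name!r:22} -> {verdict}")
```

This routine is one layer only: even with it in place, the upload directory should still be served without script execution (or from outside the web root), so that a validation bug or a new parser trick never turns a stored file into code.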


For more information about this vulnerability:

https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/file-upload-bypass

https://infosecwriteups.com/bypass-server-upload-restrictions-69054c5e1be4

Remote Code Execution (RCE):


Description:

Remote Code Execution describes a class of vulnerability in which attacker-controlled input ends up being run by the language interpreter on the server, either because the input is injected into a file or string that the interpreter evaluates, or, as here, because the attacker is able to place a whole script on the server and have the web server execute it. This is never behaviour the developer of the web application intended. A successful RCE attack can lead to full compromise of the web application and of the web server it runs on. Note that virtually all programming languages provide code-evaluation functions.

Code evaluation can also occur when user input reaches functions that evaluate code in the same programming language. This is sometimes done on purpose, for example to expose the language's mathematical functions to the user, and sometimes by accident, because the developer placed user-controlled input inside one of these functions. Neither is advisable: passing user input to a code-evaluation function is effectively handing the user a shell.

Before going ahead, I need to tell you I am using the weevely tool from Kali Linux; it ships with Kali. To generate the weevely shell file, use the following command:

weevely generate [type a password removing these brackets] [type filename.php removing these brackets]

Example: weevely generate 1234567890 upload.php

This command writes a password-protected PHP web shell (weevely calls it an agent) named upload.php to the current working directory; weevely later connects to it over HTTP using that password. This is the file the report refers to as the reverse shell.

To obtain RCE on the server, I uploaded the shell file by following the steps of the “File Upload Restriction Bypass” vulnerability above.

1. Click on the uploaded file and copy the whole URL.

2. Run this command in your Kali Linux terminal (general form, then the concrete example):

weevely https://www.example.com/uploads/users/43881650390771.php [type the password removing these brackets]

weevely http://example.com/filename.php 1234567890

3. Running the pwd command to print the current working directory shows the following:

4. As you can see, I obtained remote access to your server.

Getting into the dashboard: -

1. Since I had remote access to this server, I enumerated further to gather more details. I then found a .env file, which is an ASCII text file.

2. I opened that file to read its contents and obtained the database name, username, password and some more details. (Which I can’t show for security reasons.)

3. Open https://www.Icannotshowtheurl.com/ (the phpMyAdmin page) and log in with the credentials found in the .env file.



Mitigation And Detection Of RCE Attacks: -

RCE attacks can take advantage of a range of vulnerabilities, making it difficult to protect against them with any one approach. Some best practices for detecting and mitigating RCE attacks include:

  • Input Sanitization: RCE attacks commonly take advantage of injection, deserialization and, as in this report, file-upload vulnerabilities. Validating user input on the server before the application uses it (including uploaded file names and contents) prevents many types of RCE attack.
  • Secure Memory Management: RCE attackers can also exploit memory-management issues such as buffer overflows. Applications should undergo vulnerability scanning so that buffer overflows and similar errors are detected and remediated.
  • Traffic Inspection: As their name suggests, RCE attacks occur over the network, with an attacker exploiting vulnerable code to gain initial access to corporate systems. An organization should deploy network security solutions that can block attempted exploitation of vulnerable applications and detect an attacker remotely controlling enterprise systems, such as a web shell being driven over HTTP.
  • Access Control: An RCE attack provides an attacker with a foothold on the enterprise network, which they can expand to achieve their final objectives. By implementing network segmentation, access management and a zero-trust security strategy, an organization can limit an attacker’s ability to move through the network and take advantage of their initial access to corporate systems.

Check Point firewalls enable an organization to detect and prevent attempted exploitation of RCE vulnerabilities via injection or buffer-overflow attacks. Placing applications behind a firewall helps to dramatically reduce the risk that they pose to the organization.
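The Traffic Inspection point above can be applied directly to the attack chain in this report, because every step of it leaves a trace in the web server's access log: a script-extension file is requested from the upload directory, and a web shell then receives repeated requests (a command-driven shell such as weevely's agent is operated through HTTP requests to that one path). The following detection is an added example written for this page in Python; it is not the site's or any vendor's code. It assumes the combined access-log format and that profile photos are served from /uploads/, and the log lines it scans are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined (Apache/nginx style) access-log format; assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory the profile-photo upload writes to (assumption) and the
# server-side script extensions that must never be served from it.
UPLOAD_PREFIXES = ("/uploads/",)
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Constructed sample log: an upload, then a GET and repeated POSTs to a .php
# file in the upload directory (the pattern a command-driven web shell
# produces), plus a benign image fetch and a double-extension probe that 404ed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /profile/upload HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/users/43881650390771.php HTTP/1.1" 200 12
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /uploads/users/43881650390771.php HTTP/1.1" 200 311
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /uploads/users/43881650390771.php HTTP/1.1" 200 98
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "POST /uploads/users/43881650390771.php HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /uploads/users/9f1a.jpeg HTTP/1.1" 200 53211
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /uploads/users/x.php.jpeg?c=id HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_script_hits(lines):
    """Return (ip, method, path, status) for every request to a script-like
    path under the upload directory, whatever the status code: a 404 for
    x.php.jpeg is still a client probing the double-extension bypass."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path  # drop the query string
        if path.startswith(UPLOAD_PREFIXES) and SCRIPT_EXT_RE.search(path):
            hits.append((rec["ip"], rec["method"], path, rec["status"]))
    return hits


def webshell_candidates(lines, min_posts=3):
    """Map (ip, path) -> count for upload-dir script paths that one client
    POSTed to at least min_posts times with a 2xx answer. An image directory
    has no reason to receive POSTs at all, let alone repeated successful ones."""
    counts = Counter(
        (ip, path)
        for ip, method, path, status in find_script_hits(lines)
        if method == "POST" and status.startswith("2")
    )
    return {key: n for key, n in counts.items() if n >= min_posts}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_script_hits(lines):
        print("script under upload dir:", hit)
    for (ip, path), n in webshell_candidates(lines).items():
        print(f"possible web shell: {ip} POSTed {n} times to {path}")
```

The first function is the cheap, high-confidence signal: once the upload directory is configured to never execute scripts, any request for a .php path under it should be zero, so every hit is worth a look. The second function is the behavioural signal for the case where prevention failed, and the threshold is deliberately a parameter because a legitimate site may have a different baseline.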