(Basic File Upload)
What do I Need to Know First of All?
- What is a File Upload Vulnerability?
One of the major risks a web application faces is accepting a file that carries malware or other malicious code. An attacker's ultimate goal is to get code of their choosing onto the target site and have the server execute it.
Attacking a website or web application by uploading a file that contains malicious code can cause a range of problems for the site, including:
- Complete takeover of the system
- Overloading of the database or file system
- Attacks against back-end systems that process the file
- Attacks against other clients (for example, when the file is served back to them as HTML or script)
- Simple defacement
- The impact, and how hazardous it is, ultimately depends on what the application does with the file and where it stores it
Where does the problem actually lie?
There are two main areas of risk:
- Metadata, meaning the name and path of the uploaded file. This information reaches the application through the transport itself: the HTTP multipart/form-data encoding carries the file name (and possibly a client-supplied path) alongside the file content. If the application trusts it, an important file may be overwritten or the upload may land in a location the attacker chooses. Both outcomes are severe, so metadata must be validated before it is used.
- The size and content of the file, which largely determine the impact. Every interaction between the application and an uploaded file has to be analysed carefully, so that it is clear which processing steps and which interpreters the file passes through.
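As an added example (not code from the original page, and not DVWA's own source), the following Python module puts both risk areas into practice. It shows the vulnerable pattern that trusts the file name taken from the multipart body, beside a validator that discards that name, allow-lists extensions, checks the file's magic bytes against both the extension and the declared Content-Type, enforces a size limit and stores the file under a generated name. The upload directory, size limit and accepted image types are assumptions chosen for the illustration, and the sample uploads at the bottom are constructed.

```python
"""Added example: metadata and content checks for a file upload handler.

The two risk areas described in the text (client-supplied name/path, and
the file's size and content) are handled as pure functions so the logic can
be exercised offline. Sample uploads are constructed here; nothing comes
from a real request.
"""
import posixpath
import re
import secrets

UPLOAD_DIR = "/var/www/uploads"          # assumed location, kept outside the web root
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAX_SIZE = 2 * 1024 * 1024               # 2 MiB, assumed limit

# Magic bytes for the image types we accept. The declared Content-Type is
# attacker-controlled, so it is never trusted on its own.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def naive_target_path(client_name: str) -> str:
    """The vulnerable pattern: trust the metadata from the multipart body.

    Joining the client-supplied name directly onto the upload directory lets
    a name such as '../../index.php' escape it and overwrite other files.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, client_name))


def sanitize_filename(client_name: str) -> str:
    """Reduce the client-supplied name to a harmless base name.

    Strips any directory component (Windows or POSIX separators), replaces
    unexpected characters and rejects empty or dot-only results. The stored
    file name is generated separately; this value is only kept for display.
    """
    base = re.split(r"[\\/]", client_name)[-1]
    base = re.sub(r"[^\w.\-]", "_", base)
    if not base or base.strip(".") == "":
        raise ValueError("empty or invalid file name")
    return base


def extension_of(name: str) -> str:
    """Return the final extension in lower case ('' if there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def sniff_extension(data: bytes):
    """Return the extension implied by the file's magic bytes, or None."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_name: str, data: bytes, declared_type: str):
    """Check an upload; return (ok, reason, stored_name).

    stored_name is a random token plus the verified extension, so neither
    the client's name nor its path ever reaches the file system.
    """
    if len(data) > MAX_SIZE:
        return False, "file too large", None
    try:
        shown_name = sanitize_filename(client_name)
    except ValueError as exc:
        return False, str(exc), None
    ext = extension_of(shown_name)
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not allowed", None
    sniffed = sniff_extension(data)
    # jpg/jpeg share one signature, so compare the signatures, not the names.
    if sniffed is None or MAGIC[sniffed] != MAGIC[ext]:
        return False, "content does not match extension", None
    expected_type = "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"
    if declared_type != expected_type:
        return False, "declared Content-Type does not match content", None
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored_name


def safe_target_path(stored_name: str) -> str:
    """Final path: generated name only, and it must stay inside UPLOAD_DIR."""
    path = posixpath.normpath(posixpath.join(UPLOAD_DIR, stored_name))
    if posixpath.dirname(path) != UPLOAD_DIR:
        raise ValueError("path escaped the upload directory")
    return path


if __name__ == "__main__":
    # Constructed sample uploads: a PHP one-liner and a minimal PNG header.
    php_shell = b"<?php system($_GET['cmd']); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(naive_target_path("../../index.php"))             # lands outside UPLOAD_DIR
    print(validate_upload("img.php", php_shell, "application/x-php"))
    print(validate_upload("shell.php.png", php_shell, "image/png"))
    print(validate_upload("../../index.php", php_shell, "image/png"))
    print(validate_upload("photo.png", png, "image/png")[:2])
```

The order of the checks matters: size first, so a huge body is refused before anything else reads it; then the name, so the extension decision is made on a sanitized value; then the content, so a PHP file renamed to `shell.php.png` is refused even though its final extension is allowed. The client's name is never used for storage at all, which removes the overwrite and traversal cases the text describes regardless of how the name was encoded.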
- DVWA Security:
It is important to know what Damn Vulnerable Web Application (DVWA) is.
- It is a deliberately vulnerable web application written in PHP with a MySQL back end.
- Its primary aim is to give security professionals a target with plenty of vulnerabilities on which to test web security tools.
- It also helps developers learn how to secure web applications, and gives teachers and students a safe environment in which to teach and learn those concepts.
- Kali Linux
Kali Linux is one of the most important security toolkits to understand and work with well. In a nutshell, its benefits are:
- Penetration testers and digital forensics practitioners consider it an essential tool for their work.
- It provides its user with a variety of tools, grouped into thirteen categories:
- Information Gathering, such as DMitry
- Vulnerability Analysis, such as Inguma
- Exploitation Tools, such as the Metasploit Framework
- Wireless Attacks, such as WIFI Honey
- Forensics, such as Binwalk
- Web Applications, such as Skipfish
- Stress Testing, such as FunkLoad
- Sniffing and Spoofing, such as Wireshark
- Password Attacks, such as TrueCrack
- Maintaining Access, such as Intersect
- Hardware Hacking, such as dex2jar
- Reverse Engineering, for which Apktool, for example, can be used
- Reporting Tools, such as MagicTree
- When an attacker places malicious code on a website in order to gain access to the site or to files on it, that code is known as a backdoor shell (often called a web shell).
- Such a shell can be written in various programming languages, for example PHP, Ruby or Python.
- Once the shell has been uploaded to the site, the attacker can edit, delete or download any other file the web server can reach, and can upload further files of their own for the same purpose.
- What is the Metasploit Framework?
- It is the most widely used exploit development framework in the world.
- It is an open-source framework that accepts contributions from developers through GitHub.
- Those contributions are mainly exploits and scanners.
- They are reviewed by a team made up of Rapid7 employees and senior external contributors.
- The framework's original core developers are H. D. Moore, Matt Miller and spoonm.
- Meterpreter, the payload used later in this walkthrough, is delivered by in-memory Dynamic-link library (DLL) injection stagers.
- It is an advanced, dynamically extensible payload.
- It can also be extended over the network at run time.
How to Perform a Basic File Upload?
We need to upload a PHP file to the web server, assuming that the server imposes no restrictions. Such restrictions would normally specify the allowed extension(s) of an uploaded file or its content type. When a form intended for text or image files is served with no such restrictions, a malicious PHP file is stored under the web root alongside the legitimate uploads, and the web server passes it to the PHP interpreter like any other page as soon as it is requested.
- Set the security level to Low on the DVWA Security page.
- Open Kali Linux and create a PHP backdoor with the following command.
- In Leafpad, an open source text editor for Linux, paste the highlighted code and save it on the desktop with a .php extension as img.php.
- Type msfconsole to load the Metasploit Framework, then start the multi/handler.
- Visit the vulnerability menu inside the DVWA lab and select "File Upload".
- Press "Browse", choose the file, then press "Upload" to upload img.php to the web server.
- After a successful upload, the path to the uploaded file is shown. This is the file's actual location on the server. Copying the highlighted part of the URL in the following image into the browser requests the file and makes the server execute it.
- Back in Metasploit, the following commands then open Meterpreter session 1 on the victim PC.