2016-12-02 19:19:11 +00:00
|
|
|
<div class="body_padded">
|
|
|
|
<h1>Help - File Upload</h1>
|
|
|
|
|
|
|
|
<div id="code">
|
|
|
|
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
|
|
|
|
<tr>
|
|
|
|
<td><div id="code">
|
|
|
|
<h3>About</h3>
|
|
|
|
<p>Uploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system to be attacked.
|
|
|
|
Then the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.</p>
|
|
|
|
|
|
|
|
<p>The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems,
|
|
|
|
and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.</p>
|
|
|
|
|
|
|
|
<br /><hr /><br />
|
|
|
|
|
|
|
|
<h3>Objective</h3>
|
|
|
|
<p>Execute any PHP function of your choosing on the target system (such as <?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.phpinfo.php', 'phpinfo()' ); ?>
|
|
|
|
or <?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.system.php', 'system()' ); ?>) thanks to this file upload vulnerability.</p>
|
|
|
|
|
|
|
|
<br /><hr /><br />
|
|
|
|
|
|
|
|
<h3>Low Level</h3>
|
|
|
|
<p>Low level will not check the contents of the file being uploaded in any way. It relies only on trust.</p>
|
|
|
|
<pre>Spoiler: <span class="spoiler">Upload any valid PHP file with command in it</span>.</pre>
|
|
|
|
|
|
|
|
<br />
|
|
|
|
|
|
|
|
<h3>Medium Level</h3>
|
|
|
|
<p>When using the medium level, it will check the reported file type from the client when its being uploaded.</p>
|
|
|
|
<pre>Spoiler: <span class="spoiler">Worth looking for any restrictions within any "hidden" form fields</span>.</pre>
|
|
|
|
|
|
|
|
<br />
|
|
|
|
|
|
|
|
<h3>High Level</h3>
|
|
|
|
<p>Once the file has been received from the client, the server will try to resize any image that was included in the request.</p>
|
2018-10-12 15:49:58 +00:00
|
|
|
<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file inclusion</span>.</pre>
|
2016-12-02 19:19:11 +00:00
|
|
|
|
|
|
|
<br />
|
|
|
|
|
|
|
|
<h3>Impossible Level</h3>
|
|
|
|
<p>This will check everything from all the levels so far, as well then to re-encode the image. This will make a new image, therefor stripping
|
|
|
|
any "non-image" code (including metadata).</p>
|
|
|
|
</div></td>
|
|
|
|
</tr>
|
|
|
|
</table>
|
|
|
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
<br />
|
|
|
|
|
|
|
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Unrestricted_File_Upload' ); ?></p>
|
|
|
|
</div>
|
|
|
|
|