first commit

dvwa/vulnerabilities/upload/help/help.php

@@ -0,0 +1,54 @@
+<div class="body_padded">
+	<h1>Help - File Upload</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>Uploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system to be attacked.
+			Then the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.</p>
+
+		<p>The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems,
+			and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Execute any PHP function of your choosing on the target system (such as <?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.phpinfo.php', 'phpinfo()' ); ?>
+			or <?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.system.php', 'system()' ); ?>) thanks to this file upload vulnerability.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>Low level will not check the contents of the file being uploaded in any way. It relies only on trust.</p>
+		<pre>Spoiler: <span class="spoiler">Upload any valid PHP file with command in it</span>.</pre>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>When using the medium level, it will check the reported file type from the client when its being uploaded.</p>
+		<pre>Spoiler: <span class="spoiler">Worth looking for any restrictions within any "hidden" form fields</span>.</pre>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>Once the file has been received from the client, the server will try to resize any image that was included in the request.</p>
+		<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file includion</span>.</pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>This will check everything from all the levels so far, as well then to re-encode the image. This will make a new image, therefor stripping
+			any "non-image" code (including metadata).</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Unrestricted_File_Upload' ); ?></p>
+</div>
+

dvwa/vulnerabilities/upload/index.php

@@ -0,0 +1,76 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: File Upload' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'upload';
+$page[ 'help_button' ]   = 'upload';
+$page[ 'source_button' ] = 'upload';
+
+dvwaDatabaseConnect();
+
+$vulnerabilityFile = '';
+switch( $_COOKIE[ 'security' ] ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/upload/source/{$vulnerabilityFile}";
+
+// Check if folder is writeable
+$WarningHtml = '';
+if( is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false ) {
+	$WarningHtml .= "<div class=\"warning\">Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" . "<br /><em>Folder is not writable.</em></div>";
+}
+// Is PHP-GD installed?
+if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) {
+	$WarningHtml .= "<div class=\"warning\">The PHP module <em>PHP-GD is not installed</em>.</div>";
+}
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: File Upload</h1>
+
+	{$WarningHtml}
+
+	<div class=\"vulnerable_code_area\">
+		<form enctype=\"multipart/form-data\" action=\"#\" method=\"POST\" />
+			<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\" />
+			Choose an image to upload:<br /><br />
+			<input name=\"uploaded\" type=\"file\" /><br />
+			<br />
+			<input type=\"submit\" name=\"Upload\" value=\"Upload\" />\n";
+
+if( $vulnerabilityFile == 'impossible.php' )
+	$page[ 'body' ] .= "			" . tokenField();
+
+$page[ 'body' ] .= "
+		</form>
+		{$html}
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Unrestricted_File_Upload' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://blogs.securiteam.com/index.php/archives/1268' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/websitesecurity/upload-forms-threat/' ) . "</li>
+	</ul>
+</div>";
+
+dvwaHtmlEcho( $page );
+
+?>

dvwa/vulnerabilities/upload/source/high.php

@@ -0,0 +1,35 @@
+<?php
+
+if( isset( $_POST[ 'Upload' ] ) ) {
+	// Where are we going to be writing to?
+	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
+	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
+
+	// File information
+	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
+	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
+	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
+	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];
+
+	// Is it an image?
+	if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
+		( $uploaded_size < 100000 ) &&
+		getimagesize( $uploaded_tmp ) ) {
+
+		// Can we move the file to the upload folder?
+		if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
+			// No
+			$html .= '<pre>Your image was not uploaded.</pre>';
+		}
+		else {
+			// Yes!
+			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
+		}
+	}
+	else {
+		// Invalid file
+		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
+	}
+}
+
+?>

dvwa/vulnerabilities/upload/source/impossible.php

@@ -0,0 +1,62 @@
+<?php
+
+if( isset( $_POST[ 'Upload' ] ) ) {
+	// Check Anti-CSRF token
+	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
+
+
+	// File information
+	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
+	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
+	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
+	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
+	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];
+
+	// Where are we going to be writing to?
+	$target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
+	//$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
+	$target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
+	$temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
+	$temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
+
+	// Is it an image?
+	if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
+		( $uploaded_size < 100000 ) &&
+		( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
+		getimagesize( $uploaded_tmp ) ) {
+
+		// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
+		if( $uploaded_type == 'image/jpeg' ) {
+			$img = imagecreatefromjpeg( $uploaded_tmp );
+			imagejpeg( $img, $temp_file, 100);
+		}
+		else {
+			$img = imagecreatefrompng( $uploaded_tmp );
+			imagepng( $img, $temp_file, 9);
+		}
+		imagedestroy( $img );
+
+		// Can we move the file to the web root from the temp folder?
+		if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
+			// Yes!
+			$html .= "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
+		}
+		else {
+			// No
+			$html .= '<pre>Your image was not uploaded.</pre>';
+		}
+
+		// Delete any temp files
+		if( file_exists( $temp_file ) )
+			unlink( $temp_file );
+	}
+	else {
+		// Invalid file
+		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
+	}
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>

dvwa/vulnerabilities/upload/source/low.php

@@ -0,0 +1,19 @@
+<?php
+
+if( isset( $_POST[ 'Upload' ] ) ) {
+	// Where are we going to be writing to?
+	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
+	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
+
+	// Can we move the file to the upload folder?
+	if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
+		// No
+		$html .= '<pre>Your image was not uploaded.</pre>';
+	}
+	else {
+		// Yes!
+		$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
+	}
+}
+
+?>

dvwa/vulnerabilities/upload/source/medium.php

@@ -0,0 +1,33 @@
+<?php
+
+if( isset( $_POST[ 'Upload' ] ) ) {
+	// Where are we going to be writing to?
+	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
+	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
+
+	// File information
+	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
+	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
+	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
+
+	// Is it an image?
+	if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
+		( $uploaded_size < 100000 ) ) {
+
+		// Can we move the file to the upload folder?
+		if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
+			// No
+			$html .= '<pre>Your image was not uploaded.</pre>';
+		}
+		else {
+			// Yes!
+			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
+		}
+	}
+	else {
+		// Invalid file
+		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
+	}
+}
+
+?>