AboutUploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system to be attacked. Then the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. ObjectiveExecute any PHP function of your choosing on the target system (such as or ) thanks to this file upload vulnerability. Low LevelLow level will not check the contents of the file being uploaded in any way. It relies only on trust. Spoiler: Upload any valid PHP file with command in it.
Medium LevelWhen using the medium level, it will check the reported file type from the client when its being uploaded. Spoiler: Worth looking for any restrictions within any "hidden" form fields.
High LevelOnce the file has been received from the client, the server will try to resize any image that was included in the request. Spoiler: need to link in another vulnerability, such as file includion.
Impossible LevelThis will check everything from all the levels so far, as well then to re-encode the image. This will make a new image, therefor stripping any "non-image" code (including metadata). |
Reference: