(Learn everything about file upload vulnerability from scratch.)


INTRODUCTION

Abusing File Upload Functionality

Have you ever posted something on Instagram? Have you ever saved a file to the cloud (Google Drive, etc.)? Have you ever uploaded a document to a website (your resume, for example)? Most of us have used this feature in many web applications, but did you know that this very feature can lead to serious vulnerabilities? What can the impact be, you ask? It can be used to completely take over the servers!

It is as if someone sent a parcel to your house containing a bomb hidden in a toy, and you turned the toy on without checking it.

Many companies have had their servers compromised because of misconfigured file upload functionality. Now you may be thinking, “What can a mere file upload functionality do? It can only be used to upload files, right?” Well, not exactly. Most web applications use some kind of programming language on the server side to perform various operations. Consider the following scenario:

There is a website (xyz.com) on which you can upload an image. Assuming that this website is vulnerable and is running PHP on its back end, think about what will happen if a hacker uploads a PHP file rather than an image. In the worst case, the PHP file will get executed and the server will be compromised.

That being said, file upload functionality can lead to other vulnerabilities as well:

  • XSS(Cross Site Scripting)
  • DoS(Denial Of Service)
  • SQL Injection
  • XML Injection
  • CSV Injection
  • Remote Code Execution
  • Path Traversal

etc

Let us understand how we can achieve these by exploiting file upload vulnerabilities.

MIND MAP FOR PENETRATION TESTERS

While testing for file upload vulnerabilities, we should test everything described in the mind map below:

Source: GitHub

This mind map will help you cover most of the vulnerabilities that may arise from file upload functionality. Now, let us move on and try to understand how we can achieve all of these.

FILE UPLOAD VULNERABILITY: XSS

I guess you are all familiar with the term XSS. If not, then check out this article to learn about it from basics to advanced. In simple terms, it is a vulnerability that allows an attacker to embed JavaScript code in the vulnerable web application. Now, let us try to understand how we can find XSS via file uploads.

Method 1:

Let’s say that you are testing a website, xyz.com. The first thing you should do is rename the file that you want to upload so that its name is an XSS payload. For example, if you are uploading a file 123.gif, rename it to something like <img src=x onerror=alert(1)>.gif and upload it to the server. If the application is vulnerable, you will see a popup displaying 1. This happens when the application writes the file name back into a page without HTML-encoding it.

Image Source: BruteLogic
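The server-side pattern behind Method 1, next to its fix, as an added example that is not part of the original article. The function names, the markup and the extension allowlist are assumptions made for illustration.

```python
import html
import os
import secrets

ALLOWED_EXTENSIONS = {".gif", ".png", ".jpg", ".jpeg"}  # assumed allowlist


def render_unsafe(client_name: str) -> str:
    # Vulnerable pattern: the client-supplied name is pasted into markup as-is,
    # so any tags in the name become part of the page.
    return "<li>Uploaded: " + client_name + "</li>"


def render_safe(client_name: str) -> str:
    # Hardened: HTML-encode the name for the context in which it is displayed.
    return "<li>Uploaded: " + html.escape(client_name, quote=True) + "</li>"


def storage_name(client_name: str) -> str:
    # Do not reuse the client's name on disk or in URLs: keep only an
    # allowlisted extension and generate the rest on the server.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    return secrets.token_hex(16) + ext


# The file name used in Method 1 above.
SAMPLE_NAME = "<img src=x onerror=alert(1)>.gif"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_NAME))  # markup from the name reaches the page
    print(render_safe(SAMPLE_NAME))    # the name is shown as inert text
    print(storage_name(SAMPLE_NAME))   # random hex name with a .gif extension
```

Encoding at output time is what stops the popup; the generated storage name additionally keeps the original name out of file paths and URLs.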

Method 2:

Let’s assume there is an application that allows its users to upload images. In this case, we first need to test whether the application allows us to upload an SVG file. If it does, create an SVG file (test.svg) with the following content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Hacked");
   </script>
</svg>

Now upload the test.svg file and visit it in your browser. You will see a popup saying “Hacked”.

Example:

Check out this link for the Proof-Of-Concept: http://brutelogic.com.br/poc.svg

CONCLUSION

I hope you have all learnt about file upload vulnerabilities and how we can find XSS by abusing file uploads. If you have any doubts or issues, please let me know in the comment section. Keep learning and have a great day ahead!
