Vishal Chauhan
How to Perform a File Upload Attack?
Applications face a serious risk from uploaded data. In many attacks, the first move is to get some code onto the target machine; the attacker then only needs to find a way to get that code to run. An unrestricted file upload lets the attacker complete that first move.
Full server takeover, an overloaded file system or database, forwarding of attacks to back-end systems, client-side attacks, or simple defacement are all possible outcomes of uncontrolled file upload. The outcome depends on what the application does with the uploaded file and, more importantly, where it is stored.
There are two kinds of issue here. The first concerns file metadata, such as the path and name of the file. These are usually supplied by the transport, for example HTTP multipart encoding, and can trick the application into overwriting an important file or storing it in the wrong location. The metadata must be thoroughly validated before it is used.
The second kind concerns the file's size or content. The range of issues here depends entirely on the file's intended use; the attacks listed below show some of the ways files can be misused. To defend against this kind of attack, examine everything your application does with files and consider which processing steps and interpreters are involved.
IMPACT
The impact ranges from total server takeover to an overloaded file system or database, forwarding of attacks to back-end systems, and simple defacement, depending on what the application does with the uploaded file and where it stores it. Attacks an attacker can carry out include:
• Upload and run a web shell to compromise the web server; such a shell can run commands, browse system files and local resources, attack other servers, and exploit local vulnerabilities, among other things.
• Put a phishing page into the website.
• Put a persistent (stored) XSS payload into the website.
• Exfiltrate potentially confidential data by circumventing cross-origin resource sharing (CORS) policy.
• Upload a file with a malicious path or name, overwriting important files or personal data that other users have access to. The attacker could, for example, replace the .htaccess file in order to make specific scripts execute.
SITE: DVWA
LINK: http://dvwa/vulnerabilities/upload/
STEPS TO REPRODUCE
1. Open the DVWA application and go to the File Upload option.
2. Look for a parameter where we can upload a file. Here we will upload a malicious file, Dhanush.php. Download or create a malicious file of your own and upload it.
3. As we can see, the file has been uploaded, and the file is malicious. This is how we test for a file upload vulnerability.
DEFENSES
• Never accept a filename and its extension without an explicit allow-list (white-list) filter.
• If Unicode characters are not needed, it is highly recommended that the file name and extension accept only alphanumeric characters and a single dot.
• Limit the file size to a maximum value to prevent denial of service attacks.
• The upload directory should have no "execute" permission.
• Do not rely on client-side validation only.
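As an added example (not code from the original post or from DVWA), the Python check below applies the rules above on the server side: an allow-listed extension, an alphanumeric name with a single dot and no path components, a size cap, a content check against the declared type, and a server-chosen storage name. The allowed extensions, size limit and magic-byte signatures are assumed policy values.

```python
import os
import re
import secrets
from typing import Tuple

# Constructed policy values for this example (not from the original page).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB cap against disk-filling DoS
# Leading bytes for each allowed type, so content is checked and not just the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Exactly one dot, alphanumeric name and extension, no separators or Unicode.
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}\.[A-Za-z0-9]{1,8}$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Anything the allow-list rules do not cover is rejected."""
    # Never trust the client-supplied path: reject anything with directory parts.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path components in filename"
    if not NAME_RE.fullmatch(base):
        return False, "filename must be alphanumeric with a single dot"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allow-list"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: random token plus the validated extension, so the
    client's name never reaches the file system and no existing file is overwritten."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Store the result under the returned name in a directory that the web server serves as static content only, with execute permission removed as the last bullet above requires.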