
Understanding File Upload Vulnerabilities: Risks, Exploitation, and Real-World Examples

A file upload vulnerability occurs when a web application allows users to upload files to the server without properly validating or restricting the type, size, or content of the uploaded files. This can lead to serious security risks if attackers exploit the vulnerability to upload malicious files.

How It Works

Insufficient Validation: The application fails to properly check the file type, size, or content.

Malicious File Upload: An attacker uploads a malicious file (e.g., a script, executable, or malware) to the server.

Execution or Exploitation: The malicious file is executed or used to compromise the server, application, or other users.

Effects of File Upload Vulnerabilities

Remote Code Execution (RCE):

If the server stores an uploaded script (e.g., PHP, ASP, JSP) under the web root and is configured to execute files with that extension, the attacker can request it and run arbitrary code with the web server's privileges.

Server Compromise:

An uploaded file can also serve as a foothold without being a script: a file that overwrites configuration, or one that is processed by a vulnerable server-side component (image converters, archive extractors, document parsers), can lead to unauthorized access, data theft, or full server takeover.

Malware Distribution:

Attackers can upload malicious files (e.g., viruses, ransomware) that are then distributed to other users.

Defacement:

Attackers can upload files to replace or modify website content, leading to defacement or loss of reputation.

Denial of Service (DoS):

Uploading very large files, very many files, or archives that expand to enormous sizes can exhaust disk, memory, or CPU and make the server unavailable.

Data Breaches:

Malicious files can be used to steal sensitive data stored on the server.

Client-Side Attacks:

Uploaded files (e.g., malicious PDFs, images) can exploit vulnerabilities in client-side software when downloaded by users.


Lab: Remote code execution via web shell upload

This lab contains a vulnerable image upload function. It doesn’t perform any validation on the files users upload before storing them on the server’s filesystem.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Log in with those credentials and open My account; the avatar upload form is there.

Upload any small picture (for example untitled.png).

In Burp, open Proxy > HTTP history. Use the filter settings to show only image MIME types so that the requests involved in the upload stand out.

Send two requests to Repeater: the GET /files/avatars/untitled.png request that fetched the stored avatar, and the POST /my-account/avatar request that uploaded it.

In the POST request, change the filename in the Content-Disposition header of the file part from untitled.png to untitled.php and replace the image bytes with the web shell:

<?php echo file_get_contents('/home/carlos/secret'); ?>

Send it. The server stores the file without checking either the extension or its content, so the response confirms the upload.

Now switch to the GET request, change untitled.png to untitled.php in the path, and send it. Because the file sits under the web root with a .php extension, the server executes it instead of serving it, and the response body is the contents of /home/carlos/secret.

Copy that value, go back to the lab in the browser, click Submit solution, and paste it in.

That solves the lab. The whole chain depended on one missing control: the upload handler accepted an arbitrary extension and arbitrary content, and the stored file landed in a directory from which the server executes scripts.


Common Exploitation Techniques

File Type Bypass:

Attackers bypass file type checks with double extensions (shell.php.jpg, or shell.jpg.php, which a naive "contains .jpg" check passes while the server still treats the file as PHP), case variations such as .pHp, null bytes or path separators inside the filename, or by spoofing the Content-Type header, which the client controls and which proves nothing about the file's contents.

Malicious Scripts:

Uploading scripts (e.g., .php, .jsp, .asp) that execute on the server.

Zip Bombs:

Uploading compressed files that decompress to enormous sizes, exhausting server resources.

Embedded Malware:

Embedding malicious code in seemingly harmless files (e.g., images, documents).
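The lab above succeeded because none of the checks below existed; the techniques in this list are what a validator has to survive. The following is an added Python example, not the lab's code or any real application's: it allowlists extensions over the whole extension chain (so shell.jpg.php and shell.php.jpg both fail), checks the file's leading bytes against the type the extension claims, deliberately ignores the client-supplied Content-Type, caps the size, stores the file under a server-chosen random name, and inspects zip archives for bomb-like compression ratios both before and during extraction. The size limits and the set of allowed types are assumed policy values, and build_sample_zip only constructs test fixtures.

```python
"""Hardened upload validation (added illustration, assumed policy values)."""
import io
import os
import secrets
import zipfile

MAX_UPLOAD_BYTES = 2 * 1024 * 1024            # assumed: 2 MiB avatar cap
ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}     # allowlist, never a denylist
MAGIC = {                                        # bytes each format must start with
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_EXTRACTED_BYTES = 20 * 1024 * 1024        # assumed archive policy
MAX_COMPRESSION_RATIO = 50


def extension_chain(filename):
    """All suffixes of the bare filename, lowercased.
    'avatar.png' -> ['.png'];  'shell.jpg.php' -> ['.jpg', '.php'];
    '../shell.php\\x00.png' -> ['.php\\x00', '.png'], so traversal and
    null-byte tricks are caught by the same allowlist test."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def validate_upload(filename, data, client_content_type=None):
    """Return (accepted, reason_or_stored_name).
    client_content_type is accepted for API symmetry but deliberately ignored:
    the Content-Type header is attacker-controlled and proves nothing."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    exts = extension_chain(filename)
    if not exts:
        return False, "no extension"
    # Every element of the chain must be allowed, not just the last suffix.
    for ext in exts:
        if ext not in ALLOWED:
            return False, f"disallowed extension {ext!r}"
    ext = exts[-1]
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    # Server-chosen random name: the user's filename never reaches the
    # filesystem. The target directory must also have script execution off.
    return True, secrets.token_hex(16) + ext


def inspect_archive(data):
    """Zip-bomb guard. First reject on declared sizes and compression ratio
    (cheap, header-only), then cap bytes actually decompressed, because the
    sizes in the central directory are attacker-controlled too.
    Returns (accepted, reason_or_total_bytes). Nested archives are not
    expanded here; recursive unpacking needs the same cap at every level."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip"
    declared = 0
    for info in zf.infolist():
        declared += info.file_size
        if declared > MAX_EXTRACTED_BYTES:
            return False, "declared size exceeds limit"
        if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
            return False, f"compression ratio too high for {info.filename!r}"
    actual = 0
    for info in zf.infolist():
        with zf.open(info) as member:
            while True:
                chunk = member.read(64 * 1024)
                if not chunk:
                    break
                actual += len(chunk)
                if actual > MAX_EXTRACTED_BYTES:
                    return False, "decompressed size exceeds limit"
    return True, actual


def build_sample_zip(name, payload):
    """Constructed test fixture (not real upload data): one DEFLATE member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(validate_upload("untitled.png", png, "image/png"))
    print(validate_upload("untitled.php", b"<?php echo 1; ?>", "image/png"))
    print(validate_upload("shell.jpg.php", png))
    print(inspect_archive(build_sample_zip("zeros.bin", b"\x00" * (10 * 1024 * 1024))))
```

The two halves attack different failure modes: validate_upload defeats the extension and MIME tricks that made the lab's .png to .php rename work, while inspect_archive covers the resource-exhaustion case. Neither check replaces the deployment controls the text implies: files should be written outside the web root or to a directory where the server will not execute scripts, and served back with a fixed Content-Type and a Content-Disposition: attachment header so a crafted "image" is never interpreted by a browser or by PHP.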

Real-World Examples

Facebook Image Upload Vulnerability (2018): A flaw allowed attackers to upload malicious files disguised as images, leading to remote code execution.

WordPress Plugin Vulnerabilities: Many plugins have had file upload vulnerabilities, allowing attackers to upload malicious scripts.

By validating uploads on the server side (allowlisting extensions, checking file content rather than the client-supplied type, capping size) and storing them where the web server will not execute them, developers can significantly reduce the risk of file upload vulnerabilities and protect their applications and users.
