File Uploads
Introduction
Uploading user files has become a key feature for most modern web applications. File upload vulnerabilities are amongst the most common vulnerabilities found in web and mobile applications. If users' data is not correctly filtered and validated, attackers may store malicious data on the back-end server and exploit the file upload feature to execute arbitrary files on that server
File Types and Related Attacks
Web and Reverse Shells Payloads to Inject
Blacklist filter Bypasses
External Resources:
Content/Type and Mime/Type Bypass
File Uploads to XSS Attack
There are different cases in which you can gain XSS from file uploads:
Uploading a HTML file containing a script in javascript
Uploading a HTML file containing a link to our server to steal the document cookie
Other cases:
Whenever an application shows an image's metadata after its upload, it is possible to inject a payload inside metadata parameters such as
comment
orartist
by usingexiftool
:exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
By using SVG images, it's possible to inject a payload with something like:
<script type="text/javascript"> alert("window.origin");</script>
File Upload to SSH Access
Suppose you have an Arbitrary File Upload vulnerability where you can also specify the uploaded file's location, whether via a vulnerable filename or a path parameter. Also suppose that you have write access on SSH's authorized_keys file for a local user.
You can gain an SSH shell using the following:
Use
ssh-keygen
to generate a key namedfileup
cat fileup > authorized_keys
Upload the file to
/home/username/.ssh/authorized_keys
(or/root/.ssh/authorized_keys
).Note that you might need to leverage a path traversal vulnerability to reach these destinations.
Use
ssh username@IP -i fileup
to gain the SSH shell asusername
Notice that SSH might require using
chmod 500 fileup
to use the-i fileup
option
File Uploads to XXE Attacks
[Read
/etc/passwd
] XXE from SVG images upload by using the following payload:[Exfiltrate PHP Code] XXE from SVG to read source code:
Injections in File Names
A common file upload attack uses a malicious string for the uploaded file name
The filename may get executed or processed if the uploaded file name is reflected on the page.
We can try injecting a command in the file name, and if the web application uses the file name within an OS command, it may lead to a command injection attack.
Some examples of filenames for this attack:
System Command Execution
file$(whoami).jpg
file
whoami.jpg
file.jpg||whoami
XSS from filename:
<script>alert(window.origin);</script>
SQLi from filename:
file';select+sleep(5);--.jpg
Windows Specific Attacks
Reserved Characters: such as (
|
,<
,>
,*
, or?
) are characters for special uses (such as wildcards).If the web application doesn't apply any form of input sanification, it's possible to refer to a file different from the specified one (which does not exist)
This behaviour causes an error which may be shown on the web application, potentially showing the
upload directory
Windows Reserved Names: can be used to replicate the same behaviour as the reserved characters previously shown. (
CON
,COM1
,LPT1
, orNUL
)Windows Filename Convention: it's possible to overwrite a file (or refer to a non-existant file) by using the
~
character to complete the filenameExample:
HAC~1.TXT
β may refer to hackthebox.txtReference: https://en.wikipedia.org/wiki/8.3_filename
Last updated