Web shells and the dangers of unrestricted file upload

Jan 26, 2023 by Thibault Debatty | 2666 views

Cylab Play Offensive Security

https://cylab.be/blog/255/web-shells-and-the-dangers-of-unrestricted-file-upload

In previous blog posts, we have already illustrated two web application vulnerabilities: brute force login cracking and SQL injection. In this post we illustrate a 3rd vulnerability, unrestricted file upload, and show how it can be exploited using a web shell.

Unrestricted file upload vulnerability happens when [1]:

  1. an attacker can upload files that are not filtered or validated and;
  2. the attacker has a way to trigger the execution of the uploaded file.

This means that the attacker is able to upload an executable script, that will be executed by the server. One category of such web scripts is called web shell. This creates a shell interface that the attacker can access using his browser [2]. A web shell can be used to:

  • steal data from the server;
  • modify the website to infect website visitors (watering hole attacks);
  • deface the website;
  • launch distributed denial-of-service (DDoS) attacks;
  • relay commands inside the network which is inaccessible over the Internet (for example to start a lateral movement);
  • to use as command and control base, for example as a bot in a botnet system.

The victim

To illustrate this danger, we will use the Upload web application from Cylab Play, our collection of vulnerable apps. And we will deploy the app using Play with Docker:

https://cylab.be/resources/cylab-play

This app is a simple photo gallery, where users can upload pictures. The vulnerability arises from the fact that the app is not validating or filtering the type of uploaded files…

upload.png

Web shells

To run the attack, instead of uploading an image, we will upload a web shell. The app is written in PHP, so we need a PHP web shell. These are pretty easy to find. This GitHub repo lists some of them:

https://github.com/JohnTroony/php-webshells

For this demo, I will use c99, an old but general-purpose web shell:

wget https://github.com/cermmik/C99-WebShell/raw/master/c99shell.php

And I will upload the c99 shell on the gallery:

c99-upload.png

When c99 is uploaded, it will not be displayed on screen (as it is not an image), but we can check the source of the page to find where the file is stored on the server:

c99-path.png

Now if we manually enter this address in the URL bar of the browser, the server will execute the file, because it is a PHP script! This gives us this (nice) interface:

c99shell.png

C99 is a general purpose web shell, that allows to browse, download and modify files on the server. For this demo I have simply modified the web page, but this could be used to steal data, run a crypto miner, or start a larger attack…

upload-defaced.png

References

  1. https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
  2. https://en.wikipedia.org/wiki/Web_shell

This blog post is licensed under CC BY-SA 4.0

SQLMap : additional techniques
In a previous blog post, we have explained what SQL injection is, and how to exploit it using sqlmap. In this blog post, we will show some additional techniques: how to exploit web applications that use clean URLs, how to exploit a POSTed form, how to hide traces etc.
Mar 21, 2023 | 2259 views
Crack a login page : the easy way
In this blog post, we will show that a login page from a web application can be easily cracked if the application does not implement specific protections against this kind of attack.
Jan 24, 2023 | 4498 views
SQL injection with SQLMap
Code injection is one of the most critical web application vulnerabilities. Indeed, the consequences of code injection can be dramatic (impact). Moreover, still today a lot of web applications are vulnerable to code injection (frequency). Finally, some tools like SQLMap allow to automatically detect and use these vulnerabilities (exploitation). For this reason, the vulnerability is listed in the top 10 published by the Open Web Application Security Project (OWASP) [1]. In this blog post, we will present one type of code injection, called SQL injection, and we will show how to perform a SQL injection attack with SQLMap.
Jan 11, 2023 | 2741 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept