I’ve noticed that I’ve been very inactive on this blog, so today I’ll be touching on a rather recent topic that has struck my interest – Unrestricted File Uploads.

In this vulnerability, we consider the dangers of not having proper controls on an upload feature to stop an attacker from uploading malicious code. There are many types of attacks here, ranging from overwriting critical files (if the web user has rights to do so) to gaining a virtual interface to go further into the server. I was introduced to the latter of the two: a situation where no handler was defined for PHP code, but the uploader allowed .htaccess files and even allowed those rules to be applied to the current directory. An example .htaccess file that would enable PHP execution would be configured as follows:

allow from all
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php

Of course this could be modified to allow execution of almost any file type, and unless the web/Apache user is denied rights to execute, a hacker could land anything they desired.
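The defensive counterpart to the above is an upload handler that never lets a dotfile or a server-side script reach the web root in the first place. The following is an added example of mine, not code from the original post or from the application it describes: it validates an upload by rejecting dotfiles (which covers .htaccess), requiring exactly one extension from an allow-list (so shell.php.jpg is refused), checking the file's magic bytes against the declared type, and storing the file under a random name so the attacker never controls the path. It also includes a small audit helper that flags files already sitting in an upload directory. The allow-list, size limit and the set of "dangerous" extensions are my assumptions; tune them for the application.

```python
import os
import secrets
from typing import Iterable

# Constructed allow-list: extension -> magic-byte prefixes that a genuine
# file of that type must start with. Assumption: this app only takes images.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap

# Extensions that must never appear in a web-served upload directory.
# Assumed list; extend it to match the handlers your server actually has.
SERVER_SIDE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "cgi", "pl", "py", "rb", "jsp", "asp", "aspx", "sh",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate an upload and return the random name it should be stored under.

    Raises UploadRejected with a reason if any check fails.
    """
    # Strip any directory component the client supplied (either separator).
    base = os.path.basename(filename.replace("\\", "/"))

    if not base or not base.isprintable():
        raise UploadRejected("empty or non-printable filename")
    # .htaccess, .htpasswd, .user.ini and friends all start with a dot.
    if base.startswith("."):
        raise UploadRejected("dotfiles are not allowed")

    # Exactly one extension: 'name.ext'. This refuses 'shell.php.jpg' and
    # 'shell.php' alike rather than trying to guess which part matters.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be of the form name.ext")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")

    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    # The declared type must match the bytes; a PHP payload renamed to .jpg
    # does not start with a JPEG marker.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")

    # The client never chooses the stored path: random name, known extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def flag_suspicious(names: Iterable[str]) -> list:
    """Return the entries of an upload directory that should not be there:
    dotfiles (e.g. .htaccess) and anything with a server-side extension."""
    flagged = []
    for name in names:
        lowered = name.lower()
        ext = lowered.rsplit(".", 1)[-1] if "." in lowered[1:] else ""
        if lowered.startswith(".") or ext in SERVER_SIDE_EXTENSIONS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample inputs.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    print(validate_upload("holiday.jpg", jpeg))            # random name ending .jpg
    print(is_accepted(".htaccess", b"AddType application/x-httpd-php .php"))  # False
    print(is_accepted("shell.php.jpg", jpeg))              # False
    print(is_accepted("fake.jpg", b"<?php echo 1; ?>"))    # False
    print(flag_suspicious(os.listdir(".")))                 # audit the current directory
```

On the Apache side the complementary fix is `AllowOverride None` on the upload location, so an uploaded .htaccess is simply ignored, and ideally serving uploads from a path where no script handler is configured at all. The `flag_suspicious` check is the one to schedule against existing upload directories: it will surface a planted .htaccess or PHP file whether it arrived through this uploader or some other hole.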

So, once that was in place, I was able to upload a PHP shell and had direct access to a terminal running on the server. It turned out that the web user had read access nearly everywhere, and quite a bit of write access in web-facing directories. From this stage we would be able to do more thorough recon of the machine and, as we had local access to a terminal, ultimately find a privilege escalation exploit to run.

Now, aside from being able to get root, if you can land a shell on the machine, you'll be able to see whatever the web user can see, right? Thinking further into that, you should be able to traverse the web site's main directory and take a look at the source for the server-side scripts, including those that may have SQL passwords in them! Once you have SQL passwords, you could very easily get all database information with no need for SQL injection, though if the upload hole is open, SQLi may very well be present as well.

Seems like a fun exploit, right? It seems rather prevalent as well, especially in non-commercial applications, so keep your eyes open for this one!