Abusing File Upload

19 Nov

As a penetration tester you might come across web applications that contain file upload functionality. This functionality can of course be abused, and the consequences range from command execution to full system compromise. So even though file upload can be a necessary component of your application, it can also be your weakest point.

In this tutorial we will see how we can exploit the file upload functionality of a web application in order to discover further information about our target. For the needs of this tutorial we will use DVWA (Damn Vulnerable Web Application), which is hosted on Metasploitable 2.

Backtrack by default has various webshells installed for different web technologies like asp, php, jsp, perl etc., but you are free to use the webshell of your preference. Our application is based on php, so we have to choose a webshell that is written in php as well. In the next image you can see the location where the webshells exist in Backtrack:

Locating the web shells in Backtrack


We choose our web backdoor, which in this case is going to be php-backdoor.php, and we will try to upload it despite the fact that the application is asking for an image.

Uploading the Web Shell


As we can see from the image above, the backdoor has been uploaded successfully regardless of the fact that it wasn't an image. This occurred because we have configured DVWA to run with the lowest security setting, so the application does not perform the appropriate extension check and allows us to upload any file we want. If we change the setting to medium or higher it would be a different scenario. Now that the webshell has been uploaded to the web server, the next step is to discover its exact location. In this case the application revealed the path where the webshell was stored, so we access it from our browser. The next image shows the functions of our webshell and the direct path in the address bar:

Web Shell Functions


So this backdoor gives us the capability to execute commands, upload additional files, browse directories and execute MySQL queries. Let's start with command execution. Before we start executing commands we have to bear in mind the environment our webshell has been uploaded to, because paths and commands differ between Windows and Unix operating systems. The application is hosted on a Unix environment, so we need to execute Unix commands. One of the first commands we can try is ls, which will return the contents of the parent directory.

Discovering the contents of the parent directory


Another important command is cat /etc/passwd, which will display the contents of the passwd file.

Discovering the contents of /etc/passwd


Some other useful commands that will allow you to obtain information from the target once you have uploaded a webshell are:

  • whoami
  • uname -a
  • ping
  • users
  • pwd
  • netstat -a
  • id
  • cat /etc/shadow
  • w

The following images show the output that these commands produced.

whoami – Current User


Kernel Version


Ping the host


Other users


List of services


Parent Working Directory


Print UIDs and GIDs


Current Logged Users


From the images above we can see that we have managed to gather important information regarding our target, which can allow us to conduct further attacks. Specifically, we get the following information:

Current User: www-data
Kernel Version: Linux Metasploitable 2.6.24-16-server
Other users: msfadmin, root
List of Services: login, nfs, mysql, x11, telnet, smtp, postgresql etc.
Working Directory: /var/www/dvwa/hackable/uploads
Logged Users: root

We can also leave our tracks on the web server by creating a simple html file with the command below:

echo "Hacked by netbiosX" > pentestlab.html

Creating an html page on the webserver



As this article indicates, file upload functionality in web applications can be very dangerous as attackers can abuse it. From my experience this issue often comes into conflict with business needs: security consultants on the one side suggest that clients remove this capability in order to mitigate the potential risk, while system administrators on the other side state that file upload is a necessity and cannot be removed. So in a situation where the file upload function is needed, the appropriate controls must be implemented, such as content-type verification, file name extension verification and denying access to the directory where the uploaded files are stored.
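The three controls listed above, as an added example in PHP that is not code from the original post or from DVWA: the storage path, the image allowlist and the form field name 'uploaded' are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the original post or from DVWA. Storage path,
// allowlist and the form field name 'uploaded' are assumptions for illustration.
// Store uploads outside the document root so a stored file can never be requested
// (let alone executed) by URL, unlike /var/www/dvwa/hackable/uploads in the post.
const UPLOAD_DIR = '/var/uploads_private';
// Extension allowlist, each paired with the MIME type the file's bytes must have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

/** Validates one $_FILES entry and returns the stored name, or throws on rejection. */
function store_image(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed, PHP error code $err");
    }
    // 1. Extension check: final extension only, lower-cased, against an allowlist
    //    (never a denylist), so shell.php, shell.PHP and shell.docx.php all fail.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }
    // 2. Content-type check on the bytes on disk, not on $file['type'], which is
    //    the client-supplied Content-Type header and is trivially forged.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content '$mime' does not match extension '$ext'");
    }
    // 3. The file must also decode as an image; a forged magic number alone fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    // Never keep the client's file name: a random name removes path tricks and
    // the application no longer tells the uploader where the file lives.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    chmod($dest, 0640); // readable for readfile(), never executable
    return $stored;
}
try {
    echo 'Stored as ', store_image($_FILES['uploaded'] ?? []), PHP_EOL;
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ', htmlspecialchars($e->getMessage()), PHP_EOL;
}
```

If the files must stay under the web root, as in DVWA, additionally disable script execution for that directory (for Apache with mod_php, `php_flag engine off` in that directory's configuration) and serve the files back through readfile() rather than by direct URL.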


Posted by on November 19, 2012 in Web Application



7 responses to "Abusing File Upload"

  1. Robert Winkel

    November 19, 2012 at 10:05 am

    So, how would you get around file name extension verification? What about content-type verification?

    • akismet-94fe247609823407c33317ec2f766ee1

      November 19, 2012 at 4:12 pm

      Hi Robert,

      test.php … …. …docx // For extension checks

      Or for mimetype checks, tamper with the datastream using burp or similar, and change it to the one that matches the file extension, example;

      Have fun and HH

  2. lxt

    November 19, 2012 at 11:09 am

    cat /etc/shadow will NOT work

  3. netbiosX

    November 19, 2012 at 7:53 pm


    akismet answered you correctly. The reason that I haven't put the information you asked for in this post was because the post would have been huge. So there will be another post soon that will cover your questions with examples in order to cover this issue completely.


    Correct, because this command requires root privileges. However it is always good to test it!

  4. Tengku Zahasman

    March 21, 2013 at 7:25 am

    On many occasions I find uploading SSI files (.shtml) useful too, as they are rarely blocked by file uploads and are also capable of executing OS commands as such

