Understanding Arbitrary File Upload in Service d'upload 1.0.0

What this paper is
This paper describes a vulnerability in a web application called "Service d'upload Version 1.0.0". The vulnerability allows an attacker to upload arbitrary files to the server. Specifically, it enables the upload of a PHP shell, which can then be used to execute commands on the server.
Simple technical breakdown
The vulnerability lies in how the "Service d'upload" application handles file uploads. It appears to have insufficient checks on the type or content of files being uploaded. This allows an attacker to upload a malicious PHP script (a "shell") disguised as a regular file. Once uploaded, the attacker can access this PHP script through a web browser and use it to send commands to the server, effectively gaining control.
The paper provides two example URLs:
- http://server/upload/: This is likely the main upload page of the vulnerable application.
- http://server/upload/up/ch99.php: This is an example of where a malicious file (in this case, named ch99.php) might be located after a successful upload.
Complete code and payload walkthrough
The provided text is not code in the traditional sense of a programming language script that can be executed directly. Instead, it's a descriptive text file detailing a vulnerability and its exploitation. It contains:
- Metadata: Information about the vulnerability, author, email, location, severity, target systems, and search terms (dorks).
- Exploitation Steps: A high-level description of how to exploit the vulnerability.
- Example URLs: Demonstrations of the upload page and a potential location of a successfully uploaded shell.
- Greetings: A list of individuals and websites the author wishes to acknowledge.
There is no executable code or shellcode provided in this specific Exploit-DB paper. The "Exploit" section is purely descriptive:
1- Shell Upload: This is a textual description of the attack vector. It indicates that the primary goal is to upload a "shell".
- http://server/upload/: This is a placeholder URL pointing to the web application's upload functionality. An attacker would interact with this URL to initiate the upload process.
- http://server/upload/up/ch99.php: This is a placeholder URL showing where the uploaded malicious file (a PHP shell named ch99.php) would reside on the server after a successful exploit. An attacker would then navigate to this URL to interact with the uploaded shell.
Mapping:
- Descriptive Text (1- Shell Upload, example URLs) -> Practical Purpose: Guides an attacker on the general steps and locations involved in exploiting the arbitrary file upload vulnerability to gain shell access.
Since there is no code or shellcode, there are no further code blocks, functions, structs, macros, or execution stages to explain.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No prior authentication to the web application is explicitly required by the paper, suggesting the upload functionality might be publicly accessible.
- Lab Preconditions:
  - A vulnerable instance of "Service d'upload Version 1.0.0" deployed on a web server.
  - A web server environment (e.g., Apache, IIS) with PHP support.
  - The ability to upload files through the web application.
  - A method to determine the absolute path of the uploaded file on the server, or a predictable upload directory.
- Tooling Assumptions:
  - A web browser for interacting with the upload page.
  - A tool to craft and send HTTP requests (e.g., Burp Suite, OWASP ZAP, curl) to manipulate upload parameters or bypass client-side checks if any exist.
  - A pre-written PHP shell script (e.g., a simple cmd.php or backdoor.php) that can execute system commands. The paper implies the attacker provides this.
- Execution Pitfalls:
  - File Type Validation: The application might have server-side checks for file extensions (e.g., .jpg, .png). Attackers might need to use techniques like double extensions (.php.jpg), null bytes (if supported by the server), or exploit other vulnerabilities to bypass these.
  - Content Inspection: More robust applications might inspect file content (magic bytes) to verify file types.
  - Upload Directory Restrictions: The application might restrict uploads to specific directories, or the uploaded file might not be directly executable if placed in a non-web-accessible location.
  - Web Server Configuration: The web server might be configured to disallow execution of PHP files in certain directories.
  - Shell Detection: Antivirus or intrusion detection systems might flag known shell scripts.
  - Path Traversal: If the application is also vulnerable to path traversal, an attacker might be able to upload the shell to a more desirable location.
- Tradecraft Considerations:
  - Reconnaissance: Identify the exact version of "Service d'upload" and its deployment path. Use Google Dorks as suggested (Uploader des fichiers).
  - Payload Crafting: Prepare a PHP shell that is obfuscated or uses common names to evade detection.
  - Upload Mechanism: Understand how the application handles uploads. Is it a simple POST request with a file field? Are there other parameters?
  - Accessing the Shell: Once uploaded, determine the correct URL to access the shell. This often involves knowing the application's directory structure.
  - Post-Exploitation: Be prepared for the possibility that the initial shell might be limited in functionality or easily detected. Have follow-up plans for privilege escalation or establishing persistence.
Where this was used and when
- Context: This vulnerability was identified in a web application named "Service d'upload Version 1.0.0".
- Year: The paper was published on January 3, 2010. This suggests the vulnerability was likely present and exploitable around that time.
- Usage: The paper describes a generic "Shell Upload" vulnerability. Such vulnerabilities are commonly exploited by attackers to gain initial access to web servers, allowing them to steal data, deface websites, or use the server for further malicious activities. The specific usage in the wild for this exact version of "Service d'upload" is not detailed in the paper beyond the general exploitation scenario.
Defensive lessons for modern teams
- Strict File Type Validation: Implement robust server-side validation for file uploads. This includes checking file extensions, MIME types, and potentially file content (magic bytes). Whitelist allowed file types rather than blacklisting.
- Secure Upload Directories: Store uploaded files in directories that are not directly web-accessible or executable. If executable files must be stored, ensure they are placed in a secure, isolated environment.
- Rename Uploaded Files: Automatically rename uploaded files with random, unique names to prevent attackers from predicting their URLs. Do not rely on user-provided filenames.
- Content Security Policy (CSP): Implement CSP to restrict the sources from which scripts can be loaded and executed. This limits what an uploaded HTML or JavaScript file can do when it is served to other users; it does not stop the server from executing an uploaded PHP file, so it complements the validation and storage controls above rather than replacing them.
- Web Application Firewalls (WAFs): Use WAFs to detect and block common upload attacks, including attempts to upload executable files or scripts.
- Regular Patching and Updates: Keep all web applications and their dependencies updated to the latest secure versions. Vulnerabilities like this are often fixed in later releases.
- Principle of Least Privilege: Ensure the web server process runs with minimal necessary privileges to limit the damage an attacker can do if they gain code execution.
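The handler below is an added example, not code from the paper or from the Service d'upload project; it shows what the first three lessons look like in PHP. Extensions are taken from an allow-list that ties each one to an expected MIME type and magic-byte prefix, the content is checked with finfo and by reading the leading bytes, the stored name is random with a single allow-listed extension, and files land in a directory outside the web root. The directory path, the size cap, the allow-list contents and the form field name "file" are assumptions made for the example.

```php
<?php
// Added example (not the Service d'upload project's own code): a hardened
// upload handler. UPLOAD_DIR, MAX_BYTES, the ALLOWED table and the form
// field name "file" are assumptions for illustration.

declare(strict_types=1);

// Store outside the document root, so nothing here is reachable by URL,
// let alone handed to the PHP interpreter.
const UPLOAD_DIR = '/var/app/uploads';            // assumption: not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;                // 2 MiB cap

// Allow-list: extension => [expected MIME type, magic-byte prefix].
// Anything not listed here is rejected, whatever the client claims.
const ALLOWED = [
    'jpg' => ['image/jpeg',      "\xFF\xD8\xFF"],
    'png' => ['image/png',       "\x89PNG\r\n\x1a\n"],
    'pdf' => ['application/pdf', '%PDF-'],
];

/**
 * Validate one entry of $_FILES and return the extension it may be stored under.
 * Throws RuntimeException on any failed check. The client-supplied name is only
 * used to read the final extension; it is never used as the stored filename.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Only the last extension counts, lower-cased. A name such as
    // "shell.php.jpg" yields "jpg", which is exactly why the stored name is
    // regenerated in store_upload() instead of reusing the client's name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    [$expectedMime, $magic] = ALLOWED[$ext];

    // Check the content, not the client-declared Content-Type:
    // first libmagic via finfo, then the leading bytes directly.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $expectedMime) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }
    $head = file_get_contents($file['tmp_name'], false, null, 0, strlen($magic));
    if ($head !== $magic) {
        throw new RuntimeException('magic bytes do not match declared type');
    }
    return $ext;
}

/** Move a validated upload to a random, non-executable name and return that name. */
function store_upload(array $file): string
{
    $ext  = validate_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // unpredictable, single extension
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                               // never executable
    return $name;
}

// Entry point. The stored id is later resolved by a download script that
// reads from UPLOAD_DIR, so the browser never addresses the file by path.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    header('Content-Type: application/json');
    try {
        $stored = store_upload($_FILES['file']);
        http_response_code(201);
        echo json_encode(['id' => $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Two design points are worth noting. Regenerating the filename removes every name-based trick at once (double extensions, odd characters, guessable URLs), so the extension check only has to decide whether the type is wanted at all. Keeping the files outside the web root means that even a file whose content check is fooled is never executed by the web server; if the files must live under the web root for some reason, pair this handler with a web server rule that refuses to run PHP from that directory, as the "Web Server Configuration" pitfall above already notes.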
ASCII visual (if applicable)
This vulnerability is primarily about a web application's file upload mechanism. A simple flow diagram can illustrate the process.
+-----------------+       +-------------------+       +-----------------+
| Attacker's      | ----> | Web Application   | ----> | Server File     |
| Machine         |       | (Service d'upload)|       | System          |
| (Crafts PHP     |       | (Upload Endpoint) |       | (Upload Dir)    |
| Shell)          |       +-------------------+       +--------+--------+
+-----------------+                                            |
                                                               | (Stores File)
                                                               v
+-----------------+       +-------------------+       +--------+--------+
| Attacker's      | ----> | Web Application   | ----> | Server File     |
| Machine         |       | (Accesses Shell)  |       | System          |
| (Sends Commands)|       |                   |       | (Executes Cmds) |
+-----------------+       +-------------------+       +-----------------+

Explanation:
- The attacker crafts a malicious PHP file (a shell).
- The attacker sends this file to the web application's upload endpoint.
- The vulnerable web application, due to insufficient validation, stores this malicious file on the server's file system, often in a web-accessible directory.
- The attacker then accesses the uploaded file via its URL.
- When the attacker's browser requests this URL, the web server executes the PHP code, allowing the attacker to send commands.
Source references
- Paper ID: 10938
- Paper Title: Service d'upload 1.0.0 - Arbitrary File Upload
- Author: indoushka
- Published: 2010-01-03
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/10938
- Raw URL: https://www.exploit-db.com/raw/10938
Original Exploit-DB Content (Verbatim)
========================================================================================
| # Title : Service d'upload Version 1.0.0 Shell Upload Vulnerability
| # Author : indoushka
| # email : indoushka@hotmail.com
| # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860)
| # Total alerts found : 1
| High : 1
| Medium :
| Low :
| Informational :
| # Web Site : www.iq-ty.com
| # Dork : Uploader des fichiers
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu)
| # Bug : Shell Upload
====================== Exploit By indoushka =================================
# Exploit :
1- Shell Upload
http://server/upload/
http://server/upload/up/ch99.php
================================ Dz-Ghost Team ========================================
Greetz : Exploit-db Team (loneferret+Exploits+dookie2000ca)
all my friend * Dos-Dz * Snakespc * His0k4 * Hussin-X * Str0ke * Saoucha * Star08 * www.hackteach.org
Rafik (Tinjah.com) * Yashar (sc0rpion.ir) * Silitoad * redda * mourad (dgsn.dz) * www.cyber-mirror.org
www.albasrah-forums.com * www.amman-dj.com * www.forums.ibb7.com * www.maker-sat.com * www.owned-m.com
www.vb.7lanet.com * www.3kalam.com * Stake (v4-team.com) * www.3kalam.com * www.dev-chat.com
www.al7ra.com * Cyb3r IntRue (avengers team) * www.securityreason.com * www.packetstormsecurity.org
www.sazcart.com * www.best-sec.net * www.app.feeddigest.com * www.forum.brg8.com * www.zone-h.net
www.m-y.cc * www.hacker.ps * no-exploit.com * www.bug-blog.de * www.gem-flash.com * www.soqor.org
www.h4ckf0ru.com * www.bawassil.com * www.host4ll.com * www.hacker-top.com * www.xp10.me
www.forums.soqor.net * www.alkrsan.net * blackc0der (www.forum.aria-security.com)
SoldierOfAllah (www.m4r0c-s3curity.cc)www.arhack.net * www.google.com * www.np-alm7bh.com
www.lyloo59.skyrock.com * www.sec-eviles.com * www.snakespc.com * www.kadmiwe.net * www.syrcafe.com
www.mriraq.com * www.dzh4cker.l9l.org * www.goyelang.cn * www.h-t.cc * www.arabic-m.com * www.74ck3r.com
r1z (www.sec-r1z.com) * omanroot.com * www.bdr130.net * www.zac003.persiangig.ir * www.0xblackhat.ir
www.mormoroth.net * www.securitywall.org * www.sec-code.com *
-------------------------------------------------------------------------------------------