How Websites Get Hacked With FileUpload Vulnerability?

The vulnerability which we are about to demonstrate in my opinion is the number 1 reason why websites hacked and are exploited further to the server level. When a hacker performs a SQL Injection attack on a website he needs a way to get shell level access and install the PHP backdoor so he can touch other files on server or compromise the server itself if it's vulnerable. If we could secure our uploads and restrict our upload area so that they don't allow it does not allow the upload of other files instead of images we can protect our upload area.

However there is a problem, The PHP files can still be uploaded by various methods. The most common method is by renaming the PHP backdoor to the following and then uploading the shell.

shell.php;.jpg
shell.php.jpg
shell.php..jpg
shell.php.jpg
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg;
shell.php.jpg;
shell.php.jpg:;
However there is also a method to block the upload of the above files. But there is also another way to bypass it even if the uploading of the files name with the above extension is blocked. We will use tamper data for this purpose.

Step 1 

Install http live headers firefox extention, then go to the upload section. Open Live HTTP Headers and upload shell. Now if you try to go to the link where you have your shell uploaded it will give you error (only on some websites) so we will have to change that hidden .php.jpg extension into the .php.

So as we uploaded the shell and opened the Live HTTP Headers you should find where you have uploaded your shell. You will have to find the line where ti writes that you uploaded the shell. Select it and then click on button reply.






Step 2 - 

After uploading, find the directory where your fle uploaded, example if you uploaded it in images then it will be in http://website/images/shell.php. The rest of the steps are self explanatory.





How To Protect Your Website from the FileUpload Vulnerability?

That's a separate topic and will be explained in a separate post. However for now I would recommend you to install a third party fileuploading service, Where the file get's uploaded the fileuploading service's server not yours.

About the author : 

Minhal Mehdi is a Tech Blogger and Ethical Hacker, He runs a blog http://www.devilscafe.in. where he writes about Exploits and vulnerabllies