Tuesday, July 22, 2025

Segfault ethical hacking week 15

3 Ways to Topple a Web Server: A Complete Guide to File Vulnerabilities (Upload, Download, Inclusion)

Features that handle user files (forums with attachments, file archives, profile picture uploads) are common in web applications. Yet this ordinary functionality can become a back door that hands an attacker everything on the server. This week we look in depth at three vulnerability classes caused by careless file handling: File Upload, File Download, and File Inclusion.


1. File Upload Vulnerability: Planting Malware on the Server

A File Upload Vulnerability lets an attacker place arbitrary files on the server. The usual goal is to upload a Web Shell, a script the attacker can then use to execute commands on the server.

What is a Web Shell? A web shell is a script file that executes server commands in response to web requests. A server can be compromised with a single line of code:

<?php system($_GET['c']); ?>

This runs whatever value arrives in the c parameter as a shell command on the server (e.g., /webshell.php?c=ls -al) and returns the output in the HTTP response. Once the web shell is uploaded, the attacker simply opens it in a browser and controls the server remotely.

How Do They Bypass Defenses? (Bypass Techniques)

Upload handlers typically block files with script extensions such as .php, .jsp, or .asp. Attackers use several tricks to get past that check.

  • Double Extension: A name like webshell.php.jpg defeats a filter that only inspects the final extension (.jpg). On Apache, a handler mapping such as AddHandler application/x-httpd-php .php applies to any file whose name contains .php, regardless of what follows it, so the upload is still executed as PHP.

  • NULL Byte Injection: Placing a NULL character (%00, URL-decoded to byte 0x00) in the name, as in webshell.php%00.jpg, lets the filter see a string that ends in .jpg. When the name is later handed to the C library routine that writes the file, the NULL terminates the string and the file is saved as webshell.php. Older PHP versions (before 5.3.4) were affected; later versions refuse paths containing NULL bytes.

  • .htaccess File Upload: If the upload directory is served by Apache with AllowOverride enabled, an attacker can upload a malicious .htaccess file that overrides the server configuration for that directory, for example AddType application/x-httpd-php .jpg, so that a harmless-looking .jpg upload is executed as PHP.

Countermeasures

  • Extension Whitelisting (Most Important): Keep a whitelist of allowed extensions (e.g., jpg, png, gif), check the lowercased final extension against it, and reject everything else. A blacklist of dangerous extensions is always incomplete.

  • Filename Obfuscation and Path Secrecy: Rename the uploaded file to a random string and store it in a path that cannot be guessed or reached directly from outside. Serve it back through a download handler rather than from a directory in which the web server is allowed to execute scripts.

  • Use External Storage: Store files on a separate file server (NAS) or cloud storage (like AWS S3) to isolate them from the web server.

  • Store Files in a Database: Another method is to store files as binary data (BLOB) within the database.
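To make the bypass list and the countermeasures above concrete, here is an added Python example (not code from the original post) that runs the filenames named in the bypass section through a typical weak filter and through a hardened allowlist validator. The function names, the sample JPEG/GIF headers and the list of payloads are assumptions made for this illustration; the order of checks is what a hardened upload handler should perform, whatever language the application is written in.

```python
import os
import re
import secrets
from typing import Optional

# Script extensions the weak filter blocks by name (a blocklist).
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php5", "jsp", "asp", "aspx"}
# What the hardened handler allows instead (an allowlist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# File signatures (magic bytes) for the allowed image types.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Stored names: letters, digits, underscore, dash, then exactly one extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")

# Constructed filenames covering the bypass techniques listed above.
PAYLOADS = [
    "avatar.jpg",                 # legitimate upload
    "webshell.php",               # caught by any extension check
    "webshell.php.jpg",           # double extension: Apache AddHandler still runs it as PHP
    "WEBSHELL.PHP",               # case trick against a case-sensitive blocklist
    "webshell.php\x00.jpg",       # %00 decoded: old PHP truncates the name at the NUL
    ".htaccess",                  # Apache per-directory config override
    "../../var/www/html/x.jpg",   # directory components smuggled into the name
]


def naive_allows(filename: str) -> bool:
    """The weak filter: case-sensitive blocklist on the text after the last dot.

    It blocks webshell.php but passes the double-extension, case, NUL-byte
    and .htaccess payloads above.
    """
    ext = filename.rsplit(".", 1)[-1]
    return ext not in SCRIPT_EXTENSIONS


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return jpg/png/gif when the content starts with that signature, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_accept(filename: str, data: bytes) -> Optional[str]:
    """Allowlist validation; returns the random name to store under, or None.

    Order of checks: drop any directory part, reject NUL bytes, require a
    plain single-extension name, require the lowercased final extension to
    be in the allowlist, and require the content to start with the matching
    image signature. The caller is expected to write the file outside the web
    root (or to object storage) and never execute anything from that path.
    """
    name = os.path.basename(filename)
    if "\x00" in name or not SAFE_NAME.fullmatch(name):
        return None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != {"jpeg": "jpg"}.get(ext, ext):
        return None
    # The attacker never controls the stored name, so no extension trick survives.
    return f"{secrets.token_hex(16)}.{ext}"


def compare_filters(payloads=PAYLOADS, data: bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 12):
    """Run every payload through both filters; the default data is a JPEG header."""
    return {p: (naive_allows(p), hardened_accept(p, data) is not None) for p in payloads}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_filters().items():
        print(f"{name!r:32} naive={naive!s:5} hardened={hardened}")
```

The signature check is a secondary control only: a file that begins with GIF89a and continues with PHP code still passes it, which is why the random stored name, the allowlist on the final extension and a non-executable storage location carry the real weight.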


2. File Inclusion Vulnerability: Assembling Server Files at Will 

A File Inclusion vulnerability arises when a function such as include or require loads and executes a file whose path is built from user input (a request parameter).

  • Local File Inclusion (LFI): Includes files from within the server.

  • Remote File Inclusion (RFI): Includes a file fetched from an external server. RFI is far more critical because the attacker can have the server execute any script they host, immediately. In PHP it only works when allow_url_include is enabled, which is off by default.

Attack Scenario (LFI)

  1. An attacker notices a URL that functions like ?page=intro.php.

  2. The attacker replaces it with a path to a sensitive system file, such as ?page=../../../../etc/passwd, and reads its contents in the response.

  3. If no upload is available, the attacker can still get code onto the server by writing it into a file the server already holds, typically the web server's access log (access_log). A request whose User-Agent header contains PHP code is recorded verbatim in the log; including that log through the LFI then executes the code. This is known as Log Poisoning.
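The following Python example is added here and is not part of the original post. It shows the path that an include built from the ?page= parameter effectively resolves to for the payload above, an allowlist-based replacement, and a small detector that finds the poisoning request and the follow-up include in a constructed Apache access_log excerpt. The pages directory, the allowlist entries and the log lines are assumptions made for the illustration.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

PAGES_DIR = "/var/www/app/pages"      # assumed location of the includable pages
# Fixed page names the application knows about; the request never carries a path.
PAGE_ALLOWLIST = {"intro": "intro.php", "about": "about.php", "contact": "contact.php"}


def vulnerable_resolve(page: str) -> str:
    """What include($dir . '/' . $_GET['page']) effectively resolves to."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, page))


def safe_resolve(page: str) -> Optional[str]:
    """Map the parameter through an allowlist; anything else is refused."""
    target = PAGE_ALLOWLIST.get(page)
    return None if target is None else posixpath.join(PAGES_DIR, target)


# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[/\\]")
LOG_PATHS = ("access.log", "access_log", "error.log", "error_log")

# Constructed access_log excerpt: a normal visit, the poisoning request that
# plants PHP in the User-Agent, and the follow-up request that includes the log.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2025:10:00:01 +0900] "GET /index.php?page=intro HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2025:10:00:09 +0900] "GET /index.php?page=intro HTTP/1.1" 200 1532 "-" "<?php system($_GET['c']); ?>"
203.0.113.7 - - [22/Jul/2025:10:00:15 +0900] "GET /index.php?page=../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 88214 "-" "Mozilla/5.0"
"""


def detect_log_poisoning(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for lines that look like poisoning or LFI."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            findings.append((n, "unparseable line"))
            continue
        request = unquote(m.group("request"))   # decode %2e%2e style traversal
        agent = m.group("agent")
        referer = m.group("referer")
        if PHP_TAG.search(agent) or PHP_TAG.search(referer) or PHP_TAG.search(request):
            findings.append((n, "PHP open tag written into the log"))
        elif TRAVERSAL.search(request) and any(p in request for p in LOG_PATHS):
            findings.append((n, "traversal toward a log file (possible include of poisoned log)"))
        elif TRAVERSAL.search(request):
            findings.append((n, "path traversal in request"))
    return findings


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("../../../../etc/passwd"))
    print("allowlist: ", safe_resolve("../../../../etc/passwd"))
    for n, reason in detect_log_poisoning(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Two practical notes: the include of the poisoned log only succeeds if the PHP process can read the log file, which on a default Debian-style layout it cannot, and the allowlist approach works because the application decides which files are includable, so the parameter value is a key, never a path.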


3. File Download Vulnerability: A Window into the Server's Soul 

A File Download Vulnerability involves manipulating the parameters of a download function to retrieve files outside the intended directory. At its core this is Path Traversal.

Attack Scenario

  1. An attacker discovers a download link structured like download.php?fileName=report.pdf.

  2. The attacker uses ../ sequences to climb to parent directories, with a payload such as fileName=../../../../etc/passwd (Linux) or fileName=../../../../boot.ini (older Windows versions), and downloads critical system files.

From the attacker's point of view, the most valuable payoff is the ability to download the application's source code as it sits on disk. With the source in hand, an attacker can readily find database credentials, server-side logic, and other hidden vulnerabilities, which makes this a severe flaw that enables further chained attacks.

From a penetration testing perspective, once a file download vulnerability is found the top priority is to pull the web application's configuration files (web.xml, config.php, and the like) and then the source code itself.
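As an added Python example (not from the original post), the download handler's check is shown here in both its naive and hardened form against the payloads from the scenario above plus URL-encoded and NUL-byte variants. The download directory, the function names and the request list are assumptions made for this illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

DOWNLOAD_DIR = "/var/www/app/files"   # assumed directory the download handler serves from


def naive_is_safe(file_name: str) -> bool:
    """The usual insufficient check: refuse any name containing '..'.

    It stops the plain payload but not '%2e%2e/' when the application
    URL-decodes the parameter after the check, and it says nothing about
    absolute paths.
    """
    return ".." not in file_name


def resolve_download(file_name: str, base_dir: str = DOWNLOAD_DIR) -> Optional[str]:
    """Canonicalize, then insist the result still lives under base_dir.

    Decoding happens before the check so encoded traversal is seen for what
    it is; backslashes are treated as separators so the Windows-style payload
    is judged the same way on every platform; NUL bytes are refused because
    the C layer would truncate the name there.
    """
    decoded = unquote(file_name).replace("\\", "/")
    if "\x00" in decoded or not decoded.strip():
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when decoded is absolute, so '/etc/passwd'
    # ends up outside base and fails the containment check below.
    target = os.path.realpath(os.path.join(base, decoded))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed download requests: the scenario's payloads plus encoded variants.
REQUESTS = [
    "report.pdf",
    "2025/q2/report.pdf",
    "../../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\..\\..\\boot.ini",
    "/etc/passwd",
    "report.pdf%00.jpg",
]


def compare_checks(requests=REQUESTS):
    """(naive verdict, canonical path or None) for each request."""
    return {r: (naive_is_safe(r), resolve_download(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, resolved) in compare_checks().items():
        print(f"{req!r:44} naive_safe={naive!s:5} served={resolved}")
```

Because os.path.realpath follows symlinks, a link planted inside the download directory that points at /etc is judged by where it points, which a purely lexical normpath check would miss. The remaining gap is the classic one for any check-then-open code: the file must be opened by the same canonical path that was checked.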
