File upload vulnerabilities are a common security issue in web applications. They occur when an application allows users to upload files but fails to properly validate or sanitize them. Attackers exploit these weaknesses to upload malicious files (such as web shells or malware) that can lead to remote code execution, data breaches, or server compromise. Effective information gathering is critical for identifying and exploiting these vulnerabilities during penetration testing.
Impact of file upload vulnerability
- Web shell upload
- Reverse shell upload
- Remote control of the server
- Security loss
- Financial loss
- File overwrite
Information Gathering Process
Server name and version, server-side language, allowed extensions, etc.
Extensions:
- PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
- ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
- JSP: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Find uploaded folder
- Guess common directories like /uploads/, /files/, or /images/.
- Look at response headers or source code references for hints about file locations.
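The recon above works because many applications store uploads under a guessable directory and under the client-supplied filename. The following is an added defender-side example (not code from the page) showing the storage pattern that removes both footholds: the file is written under a random handle, in a directory that would sit outside the web root, and with O_EXCL so an upload can never overwrite an existing file. The temporary directory and the helper names are assumptions made so the snippet runs stand-alone.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumption: a temp dir stands in for a storage directory outside the web root.
STORAGE_ROOT = Path(tempfile.mkdtemp(prefix="uploads_"))


def is_safe_filename(name: str) -> bool:
    """Reject empty names and anything carrying a directory component."""
    if not name or "\\" in name:
        return False
    return name == os.path.basename(name)


def store_upload(original_name: str, data: bytes, root: Path = STORAGE_ROOT) -> str:
    """Write the bytes under a random, unguessable handle and return that handle.

    The client-supplied name is never used to build the path, so /uploads/<name>
    cannot be guessed and the original name is only metadata (keep it in a DB row
    alongside the handle if it needs to be shown back to the user).
    """
    if not is_safe_filename(original_name):
        raise ValueError("filename must not contain path separators")
    for _ in range(3):  # a collision on 128 random bits is not expected; retry anyway
        handle = secrets.token_hex(16)
        try:
            # O_EXCL: creation fails if the name exists, so nothing is ever overwritten.
            fd = os.open(root / handle, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return handle
    raise RuntimeError("could not allocate a unique handle")


def read_upload(handle: str, root: Path = STORAGE_ROOT) -> bytes:
    """Serve a stored file by its opaque handle through the application, not the web server."""
    if len(handle) != 32 or any(c not in "0123456789abcdef" for c in handle):
        raise ValueError("invalid handle")
    return (root / handle).read_bytes()


if __name__ == "__main__":
    h = store_upload("avatar.png", b"\x89PNG\r\n\x1a\nconstructed")
    print(h, read_upload(h)[:8])
```

Because the stored name is random and the directory is not served directly, an attacker who uploads a file has no URL to request it from, and two users uploading "avatar.png" can never clobber each other.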
Identify Upload Functionality
Locate areas in the application where users can upload files. These could be:
- Profile picture uploaders
- Document submission forms
- File sharing features
- Avatar upload sections
File upload filtering
- Client-side filtering
- Server-side filtering
- Blacklist filtering
- Whitelist filtering
- Limited file uploads
Bypass Filtering
Client-side filtering:
Step 1: Check source code properly
Step 2: Delete filtering code
Step 3: Upload the file and request it from the upload directory
Using Burp Suite:
Step 1: Intercept response
Step 2: Delete the .js file from the response and forward
Step 3: Upload the file and request it from the upload directory
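Both bypasses above work for the same reason: a JavaScript check runs in the attacker's browser, so removing it costs nothing, and only a server-side check counts. The block below is an added example (not code from the page) that puts the filtering types listed earlier side by side: a blacklist built from the page's own PHP extension list, a whitelist for an image uploader that also checks the file's leading bytes, and a size limit. The image allowlist, the magic-byte values and the function names are assumptions.

```python
# Blacklist: the PHP extension list from the page, compared case-insensitively
# against every dotted suffix of the name, not only the last one.
PHP_DENYLIST = {
    "php", "php2", "php3", "php4", "php5", "php6", "php7", "phps", "pht", "phtm",
    "phtml", "pgif", "shtml", "htaccess", "phar", "inc", "hphp", "ctp", "module",
}

# Whitelist (assumption: a profile-picture uploader): extension -> leading bytes
# the content must start with for that type.
IMAGE_ALLOWLIST = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def suffixes(filename: str) -> list[str]:
    """Every dotted suffix, lower-cased: 'A.Tar.GZ' -> ['tar', 'gz'], 'noext' -> []."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def denylist_check(filename: str) -> bool:
    """Blacklist filtering: reject names carrying any known server-side extension.
    Passing this says nothing about what the file actually is."""
    return not any(s in PHP_DENYLIST for s in suffixes(filename))


def allowlist_check(filename: str, data: bytes, allowed=IMAGE_ALLOWLIST) -> bool:
    """Whitelist filtering: accept only a single expected extension whose content
    starts with the bytes for that type. Anything not explicitly listed fails."""
    sfx = suffixes(filename)
    if len(sfx) != 1 or sfx[0] not in allowed:
        return False
    return any(data.startswith(magic) for magic in allowed[sfx[0]])


def server_side_validate(filename: str, data: bytes, max_bytes: int = 2_000_000) -> tuple[bool, str]:
    """The check the server runs on every request, whatever the client's JavaScript did."""
    if len(data) > max_bytes:
        return False, "too large"            # 'limited file uploads'
    if not denylist_check(filename):
        return False, "denylisted extension"
    if not allowlist_check(filename, data):
        return False, "not an allowed image"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real JPEG header, then a text file renamed to .jpg.
    print(server_side_validate("photo.jpg", b"\xff\xd8\xff\xe0constructed"))
    print(server_side_validate("photo.jpg", b"not an image"))
```

The tests below make the ordering point concrete: notes.txt clears the blacklist but fails the whitelist, and a correctly named .jpg whose bytes are not a JPEG still fails, which is why the whitelist plus content check, not the blacklist, should be the gate.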