Exploiting a File Upload Mechanism to Gain RCE
Written by Sagiv Michael on
Introduction
Imagine uploading a photo to your favorite social media site, only to unknowingly grant hackers complete control over the server. This scenario, while frightening, is precisely what a Remote Code Execution (RCE) attack via a file upload mechanism can achieve. RCE vulnerabilities are a significant concern in web security, allowing attackers to exploit seemingly harmless features like file uploads to execute malicious code on a server. That code can do anything from stealing sensitive data to launching further attacks across a network. In this article, we'll demonstrate how we gained complete control over a system in a real-world situation during a penetration test and discuss steps you can take to protect yourself and your systems.
How Did We Manage to Achieve a Remote Code Execution?
During the penetration test, we stumbled upon a WordPress complaint form for issues related to the product, which accepts only photos for attachments to be uploaded as proof. To achieve a successful Remote Code Execution (RCE), we needed three elements to be fulfilled:
- File upload mechanism.
- A destination folder where the files are stored in the system.
- Know how the file name is saved on the system.
So far, we had discovered only the first requirement (the upload mechanism). To fulfill the second requirement, we needed to discover the destination folder, which wasn't hard: all we had to do was upload a regular PNG file, which the form accepts by default. The server responded with the absolute path of the stored file, which also revealed how the file name is saved on disk and therefore answered the third requirement.
After we armed ourselves with the three crucial elements, we needed to bypass the restrictions preventing us from uploading a PHP file (since WordPress works with PHP as the backend technology).
Testing various techniques, we discovered that putting the PNG extension (.png) before the PHP extension (.php) in the filename and sending a content type of image/png bypasses the system's restrictions. We discovered this quickly with the help of an open-source tool called Upload_Bypass, which was developed by the author of this article and automates the entire discovery process. Lastly, for the body, we chose the following PHP code:
<?php echo 123 ?>
When we accessed the uploaded PHP file with a GET request, we received a response with the content "123", meaning the code found in the PHP file was rendered and executed successfully.
After we bypassed the system's restrictions and verified that PHP files could be executed, it was time to upload a PHP web shell that allowed operating system commands to be executed remotely on the server. We tried uploading a PHP file with the built-in function system, which should enable us to run system commands on the server, but it seemed to be blocked by the system's Web Application Firewall (WAF):
<?php system($_GET["cmd"]); ?>
Since the previous echo function worked, we figured that the WAF detects and blocks the PHP system function and, as a result, prevents the file’s execution. Therefore, we tried to bypass the restriction by using these alternative functions as well, but with no luck:
passthru(), shell_exec()
However, when we tried to upload the previous PHP shell again with the exec() function, it was uploaded successfully, meaning we bypassed the WAF’s restrictions!
Next, all we had to do was access the uploaded file with a user-controlled parameter and execute system commands, which led to a complete system takeover. We managed to access all of the WordPress databases, retrieve FTP credentials, and more.
Mitigation
If you have encountered any of the above scenarios, please follow the instructions below, provided by Clear Gate, for immediate mitigation and to prevent further unsafe file upload vulnerabilities:
- Validate the MIME type to verify that the content of a file aligns with the expected format.
- Use an allow list for permitted extensions instead of a deny list.
- Do not return the complete path of the uploaded file in the HTTP response.
- Use an anti-malware solution to scan for malicious files before processing them on the server.
- Disable the execution permissions of the uploaded files.
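The following Python example is added here to illustrate the mitigation list; it is not code from the article, from the tested site, or from Upload_Bypass. It contrasts a constructed weak check (an allowed extension anywhere in the name plus a trusted Content-Type header, which is exactly what a name like proof.png.php with image/png slips past) with a hardened validator that decides on the final extension only, checks the file's magic bytes against the declared type, refuses content carrying a PHP open tag, stores the file under a random server-chosen name with no execute bit, and returns only an opaque id rather than the path. The sample byte strings, function names and allow list are assumptions for the example.

```python
import os
import re
import secrets

# Constructed sample magic bytes for the two image formats the allow list permits.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Allow list (mitigation 2): final extension -> (expected MIME type, required magic bytes).
ALLOWED = {
    "png": ("image/png", PNG_MAGIC),
    "jpg": ("image/jpeg", JPEG_MAGIC),
    "jpeg": ("image/jpeg", JPEG_MAGIC),
}

# Heuristic for embedded PHP open tags ("<?php", "<?=") inside an otherwise valid image.
# It is a cheap pre-filter, not a replacement for a real anti-malware scan (mitigation 4).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def weak_accepts(filename: str, content_type: str) -> bool:
    """Constructed example of the kind of check the double-extension trick defeats:
    it looks for an allowed extension anywhere in the name and trusts the
    client-supplied Content-Type header."""
    return content_type in ("image/png", "image/jpeg") and any(
        f".{ext}" in filename.lower() for ext in ALLOWED
    )


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Hardened server-side check. Returns (accepted, reason)."""
    base = os.path.basename(filename)  # drop any client-supplied directory part
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Only the final extension decides how the web server handles the file,
    # so "proof.png.php" resolves to "php" and is rejected.
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allow list"
    expected_mime, magic = ALLOWED[ext]
    if content_type != expected_mime:
        return False, "declared Content-Type does not match extension"
    # Mitigation 1: do not trust the header; the bytes must match the claimed format.
    if not data.startswith(magic):
        return False, "file content does not match the expected image format"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag found"
    return True, "ok"


def store_upload(filename: str, content_type: str, data: bytes, upload_dir: str) -> dict:
    """Stores an accepted file under a random, server-chosen name (mitigation 3: the
    client learns only an opaque id, never the path) with no execute bit (mitigation 5)."""
    ok, reason = validate_upload(filename, content_type, data)
    if not ok:
        return {"accepted": False, "error": reason}
    ext = filename.lower().rsplit(".", 1)[-1]
    token = secrets.token_hex(16)
    path = os.path.join(upload_dir, f"{token}.{ext}")
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o640)  # readable by the server process, never executable
    return {"accepted": True, "id": token}


if __name__ == "__main__":
    # Constructed inputs shaped like the cases described in the article.
    print(weak_accepts("proof.png.php", "image/png"))               # True: weak check fooled
    print(validate_upload("proof.png.php", "image/png", PNG_MAGIC))  # rejected: .php
    print(validate_upload("proof.png", "image/png", b"<?php echo 123 ?>"))  # rejected: not a PNG
    print(validate_upload("proof.png", "image/png", PNG_MAGIC + b"\x00" * 8))  # accepted
```

The upload directory passed to store_upload should sit outside the web root or be served with script execution disabled, so that even a file that slips through validation is returned as static bytes instead of being interpreted.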
Conclusion
This article has demonstrated the dangers of Remote Code Execution attacks via unsafe file upload mechanisms. We explored a real-world scenario during a penetration test where seemingly harmless features were exploited to gain complete control over a system. We highlighted the importance of proper server-side validation to mitigate these vulnerabilities. By implementing the recommended measures, such as avoiding path disclosure in responses, using allowlists, and validating MIME types, web application owners can significantly reduce the risk of falling victim to such attacks. Remember, even seemingly minor security lapses can have devastating consequences. Always prioritize strong security practices to protect your systems and user data.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in file upload deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their security and protect valuable data from potential threats.