
File Upload RCE Exploitation: Upload Mechanism

Written by Sagiv Michael on



Introduction to File Upload RCE Exploitation

Imagine uploading a photo to your favorite social media site, only to unknowingly grant hackers complete control over the server. This scenario, while frightening, exemplifies how a Remote Code Execution (RCE) attack via a file upload mechanism can occur. RCE vulnerabilities are significant concerns in web security, allowing attackers to exploit seemingly harmless features like file uploads to execute malicious code on a server. The consequences range from theft of sensitive data to further attacks launched across the network.

In this article, we demonstrate how we achieved complete control over a system during a real-world penetration test by exploiting a file upload RCE vulnerability. We also discuss steps you can take to protect your systems.

Exploiting a File Upload RCE Vulnerability: Our Approach

During a penetration test, we discovered a WordPress complaint form that accepted photo attachments. To achieve successful Remote Code Execution (RCE), three conditions needed to be met:

  1. Presence of a file upload mechanism.
  2. Knowledge of the destination folder where files are stored.
  3. Understanding of how the file name is saved on the system.

We confirmed the first condition—the upload mechanism existed. To determine the destination folder, we uploaded a standard PNG file. The server’s response included the absolute file path, revealing both the storage location and the file naming convention.

Uploading a PNG to Receive the Destination File Path

Bypassing File Type Restrictions

With all three conditions satisfied, we proceeded to bypass restrictions preventing PHP file uploads. Since WordPress uses PHP as its backend, uploading a PHP file could lead to RCE.

We experimented with various techniques and discovered that naming the file with a .png extension before the .php extension (e.g., image.png.php) and setting the content type to image/png bypassed the system’s restrictions. This approach was quickly identified using an open-source tool called Upload_Bypass, developed by the article’s author, which automated the discovery process.

We used the following simple PHP code in the file body:

<?php echo 123 ?>

Bypassing the System’s Restrictions by Uploading a PHP File

Upon accessing the uploaded PHP file via a GET request, the server responded with “123,” confirming successful execution of the PHP code.

The PHP File is Successfully Rendered

Uploading a PHP Web Shell

After verifying that PHP files could be executed, we aimed to upload a PHP web shell to execute operating system commands remotely. Initially, we tried uploading a PHP file containing the built-in system() function, which should let us run operating system commands on the server, but the upload was blocked by the system's Web Application Firewall (WAF):

<?php system($_GET["cmd"]); ?>

The System’s WAF Blocks the Uploaded PHP File

Since the earlier echo payload worked, we concluded that the WAF detects the PHP system function and blocks the upload as a result. We therefore tried to bypass the restriction with the following alternative functions as well, but with no luck:

passthru(), shell_exec()

However, when we tried to upload the previous PHP shell again with the exec() function, it was uploaded successfully, meaning we bypassed the WAF’s restrictions!

Bypassing file upload restrictions to achieve RCE

Next, all we had to do was access the uploaded file with a user-controlled parameter and execute system commands, which led to a complete system takeover. We managed to access all of the WordPress databases, retrieve FTP credentials, and more.

Our approach to exploiting the file upload RCE involved bypassing MIME type restrictions.

Executing remote code via uploaded PHP shell

Mitigation Strategies for File Upload RCE Vulnerabilities

If you have encountered any of the above scenarios, follow the instructions below, provided by Clear Gate, for immediate mitigation and to prevent unsafe file upload vulnerabilities going forward:

  • Validate the MIME type to verify that the content of a file aligns with the expected format.
  • Use an allow list for permitted extensions instead of a deny list.
  • Do not return the complete path of the uploaded file in the HTTP response.
  • Use an anti-malware solution to scan for malicious files before processing them on the server.
  • Disable the execution permissions of the uploaded files.

Implementing strict validation can prevent file upload RCE vulnerabilities.
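The following server-side validator is an added example (not Clear Gate's code and not taken from the tested application) showing how the first three mitigations above defeat the exact bypass described in this article: it keys the allowlist off the final extension (so image.png.php is treated as .php), requires the declared Content-Type to match that extension, checks the file's magic bytes against the declared type, and stores the file under a random server-generated name so no path is echoed back. The allowlist and sample inputs are constructed for illustration.

```python
import os
import secrets

# Allowlist of permitted extensions, each with the MIME type and magic bytes
# the content must carry. (Constructed for this example; extend per application.)
ALLOWED_TYPES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (ok, detail). Checks the LAST extension against the allowlist,
    the declared Content-Type against that extension, and the magic bytes
    against the declared type, so a PHP body cannot masquerade as an image."""
    # Drop any directory components the client may have sent.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "missing extension"
    # image.png.php -> "php": only the final extension decides how the server runs the file.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    expected_mime, magic = ALLOWED_TYPES[ext]
    if declared_type.split(";")[0].strip().lower() != expected_mime:
        return False, "Content-Type does not match extension"
    if not data.startswith(magic):
        return False, "file content does not match declared type"
    return True, ext


def server_side_name(ext: str) -> str:
    """Random server-generated name: the client's filename never reaches the
    filesystem, and the absolute storage path is never returned in the response."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs: a minimal PNG header and the article's bypass attempt.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BODY = b"<?php echo 123 ?>"

if __name__ == "__main__":
    print(validate_upload("photo.png", "image/png", REAL_PNG))        # accepted
    print(validate_upload("image.png.php", "image/png", PHP_BODY))    # rejected: .php
    print(validate_upload("photo.png", "image/png", PHP_BODY))        # rejected: magic bytes
```

Running the script shows the genuine PNG accepted and both the double-extension upload and the PHP body with a forged image Content-Type rejected, each with the reason the server should log (but not return to the client).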

Conclusion

This case study highlights the dangers of Remote Code Execution attacks via unsafe file upload mechanisms. By exploiting a seemingly benign feature, attackers can gain complete control over a system. Implementing proper server-side validation, avoiding path disclosures, using allowlists, and validating MIME types are critical steps in mitigating these vulnerabilities.

Organizations should prioritize cybersecurity risk assessments and penetration tests to identify and address such risks. Clear Gate offers in-depth manual penetration tests to help organizations strengthen their security and protect valuable data from potential threats.
