The dangerous effect of upload feature

Two days ago, I tried to do some research with web application security. My main focus is targeting the upload feature of a website. Many website today using upload feature to interact with their user, for example on a job searcher website or educational website. From several trials that I’ve done with some website, almost 30% of the website using unsanitized upload feature, and the rest, mostly using a filtering upload feature.

I will not go for the unsanitized upload feature, it will be covered automatically. OK lets discuss about using an upload feature arbitrarily. As I said before, many website today using this feature, I will choose some website which offering for job vacancy. Lets consider I already found the site, then I tried to upload my file into the site, since I my backdoor application made with PHP, so I choose my backdoor.php file. But, something happen in here, the browse menu couldn’t found (read) my PHP file, it only identify the PDF, DOC, DOCX, JPG and PNG file.

This would be a problem. Next, I tried to fire-up my Burpsuite. The reason is to catch any data transaction between the site and the browser. After setting my proxy to 8080, again I request the page and try to use upload button again. This time my Burpsuite response quickly with the request. I tried to examine the data. And, bingo, after a few forwarding data, I have this data

For more detail, I will paste it in here :

$('#fileInput').uploadify({
'uploader'  : 'uploadify/uploadify.swf',
'script'    : 'uploadify/uploadify.php',
'cancelImg' : 'uploadify/cancel.png',
'auto'      : true,
'folder'    : '/upload',
'multi'        : true,
'queueSizeLimit': 3,
'fileExt'    : '*.pdf;*.doc;*.docx;*.jpg;*.gif;*.png',
'fileDesc'    : 'Files',
onComplete: function (evt, queueID, fileObj, response, data) {
i++;
$("#filename").append("File" + fileObj.name +  Successfully Uploaded

“);

See, this code prevent the user from uploading another file into the server. Now, using Burpsuite, I tried to change the Javascript syntax, so it will allow me to upload my PHP backdoor into the server. I simplify change the *.png into *.php and continue forward the packet until the page fully loaded. Next, I turn off my proxy and try to use the upload button again, and this time it successfully read the PHP file.

Well, now it’s easly for me to upload my backdoor.php. After successfully upload my backdoor, the next thing to do is find the folder where my backdoor saved into. To do this, I’m using Dirbuster from OWASP. From the result I could knew that there is a folder name /upload/ inside the server. I tried to open the folder, and WOW, there is my backdoor application, listed inside the folder. Good, next I try to run my backdoor, and here what I got
+ Using method 0 [system()] on http://www.xxxxxxxxxxxxmi.com/upload/backdoor.php


www.xxxxxxxxxxxxxmi.com> uname -a
Linux zzzzzzzzzzhost.com 2.6.35.7-hhhhhhh #1 SMP Mon Dec 13 08:34:39 CST 2010 x86_64 x86_64 x86_64 GNU/Linux
www.xxxxxxxxxxxxxmi.com> pwd
/home/xyz/public_html/upload</div>

The lesson is, always use a secure upload feature for your website , if it not to important, please using your email to receive the file (cv, resume etc).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Spentera

We are specializing in penetration test, vulnerability assessment, computer forensics, as well as intrusion analyst and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use Contact Our Team menu on the sidebar.