Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This lesson gives participants a demonstration of unrestricted file upload: an uploaded PHP file that can execute any command on the web server. The code is placed in a PHP file and uploaded, using the Burp Suite interceptor to see where the file is positioned on the web server.

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is SANS Top 25.
00:12
Upload file with dangerous type demo: unrestricted file upload.
00:19
This is the demo for unrestricted file upload. We're gonna use Mutillidae. Under Others, there's an Unrestricted File Upload menu item. When you come here,
00:32
it basically allows the upload of any type of file.
00:37
Now, what we would demonstrate here is a web shell script. So
00:45
what we're gonna do is actually upload a PHP file.
00:50
And if you'll notice, it's going to be a standard form that will be able to take in any kind of command,
01:00
and that command is then going to execute in a shell
01:04
on the web server.
01:07
So you just take this code
01:11
and place it in a PHP file.
01:15
And of course, since there's no restriction or validation being done,
01:19
we're going to go ahead and upload that.
01:23
Now, before we click the upload button,
01:26
we do want to turn on Burp Suite, because we want to see if there are any hidden parameters here that might clue us in as to where our file might be positioned on the web server. I've got my interceptor on.
01:45
Go ahead and
01:47
intercept that.
01:51
And what you'll notice is that in the form there's specified an upload directory,
01:59
and it actually gives us the
02:01
actual directory location
02:06
for where our files are going to be uploaded. Well, great. That makes it super easy.
02:13
From previous error messages, we've determined that Mutillidae runs in XAMPP
02:20
and it's running on a Windows system.
02:23
So using that information, we know that XAMPP actually has an htdocs directory. So we're changing the path to have the upload directory be this
02:38
htdocs directory.
02:40
I'm gonna go ahead and forward that,
02:44
and so this lets me know, yes, it was indeed loaded there. Open up another window,
02:55
grab my web server,
03:00
and
03:05
I can invoke
03:07
that PHP file.
03:09
So now I have a great web shell that allows me to then execute any command I like on this web server.
03:21
So knowing it's a Windows machine, I could do dir.
03:27
And you see the contents, et cetera. So any type of Windows command I can now execute.
03:32
And of course, this is due to the fact that there's no validation being done on the server side
03:39
for what is able to be uploaded and executed
03:45
on the web server.
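As an added example, not code from the course or from Mutillidae, this is the kind of server-side check the demo shows missing: a PHP upload handler that never reads a client-supplied directory field, fixes the destination outside the web root, decides the file type from the file contents against an allowlist, and assigns its own random filename. The upload path, the form field name and a Unix-like host are assumptions.

```php
<?php
// Added example, not code from the course or from Mutillidae: a hardened
// upload handler addressing the gaps the demo exploits. Paths are assumptions.
const UPLOAD_DIR = '/var/app/uploads';   // assumption: outside the web root (not htdocs)
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist of content types mapped to the extension the server assigns.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function validate_upload(array $file): string
{
    // Reject anything PHP itself did not receive as a clean upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the file contents, never from the client's filename or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    return ALLOWED[$mime];
}

function store_upload(array $file): string
{
    $ext = validate_upload($file);
    // Server-chosen random name and extension: the client's filename never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app only, no execute bit
    return $name;
}

// The hidden upload-directory field the demo rewrote in Burp is deliberately
// never read: the destination is fixed above and not influenced by the request.
if (isset($_FILES['upload'])) {   // 'upload' is the assumed form field name
    try {
        echo 'stored as ' . htmlspecialchars(store_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

If a deployment must keep uploads under the web root, the server must additionally be configured so that directory never executes scripts; the handler alone cannot enforce that.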

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Sunny Wear
Instructor