00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is SANS Top 25:
00:12
Upload of File with Dangerous Type demo: unrestricted file upload.
00:19
This is the demo for unrestricted file upload. We're gonna use Mutillidae. Under Others, there's an Unrestricted File Upload menu item. When you come here,
00:32
it basically allows the upload of any type of file.
00:37
Now, what we will demonstrate here is a web shell script. So
00:45
what we're gonna do is actually upload a PHP file.
00:50
And if you'll notice, it's going to be a standard form that will be able to take in any kind of command,
01:00
and that command is then going to execute in a shell.
01:07
So you just take this code
01:11
and place it in a PHP file.
01:15
And of course, since there's no restriction or validation being done,
01:19
we're going to go ahead and upload that.
01:23
Now, before we click the upload button,
01:26
we do want to turn on Burp Suite, because we want to see if there are any hidden parameters here that might clue us in as to where our file might be positioned on the web server. I've got my interceptor on.
01:51
And what you'll notice is that in the form there's an upload directory specified,
01:59
and it actually gives us the
02:01
actual directory location
02:06
for where our files are going to be uploaded. Well, great. That makes it super easy.
02:13
From previous error messages, we've determined that Mutillidae runs in XAMPP
02:20
and it's running on a Windows system.
02:23
So using that information, we know that XAMPP actually has an htdocs directory. So we're changing the path to have the upload directory be this.
02:40
I'm gonna go ahead and forward that,
02:44
and so this lets me know: yes, it was indeed uploaded there. Open up another window,
03:09
So now I have a great web shell that allows me to then execute any command I like on this web server.
03:21
So knowing it's a Windows machine, I could do dir.
03:27
And you see the contents, etcetera. So any type of Windows command I can now execute.
03:32
And of course, this is due to the fact that there's no validation being done on the server side
03:39
for what is able to be uploaded and executed.