Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is the SANS Top 25 Upload of File with Dangerous Type lab. We're gonna be using WebGoat's Malicious File Execution lesson.
This is the lab of WebGoat's Malicious File Execution. The instructions state that the form below allows you to upload an image which will be displayed on this page.
Features like this are often found on web-based discussion boards and social networking sites. This feature is vulnerable to malicious file execution.
In order to pass this lesson, upload and run a malicious file.
In order to prove that your file can execute, it should create another file that has this name, basically this location. And it's called guest.txt.
Now, in order to do this, what we need to do is actually upload a particular file that is going to be executable within the web server once it's uploaded.
So the file that we're gonna use is called command.jsp.
So as you know, WebGoat is a Java J2EE web application, and so we can upload JSPs. And if the permissions are not secure, we may even be able to execute a JSP.
So this particular JSP is actually from fuzzdb. And you can probably Google for it, fuzzdb, and then Google for, uh, cmd.jsp.
It's pretty simple. It's just a standard form. And inside of the scriptlet code, what we're going to do is receive in a command from a text box, and an I/O stream that we can then use to write out to create a file. And so let's go ahead and see how it works.
So for the image, I'm going to just go ahead and browse to.
I can tell where it's been loaded. If I just right click and inspect this element,
I can actually see that it's in the uploads directory.
Okay, so that's helpful. So
if we open up a new tablets, describe this
and we have our text box
and, of course, in the UNIX or the Linux environment, in order to create a file, all we have to do is a command called touch.
Do the command, touch, space, and then just grab the location.
okay? And so it states that the file was created.
We come back over here
and we refresh our lesson.
We can see that we have successfully completed the lesson.
Now, the problems here involve allowing, of course, any file to be uploaded. The file was executable. So when it got uploaded, it then had the ownership of the process that runs WebGoat in Tomcat, which is root in this case. And so there's full privilege there to execute that file in this uploads directory.
So what you would instead want to do is lock down your web server, place files that are uploaded to a completely different directory, make them non-executable, as well as, if you could afford it, run them through a malware scanner to ensure that you're not also uploading a malicious payload.
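
The mitigations listed at the end of the lab, sketched as an upload handler. This is an added example, not code from the course or from WebGoat; the class and method names are hypothetical, the storage directory is assumed to sit outside the web root, and the malware-scanning step is left out.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;

// Hypothetical helper (not WebGoat code): accepts image uploads only and
// stores them where the servlet container will never compile or run them.
public class SafeImageUpload {
    // Allow-list of extensions and the leading bytes each type must start with.
    static final Map<String, byte[]> MAGIC = new HashMap<>();
    static {
        MAGIC.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G'});
        MAGIC.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        MAGIC.put("gif", new byte[] {'G', 'I', 'F', '8'});
    }

    /** Stores an allowed image under 'store' and returns its path; throws otherwise. */
    static Path save(String clientName, InputStream body, Path store) throws IOException {
        // 1. Allow-list the extension: a .jsp upload is rejected here.
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = MAGIC.get(ext);
        if (magic == null) throw new IOException("file type not allowed: " + clientName);

        // 2. The content must start with the signature of the claimed type.
        byte[] data = body.readAllBytes();
        if (data.length < magic.length
                || !Arrays.equals(Arrays.copyOf(data, magic.length), magic))
            throw new IOException("content is not a ." + ext + " image");

        // 3. Server-chosen name: the client's file name never reaches the disk.
        //    'store' is assumed to be outside the web root, so Tomcat maps no URL to it.
        Path target = store.resolve(UUID.randomUUID() + "." + ext);
        Files.write(target, data, StandardOpenOption.CREATE_NEW);
        // 4. Defense in depth on POSIX file systems: owner read/write, no execute bit.
        Files.setPosixFilePermissions(target, PosixFilePermissions.fromString("rw-------"));
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path store = Files.createTempDirectory("uploads"); // constructed demo directory
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}; // constructed sample
        System.out.println("stored " + save("cat.png", new ByteArrayInputStream(png), store));
        try {
            save("cmd.jsp", new ByteArrayInputStream("not an image".getBytes()), store);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the servlet container as an unprivileged account rather than root, the other problem named in the lab, is a deployment setting and is not shown in the code.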