White Hat Institute

Unrestricted file upload (medium-security level)

Some server-side upload handlers check the extension of the submitted filename and reject anything that ends in “.php”. This can be bypassed by making a small change to the filename while the request is held in the proxy: the check only looks at the text after the last dot, and a trailing dot leaves that text empty.

For this example, we will be using an “OWASP-BWA” web server and targeting the “bWAPP” application that it hosts.

File upload

Click on “bWAPP”, log in, and set the security level to medium.

File upload 39

From the “Portal” page, select “Unrestricted File Upload” and click on the “Hack” button.

File upload 40

Browse for the malicious PHP file and try to upload it to the page, making sure that interception is turned on in the Burp proxy.

File upload 41

From the “Proxy” tab, under “Intercept,” inspect the “Raw” view of the request. Find the filename in the multipart body and add a dot (.) after the “.php” extension (Ex: image_file.php.), then click “Forward” to complete the request. The server-side check now sees an empty extension and lets the file through, but Apache treats every dot-separated segment of the name as an extension, so the “php” segment still selects the PHP handler when the file is requested.

File upload 42

Once the request is forwarded, the PHP file is stored on the web server and the page shows a “here” hyperlink for viewing or executing it. Before clicking the hyperlink, start the multi-handler with the payload settings that match the uploaded PHP file and listen for an incoming connection.

File upload 43

To execute the malicious PHP file on the web server and obtain a backdoor, click on the “here” link; the script should then open a reverse connection back to the attacker’s machine.

File upload 44
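The procedure above, as an added example that is not part of the original page or of bWAPP's own code: it models the medium-level extension blacklist the page describes, shows why a trailing dot slips past it while Apache still executes the file, builds the multipart body that Burp would forward with the altered filename, and places an allow-list check beside the weak one. The blacklist entries other than “php”, the assumption that Apache maps only the “php” segment to its handler, the form field names (“file” and “form=upload”), and the image allow-list are all assumptions made for the example. It also goes one step beyond the page by running a double-extension name (“image_file.php.jpg”) through the same models.

```python
import os
import uuid

# Blacklist as the page describes it: the medium level rejects a ".php" extension.
# The extra entries are an assumption to make the model realistic, not bWAPP's exact list.
EXTENSION_BLACKLIST = {"php", "php3", "php4", "php5", "phtml"}

# Allow-list used by the hardened check below (assumption: an image-upload feature).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def php_pathinfo_extension(filename):
    """Mimic PHP's pathinfo($name, PATHINFO_EXTENSION): the text after the last dot
    of the basename, or '' when there is no dot or the name ends in a dot."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def medium_level_check(filename):
    """Blacklist check modelled on the page's description. True means the upload is accepted."""
    return php_pathinfo_extension(filename).lower() not in EXTENSION_BLACKLIST


def apache_runs_as_php(saved_name):
    """Apache mod_mime treats every dot-separated segment after the first as an extension,
    and the PHP handler applies when any segment is mapped to it (AddHandler/AddType for .php).
    Assumption: a default mod_php setup such as OWASP-BWA's, with only 'php' mapped."""
    segments = saved_name.split(".")[1:]
    return any(seg.lower() == "php" for seg in segments)


def build_upload_request(filename, content, boundary="----WebKitFormBoundary7MA4YWxkTrZu0gW"):
    """Build the multipart/form-data body Burp shows in the Raw view, with the filename of our choice.
    Field names 'file' and 'form=upload' are an assumption about the bWAPP form, not taken from the page."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = (
        f"\r\n--{boundary}\r\n"
        'Content-Disposition: form-data; name="form"\r\n\r\n'
        "upload\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    return head + content + tail


def hardened_check(filename):
    """Allow-list alternative: drop any path, strip trailing dots/spaces, require exactly one
    extension from the allow-list, and return a server-generated name so the client-supplied
    name never reaches the filesystem. Returns None when the upload must be rejected."""
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or parts[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return f"{uuid.uuid4().hex}.{parts[1].lower()}"


def evaluate(filename):
    """Run one filename through the three models and report what each one decides."""
    return {
        "blacklist_accepts": medium_level_check(filename),
        "apache_executes_php": apache_runs_as_php(filename),
        "hardened_stored_as": hardened_check(filename),
    }


if __name__ == "__main__":
    # Constructed sample payload; a real run would carry the PHP reverse shell here.
    sample = b"<?php echo 'constructed sample'; ?>"
    for name in ("image_file.php", "image_file.php.", "image_file.php.jpg", "cat.PNG"):
        print(name, evaluate(name))
    print(build_upload_request("image_file.php.", sample).decode())
```

On the Linux-based OWASP-BWA the file is stored with the trailing dot in its name, which is why the “here” link still resolves; on a Windows host the filesystem silently strips trailing dots and spaces, so the same trick yields a file named exactly “image_file.php”. The hardened check shows the shape of a fix: normalise the name, allow rather than deny, and never let the client choose the stored filename.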