2

The file(resume) upload feature is accepting any sort of files. I have uploaded the PHP shell into it. How do I again access to that uploaded file? I'm bruteforcing the web directory to check for uploaded file path. Is my approach correct?

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
dany
  • 193
  • 7
  • dany I would suggest checking how the file viewer works - do you browse straight to this file? Is there a parameter that includes the relative local file path? Or is the file stored in a database? Besides that, do you know for a fact that PHP is installed, or are you just assuming this? Also check out [this post](http://security.stackexchange.com/a/11992/33) regarding other potential attacks regarding file uploads, besides just file execution. – AviD Oct 27 '12 at 20:47

3 Answers3

2

Your approach is fine for finding vulnerable systems, but it's likely not vulnerable.

The file you uploaded isn't guaranteed to be in any publicly accessible directory. It may be stored outside of the document root of the web server, then read via a PHP script that streams the content back to you.

In such a case, there's no way to make the web server run the script as a PHP script, because the PHP module won't execute anything outside of its base directory (document root).

Polynomial
  • 133,763
  • 43
  • 302
  • 380
1

There is no guarantee that the file you uploaded is also available through the webserver. It might be that the path to where the file is stored is protected and cannot be browsed.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
1

What I usually do depends on the exact type of app. If it's a user contributed content application where the uploaded files are visible after upload, then just upload something safe, find where it's uploaded through standard application functionality, and that's your location.

Assuming here that that's not the case you have a couple of options. If you can identify the product in use (assuming it's a packaged app) then a good approach is download the app or the documentation and find out the default location from that.

If it's bespoke then you're likely back to the bruteforcing approach that you're currently using. as @lucas-kauffman and @polynomial have mentioned, it's possible/probable that the application uploads outside of the web root, in which case you won't be able to directly access the content.

Of course there's other things you could do as part of a pentest with a file upload feature that could still be interesting. A standard one you may not yet have tried is uploading eicar to check the A-V on the upload facility, in a lot of cases they won't have any.

Rory McCune
  • 61,541
  • 14
  • 140
  • 221