How Is a Shell Upload Vulnerability Exploited

April 14, 2022 Posting Komentar

Vanquish upload vulnerabilities permit an attacker to upload a malicious PHP file and execute it by accessing it via a web browser. The "shell" is a PHP script that allows the attacker to control the server - substantially a backdoor program, like in functionality to a trojan for personal computers. If the assailant can upload this page/shell to a spider web site, they can command the awarding server. Trounce upload vulnerabilities are very easy to notice and exploit in PHP. File uploads are usually handled by the move_uploaded_file() function, so searching for calls to that function can reveal code that might be potentially vulnerable. Multiple methods are bachelor to forbid shell upload vulnerabilities, which I'll discuss in just a bit.

An example of a spider web-shell is a web folio that includes a text field and a push button and when you enter some commands into the text field and press the button, the web page will execute these commands on the server and then display itself again; it will also show the output from the executed commands. This is an example of a very elementary shell. Actual shells are but more advanced variations of this principle and often include features like file browsers and database managers. If you want to look at actual web shells, do a Google image search for "c100 shell" and feel the 1337ness of the UI design.

To make up one's mind whether it is possible to upload the shell, an aggressor tin search awarding code for calls to move_uploaded_file() and see if the file upload functionality can be abused. It is also possible to apply the copy() role to handle uploaded files in earlier versions of PHP, but that'southward a much less common mode of handling file uploads. Many new programmers, especially those that are not enlightened of this vulnerability blazon, make the mistake of merely uploading files to some folder on the web server, which is the approved instance of the vanquish upload vulnerability. All an attacker has to exercise in that example is upload his shell to take over the application.

To preclude vanquish upload vulnerabilities, search your application code for calls to move_uploaded_files() and strengthen each piece of code that uses that part. I recommend creating a spreadsheet that enumerates all code that can be used to upload files in the application to keep rail of the application hardening process. The following defenses can be used to defend confronting trounce upload vulnerabilities:

require hallmark to upload files
store uploaded files in a location not accessible from the web
don't eval or include uploaded data
scramble uploaded file names and extensions,
define valid types of files that the users should be allowed to upload.

A maximum possible combination of these defenses should be used according to the defense in depth principle.

Hallmark should be required to upload files. Examine each slice of code that can exist used to upload files to make sure that the move_uploaded_files() office volition not be executed unless the script is accessed by a valid authenticated user. Pay detail attention to the fact that PHP files tin be executed individually and not as a function of the application. One constructive technique to preclude PHP files from being executed independently from the primary application is to place all code in supplementary files inside course definitions. Another method is to check the value of a variable that is defined by the application earlier executing whatever code in the supplementary PHP files. The supplementary files are the files that contain application code but are not intended to be directly executed by the user by beingness accessed via HTTP requests - these files are intended to exist executed past the application when needed using the include() function.

Another mitigation technique is to store the uploaded files in a location that is non web-accessible. At that place are several options for doing and so. It'southward possible to store uploaded files outside of the web root, in a database, or in a folder that is configured as inaccessible using the web server configuration. A web application developer should know what the spider web root binder is (the folder that is attainable from the web). Placing uploaded files a level higher up the web root binder makes them inaccessible from the spider web. The upshot is that fifty-fifty if an attacker is able to upload a vanquish, the attacker won't be able to access it.

Storing uploaded files outside the spider web root is a strong and like shooting fish in a barrel to implement measure, simply information technology might make installing the application on a large amount of servers slightly more difficult. Because the servers so demand to exist configured to permit storing files exterior of the web root by creating a folder to store the uploaded files and granting the web server permissions to write to that folder, this additional configuration work is a master reason why many commercial applications store uploaded files in a web accessible locations – and subsequently, suffer from beat out upload vulnerabilities. Another mitigation method, which is virtually identical, is to store uploaded files in a database. Files stored in a database cannot be accessed directly via HTTP requests, so even if an attacker is able to upload a crush, they won't be able to access information technology. If the application is already using a database, there is no additional end-user configuration required for using the database method to comprise the uploaded files; however, it is harder to code and there is some maintenance overhead because the database might become quite large and therefore the backups too.

Configuring a folder inside of web root every bit web inaccessible using web server configuration directive is another mitigation technique, however it's also the easiest to implement incorrectly. Nearly ordinarily this is achieved using .htaccess files. The challenge is that protecting the upload folder and so becomes the responsibleness of the end user. When done correctly, using web server configuration to cake access to the uploads folder is merely equally effective as the other methods, but many users don't fix it upward correctly.

When information technology comes to accessing the uploaded files, a PHP script should be used to read the specified file and render its contents. This can exist used to bear witness uploaded images in the browser or for whatever other purpose where it is necessary for the users to admission the uploaded files. The fact that a PHP script returns the contents of the uploaded files rather than the web server processing the uploaded files as a issue of direct requests means that there is no chance that the uploaded files will be executed as code.

Do not eval or include uploaded data. No realistic application requirements where executing uploaded user files every bit server-side code would be a good idea come up to mind, so this is just a technical note. If you are for some reason tempted to include() or eval() user uploaded files, merely don't :)

The file names and extensions of uploaded files should exist changed to forbid possible execution. If the original file names need to be preserved, they should be stored in a lookup tabular array, either in a database or in a XML file. Spider web servers execute PHP files as code based on file extensions. If a file has an extension that is defined as code in the server's configuration, information technology volition be executed. Mutual PHP file extensions are .php and .php5, but there may exist others, depending on the server configuration. It is important non to allow attackers to upload files with extensions that let the files to be interpreted as lawmaking. Scrambling the file extensions, or even removing them completely, accomplishes that. Scrambling the file names likewise provides the added bonus that it makes information technology more difficult for the attacker to observe the uploaded file(southward) and thus makes information technology harder to create HTTP requests that access those files directly.

Lastly, be sure to define valid types of files that the user is allowed to upload. The application should define possible valid file extensions and the programmer should make sure that none of the allowed file extensions can be interpreted as application lawmaking past the web server. Do not bother validating the MIME type of the upload - that can exist easily faked past the aggressor. However, information technology does assist to validate the extension of the file being uploaded and later on passing such validation, all uploaded files should still be treated as dangerous. Don't rely on file type validation as a sufficient defence force - it should exist used in addition to other countermeasures described in this weblog.

In summary, shell upload vulnerabilities can be effectively prevented past blocking direct access to uploaded files and limiting the ability of users to upload files.